Spying on Spyware

What exactly is spyware? How does it work? What is its impact on users---and the businesses that employ them?

C Matthew Curtin, CISSP
Interhack Corporation

Millions of computer users are being watched, not just by employers and auditors, but by the software that they use---frequently without their knowledge or consent. This “spyware” has become the center of the personal privacy debate.

What exactly is spyware? How does it work? What is its impact on users---and the businesses that employ them?

Interhack's Internet Privacy Project has been pioneering the dissection and documentation of spyware since 1999.

This report is available in PDF.

Introduction to Spyware

Software to observe user behavior to collect information under users' noses is often called spyware. These systems have become central to a heated debate regarding online privacy, prompting the U.S. Congress to consider several bills.1 In addition, the very nature of such systems--the collection of data that would not otherwise be available outside of corporate firewalls--raises questions about how companies can remain compliant with privacy-oriented regulation like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA).

How Spyware Works

In this paper, we'll briefly outline two systems that could be classified as spyware to demonstrate different methods for collecting information from users without their knowledge. In both cases, these systems perform some kind of surreptitious user tracking and then format some part of that data for reporting back to system's operator. It should be noted that there are significantly more egregious cases of spyware in use; we choose these two systems because they represent a Windows-based system that collects and reports information and a Web-based system to do the same. Other cases that we have analyzed include Spector Professoinal [5], TheCounter.com [2], Coremetrics [7], DoubleClick [8,9], and Netscape [6].

Strategies for Effective Mitigation

There are two primary methods to deal with spyware: the first is to look to the host (computer that could have spyware installed) and the second is to look at the network.

Conclusions

Spyware, though not a particularly new problem when defined generally, remains a problem that is difficult to manage. While there is no silver bullet to solve all of these problems, there is hope. Like other security incidents, the problem can be managed effectively with a comprehensive definition of the trusted computing base and a program to maintain it. With the right support from policy and technology, malware, including spyware, can be defeated. To see how Interhack can help you to define and to enforce security policy, please visit us online at web.interhack.com or call us at +1 614 545 HACK.