Strategies for Effective Mitigation

There are two primary ways to deal with spyware: the first looks at the host (the computer on which spyware could be installed) and the second looks at the network.

Host-Based Solutions

The host-based approach offers several valuable options, the best of which is prevention. Running systems that are not vulnerable to the kinds of attacks spyware relies on (particularly the nastier variety not discussed here) buys a measure of protection; the ActiveX vulnerabilities that enable such problems, for example, are simply not present on other operating systems such as MacOS, Linux, and FreeBSD. Note, however, that not all spyware works through ActiveX controls: the Pharmatrak system worked with any Web-based system, and users of these other platforms would (and, indeed, did) have information about them collected.

Another host-based option is to create a standard “build” of the desktop system for users that includes not only the operating system and applications, but also defense mechanisms such as anti-malware packages.

A significantly less effective mechanism is spyware “removal.” It can look more attractive than prevention in some cases, since nobody has to justify the expense of an anti-spyware package against a threat that has not yet materialized, but any software running on a system that has been compromised may not be able to behave as advertised. In particular, malware that has altered operating system libraries could cause a “removal” program to do more harm than good. The safest course after a compromise is to discard the compromised installation and replace it with one that can be trusted, which takes us back to the standard build described above.

Network-Based Solutions

Another option is to take a network-based view of the system: configure intrusion detection systems, firewalls, and other policy enforcement mechanisms to prevent spyware packages from working.

The first means of doing this is to identify unsafe content (e.g., ActiveX controls) flowing from an untrusted zone (e.g., the Internet) into a trusted zone (e.g., an internal network) and to block the download. Another is to identify attempts by spyware to “phone home,” which prevents it from reporting what it has collected but does not prevent it from reaching the user's system in the first place. A third is to enforce a policy that refuses connectivity from trusted systems to unknown sites and refuses downloads of content that cannot be identified.
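The following Python script illustrates the three network-side controls just described, run over a handful of outbound web-proxy log lines. It is an added example written for this page, not code from the original text or from any product; the log format, the hostnames and client addresses, the allowlist of permitted sites, and the beacon-interval thresholds are all assumptions made up for illustration. Rule 1 blocks active content (ActiveX object and cabinet downloads) arriving from the untrusted zone, rule 2 looks for “phone home” beacons by spotting a client contacting one non-allowlisted host at a steady interval, and rule 3 denies connections to unknown sites and downloads whose content cannot be identified.

```python
"""Toy network-policy audit over constructed proxy-log lines (added example).

All hostnames, addresses, the allowlist and the thresholds below are assumptions
for illustration, not a real product's configuration or output.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, internal client, destination host,
# requested path, and the Content-Type the server returned.
SAMPLE_LOG = """\
2004-03-01T09:00:00 10.1.1.20 www.example.com /index.html text/html
2004-03-01T09:00:05 10.1.1.20 www.example.com /toolbar.cab application/vnd.ms-cab-compressed
2004-03-01T09:00:07 10.1.1.20 cdn.example.net /widget.ocx application/x-oleobject
2004-03-01T09:01:00 10.1.1.21 stats.tracker-example.net /beacon.gif?id=7 image/gif
2004-03-01T09:06:00 10.1.1.21 stats.tracker-example.net /beacon.gif?id=7 image/gif
2004-03-01T09:11:00 10.1.1.21 stats.tracker-example.net /beacon.gif?id=7 image/gif
2004-03-01T09:12:30 10.1.1.22 unknown-host.example.org /dl/blob application/octet-stream
"""

# Assumed zone policy: sites an internal (trusted-zone) client may reach.
ALLOWED_SITES = {"www.example.com", "mail.example.com"}

# Rule 1: active content from the untrusted zone that is blocked outright.
UNSAFE_CONTENT_TYPES = {"application/x-oleobject", "application/vnd.ms-cab-compressed"}
UNSAFE_EXTENSIONS = (".ocx", ".cab", ".dll")

# Rule 3: content the proxy cannot identify well enough to let through.
UNIDENTIFIABLE_TYPES = {"application/octet-stream"}

# Rule 2: repeated contacts to one unknown host at a steady interval look like a beacon.
BEACON_MIN_HITS = 3
BEACON_JITTER_SECONDS = 30


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into its fields."""
    ts, src, host, path, ctype = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src,
            "host": host, "path": path, "ctype": ctype}


def classify(entry: dict) -> List[str]:
    """Apply rules 1 and 3 (plus the unknown-site policy) to a single request."""
    verdicts = []
    path = entry["path"].split("?", 1)[0].lower()   # ignore the query string
    if entry["ctype"] in UNSAFE_CONTENT_TYPES or path.endswith(UNSAFE_EXTENSIONS):
        verdicts.append("BLOCK unsafe active content")
    if entry["host"] not in ALLOWED_SITES:
        verdicts.append("DENY unknown site")
    if entry["ctype"] in UNIDENTIFIABLE_TYPES:
        verdicts.append("DENY unidentifiable content")
    return verdicts


def find_beacons(entries: List[dict]) -> Dict[Tuple[str, str], int]:
    """Rule 2: (client, host) pairs hitting a non-allowlisted host at a regular cadence."""
    by_pair = defaultdict(list)
    for e in entries:
        if e["host"] not in ALLOWED_SITES:
            by_pair[(e["src"], e["host"])].append(e["time"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < BEACON_MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS:
            beacons[pair] = len(times)
    return beacons


def audit(log_text: str):
    """Return per-request verdicts (in log order) and the detected beacons."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_request = [(e["src"], e["host"], e["path"], classify(e)) for e in entries]
    return per_request, find_beacons(entries)


if __name__ == "__main__":
    requests, beacons = audit(SAMPLE_LOG)
    for src, host, path, verdicts in requests:
        print(f"{src} -> {host}{path}: {verdicts or ['allow']}")
    for (src, host), hits in beacons.items():
        print(f"possible phone-home: {src} contacted {host} {hits} times at a steady interval")
```

Note the asymmetry the text points out: the beacon rule only tells you that 10.1.1.21 is already talking to a tracker, whereas the content and unknown-site rules stop the download or the connection before the user's machine is touched. The steady-interval heuristic is deliberately simple; real spyware can randomize its timing, so it complements rather than replaces the deny-by-default policy.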