Spyware Growing Security and Privacy Problem
Aug. 30, 2004

Despite the security improvements Microsoft made to Windows XP in the second service pack, computers are still susceptible to increasingly malicious spyware. Spyware is rapidly evolving beyond the innocuous gathering of limited personal information used in targeting Web-based advertisements to becoming malicious and hard-to-detect programs that can steal sensitive data, such as passwords or bank account numbers. Microsoft’s current three-step "Protect Your PC" program does little to prevent spyware from installing itself on a PC and stealing information—at a minimum, users need to take the additional step of using spyware detection software.

How Spyware Installs

In recent tests, a Windows-based computer that was connected to the Internet for more than a half-hour, even with a firewall, began to collect spyware. (Some common spyware is described in the sidebar "What Is Spyware?".) Spyware can install itself by exploiting vulnerabilities such as buffer overflows. Other attacks can install spyware by targeting a combination of vulnerabilities on servers and browsers, as was the case with Download.ject, which shows why keeping PCs patched is so important. (See the sidebar "Exploit Targeted Online Commerce, Banking" on page 4 of the Aug. 2004 Update.)

However, the majority of spyware is installed as the result of "social engineering" exploits. Among the tricks used to get users to install or accept spyware are the following:

Trojan (Horses). Like the wooden horse used by the Greeks to gain access to the city of Troy, its software namesake entices users to accept a software gift, such as a free program, image, music, or movie file, and let it pass through their computer’s defenses, only to discover later that it also included additional unwanted and malicious software.

Pop-ups. Many legitimate Web sites use pop-ups to display useful messages or information, such as providing a larger resolution display of an image contained on a page. Others are used in an effort to trick users into installing spyware. Typically a series of pop-ups will be very hard to close, forcing the user to eventually give in and click a control that installs the software. (In some cases, buttons labeled "Cancel" or "Close" are programmed to instead start the installation or take users to a Web page asking them to install the software.) Or, a pop-up may obscure buttons or controls to trick the user into making the wrong choice.

Misleading dialog boxes. Some Web sites present a dialog box asking users if they want to perform a seemingly desirable or innocuous task (such as, ironically, checking their machines for spyware). When users accept, the site actually begins downloading and installing spyware.

Confusing licenses. Knowing that most users do not read or understand the terms of an End User License Agreement (EULA), and counting on the fact that they will just click OK to accept the license, some software includes a EULA that gets users to agree to the installation of both the software and spyware.

Similar Web site names. Some malicious Web sites use URLs that are very close to those of known popular Web sites—for example, they may include an additional letter or be a common misspelling of the desired site. When the user visits the site, it may use known vulnerabilities or other social engineering tricks, such as a cascade of pop-ups or misleading dialog boxes, to install spyware (in what is called a "drive-by" installation). This has turned a common Internet practice—guessing at an organization’s URL in a browser’s location window—into a vector for spyware. If the URL is wrong, the user could hit a site that purports to be the real site but tricks the user or exploits an unpatched vulnerability to install some form of spyware.

Invalid links. Links on search engines and Web sites that purport to be one thing, such as a pointer to a site with hints for winning a computer game or offering the lyrics of songs, may actually redirect the enticed user to a malicious Web site that will attempt to install spyware.

Regardless of how spyware is initially installed, it can be hard to detect and remove. That's because, for all intents and purposes, it looks and acts like any other desired application or utility, except that spyware is unlikely to appear in the Add/Remove Programs Control Panel or, if it does, it is unlikely to completely or cleanly uninstall at the user's command. Even the most minimal spyware installation routine (it is not likely that spyware will use the Windows Installer) has probably copied files into system or program directories, created and modified Registry entries, set itself to load and run automatically with each reboot of the computer, or inserted itself into the computer system in other hard-to-detect ways. For this reason many antivirus and spyware detection programs will not detect any signature or unusual marker and cannot distinguish the spyware from software the user wanted to install.

Preventing Spyware

Although Microsoft made improvements to its Internet Explorer (IE) browser in the second service pack for Windows XP (XP SP2), these will only be useful in a limited number of cases. These changes do make it easier for the user to manage pop-ups and limit the potential for deceptive pop-ups that trick the user into installing spyware. XP SP2 also makes it easier for the user to manage downloads by using the IE Information bar to learn more about or reject downloads. But these improvements are only available to IE on Windows XP. Users of older Windows versions, such as Windows 2000 Professional, gain no such protection, even if they have installed and patched the latest available version of IE.
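One practical check that follows from the persistence behaviour described above (software that loads at every reboot yet never appears in Add/Remove Programs) is to enumerate the Run/RunOnce autostart keys and compare each entry with the install locations that Add/Remove Programs knows about. This is an added example, not part of the original Update article; it assumes Windows PowerShell 3.0 or later, covers only the Run/RunOnce keys (one of several autostart locations), and reads the registry without changing anything.

```powershell
# Added example (not from the original article): list Run/RunOnce autostart
# entries and flag those whose executable is not under any directory that
# Add/Remove Programs (the Uninstall keys) knows about. Read-only.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Directories known to Add/Remove Programs. InstallLocation is optional, so
# the directory of the uninstall command is used as a fallback where present.
$knownDirs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  ForEach-Object {
    if ($_.InstallLocation) { $_.InstallLocation }
    if ($_.UninstallString -match '^"?([A-Za-z]:\\[^"]+\\)') { $Matches[1] }
  } | Where-Object { $_ } |
  ForEach-Object { $_.TrimEnd('\').ToLower() } | Sort-Object -Unique

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
function Get-CommandPath([string]$cmd) {
  if ($cmd -match '^"([^"]+)"')   { return $Matches[1] }
  if ($cmd -match '^(\S+\.exe)')  { return $Matches[1] }
  return $cmd.Trim()
}

foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  # PS* properties are provider metadata added by Get-ItemProperty, not values.
  $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
  foreach ($name in $names) {
    $exe   = [Environment]::ExpandEnvironmentVariables((Get-CommandPath $props.$name))
    $dir   = (Split-Path $exe -Parent).ToLower()
    $known = $knownDirs | Where-Object { $dir.StartsWith($_) }
    $status = if ($known) { 'listed in Add/Remove Programs' }
              elseif (-not (Test-Path $exe)) { 'target file missing' }
              else { 'NOT listed in Add/Remove Programs' }
    [pscustomobject]@{ Key = $key; Name = $name; Exe = $exe; Status = $status }
  }
}
```

Entries reported as not listed are not necessarily spyware (many legitimate updaters and drivers register no uninstall entry), but they are the ones worth looking at first, and running the script before and after a suspicious download shows what was added.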
In addition, following the three steps outlined in Microsoft’s three-step "Protect Your PC" campaign will not completely protect users against spyware. If a user keeps a computer up-to-date with patches, uses antivirus software, keeps the virus signature files current, and uses a firewall—particularly the Windows Firewall, which only monitors inbound communications—the user may still get spyware on her computer through new vulnerabilities or social engineering tactics. Similarly, changing to a browser other than IE may limit the amount of spyware installed through known IE vulnerabilities, but will do little to prevent social engineering exploits. At a minimum, customers should consider adding two more steps to those suggested in the "Protect Your PC" campaign:

Run spyware detection software. Just as users today should run antivirus software with current antivirus signature files, users should install and keep up-to-date spyware detection software on their computer. Like antivirus software, spyware detection software should be running on a continual basis and be frequently updated to ensure it has the latest information needed to detect the latest spyware techniques. But while running antivirus software from a single vendor is adequate, because this is a new and rapidly expanding issue, it may be necessary to run spyware detection software from multiple vendors to completely detect all spyware.

Run with fewer privileges. Many Windows users run in the role of Administrator with full permission to make system-level changes, such as installing software on their computers. While it is technically possible to create user IDs with restricted or user-level privileges, in practice, the design of Windows and most Windows applications makes this impossible or extremely inconvenient. For example, running as User means that most software (including spyware) won't install, but it also means that common tasks, such as reconnecting to a wireless access point, are also restricted.

Some additional steps can reduce spyware's impact if it finds its way onto a computer. For example, simply removing the phone cord between the computer’s modem and wall jack when not needed will limit the functionality of most dialers—that is, spyware that bills charges to the user’s phone number. Although it requires more technical expertise, restricting or monitoring traffic on outbound ports on a firewall may also limit the ability of spyware to distribute the information it has collected.

Resources

Microsoft provides background information on spyware, including a limited list of partners that supply spyware detection software, at www.microsoft.com/spyware.

Antivirus vendors, such as Symantec, provide background information on spyware. Symantec’s Web site is at www.symantec.com/index.htm.

PestPatrol, a vendor of spyware detection software, also provides background information on spyware at www.pestpatrol.com.

For background on the changes to IE in Windows XP SP2, see "No Stand-Alone Updates on IE Roadmap" on page 3 of the Aug. 2004 Update.