Spyware is getting more dangerous and has become a greater threat to the enterprise, according to the latest quarterly state of spyware report from Boulder, Co.-based Webroot Software.
Although spyware definition writers have kept pace with spyware writers, the threat has become more sinister, more insidious, and is now going after bigger payoffs, said the report scheduled for release on Tuesday.
The study shows spyware growth has now tapered off as a percentage of infected machines, and is keeping pace with the rising rate of computer ownership, said Richard Stiennon, vice-president of threat research for Webroot Software. Webroot is releasing version 2.5 of its Spy Sweeper Enterprise software today.
“It’s basically growing with the size of the universe,” said Stiennon. “End users are getting educated thanks to all the press around spyware.”
The amount of spyware per infected enterprise PC grew more than 19 per cent to 27 spyware items per PC, 4.4 of which were malicious. Systems monitors and Trojan infection remained unchanged at seven per cent of infected PCs. One-third of the PCs had adware.
Webroot estimates that 20 to 50 per cent of all corporate help desk usage involves spyware. Typical rebuild time for an infected PC is two hours, resulting in lower employee productivity and impaired network performance.
The spyware world can be broadly divided into two categories: adware and malicious spyware. Adware, typically, installs onto a computer without user permission, and is often bundled with other products. Malicious spyware (malware) includes keystroke loggers and Trojans that attempt to gather personal information for financial gain.
Stiennon said public education and legislation in the US are forcing adware companies to reform by re-writing end-user license agreements, attributing pop-up windows to the program, and providing uninstall utilities that actually work.
“As they get a little more honest people are not installing it, so they’re actually losing market share,” said Stiennon.
Many spyware companies, however, are offshore and outside the jurisdiction of US legislation.
Malware is more dangerous and growing, posing a more pronounced threat to the enterprise. Stiennon points to a recent case in Israel where companies were found to be using spyware for corporate espionage. Insiders could also be involved – infecting computers from inside the network.
“That’s the most worrisome thing that IT managers should be watching out for,” said Stiennon.
Neil Schwartzman, chairman of the Coalition Against Unsolicited Commercial Email, based in Montreal, said corporate IT staff must be more vigilant about spyware.
“For an enterprise, the amount of private information they can get a hold of is significantly larger,” said Schwartzman. “So is the immediacy, the urgency, and the potential disastrousness of having one of these things at the enterprise level.”
He says it isn’t just financial information that’s at risk. At a hospital or clinic, confidential medical files could be obtained, or a company could lose sensitive corporate data.
“For technical remedies, as usual it’s an arms race,” said Schwartzman. “Every time we come out with a solution they come out with something that beats us and vice-versa.”
The Anti-Spyware Coalition (ASC), a Washington, DC-based industry group, is working to better define spyware as a first step to finding ways to eliminate it. Legislation has already been passed by a number of US states and several bills will be pending before Congress this fall. But north of the border, no federal legislation has been introduced yet.
An Industry Canada taskforce formed two years ago focused on spam, but any legislation the government drafts relating to that report should be expanded to address the larger issue of spyware, said David Fewer, legal counsel for the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.
“If we don’t have trust in the Internet as a vehicle for e-commerce, that affects Canada’s economy and our future growth, and that’s not good,” he said.
Fewer also emphasized the need to expand the scope of legal responsibility. When a company hires a marketer to run its online advertising, the marketer contracts another firm like 180solutions, which contracts to distributors paid by the install. Many of these distributors use dishonest methods. Under current laws, only the distributor is legally liable, which gives the marketer and the company advertiser little motivation to force changes.
“Ultimately it’s American Express that shows up on your computer and 180solutions serving up the pop-ups,” said Fewer. “Why aren’t they held accountable for this activity, particularly when you consider the costs they’re imposing on businesses and consumers?”