Added: 07.04.2021
Yahoo Search Marketing was in the news a few years ago for its alleged inability to stop the misuse of its program, and also for posting deceptive ads itself. Some merchants monitor those who participate in their programs while some do not. Those merchants who do not monitor their participants can easily be taken advantage of by exploiting their program. The next two parties in the game are the spyware author, who writes the spyware program, and the person who wants to make money from this setup. Often these are two different parties, but they can also be the same person. The person who is looking to make money strikes a deal with the spyware author. The spyware author includes that person's affiliate program code in the spyware. The spyware is then distributed onto the internet using any of the techniques mentioned in section 5. When the spyware gets downloaded onto an unaware user's computer, it starts popping up ads with the affiliate code embedded in them. When the user clicks these ads, the person with the affiliate code gets paid per click by the merchant. This revenue is then split between the person and the spyware author.
7. Legal issues related to spyware
Most countries have laws which make unauthorized access to a computer by a person who does not own it illegal. These laws have been put to use against virus writers, hackers and the like, but spyware authors seem to be immune from them. The primary reason behind this immunity is that most spyware is installed with the user's consent and is thus legal. The EULA, Terms of Service or Terms of Use is a legally binding contract, and online consent is given when you click the "I agree" button. Nobody installs spyware knowingly; it just rides along with shareware or freeware that you install. In most cases the EULA will contain a description of what is going to be installed on your computer. Since a lot of people don't bother to read the EULA, and certainly not to the end, they end up installing spyware legally without even knowing it. Because of this legality issue, major players in the antivirus arena like McAfee and Norton stayed away from the antispyware business for a long time. This issue also puts antispyware software in dodgy territory, because it automatically removes software which was downloaded by agreeing to the EULA, thus helping the user to breach the contract they made when installing the spyware bundled with freeware [18]. This is exactly what happened when New.net sued the antispyware company Lavasoft for branding its software "spyware" and stopping it from being distributed in the way it was supposed to be. Although New.net lost the lawsuit, there is still a lot of doubt about the legality of spyware. In another such incident, which shows how difficult it is to put these laws into practice, WhenU.com sued the state of Utah and succeeded in preventing the implementation of the Spyware Control Act in that state.
8. Antispyware
Antispyware has borrowed a lot from its older cousin, antivirus software, which existed long before antispyware came into being. Although antivirus techniques tackle an altogether different problem, separating illegitimate software programs from legitimate ones, they are the most frequently used countermeasures against spyware [4]. As is the case with antivirus software, antispyware software is also always one step behind the latest spyware, waiting for something to happen before taking action [5]. In this section we briefly survey spyware detection techniques and the current state of the art in this field.
8.1 Manual identification
Manual detection is perhaps the oldest malware detection technique known. It involves manually tracking and investigating the system changes made by the malware. This technique is effective in identifying both known and unknown spyware, but it comes at a high cost, since it is very time consuming and requires a professional to examine the infected system for a substantial period of time [5].
8.2 Signature based identification
This is the most widely used detection method, employed by a large number of antispyware products. A signature consists of a unique pattern and the properties of the malware in question. The antispyware contains a comprehensive database of signatures of all spyware found to date. It checks every suspicious piece of software against this database to see whether it is spyware [6]. Thus an important thing to keep in mind from a user's point of view is to keep the antispyware database updated. The flip side of this technique is that it cannot tackle the latest spyware threats until their signatures have been added to the database.
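As an added illustration (this is not code from the report or from any antispyware product), the following Python sketch shows the two forms a signature commonly takes, a whole-file hash and a byte pattern, and why a rebuilt copy of a known family still matches while a genuinely new variant goes undetected until the database is updated. The signature names, patterns and sample "files" are all constructed for the example.

```python
import hashlib
import re

# Constructed, illustrative byte-pattern signatures. The names and patterns do
# not correspond to any real spyware family; they stand in for the "unique
# pattern and properties" a real database stores.
PATTERN_SIGNATURES = {
    "Example.Adware.Popper": re.compile(rb"AFFILIATE_ID=[0-9]{6}"),
    "Example.Tracker.Beacon": re.compile(rb"track\.example\.invalid/beacon"),
}

# Constructed sample "files": byte strings standing in for executables on disk.
SAMPLE_KNOWN = b"MZ\x90\x00popper.exe AFFILIATE_ID=123456 show_popup()"
SAMPLE_REPACK = b"MZ\x90\x00popper.exe AFFILIATE_ID=654321 show_popup()"  # same family, rebuilt
SAMPLE_BENIGN = b"MZ\x90\x00editor.exe open_file() save_file()"
SAMPLE_NEW = b"MZ\x90\x00newthing.exe aff=9f3a show_popup()"  # variant nobody has catalogued yet


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whole-file hash signatures: exact matches only, so they miss SAMPLE_REPACK.
HASH_SIGNATURES = {sha256_hex(SAMPLE_KNOWN): "Example.Adware.Popper"}


def scan(data: bytes, hash_db=HASH_SIGNATURES, pattern_db=PATTERN_SIGNATURES) -> list:
    """Return the names of every signature that matches `data`; [] means no match."""
    hits = []
    name = hash_db.get(sha256_hex(data))
    if name:
        hits.append(name)
    for sig_name, pattern in pattern_db.items():
        if sig_name not in hits and pattern.search(data):
            hits.append(sig_name)
    return hits


def add_signature(name: str, byte_pattern: bytes, pattern_db=PATTERN_SIGNATURES) -> None:
    """Model a database update: a new variant is only caught once this has run."""
    pattern_db[name] = re.compile(byte_pattern)


if __name__ == "__main__":
    for label, sample in [("known", SAMPLE_KNOWN), ("repack", SAMPLE_REPACK),
                          ("benign", SAMPLE_BENIGN), ("new variant", SAMPLE_NEW)]:
        print(f"{label:12s} -> {scan(sample)}")
    add_signature("Example.Adware.Popper.B", rb"aff=[0-9a-f]{4} show_popup")
    print(f"{'after update':12s} -> {scan(SAMPLE_NEW)}")
```

Running the script shows the point of the paragraph in miniature: the hash catches only the exact file, the byte pattern also catches the rebuilt copy, and the new variant returns an empty result until `add_signature` has been called, which is the step a real product performs when the user updates the database.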
8.3 Behavior based identification
To evade signature based identification, spyware authors started developing spyware which continuously morphs itself and thus has no fixed signature. Detecting such polymorphic spyware is impossible using signature based identification, so the antispyware industry had to come up with a different technique. Since the spyware, even after morphing itself, still performs a certain set of malicious actions, attention turned to identifying behavior rather than signatures. Behavior based identification consists of matching the activities of a piece of software against a set of malicious actions. If the software performs a number of malicious actions exceeding a permissible limit, it is identified as spyware.
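The following Python example is added here to make the scoring idea concrete; it is not code from the report or from any product. It weights a small catalogue of suspicious actions, sums the weights seen in an event trace, and compares the sum against a permissible limit. Two constructed variants with different file hashes (which a signature scanner would treat as unrelated) show the same behavior and are both flagged, while a constructed installer that also persists and phones home stays below the limit. The action names, weights, threshold and traces are all assumptions made for the example.

```python
# Constructed weights for actions an antispyware engine may consider
# suspicious. The catalogue and the weights are illustrative only.
SUSPICIOUS_ACTIONS = {
    "registry_run_key_write": 3,     # persistence: start again at every logon
    "browser_homepage_change": 4,    # typical of browser hijackers
    "hook_keyboard": 5,              # keystroke capture
    "outbound_post_unprompted": 3,   # sends data without user action
    "hide_process": 4,               # conceals itself from the task list
}
THRESHOLD = 8  # the "permissible limit" from the text, chosen for this example


def score_trace(trace):
    """Return (score, matched_actions) for a list of observed events.

    Each suspicious action type is counted once, however often it recurs, so a
    program that phones home in a loop is not scored higher than one that does
    it once; what matters is the combination of behaviors.
    """
    seen = set()
    score = 0
    for event in trace:
        action = event["action"]
        if action in SUSPICIOUS_ACTIONS and action not in seen:
            seen.add(action)
            score += SUSPICIOUS_ACTIONS[action]
    return score, sorted(seen)


def classify(trace, threshold=THRESHOLD):
    """Label a trace 'spyware' when its score reaches the threshold."""
    score, matched = score_trace(trace)
    verdict = "spyware" if score >= threshold else "clean"
    return verdict, score, matched


# Constructed event traces. The two variants have different file hashes (a
# signature scanner would see two unrelated files) but the same behavior.
VARIANT_A = [
    {"action": "process_start", "image_sha256": "constructed-hash-0001"},
    {"action": "registry_run_key_write", "detail": "autorun entry added"},
    {"action": "browser_homepage_change", "detail": "search.example.invalid"},
    {"action": "outbound_post_unprompted", "dst": "collect.example.invalid"},
    {"action": "outbound_post_unprompted", "dst": "collect.example.invalid"},
]
VARIANT_B = [
    {"action": "process_start", "image_sha256": "constructed-hash-0002"},
    {"action": "hide_process"},
    {"action": "outbound_post_unprompted", "dst": "collect.example.invalid"},
    {"action": "browser_homepage_change", "detail": "search.example.invalid"},
    {"action": "registry_run_key_write", "detail": "autorun entry added"},
]
# A legitimate installer also persists and checks for updates, but stays below the limit.
BENIGN_INSTALLER = [
    {"action": "process_start", "image_sha256": "constructed-hash-0003"},
    {"action": "file_write", "detail": "program files copied"},
    {"action": "registry_run_key_write", "detail": "updater autorun entry"},
    {"action": "outbound_post_unprompted", "dst": "updates.example.com"},
]

if __name__ == "__main__":
    for name, trace in [("variant A", VARIANT_A), ("variant B", VARIANT_B),
                        ("installer", BENIGN_INSTALLER)]:
        print(name, classify(trace))
```

The installer case is deliberately close to the limit: with a threshold of 8 it is clean at a score of 6, but one more persistence or network action would tip it over. That sensitivity to where the limit is drawn is the source of the false positives and false negatives that section 9 attributes to behavior based detection.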
8.4 Reverse firewalls
Packet filtering techniques such as reverse firewalls are among the more recent methods used for tackling spyware. A reverse firewall prevents the host from connecting to unsafe locations [17]. This method works in two ways: first, it stops spyware from sending data back to its originator, and second, it can identify a spyware program if that program repeatedly tries to send data to an unsafe location. The open problem here is how to identify safe and unsafe locations by inspecting the packet.
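To show both functions of a reverse firewall side by side, here is an added Python sketch (not from the report or from any firewall product). It filters outbound packet metadata against a list of unsafe destinations and reports any program that keeps trying to reach them. The destination list, the reporting threshold, the process names and the packets are constructed for the example; the unsafe address block is the reserved documentation range 203.0.113.0/24, and the example sidesteps the question the paragraph ends on by taking the unsafe list as given rather than deriving it from packet contents.

```python
import ipaddress
from collections import defaultdict

# Constructed policy. Which destinations count as "unsafe" is the hard part the
# text points out; here the list is simply given (in practice it would come from
# a reputation feed or a local blocklist). 203.0.113.0/24 is a reserved
# documentation range, used here as the stand-in for an ad/collection network.
UNSAFE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
UNSAFE_HOSTS = {"collect.example.invalid", "ads.example.invalid"}
REPORT_AFTER = 3  # blocked attempts after which the program itself is reported


def is_unsafe(dst_host: str, dst_ip: str) -> bool:
    """Decide by destination name or address; the packet payload is not inspected."""
    if dst_host in UNSAFE_HOSTS:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in UNSAFE_NETWORKS)


class ReverseFirewall:
    """Outbound filter: blocks unsafe destinations and reports repeat offenders."""

    def __init__(self, report_after: int = REPORT_AFTER):
        self.report_after = report_after
        self.blocked = defaultdict(int)  # process name -> blocked attempts
        self.reported = set()

    def handle(self, packet: dict) -> str:
        """Return 'allow' or 'block' for one outbound packet."""
        if not is_unsafe(packet["dst_host"], packet["dst_ip"]):
            return "allow"
        proc = packet["process"]
        self.blocked[proc] += 1
        if self.blocked[proc] >= self.report_after:
            self.reported.add(proc)  # second function from the text: identify the program
        return "block"


# Constructed outbound packets (metadata only), in the order they leave the host.
PACKETS = [
    {"process": "browser.exe", "dst_host": "www.example.com", "dst_ip": "198.51.100.10"},
    {"process": "popper.exe", "dst_host": "collect.example.invalid", "dst_ip": "203.0.113.5"},
    {"process": "updater.exe", "dst_host": "updates.example.com", "dst_ip": "192.0.2.20"},
    {"process": "popper.exe", "dst_host": "collect.example.invalid", "dst_ip": "203.0.113.5"},
    {"process": "popper.exe", "dst_host": "collect.example.invalid", "dst_ip": "203.0.113.5"},
    {"process": "popper.exe", "dst_host": "cdn-9.unknown.invalid", "dst_ip": "203.0.113.9"},
]


def run(packets):
    """Apply the firewall to a packet list; returns (decisions, blocked counts, reported programs)."""
    fw = ReverseFirewall()
    decisions = [fw.handle(p) for p in packets]
    return decisions, dict(fw.blocked), sorted(fw.reported)


if __name__ == "__main__":
    decisions, blocked, reported = run(PACKETS)
    print(decisions)
    print("blocked attempts:", blocked)
    print("reported programs:", reported)
```

The last packet is blocked by address even though its hostname is unknown, which is why the filter checks both name and network; a name-only list is trivially bypassed by connecting to the address directly. Everything the filter knows comes from the destination lists, so the quality of those lists, not the inspection logic, decides how useful the reverse firewall is.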
8.5 EULA analyzers
Another recent technique is analyzing the EULA of the software you are about to install. Free software such as EULAlyzer [19] exists on the internet which will analyze the EULA for you. Most spyware vendors will include a description of the spyware in the EULA, but EULAs are often written in "legalese" and are so long, tedious and convoluted that they are hard for an ordinary computer user to understand. The EULA analyzer technique mines the EULAs of legitimate and suspicious software alike for traces of spyware and alerts the user even before the installation begins [4].
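As an added example of the mining step (written for this edit; it is not EULAlyzer's code, whose rule set is not reproduced here), the Python below splits a licence text into sentences and flags those matching a small catalogue of clause patterns for advertising, data collection, sharing with third parties and bundled software, then summarizes what the user would be shown before installing. The patterns and both licence excerpts are constructed for the example.

```python
import re

# Constructed phrase catalogue. EULAlyzer's own rules are not reproduced here;
# these regexes only illustrate the kind of clauses an analyzer looks for.
FLAG_PATTERNS = {
    "advertising": [
        r"\bdisplay(?:s|ing)? (?:pop-?up )?advertis(?:ements|ing)\b",
        r"\bthird[- ]party advertis\w+\b",
    ],
    "data_collection": [
        r"\bcollect(?:s|ing)? (?:personal|browsing|usage) (?:information|data|history)\b",
        r"\bmonitor(?:s|ing)? your (?:web )?browsing\b",
    ],
    "third_party_sharing": [
        r"\bshare[sd]?\b.{0,40}\bwith (?:our )?(?:partners|third parties)\b",
    ],
    "bundled_software": [
        r"\badditional (?:software|programs?)\b.{0,20}\b(?:will|may) be installed\b",
        r"\bbundled with\b",
    ],
}


def split_sentences(text: str) -> list:
    """Crude sentence splitter: break after '.' or ';' followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", text) if s.strip()]


def analyze_eula(text: str) -> list:
    """Return (category, sentence) pairs for every sentence that matches a flag pattern."""
    findings = []
    for sentence in split_sentences(text):
        for category, patterns in FLAG_PATTERNS.items():
            if any(re.search(p, sentence, re.IGNORECASE) for p in patterns):
                findings.append((category, sentence))
    return findings


def summarize(text: str) -> dict:
    """What an analyzer would show the user before installation proceeds."""
    findings = analyze_eula(text)
    return {"findings": len(findings), "categories": sorted({c for c, _ in findings})}


# Constructed EULA excerpts. The first reads like the licence of an ad-supported bundle.
SUSPICIOUS_EULA = (
    "This Agreement governs your use of the Software. "
    "By installing the Software you agree that it may display pop-up advertisements "
    "while you browse. "
    "The Software collects browsing information and may share it with our partners "
    "to improve ad relevance. "
    "Additional software programs may be installed together with the Software. "
    "You may uninstall the Software at any time."
)
CLEAN_EULA = (
    "This Agreement governs your use of the Software. "
    "The Software does not connect to the internet. "
    "You may uninstall it at any time."
)

if __name__ == "__main__":
    for category, sentence in analyze_eula(SUSPICIOUS_EULA):
        print(f"[{category}] {sentence}")
    print(summarize(SUSPICIOUS_EULA))
    print(summarize(CLEAN_EULA))
```

Reporting the matching sentence, not just a category, is what makes the tool useful against "legalese": the user sees the exact clause that grants consent to the behavior, which is the part a long licence buries. A phrase catalogue this small will of course miss clauses worded differently, so a real analyzer needs a much larger, regularly updated rule set.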
8.6 Real time protection
Antispyware which provides real time protection consists of memory resident programs. These programs integrate themselves with the operating system so that they can inspect each executable file before it is executed. If a file is found to be suspicious, its execution is prevented. Real time protection is thus a proactive approach compared to the other, traditional reactive approaches.
8.7 Antispyware suites
A new paradigm in the antispyware business is the antispyware suite. Spyware is constantly evolving and becoming more and more difficult to detect or manage. Thus there is a need to integrate a number of different detection and protection techniques which together are able to prevent, detect and remove spyware at various levels. One such suite is the eSoft complete antispyware solution [6]. The suite provides two levels of protection. The first level is the network level, and eSoft's network level antispyware is called Gateway antispyware. At this level the suite deals with spyware using methods such as intrusion prevention, signature matching and URL filtering. This prevents a great deal of spyware from entering the protected network. For the spyware which manages to bypass this level of security, there is a second level of protection called Desktop antispyware. The desktop antispyware provides real time protection by keeping a watch on memory and the registry; it also includes a centralized management and reporting component which is used to manage detected threats and keep protection up to date at all times. An explanatory figure is presented below.
Figure 4. eSoft's antispyware suite for enterprise [6]
9. New trends and the future of spyware
Spyware is constantly growing and evolving. From simple software for promoting ads, it has now grown into a serious security threat with financial motives behind it. A study by the Tel Aviv based Aladdin Knowledge Systems in 2005 found that as much as 70 percent of new virus and worm code also contained spyware components [3]. With time we will see more and more such integration of spyware with viruses and worms. Spybot W32 is a prototype of this kind of future virus/worm/spyware hybrid. The coming together of spyware and virus authors is perhaps the most troublesome aspect of the future for the antispyware industry. Recently a virus was in circulation which could disable Zone Alarm so that spyware could carry on doing its work without being interrupted. New age spyware such as the CoolWebSearch browser hijacker employs an update feature in much the same way as antispyware does, updating and mutating itself over time to evade detection. Mutating spyware is going to be the spyware of the future. Although behavior based detection techniques are able to catch it, these techniques are not perfect and generate too many false positives and negatives. Eventually they require human intervention to take a decision, and if the computer user is not aware and knowledgeable, such spyware can work unnoticed. We have seen how prolific spyware's growth has been in recent years. This becomes even more astonishing if we consider that there is no spyware toolkit, as there is for viruses. A spyware author therefore has to be a technically capable person. What will happen if such a toolkit is developed, and there is no reason to believe it won't be? Any person with malicious intent and little or no technical expertise will be able to write spyware. The spyware bomb is just waiting to explode, and if we are not ready and proactive we will be the ones who lose.
10. Conclusion
We started this report by looking at the history and origin of spyware. Then we discussed the specifics of present day spyware: its types, its mode of operation and how it affects a user. In the next couple of sections we covered how spyware is used to make money and the legal issues related to spyware. Towards the end we looked at some present day antispyware techniques before discussing the future of spyware.
As we saw from the statistics at the beginning of this report, spyware is growing tremendously and is affecting enterprises and personal users alike. One alarming aspect of this is that the worst is yet to come. Continuing the discussion at the end of the previous section, we are about to see a spyware boom, and protection against it is now becoming a necessity. To mitigate the threat that spyware poses, it needs to be attacked from as many fronts as possible at the same time. In the current scenario we have three different modes of attack and prevention: awareness, legal protection and antispyware protection. Let's go over these three one by one.