Adware and spyware – they may be as hard to define as they are to eradicate. But there’s one thing just about everyone can agree on: what started as a minor annoyance has ballooned into a full-blown corporate headache.

How big of a headache? According to the most recent edition of the Symantec Internet Security Threat Report, adware is a growing concern. Between January 1 and June 30, 2004, adware made up 4 percent of the top 50 malicious code reports to Symantec. Between July 1 and Dec. 31, it made up 5 percent of the top 50 reports. As for spyware, the most common program during the second half of 2004 was Webhancer, which alone represented 38 percent of the top 10 spyware programs reported.

This growing concern about adware and spyware has put enterprises at greater risk for decreased productivity, more help desk calls, loss of privacy, and potential legal liability. Analyst firm META Group estimates that cleaning infected clients can represent 20 percent or more of IT help desk efforts.

A 2005 Forrester Research Inc. survey of IT decision-makers found that 40 percent of respondents didn’t know how many systems in their organization were infected with spyware. Those who could measure the number of systems infected with spyware found that about 20 percent of systems were infected, and the number is growing rapidly.

Small wonder, then, that adware and spyware have surpassed spam and identity theft as the threats that security managers are most concerned about, according to Forrester. The research firm predicts that 65 percent of companies will either purchase or upgrade anti-spyware software this year, making it the most popular security technology of 2005.

Methods of Installation
Some organizations justify the use of adware as a way of providing services while lowering costs to customers. This is particularly true of software that is made available for users to download for free. These “freeware” programs usually require the user to agree to a EULA (end user license agreement). But some EULAs can be complicated and confusing – to the point that the user is unable or unwilling to read and understand the terms and conditions before agreeing to it. As a result, adware that is bundled with the desired software gets installed without the user’s knowledge.

Adware is also often installed through the user’s Web browser. This can be done through pop-up ads offering free software to download. The pop-up offers the user a choice of clicking “Yes” or “No” to accept or reject the offer. In reality, though, clicking anywhere on the ad results in the download of adware. Browser-installed adware may also be installed through ActiveX controls or browser helper objects (BHOs). BHOs can provide spyware with a wide range of functionality, including the ability to download program updates, or log and export confidential data. During the last six months of 2004, three of the top 10 reported spyware programs used BHOs.

Some adware programs hijack a user’s browser and redirect searches. A program may redirect a search by replacing the default search engine or by replacing “404 page not found” messages with internal search queries. This is not only misleading for the user but also represents a security risk, as the redirection may result in the user downloading malicious code from the new page. Five of the top 10 adware programs reported in the last six months of 2004 hijacked browsers. Spyware can also hijack browsers.

If users’ browsers are enabled to accept cookies and ActiveX files, as many are, unwanted code can be installed in the background without their permission or knowledge. Spyware also travels on fake messages telling users their systems need to be tuned up, or similar instant message screens that appear to be sent by a system administrator.

Keeping Trouble Out
Like viruses and worms, adware and spyware are moving targets, and enterprises can best protect themselves by deploying multiple defenses – at the desktop, the gateway, and across the enterprise – and by educating users on what behaviors will best keep the spies where they belong: out in the cold.   The most effective way to reduce risks from programs such as spyware and adware is to use a complete security solution that deals with a wide range of threats. In particular, enterprises need a solution that categorizes programs according to their functionality and allows them to choose an acceptable risk level. Integrated technologies (antivirus, firewall, and intrusion protection) should work together to provide defense in depth. For example, while an antivirus solution works to protect a system against spyware, a firewall allows an organization to create a list of recipients of personal information and to block unwanted advertisements. Furthermore, when a firewall detects that an application is trying to establish an outbound network communication (as a spyware program would to relay information to the outside world) it should automatically close the port and prevent the transmission.

Combating spyware and adware, like combating viruses and malicious code, requires a solid solution and a dedicated research and response mechanism to track new spyware risks and provide timely updates as the threat landscape evolves.

Other issues to consider: the number of spyware definitions supported by a particular solution, the process used for finding new spyware programs, and how the definitions are updated.

To strengthen their defenses, businesses should also consider implementing additional security precautions like securing encrypted Internet connections, implementing more restrictive Web browser settings, and disabling the acceptance of third party cookies.

In addition to the use of strong technologies, there are policy measures that can help organizations reduce their risks. For example, make sure that you know and trust the authenticity of any software before you download it and install it. Read the EULAs of software programs to make sure you know what you are getting, and make sure that you understand, and agree with, the program’s functionality. Examine EULAs carefully to make sure they are in agreement with your security policy. Also, as some spyware is installed using ActiveX controls, consider requiring a prompt for ActiveX to execute within Web browsers.

The Federal Trade Commission warns: “Before using a file-sharing program, you may want to buy software that can prevent the downloading of spyware or help detect it on your hard drive.”  Due to the breadth of security threats and risks, it is vital that organizations heed this warning and use security products that can not only deal with spyware and adware, but the entire breadth of Internet security threats.  Antivirus and firewall products allow users to protect themselves from malicious code such as viruses and Trojans, as well as expanded threats, which include spyware and adware.  

Summary
Spyware and adware infections have become a top concern for IT operations as well as security managers. While much of this code is benign, some is not. Even if a security risk isn’t present, cookies and pop-ups can cause significant performance and productivity problems. Enterprises are encouraged to follow the recommendations in this article to keep their systems properly “scrubbed.”  

Some Definitions