The evolving challenge of spyware
09 Oct 2007
Daniel Mothersdale, EMEA marketing director at Webroot Software, tells Data Centre Management that we need to be aware of the challenges ahead.
The lure of easy money is too powerful for today’s cyber criminals to pass up. Recent headlines describe countless security breaches at universities, businesses and government offices across the globe. Online perpetrators are paid handsomely to steal personal information such as social security numbers, credit card numbers, bank account numbers, user names and passwords. According to eWEEK magazine, hackers are now being paid up to £30,000 to find vulnerabilities in Microsoft’s new Vista operating system.
Spyware is becoming increasingly difficult to detect and remove. It is becoming more malicious and uses more advanced techniques, such as rootkits, Trojans and polymorphic code, to evade detection. Infections are more complex and dangerous once they take hold, scattering more registry and file entries across the machine, which makes removal harder. Finally, many pieces of spyware use watcher processes that monitor each other: if one component is removed, its partner restores it or downloads replacement components from the Internet. Deleting components one at a time therefore achieves little; every process in the set has to be stopped before any files are removed, or the machine has to be cleaned from outside the running system.
Spyware writers distribute their code through a variety of channels, including Web sites, e-mail, instant messaging services and bundling with freeware or shareware. Spyware can also reach a client through an inadvertent installation by the end user. For example, spyware writers bury the relevant disclosure in an overwhelmingly long End User License Agreement (EULA). Knowing that most users will not read its lengthy and ambiguous language, the developers "obtain" permission to install their spyware on the client machine.
Spyware and other unwanted programs often bypass traditional security defenses such as firewalls and other perimeter solutions, because their traffic is disguised as legitimate traffic on well-established ports.
Once installed on a system, most spyware applications disguise themselves as trusted programs and communicate freely with the Internet over TCP ports that are commonly left unprotected, which is why outbound (egress) filtering and host-level controls matter as much as inbound perimeter rules.
Spyware originated from adware programs that reported data about users’ surfing habits, without disclosure, so that targeted advertising could be displayed. From data gathering, the next evolution was hijackers: advertising companies redirected home pages and default search engines to specific sites to profit from pay-per-click advertising. As the financial incentives increased, the perpetrators and the organizations behind them became more creative and persistent in their methods. The spyware became harder to remove, the goal being to keep it on users’ machines and so keep earning revenue for these dishonest companies. Adware companies are fairly well known and easily located. The organizations behind the more malicious spyware, such as Trojans and system monitors, are well hidden and their activities are usually illegal.
For spyware, the first-stage payload is often a Trojan horse, which conceals the real, secondary payload. This Trojan downloads multiple pieces of spyware, or carries spyware bots (web robots that run automated tasks) used for spam, backdoors, or keyloggers that record user keystrokes. The reward for these spyware writers is financial, usually in the form of bank passwords and personal information such as social security numbers, credit card details, and Web site and e-mail usernames and passwords. “Trojans are very powerful and destructive. Malware writers can be paid up to £3,000 for each Trojan planted on a user’s PC,” Mothersdale explains.
The impact and cost of spyware to the business community is enormous. According to a recent crime survey, approximately 79% of all enterprise PCs in the U.K. are infected with some form of spyware.
According to the Radicati Group's 2006 report, the estimated cost of each infected workstation is $265 (based on IT services, downtime and re-imaging). For a business with fifty users, of whom 79% (roughly 40 machines) have a spyware infection, at $265 per workstation the company can expect to spend over $10,000 to clean all infected machines, and to do so for every incident of infection.
In a report recently published by Deloitte Touche Tohmatsu, over half of all companies doing business in the technology, media and telecommunications sectors have sustained data breaches that potentially exposed their intellectual property or customer information. Approximately one-third of those incidents directly resulted in financial losses. Although 74% of respondents said they expected to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9%. Fewer than 15% of those increasing their security budgets planned to do so by more than 20%.
High-profile data breaches at major corporations have largely eclipsed small business vulnerabilities. Yet a survey by the Small Business Technology Institute reports that more than half of all small businesses experienced a security breach in the last year. According to the study, nearly one-fifth of small businesses do not use virus-scanning software for e-mail, over 60% do not protect their wireless networks with encryption, and two-thirds do not have an information security plan. Small businesses, overall, make reactive purchasing decisions on information security, and usually buy products only after suffering a security incident.
In a study conducted by the Federal Reserve Bank of Philadelphia, it was determined that a typical phishing attack can cost a financial institution between $50 and $60 per compromised account, or $50,000 per attack. Financial institutions must also dedicate significant staff hours to taking down phishing sites, resetting legitimate users' passwords and installing software patches.
Spyware is becoming harder to detect and remove, while the programs themselves are becoming more dangerous and use advanced techniques to evade detection. In addition, once a machine is infected, the infection itself is now more complex. PC users need both anti-spyware and antivirus protection to guard against all forms of infection. “Because of the burgeoning nature of spyware and viruses, there will be an increasing need for anti-spyware and antivirus protection this year,” Mothersdale says. “Malware has, in many cases, become too complex for the average user to manually uninstall.”
While Microsoft is touting its new Vista operating system as “the most secure version of Windows yet,” security will still be an issue on the Windows OS. Though Microsoft claims that Vista will “protect your PC from spyware, viruses, and worms,” malware writers will continue to exploit vulnerabilities. Indeed, Microsoft itself has acknowledged security issues on Vista and has responded by setting up a Windows Vista Security Blog on its Web site. “With incentives reaching up to £30,000 to find security flaws, I think it would be wise for consumers and businesses alike to layer their security protection on top of Vista and to continue to use industry-leading, reputable anti-spyware and antivirus products. Vista may be the most secure version of Windows yet, but it does not serve as malware protection,” warns Mothersdale.

