Technology Review - Published By MIT

Spying on Spyware

Analysts say spyware writers are gaining the upper hand over computer security experts.

By Lamont Wood

Thursday, November 17, 2005

With an estimated 72 percent of PCs in homes now bogged down by an average of 24 spyware infections each, and with the number of websites disseminating spyware skyrocketing, the question arises: who's winning the war on spyware?

Indeed, the latest "State of Spyware" quarterly report released by Webroot Software, a security software firm in Boulder, CO (from which the figures above were taken) contains chilling news: the bad guys are now bringing up their big guns, so-called "rootkit" technology and "polymorphic" code. Both are being used more and more extensively in spyware, and most old-line anti-virus programs are helpless against them, claims Richard Stiennon, Webroot's vice president of threat research.

Spyware programs often exploit browser security holes to download themselves onto a user's hard drive, where they surreptitiously send back information about the user's Web-browsing habits. With rootkit technology, these files can make themselves invisible to the host computer's operating system, allowing spyware or virus files to take up residence deep within the machine and operate undetected.

Anti-virus programs that scan hard drives for malicious code aren't much help. Rootkit files "know when they are being scanned and stop doing anything," says industry analyst Rob Enderle, head of the Enderle Group in San Jose, CA. "They are incredibly dangerous, and operate at a level where the current generation of anti-malware products cannot operate."

The danger posed by rootkit technology was brought to the fore this month when a security expert discovered that Sony BMG Music Entertainment had placed rootkit files on as many as 20 popular music CDs, to keep them from being pirated by PC users. Sony has apologized and offered a fix -- but three examples of malicious software have already been found that took advantage of the rootkit files left on PCs by the Sony CDs, and several class action lawsuits are in the works.

Another virulent spyware tool, polymorphic software, uses multiple files with random names, so that each infection is unique, requiring a unique disinfectant. Your computer's operating system might spot one, but removing it manually won't solve the problem, since the infecting files monitor each other, and if one is removed the others summon a replacement from the Web.

"You have to understand which file to get rid of first -- it's like grabbing the tail of a snake," Stiennon says. But the main problem is that scanning for the dozen or so infection routes used by most older viruses no longer works, he says.

Comments

  • Vista won't solve the problem
    The problem with Vista is the huge number of PCs that will not be upgraded, just like all the W2k and W98 systems out there still whose owners are clueless about what their machines are doing.  Even if Vista is as good as Enderle thinks and Microsoft promises, malware exploits will get worse before the installed base upgrades fully.  So far, Mac OS X is a still safer choice for companies and individuals and a better choice for all internet users.
    Guest (Stephen Keese)
    11/18/2005
    Posts:1
    • Use Linux
      ... and be safe.
      Guest (RB)
      12/01/2005
      Posts:1

MIT Massachusetts Institute of Technology © 2009 Technology Review. All Rights Reserved.