In Depth
Drive-By Spyware
An academic study finds that Internet Explorer needs to take a note from Firefox to help stop spyware.
By Simson Garfinkel
June 01, 2006 — CSO —
Earlier this year researchers at the University of Washington published an important study of spyware on the Internet based on their analysis of 40 million webpages. The study is important for CSOs because it shows not just the magnitude of the spyware problem but also the specific kinds of behavior on the part of users that result in these devilish programs being installed on their computers. And it illustrates a significant difference in the security levels provided by Microsoft's Internet Explorer browser and Mozilla Firefox.
Spyware today is generally malicious software that exists for the sole purpose of leaking confidential information from a victim's computer to an outside organization. Some spyware merely shows pop-up advertisements or collects marketing demographics that are reported back to a central clearinghouse. Makers of this software bristle at the label of "spyware," preferring the demure term "adware" instead. Other programs capture every keystroke and mouse click, periodically uploading the data to hijacked servers controlled by shadowy hacker organizations. The keystrokes are typically used for collecting passwords and other information useful for fraud and theft. The most malicious spyware allows a computer to be remotely controlled over the Internet. These programs have been used to penetrate corporate networks and are implicated in some large-scale thefts of financial information.
Titled "A Crawler-Based Study of Spyware on the Web" and published this February at the Annual Network and Distributed System Security Symposium in San Diego, the University of Washington (UW) study used a cluster of 10 dual-processor Pentium 4 computers running a total of 40 virtual machines to crawl over 2,500 websites. The researchers started by doing searches on Google for specific keywords. They took the list of resulting URLs and explored every link on every page, to a maximum depth of three clicks.
The crawling computers were set to download and run any executable program encountered on the webpages. The researchers then scanned the computers with Lavasoft's AdAware, which was configured to report only actual spyware, excluding cookies or hostile entries in the computer's registry. After a machine was infected and then scanned with AdAware, it would automatically reload a "clean" virtual machine and start crawling the Web again. According to the authors, it took on average 92 seconds to create a clean virtual machine, install an executable, and perform an AdAware sweep. In other words, each Web-crawling virtual machine was infected with another spyware program roughly every minute and a half.




