Spyware on One in Twenty Computers?

SpaceDonkey writes "New Scientist reports that researchers at the University of Washington carried out a scan of the campus network for signs of spyware. They found spyware lurking on more than one in 20 machines and also discovered a serious vulnerability in two of the four spyware programs they looked for."

Spyware flaw

[guacamolefoo]

The flaw that they detected was undoubtedly that the spyware could be detected. Duh.

Re:Spyware flaw

[gid13]

Funny, but makes you wonder how much was there that they didn't detect. And as much as I love Spybot S&D and to a lesser extent Ad-Aware, I wonder how much they miss.

Re:Spyware flaw

[OECD]

It's not exactly a representative group, is it?

New Scientist reports that researchers at the University of Washington carried out a scan of the campus network...

The same researchers noted that 90% of all computers have an inordinate number of "Phish" MP3s.

Re:Spyware flaw

[Chess_the_cat]

That's why I believe this 1-20 number. This is a relatively closed system monitored by an administrator and most likely governed by a usage policy. Perform the same study on machines found in copy shops or in homes and I'm sure the results would be quite different.

Re:Spyware flaw

[Erratio]

I'd think the number would probably remain about the same (at least relatively). Pretty much every computer I look at now has been slowed down by Spyware/Adware, so it seemed low to me initially, but these are also all computers for people who are using Kazaa and other programs they download on the Internet. Virtually all of those people will be infected (except for the few who know better), but also considering business users and people who use the Internet little or not at all (or don't download programs) the number is lowered. Not to mention people that don't run Windows. The number's probably higher in college environments but relatively similar all things considered.

Re:Spyware flaw

[glk572]

Way more than one in twenty. I would conceder my parents to be typical home users. I visit them every couple months, and when I do I give their computers a check up, part of this is running ad aware, and every time I do I find something. Last time I checked my mom's pc I found over 200 items, from almost a dozen pieces of spyware. She had so much crap that she had actually stopped using her computer because of all the pop ups. I'm usually pretty cautious, but will occasionally find spyware on my system, even though I have an antivirus that supposedly block's it.

If I were to guess at a number I would say that at any given moment that more than half of home computers running windows have some kind of spyware/adware running. This comes from helping out many friends with spyware related problems.

UW found so few instances because I'm sure that they limit users? ability to install software on their lab computers. As for dorm computers, many types of spyware can't be detected by a port scan, the only way to pick them up would be through a carnivore type system, even then not all of them would be found.

The only way to stop spyware is to start prosecuting the companies who make it; it should be pretty easy under one of the laws for protecting children on the internet. After all if opening popup windows advertising porn with every page load isn?t illegal under these laws what is?

Re:Spyware flaw

[cens0r]

Of course this wasn't home users. This was computers on their network. I'm sure some of these computers could be classified as 'home computer', but most are probably much more business like and under strict suppervision. There are probably 100 computers at my company and non have spy ware.

Re:Spyware flaw

[nemesisj]

This has been pretty much my experience as well. I've found that every computer I've used which belonged to a home user/college student in the last year was ridden with spyware.

Girls seem to average around 250-350 infections, while guys tend to be around 150-250. This is anecdotal for sure, but it's what I've observed. Draw your own conclusions.

I've found that the best solution is to switch users to Mozilla-Firefox (most spyware automatically infects default installs of IE just by visiting the page),

Re:Spyware flaw

[glk572]

I forgot to mention that my dad runs spy sweeper on his system, he bought it from a pop up add from a piece of adware, I just couldn't believe that. The software as far as I can tell doesn't do a thing.

Re:Spyware flaw

[SpaceLifeForm]

1 out of 20 is good. Possibly indicates that most of the machines on the network they scanned are *NOT* running MS Windows.

Re:Spyware flaw

[rixstep]

Something too many seem to find too easy to forget: there's a big world out there outside that Microsoft window...

A. Most Unix systems won't get infected and cannot be infected. Not only is it more difficult, the spyware perps write this stuff specifically for Windows.

B. There would seem to be an assumption here that 'all computers (in the world) run Microsoft Windows'.

C. Ad-aware does as well as an automated tool can do (hopefully), but it cannot kill the latest spyware variant, the automatic cloning program. These programs are scheduled to make multiple copies of themselves with different names and be deposited in different directories and then look out for each other. Should any one of them disappear, the others will quickly clone and replace the missing file and launch it again. Further, they incessantly monitor Windows Registry activity, and as soon as their 'autostart' (in one of the 'Run' keys) is removed, they will immediately replace it. As Ad-aware cannot deal with spyware that fights back like this, Ad-aware cannot defeat them.

D. A better estimate is not that one in ten Microsoft Windows computers is infected, but that a greater number are infected perhaps tens of times with thirty - forty spyware programs all competing for CPU. We recently had a customer completely oblivious to the issue until his XP idled at 100% CPU - that's how bad it becomes, through Windows being so easily exploitable, and through the average Windows Joe being so clueless.

Re:Spyware flaw

[ball-lightning]

C. Ad-aware does as well as an automated tool can do (hopefully), but it cannot kill the latest spyware variant, the automatic cloning program. These programs are scheduled to make multiple copies of themselves with different names and be deposited in different directories and then look out for each other. Should any one of them disappear, the others will quickly clone and replace the missing file and launch it again. Further, they incessantly monitor Windows Registry activity, and as soon as their 'autostart' (in one of the 'Run' keys) is removed, they will immediately replace it. As Ad-aware cannot deal with spyware that fights back like this, Ad-aware cannot defeat them.


Dear god, I came across this a month ago, last time I cleaned out my parent's computer. I have never seen anything fight back like that in my life. Also, windows programs like msconfig, and notepad were over-written by some program (couldn't determinei what it was) that seemed to reinfect the computer. Really nasty stuff. I did manage to get it all off, but of course I check a week later and theres tons of spyware back on it *sigh*. Luckily not the same stuff though.

there's a difference?

[NumbThumb]

Educating users and fighting windmills feel about the same to me...

Oh, wait... windmills at least do not say "but i didn't *do* anything! really!"...

Spyware? You mean data collection?

[Anonymous Coward]

Cookies are spyware.

Dont accept cookies. Ever.

That is all.

Re:Spyware? You mean data collection?

[Phroggy]

Reference [microsoft.com]

Bad spyware, bad

[fm6]

Well, if spyware ever gets any good at hiding, your joke will be for real -- and we'd all be in big trouble. Truth is, spyware is never all that sophisticated. That's half the problem: if spyware did what it was supposed to and just spied on you without drawing attention to itself, people wouldn't be so nearly pissed off. Yeah, they'd hate losing their privacy, but not half as badly as they hate having their computers crash.

When they say "defective", they mean that the spyware is crap programming. Which is hardly suprising. People who distributespyware are the same kind of idiots who are responsible for most spam. It's a kind of spam, really, since it's a way of indiscriminately spreading information. The information itself, whether it's a blurb for some penis enlargment nostrum or a piece of buggy code that generates useless statistics about what sites you visit, is basically useless. How do make money distributing something that's useless? You distribute a lot!

Excuse me for speaking the obvious

[JoeBaldwin]

But isn't the spyware in and of itself the vulnerability?

Damn, people need to get tough on this shit.

Re:Excuse me for speaking the obvious

[Syrrh]

Damn, people need to get tough on this shit.

That's really it.

Why the hell are antivirus companies so reluctant to add anti-spyware functions? I mean, boo-hoo that Gator got so upset when they were accused of making spyware, but calling it anything less than a trojan is a lie.

Firewall products have been offering popup stoppers and activity reporting for a while now. It's really time for the AV publishers to step up and do their part by keeping these things from getting a foothold. It's not like they can get in any legal trouble for blocking someone's program, since it's up to the user whether they trust McAfee or HotBar more.

Re:Excuse me for speaking the obvious

[Vancorps]

Here here, how Mcafee has survived this long I will never know. Norton Corporate Edition is by far and away the best but of course it costs money and does indeed block a lot of spyware as well.

Personally I'd say stop blaming AV companies for this problem and start teaching people that they don't need Admin rights for everyday activities. I have an install user for my parents and a backup admin account for myself. Parents always use their accounts that are locked down and after six months all it had for spy

Re:Excuse me for speaking the obvious

[hackstraw]

But isn't the spyware in and of itself the vulnerability?

Nah, AFAIK spyware only runs on Windows and its no big deal to run arbitrary code or programs on those systems.

The funny thing is that if the system came with yet another little program that hangs out by the clock (the tray or something like that) that showed CPU utilization, maybe, just maybe the user might have a clue that _something_ is going on.

My first experience with spyware was the other day when a friend came over with his (windows) laptop and I wanted to scp a file from it to my Mac. He didn't have scp so I typed in google: "putty scp", and assumed that google would do the rest. Well, I noticed a popunder (Internet Exploder still does that) the results were sleezy sounding results like: YEAH DOWNOAD SCP HERE! Or whatever. None of the results looked like normal web sites.

I could not click on a single link, I was freaked out that this was on my network, he didn't seem to concerned though. He thought it was time to reinstall windows anyway.

Type

[GabeK]

Isn't that supposed to be 1 in 20 WITHOUT spyware?

Re:Type

[spikev]

Yeah, because it's about 1 in 20 that don't run windows.

Re:Type

[gid13]

Upon reading the article, it says that they only tested for 4 specific programs: Gator, Cydoor, SaveNow, and eZula. And got 5.1% positives. So yeah, you're probably right.

Re:Type

[_Sharp'r_]

I routinely see over 10% of windows users show up with spyware on my anti-spyware [booksunderreview.com] page, and that's just what can be detected with a simple javascript utility over the web, so the actual total must be even higher than that.

Re:Type

[miu]

For technical reasons, the automatic-detection feature on this web page can only work with IE/Win, with "Active scripting" and "Run ActiveX controls" enabled.

10% seems very low, since your script can only diagnose users who allow ActiveX and scripting from the public internet I'd expect 50%+ of such users to be infected.

Re:Type

[Anonymous Coward]

The truly scary thing is they don't care. The also have about 40 programs running on their systray, so it takes 15 minutes for their insanely fast computer to boot up, and its swapping out to disk constantly despite the fact they have 512 meg of ram!

I've noticed certain people will complain and tinker with their computer all the time, no matter how well it is currently running. Most others will just *ACCEPT* popups, spam, spyware, crashing, viruses, and so forth. I have called people to let them know they have a worm (but i call it a virus for them, so they dont get confused), their computer is constantly spamming everybody with virus laden email, blah blah blah. Sometimes they say "So?" These people should not own computers. Hell, they should not be allowed to reproduce

Spyware replication

[Via_Patrino]

I've seen an University which the system image they made, and use to install in all computers, was infected with a spyware (from a file archiver I think).

So, the whole labs (120 computers) were running spyware in the background. Nice.

What can one expect?

[agoliveira]

Joe User just does not know and/or just don't care what happens inside their computer.
A few un-ethical, a few security holes and there you have it.

Insightful my ass.

[RatBastard]

It's not that Joe Average doesn't care, he/she doesn't know he/she should care! They trust their computer. The idea that malware can hijack their systems is alien to them. The fault is not the end user. The fault is with MicroSoft's default security settings leaving thier PCs as wide open as Goaste.Cx's bunghole, along with sinking Internet Explorer's tenticles deep into the core of the OS.

Simply setting IE to not autoinstall software over the net, or REQUIRING an Administrator password to install said

Ad-Aware

[amembleton]

Download yourself a free copy of Ad-Aware from here [lavasoftusa.com]. I ran it on my computer the other day and it found 22 infected files, that it cleaned up for me :)

Re:Ad-Aware

[Anonymous Coward]

On top of Ad-Aware, I recommend using Spybot S&D as well. It can be grabbed from download.com (careful, there are a lot of software packages that have a name very close to Spybot Search & Destroy). It's best to use both, I always like to have a second opinion before I actually tell either program to start deleting.

Anyway, both of these programs have their downsides. Neither is perfect, and often removing 'spyware' from apps cripples the apps. Spybot S&D has a bad habit of finding spyware in

Re:Ad-Aware

[thebes]

For having a /. ID of 411990 indicating that you've been around for a while, 22 seems a bit high :P

Re:Ad-Aware

[amembleton]

Yes, it is high but this also included a lot of cookies. There was one actuall program, which was a bit worrying. I've never ran it before though, I always felt that I was sensible enough not to get infected, but obviously I was wrong. Its been over a year since I last re-formatted my HDD so one dodgy app isn't too bad.

Re:Ad-Aware

[StrawberryFrog]

it found 22 infected files

Ad-Aware finds tracking cookies as well. While this is good, and I am glad to let Ad-aware remove them, a statement of "22 files" can be misleading as this program will show both spyware .exe's and cookies in one list.

Spybot

[The Tyro]

is the absolute bomb... [kolla.de]

Note the paypal link... throw the author a few bones; it's a great program.

File count.

[Deathlizard]

22 Infected files is pretty low in my opinion. You run a pretty tight ship on your box.

We have to clean spyware off of student PC's on campus since it screws up internet connections and F-Secure goes nuts to the point where it wont talk to the server anymore.

So far, the Ad-Aware record is 17039 from a student that had a spyware app that put 19000 internet shortcuts in her favorites directory. Number two is 1973 and number Three is 1058.

Re:Ad-Aware

[amembleton]

Not sure if this is the norm, but a fresh XP SP1 install followed by installing Spybot S&D from CD normally yields at least 10 problems. This is before the computer has been online.

What do they count as spyware?

Windows XP

Re:Ad-Aware

[ethx1]

I believe that windows media player 9 series comes with spyware that Ad-Aware detects. This is after specifically telling WMP not to send any data back to Microsoft.

I know WMP 9 is not part of a freshly installed XP, but I just thought I'd point it out. ;)

Re:Ad-Aware

[lobsterGun]

You could always run spybot search and destroy after you run ad aware...

and then run ad aware again to see if spybot installed any back doors.

Re:Ad-Aware

[swb]

I ran into a spyware application on a colleague's computer that:

1) Wasn't detected by the newest AdAware+Definitions
2) Had a randomly named .exe process listed in task manager that, when terminated, caused ANOTHER one to be launched.
3) Had a start\run\ registry key that when deleted, got re-created automatically.

I think what I did to fix it was to rename the registry key instead of deleting it, reboot, and then the app wasn't active. It was a challenge, though -- whoever wrote it did an excellent job of avoiding spyware detection and even manual deletion by randomizing the .EXE and monitoring the registry and process list.

Re:Ad-Aware

[Shadwhawk]

My dad had something like that on his computer.
Pain in the ass to get rid of. W2k was so unstable it wouldn't even boot in safe mode.
I finally wound up booting off a Knoppix CD and removing the executables.

Heh

[niko9]

No mention of the computer OS or archs.

Nice.

One in Twenty?

[Illserve]

I don't what their definition of spyware is, but I'd be amazed if it was fewer than one in three.

I would have guessed one in two.

That seems like a low percentage

[Lotek]

I'm a tech for a medium sized publishing company, and I find that the first thing I do when I get complaints of slowness and random unexplained crashes is to run spybot. In roughly half of the systems I check, I can find some kind of spyware.

Re:That seems like a low percentage

[wfberg]

Here's a quick test. Ask the user if they've ever heard of SpyBot or AdAware. If the answer is unsatisfactory, they've got spyware. That includes your mom.

5% is WAY low. Even I got infected (an app on tucows was listed as freeware, but turned out to be ad/spyware), even if you don't coun't cookies and GUIDs..

Did I mention that AOL Instant Messenger now comes with spyware? That re-installs itself? And adds "free.aol.com" to IE's "trusted zone" so new stuff installs *without a prompt or warning*.

Only one in twenty?

[DarkFencer]

Going by my former help desk experience at a college, and by experience with friends and families computers I'd expect three in twenty would be more accurate.

Though I tell people when I fix their computers from spyware, that I will do it once, put Spybot on their computers, along with Mozilla Phoe^H^H Fireb^H^H Firefox on their computers.

If they get more spyware from using IE over Firefox, then I'll charge them to take it out next time.

Re:Only one in twenty?

[Fnkmaster]

Three in twenty? Are you nuts? It's a heck of a lot higher than that. I'm away from home for a few weeks, I come back and discover my roommate's girlfriend used my computer - guess what? Spyware. Roommmate complains IE is behaving strangely - what do ya know, spyware. Mom's computer is running slow again a few weeks ago - spyware (strike two, now she has been taught to use AdAware for herself).

In business environments where people's computers are locked down or there are policies against installing software yourself, the rates are much lower. But in the general university/home/small business user community, I'm more surprised when I find that somebody is aware enough to NOT have spyware than when they do.

The Number

[krmt]

If that really is an accurate figure, then things are really improving. I, for one, hope so.

Insidiousness

[Klatoo55]

Most spyware remains undetected because it makes copies and backups of itself that are near to invisible. Although spyware is easily visible on 1 in 20, it is probably present in some form on almost every computer with an internet connection.

And this just in

[ferralis]

In a totally unrelated story, it appears that at least 4 out of every 50 computer users surveyed have had an encounter with "spam" emails in the last two years.

Stay tuned for the next ground-breaking story about the near 100% mortality rate suffered by humans and animals exposed to di-hydrogen monoxide!

Re:And this just in

[_Sharp'r_]

Yeah, 87% of statistics aren't actually accurate.

Spyware Inc Press Release:

[CajunArson]

We here at Spyware Inc are deeply troubled that
nearly 95% of all computers DON'T have Spyware!
To help capture a greater market, our newest
service will automatically install Perl(tm) spyware on any host posting to Slashdot, and even make it open source [slashcode.com]
We think OSS spyware is the future!

(Yes... this IS a joke)

Were the other 19 turned off?

[Rahga]

I'm sorry, but that number is way too low.... I'm in a bit of a hospital/nursing town, and I'd say that at least half of the nurses-in-training I know have experimented with Kazaa and other music piracy services, and are usually loaded down with 5 to 10 bad (at least gator-level) spyware installs.
The only thing that has infected that "community" around here worse would be smoking habits.

Statistics suspect

[El]

You can't extrapolate from a University network to the general community. Half the computers out there are in businesses, and most don't run any software not installed by the business. Oh, and if the spyware can be detected by scanning, it can be blocked by a firewall. Want to bet most competent IT departments have already configured their firewalls to do this? So really this is only a problem for naive home users. Even then, if there are ISPs out there that will automatically filter porn for customers, shouldn't there be ISPs that will automatically filter spyware connections?

1 : 1

[JediDan]

If you run windows there are registry keys used to track your usage of windows media player (unless you remove them) thus, the ratio is a lot closer to 1 : 1 of every windows computer out there, more so with more recent windows OSes.
It's not the only program either, use a firewall and don't install software that you don't need.

Re:1 : 1

[LostCluster]

Yeah, but that's like saying that IE's history file creates an unsecured log of where you've been unless you clear it or disable it. It's not spyware until something tries to send that log outward...

Mcafee, Norton, Hello?

[psbrogna]

I don't see these as functionally any different than viruses and think that the a/v s/w vendors are ignoring their responsibilities. Like I need yet another f*cking piece of defensive s/w.

Re:Mcafee, Norton, Hello?

[LostCluster]

No, they're not ignoring their responsiblities, but they both subscribe to a tight definition of "virus" that requires self replication. Malware distributed by a voluntary download or a tricky question posed by a website doesn't count, so you have to buy another product from them to get their anti-spyware solution.

We really should have one bad program scanner to rule them all, and I'm starting to notice that AdAware is starting to define the major worms and viruses as something their program can clean up.

Suggestions

[Anonymous Coward]

Windows can be secure. Some suggestions:

• Use Firefox [mozilla.org]. No need to worry about ActiveX spybars.
  
  
• Get AVG Anti-virus [grisoft.com]. Keeps out the trojans and viruses.
  
  
• Use Ad-aware [lavasoftusa.com]. Say goodbye to malware.
  
  
• Above all else, use a personal firewall. You won't have to worry about programs calling home without your permission.

Re:Suggestions

[Alcimedes]

My Windows copy is VERY secure. It's sitting right in the fireproof software safe I put it in two years ago when I started using OSX.

Since then I haven't had ONE spyware problem! Amazing!

More like 1 in 2

[KenFury]

Having worked at a PC repair store. I would say that 50% of the systems we seehave spyware of one sort or another installed. The real problem are one such as new.net and browser hijack spyware that requires a reinstall of TCP/IP including recreating the winsock files in the registry.

It amazes me that the same people comback again and again. We have one customer who every six to eight weeks comes in complaining that her system is slow. Volia! 500 or more spyware items. Apparently she does not mind paying 50 bucks.

We also do work for a mortgage house that get this installed and wonders why their customers get so much spam for competing mortgage companies after they email the customer. :) We explain and explain but apparently they like comet cursor and bargin buddy more.

Oh well, spyware and virii are keeping us in business.

Installing a local firewall is a good idea.

[LemonFire]

Installing a local firewall is one way to deal with spyware. I recently discovered that some freeware that all my co-workers had installed tried to dial out. Since I was running Sygate Personal Firewall (there are others) I was notified that the application wanted to dial home. After some research regarding this software I discovered that it was only trying to send out my registry file and my IP address. :-\
There's a lot of software out there that tries to dial home and any local firewall that is application aware is helpful when it comes to notify you about what's going on on your computer.

Re:Installing a local firewall is a good idea.

[SmackCrackandPot]

That's interesting ... I've got a PC in our lab, which recently had a new graphics card installed. The bizarre thing was that everytime any user logged in onto this machine, it would briefly ftp and http to their web site under the guise of the "idle process". I only found this out after running "netstat -a -o" as soon as I logged in, in order to check out what ports were open. Virus/trojan scanners didn't find anything. Neither did the local or department firewall.

After sending an E-mail to the company

I'm not surprised.

[Bistronaut]

I would say that the 20% number is way lower than what you'd find on cross-section of average home users' computers. I'll bet that they only came up with 20% because:

• University students and staff are probably more computer-savvy than the general population.
• They were only searching for four of the who-knows-how-many spyware programs out there.

If you're running Windows, you should have Spybot Search and Destroy and Ad-Aware. Not to mention a virus scanner and firewall. And run Windows Update for goodness' sake! Just more proof that Windows isn't ready for the average user yet. (Sorry, had to get a cheap jibe in there. :-)

Recommendation ?

[supertsaar]

From the article :

"...Gribble says. "We do expect that companies can and should use tools to scan their networks...."

Would't it be much simpler if companies just dissallowed their employees to install applications on their machines?
Allowing users to download & install 'anything' poses problems way beyond spyware.

More like 25% where I work...

[willith]

We use the Altiris [altiris.com] Notification Server product to track spyware at my job. I compiled a list of about 100 "worst offenders" from sites like doxdesk.com, and cast the net out to see where we stand.

Out of ~3,000 computers, ~750 of them came back with at least one positive. And that's just looking for about 100 known spyware apps based on the presence of a known-bad .EXE or .DLL or Add/Remove Programs entry.

That's a lot of fucking spyware.

Spyware is in everything now

[mrshowtime]

I cannot believe how many new programs are coming with spyware now. Worst yet, the spywares are not just cookie trackers, but keyloggers and much worse. Even some games install a scanner to scan your hd for any "virtual drives" and will not load the game if any are detected.

College Dorms

[Bryan Gividen]

I live on campus at Brigham Young University. Between me and the 40 other guys on my floor, I'd say about everyone has experienced Spyware, but everyone has removed it just with a little help from someone mentioning Ad Aware to them.

Really, Spyware is like the 8th deadly sin, spread the word and help people get Ad-Aware on their computer.

(As an aftertroll thougt, I should say this. I find it funny that /.ers will admit that tons of people don't know about Spyware and what not, showing their ignorance towards computers, but are still angered by things like Clippy the MS icon who helps people with Office and with the simplicity of Windows XP.)

Spyware is out of control

[ericandgina]

I work for a small ISP in the middle of nowhere. Often, we will offer our customers the oppritunity to bring their towers into our office if they so choose to fix a problem. For every computer that comes into our office, both Spybot and Adaware is run, and in almost every computer, I'd say about 90%, there is spyware. It really is completely out of control, as there have been computers with upwards of 500 items found between the two programs. 1 in 20 is a major understatement IMHO. I would have to say that out of the people I talk to, it's probably more like 4 out of 5. And then when the problem is Spyware, I say "Looks like you have spyware." And then they go, "What's spyware?"

Microsoft needs to fix their ActiveX problems. I usually tell people to run Firefox now days.

So easy to get onto college kids machines

[LostCluster]

AllAdvantage.com discovered this back in the late 90s. College students gladly downloaded a program that provides them no function, displays an ad bar, and has a TOS that says that their unused clock cycles can be sold to distributed computing projects, in exchange for a promise of a small payment.

Kazza is proving that you don't even need to promise the small payment to bundle the spyware, just free access to a P2P network which has a lot of copyrighted content (that it doesn't have license to have) on it.

The average college student is not majoring in tech. They don't understand what they're giving up when they run a service without understanding what it does. User education is not as good as it needs to be.

Only 1 in 20?!

[pimpin apollo]

Are you kidding? I work troubleshooting computers on a major college campus and I'd say there's some form of spy/adware on at least 90% of the machines I see. Dorms are by far the worst. Even people who are more adept than the average user seem to get it. Usually they call because their "computer is slow." I can't imagine how many people buy new computers because their old computer has "gotten slower."

Also, no one seems to realize they have to update adaware or spybot. They're using definitions from August and wonder why they're still getting popups. They usually conclude "the program just isn't very good." The same thing goes for virus scanners too.

Anybody who's designing a new system, whether security or UI, should spend a day looking at how most people use their computers. If you haven't, you might be surprised.

Microsoft Solution

[ch-chuck]

Microsoft proposes that their own customer data collection layer (CDCL) be installed automatically with every copy of Windows. Then any software firm that wants to collect user data will have to pay a fee for it. There. Problem solved.

Study Flaw

[DynaSoar]

At least in terms of the conclusion drawn: "One in twenty computers with an internet connection may be harbouring unwanted "spyware" programs..."

Their sample was computers at a college. You've got a highly wired place with people using them for all sorts of things, and comparatively little training on what and what not to do. Plus you've got younger users, many of which aren't old enough yet to not know everything, and feel free to ignore the warnings and admonishments (mark it flamebait if you like; I've taught such people and run a computerized lab. I know what they do and how they think, and so did I back then). Plus, you've got installs and re-installs (the common fix for everything Windozish) often being done by student workers with as comprehensive training in system security as they have in nuclear reactor operations.

How about a major ISP asking customers to allow them to scan for them? How about running a similar study on a large corporate system where downloading and installing external software is far more likely to be noticed, and results in far more than "Geez, we told you not to".

Biased sample, bad result. It may be right, but without better data, it's still bad.

Re:Study Flaw

[lrucker]

You've got a highly wired place with people using them for all sorts of things, and comparatively little training on what and what not to do.

That also describes most sales & marketing departments, even at high-tech companies.

Re:Study Flaw

[El Volio]

You've got a highly wired place with people using them for all sorts of things, and comparatively little training on what and what not to do. Plus you've got younger users, many of which aren't old enough yet to not know everything, and feel free to ignore the warnings and admonishments...

That sounds like a pretty common representation of the average user to me. Although many users outside of education may not be "younger", many of the characteristics hold. In fact, I would say such a user might even be more common than locked-down corporate environments. And if a major ISP ever were able to do such a scan on their customer's hosts, it wouldn't be much different.

Is that a "biased" sample? Depends on what population you're comparing against. If you're extrapolating to corporate environments, then systematic differences from the true mean may very well exist. But if you're comparing against the population of all Internet users a potentially far more interesting and useful population to study, though more difficult as well then the bias is more difficult to measure.

What OSs were profiled?

[butane_bob2003]

The article makes no mention of the operating systems profiled, just the spyware programs that were listened for (Gator, Cydoor, SaveNow, eZula). AFAIK, all of these are Windows native and would not be found on machines that are not running Windows and IE.

Windows itself is not fully to blame for the abundance of spyware and viruses on the internet, but it's generally the people who use Windows that allow viruses to propagate and make spyware feasible due to their ignorance of their own working environment.
If operating systems are to become more transparent, user friendly and powerful, the problems of spyware and viruses will have to be dealt with decisively.
The average Windows user has no idea that there are malicious TSRs lurking in the corners, doing whatever they please. They don't have fine grained control or access to processes, because Windows assumes (correctly) they would not know what to do with that level of control. Operating systems are complex enough without badly implemented security policies, threading models, filesystems and applications, the cruft of years of application and user backwards compatibility making them worse. I don't know if Windows will get a re-write on the level that Mac OS did. It was very important for Apple to move forward and leave the old OS behind, it's way past time for Windows to follow suit. Spyware and viruses could be eliminated if the user was aware of EVERYTHING the machine was doing. Don't give applications a way to hide, and they won't be able to.

Federal Trade Commission

[enforcer999]

Speaking of spyware, the Federal Trade Commission [ftc.gov] is offering a workshop on spyware that needs comments. I think it would be highly appreciated if some of you guys would comment.

More than 1:20

[macdaddy]

I'm sure of it. I contend that almost every single user that users IE has fell victim to a drive by spyware install. I cleansed a Win98 box back around New Years for a friend of the family. That machine had more pieces of spyware than you could shake a digital stick at. Adaware detected 873 items to remove (bad cookies, binaries, etc). I shit you not. 873. Their machine was running slower than a 486 I once had that had Win95 loaded on it (oh my god it was awful). Spyware was stepping on the feet of other pieces of spyware. Xupiter, Gator, you name it, it was there. Their machine was only a couple years old and had been freshly reloaded (HD crash) less than a year before. This is a fairly educated family of two teachers, a high school-aged son (doesn't use the computer much), and a very small daughter (not old enough to use the computer). They can't stand a better chance of getting infiltrated any more than any other typical Windows user. If they had it that bad imagine what other people have on their machines. 1:20 seems extremely low to me. I'd rather believe 19:20 are infected/infiltrated.

Re:More than 1:20

[Perianwyr Stormcrow]

No kidding.

One fellow I did some work for had hundreds of spyware programs on his machine, as well as a ridiculous pile of browser hijacks for porn sites. He said he lived in fear of the day that he'd be showing something to a client and the machine would begin spewing advertisements for hot asian teen cunts...

Everyone ready to make a "1 in 20?" comment.. RTFA

[BillX]

Ah....for all of you who are going to continue jumping in with "1 in 20? more like 1 in 1..." without reading the article...

The "1 in 20" figure the researchers got was not from scanning the HDDs with Spybot/AdAware/etc....they sniffed for known packets from FOUR of the significantly [spywareguide.com] more [doxdesk.com] than [cexx.org] four [pestpatrol.com] known malwares.

So, to be detected at all, the machines had to be running and the spyware loaded and actively broadcasting packets during the sampling period. Given this lack of an exhaustive check, the 1 in 20 figure doesn't surprise me. (We all know it is 1 in 1... :-)

The actual article

[El Volio]

New Scientist is just carrying their little summary; one of the authors has the paper available on his site [washington.edu] in HTML, PDF, and PostScript forms. It's to be presented at NSDI '04 [usenix.org].

Way low. Way, way low...

[ktakki]

One in twenty? More like one in five or worse. Of course, UW only looked for four pieces of spyware. IIRC, the latest Spybot definition file has over 12,000 entries (not all of which are covered by the strict definition of "spyware", but still...).

My current job is doing graphics and web work for a small computer services company, but at least once per week I go out on service and maintenance calls for our clients. At one place, the spyware infection rate was closer to 80%: Gator/Claria, Bonzi Buddy, Vomit Cursor, HiWire, IGetNet, BestWeb, Bargain Buddy, etc. One machine had 477 separate pieces of spyware and browser hijackers. Another had 25 instances of the same pr0n dialer. Even the ones that were relatively "clean" still had crapware like Webshots or WeatherBug that brought these commodity PCs to their knees. And don't get me started on Kazaa...

When I started doing this, I'd cut the users a lot of slack, letting them keep their Webshots or Benadryl Desktop Allergy Alerts. But after a month, the BOFH-nature possessed me. I have become an IT fascist: NO WEATHERBUG FOR YOU! NEXT!!!

Gah. Now I'm pissed. I think I'll go in tomorrow and schedule scandisks and defrags for 9AM Monday morning. That'll learn 'em.

k.

I Must Agree

[fire-eyes]

I gotta agree with this. I'm an admin and have to clean up this kind of crap both in the office and at customer sites.

Often times there are odd, often random errors in applications, and it begins to get worse. Or the system even if it's fast begins to crawl. I would say that 8 out of 10 times, it's spyware. In one case I found, according to SpyBot Search and Destroy (excellent tool by the way), 311 spybots and adware shits. This particular system went from the mouse barely moving on a 2.4GHz P4 with DDR ram to what it should have been.

User education is key here. But that is a depressing role to try to be educator, because it's almost all completely ignored.

Effective combination...

[Fez]

I work at a computer repair shop, and nearly every single computer I work on has some degree of spyware. The best combination of tactics to kill spyware that I've found is as follows (All in Safe Mode, of course):

• Trend Micro Damage Cleanup [trendmicro.com] - Free, Effective at catching a multitude of viruses and malware (Detects some spyware as trojans or adware)
• Spybot Search & Destroy [spybot.info]
• Ad-Aware [lavasoftusa.org]
• CWShredder [spywareinfo.com] - Kills CoolWebSearch variants
• HijackThis! [spywareinfo.com] - Powerful general tool for cleaning up what the others miss
• LSPFix [cexx.org] - to fix broken LSPs that interfere with Windows' TCP/IP stack

There's not a lot to be missed after that. Process Explorer [sysinternals.com] is also good for finding processes running that might not be of obvious origin.

1 in 20? Get Real!

[RoloDMonkey]

I started working as a computer teacher for a Catholic middle school in September. When I got there every computer had spyware. On one computer Ad-Aware identified almost 400 items! Needless to say, every class got a lecture about internet security. Most of them took it to heart, and now mostly we just get unwanted cookies.

Re:1 in 20? Thats all?

[00420]

I think someone has a spyware detector that is not detecting some of the spyware...

That's absolutely correct. According to the article they only scanned for Gator, Cydoor, SaveNow and eZula.

I manage a 50-user corporate network.

[daviddennis]

Spyware makes it on to 100% of the computers in my network. I have taught my users to put in, use and update ad-aware, but I think even with that there is spyware it's not recognizing. I come to this conclusion thanks to erratic behaviour in many of my machines that is not due to viruses.

Some of my users like spyware. Hotbar is a good example of a program that's actually liked by a number of people. But the programs that seem to do the most harm are the ones that try to stay invisible.

There are two computers on my network that never have spyware problems. One of them is the Mac I do all my web surfing on, and the other is the PC I do no web surfing on at all.

Any company I found is going to be Mac-only. There's little point in tolerating the huge overhead associated with running a Windows network.

D

the obvious question here is

[SweetAndSourJesus]

Why do you allow your users to install software?

Re:the obvious question here is

[daviddennis]

Because for better or for worse, I'm not a corporate drone. I believe users are people, not abstractions, and so I believe in giving them as much freedom as I can.

And I really, really don't like being called every time the clock drifts on one of the PCs and someone wants me to fix it.

I have better things to do than fixing it or installing software. So I delegate the power, and as much of the responsibility as people can bear, down to the users.

And users love me, because they know I have respect and sympathy for them.

I'm never going to be a Nazi-class administrator, even though I know it would solve a lot of my problems -- by, no doubt, creating newer and more frustrating ones.

D

Re:I manage a 50-user corporate network.

[daviddennis]

Two points against it:

* Microsoft Office is in many ways an excellent product, for all the criticism it gets here, and the Mac version works great. I tried installing OpenOffice on a couple of machines, and it made a complete hash out of their Word documents.

* It's a huge aesthetic step backwards, and everyone, including me, wants their computers to be nice to look at. I don't think this is frivolous, considering all the time we spend on our machines.

The reason I can't switch to another desktop OS at my

Re:I manage a 50-user corporate network.

[daviddennis]

Two points:

* Spyware is created for purely commercial reasons. It is not commercially viable to create this kind of software for a platform with a 5% market share. I don't expect spyware to become a problem under MacOS X unless something happens that pushes its market share radically higher.

if 99.99% of virii and spyware are writen for Windows, the Mac and Linux are far, far safer. That's not "security through obscurity"; it's pure, hard-headed commercial reality.

* Most of the tricks used for "drive-by installs" of Spyware work because Internet Explorer is integrated with the operating system. In other words, you use Internet Explorer + an ActiveX DLL to install updates to Windows. Therefore, you can use the same combination to do Bad Things.

On the Mac, there is no such integration, so the only way to install software is to, well, install it. Period.

You pointed me to a spyware removal tool for the Mac, but I have yet to hear of any Mac spyware. Until proven otherwise, I consider that program bogus.

D

Re:That's likely and understatement

[jamonterrell]

I've never scanned a network with a ratio of less than 3/4 infected with some form of spyware. But I guess it all depends on your definition of spyware. I personally consider any program that does something other than what it's advertised intended purpose is. Please hold the Microsoft jokes, I don't consider flaws in design as spyware, only intentionally deceitful programs.

Jamon

Re:That's likely and understatement

[FreeLinux]

That may be a little on the high side but, 1 in 20 is way too low. Spyware is as out of control as spam is but, most people aren't aware of it, as they are with spam, so it doesn't get as much mention.

I have always thought of spyware as a virus. Perhaps not as destructive but, a virus none the less. Thus, I have always felt that the commercial anti-virus companies should make their software to detect and remove spyware just as they do viruses. As yet they do not but, there is a major need for it.

Now, many people will start rattling off the plethora of spyware detectors and adware look alikes but, the fact is that none of these programs is capable of detecting all of the various spyware in the wild. Additionally, since they are all small companies or free projects they aren't and will not be able to keep up with the flood of new spyware as it comes out. Only the major players like the present anti-virus companies will be able to do it effectively with frequent updates to catch the latest bugs.

Of course, the immediate solution is to not use Windows but, that is not going to happen and even if it did, there would be spyware for Mac and Linux after a while. It's getting to the point that the little voice in my head keeps screaming at me to block off all port 80 traffic.

Re:That's likely and understatement

[Disabuser]

I have always thought of spyware as a virus. Perhaps not as destructive but, a virus none the less.

A large portion of my work is field service on home PCs. Spyware has actually become a more destructive problem than viruses for most of my residential clients who already have adequate virus protection.

Most people will have one or two spyware apps like Gator on their machines, which won't impact performance enough for them to notice. But if they have kids it's a different story. Kids download and install

Re:That seems low...

[elviscious]

If you read the article you'd see that they only looked for 4 common spyware programs. That's the reason there are only 1 in 20.

They also mentioned that college students are more computer literate, and therefore less likely to install spyware. I call bullshit. I've seen enough college students to know they are just as dumb as everybody else out there.

Yes indeed

[The Tyro]

Mirrors my experience with my neighbors (most of whom are highly-educated... some terminally-degreed).

I've rooted out more copies of Gator, Cydoor, etc from neighbors, friends, and family members... I can't even count the infections.

I typically recommend/setup the following bare minimum set of tools to avoid spyware, hax0rs, etc.

Firewall (I like smoothwall on an old PC)
Current anti-virus, set to auto-scan.
Spybot Search and Destroy run periodically.

I don't think I've ever had to look twice at a home comp

Thank you

[The Tyro]

for mentioning that. I find that OE is a tool of the devil. So many people use that preview pane....

Pop-ups too common?

[CycleMan]

I know tons of people that think random pop-ups and such are a normal part of the web.

Well, there was one on the page with the article. They wouldn't be hypocrites, now would they?

Re:One in Twenty????

[FunkyELF]

No kidding. People are dumb. Every time I format someone's computer and start them off fresh, I install basically what anyone would need. They still wind up clicking on pop-ups and clicking links in e-mails from people they don't know. Or when they install their own programs they blindly click yes, okay, next, okay, yes, yes without reading about the 3rd party software about to be installed. Its a shame that these programs are out there and that they are disguised as 'ad removers' or 'virus detectors'.

Re:Gripes against IE

[AuMatar]

Becauese they're afraid people will click that for MS software.