By William Jackson
The spyware community has polarized, a panel of security experts said
Thursday at a Washington workshop hosted by the Anti-Spyware Coalition.
Adware distributors, under pressure from the Federal Trade Commission
and anti-spyware technology, have mostly quit the business or are going
legit. But the really bad players are getting worse, producing more
stealthy and sophisticated malware.
Nuisance adware is mostly dead, said FTC Commissioner Jonathan
Venture capital funding of companies that are paid to deliver annoying
pop-up ads to your Web browser is largely a thing of the past, Leibowitz
said. He pointed to several successful civil actions against major
distributors who have since gone out of business or gone straight.
And reports of spyware infections have gone down, said Jeffrey Fox,
technology editor for Consumer Reports. According to annual surveys,
infections have gone from one in four respondents in 2004 to one in 11
in 2007. In the same time, the estimated cost of spyware has dropped
from $3.5 billion a year to $1.7 billion.
But, to quote Miracle Max in The Princess Bride, there is a big
difference between mostly dead and completely dead.
While adware and spyware are less visible, Trojans delivering malware to
computers are more stealthy, sophisticated, and harder to detect and
Im here to tell you, there is some malware circulating on the Internet
that is impossible for an automated program to remove, said Janie
Whitty, administrator of the Lavasoft Online Support forums who works
with malware victims.
Susannah Fox, associate director of the Pew Internet and American Life
Project, said there is a lot of misplaced trust among users of rapidly
We are seeing a changing game, with the growth of broadband and wireless
connectivity and more powerful portable devices, she said. It is a
faster, more mobile and more participatory environment, and most
Americans are jumping in without considering the implications.
Despite the FTCs legal success, Leibowitz said there is a limit to what
civil enforcement can do. The line between what constitutes legal and
illegal software and permissible and impermissible behavior by an
application is not always clear, and he is reluctant for the FTC to go
too far in defining it.
I dont know that we want to overly regulate the space, he said. Its when
enforcement doesnt work and the market doesnt work that the agency
should turn to rule making. Currently, we try to go after the clear and
worst offenders, to send a message to the marketplace.
The marketplace does work. The social networking site Facebook recently
altered a program of using information about members purchases in ads
sent to that members network of friends. This raised concerns about
privacy violations, and Leibowitz said he would have supported an
investigation of Facebook if the company had not responded quickly. In
this case, the marketplace worked, he said.
Given the limitations of enforcement in a rapidly evolving environment,
a lot of responsibility falls on end users to protect themselves and on
technology companies to provide the tools.
Unfortunately, anti-spyware still is a maturing technology, Jeffrey Fox
said. Tests by Consumer Reports found that anti-spyware tools detect
only about 75 to 80 percent of the malicious code thrown at them,
compared with 90 percent or better for most antivirus engines.
Users also need to mature. Most Internet users are reactionary, said
Susannah Fox, changing their online habits only after being victimized.
And the situation is growing worse with Web 2.0, which more actively
involves end users than passive Web browsing.
I dont think there is any expectation of privacy in Web 2.0, said David
Marcus, security research manager for McAfee Avert labs. Certain formats
are custom made for delivering potentially inappropriate content. You
are going to see a lot of changes in how malicious code is delivered,
installed and hidden.
Subscribe to InfoSec News