One of my friends called me in a panic the other day. It seems his eight-year-old daughter was surfing the Internet, searching for Barbie dolls, games designed for children, and other things of interest to eight-year-old girls, when something bad popped up on the screen. She may not have understood what she saw, but she knew it was bad and so she called Mom and Dad.
You can probably guess what popped on the screen. That's right, a page with explicit, graphic pornography. But wait, there's more. It gets worse.
Bookmarks for "mature porn" also popped up all over the computer, placed everywhere from the desktop to the Quick Links toolbar of the browser, to the Favorites area in Internet Explorer - and these links appeared for all three users who can login to this system. The browser was also redirected, or "hijacked" to display an explicit porn site as the home page, and any attempt to change it back were to no avail. An application also started running secretly in the background, ensuring any attempts to remove these links would be replaced.
My friend, who works in the software industry, knew that their family computer had been infected with spyware. Nowadays it only takes a single click. He also knew what to do. He ran the free spyware removal tool, Spybot Search & Destroy, to no avail. Then he ran another popular free tool, Ad-aware, also to no avail. He made sure he had downloaded all the updates to both these tools, then ran them again in safe mode. Both tools found the spyware hijacker, but were unable to remove it despite multiple reboots. Still, the links to mature porn would reappear. His daughters were told not to use the computer until this "spyware" was removed - which in this case, was proving surprisingly difficult to remove. As it turns out, the "spyware" in question had self-updating code, and had updated itself to a newer version that could not yet be removed by any of the major anti-spyware tools. Instead, my friend spent significant time figuring out how to manually delete a malicious, system-level application that he never installed.
Self-updating code. Hijacked home pages. Applications installed without your knowledge. Toolbars you don't want and never asked for. Your movements on the Web are tracked and recorded. All this, and yet we still call this stuff "spyware"?
It's a sad day for the Internet community when an 8-year-old girl, through a single click, is not only subjected to graphic pornography but has caused a nefarious, hard-to-remove application to be installed. An application that spews porn at every turn — plus gives you links to more porn that cannot be removed without a significant investment in a parent's time and frustration.
When spyware crosses the line, it's not spyware anymore. It's a virus - and in my opinion, should be dealt with by the anti-virus companies.
Drawing the line
An entire cottage industry has sprung up with the advent of spyware, and a few people are making a great deal of money using shady tactics. For the most part these people and companies can be identified, tracked and held accountable for their actions. Yet today, it rarely happens. Why?
I believe one of the problems is that a clear line has yet to be drawn between what is "acceptable" spyware versus what is unacceptable. Clearly, porn hijackers, self-updating applications, and domain-blocking applications are unacceptable. Yet I would argue that any application that gets installed without your knowledge is unacceptable and by nature crosses the line. And of course, the line from here to the legality of such things is very murky indeed.
Not only can spyware be installed on a fully-patched Windows machine running the latest anti-virus software, spyware companies and the slimeballs who run them have been known to find, use and exploit undisclosed IE vulnerabilities to their advantage and for financial gain. In the Internet community that I grew up with, one that existed long before the Web, that kind of activity would never have been allowed to sustain.
Patch the cheese, please
Before you rush to email me your thoughts on this assertion, understand that the spyware issue has little to do with a lapse in a user's desktop security. The bane of good security practice whereby you patch/firewall/anti-virus everything in sight still won't fully protect you - spyware gets installed through ActiveX, or by exploiting zero day vulnerabilities that (eventually) get patched in Internet Explorer.
Simply disable ActiveX, right? Well, it's not quite that easy. Some of the sites you visit may know you're running IE and believe that they truly need to use ActiveX. Other options? Here's one: try surfing the Web with IE configured to "ask" about running ActiveX scripts and controls. But be forewarned. It will nag you worse than your ex-wife's cranky mother.
Spyware is largely (though not exclusively) an Internet Explorer problem. And like it or not, Internet Explorer, the Swiss cheese of the Internet, commands about 80 per cent of the world's browsing. But individuals can freely switch to Firefox or Opera and effectively bypass the spyware problem, at least for now. Sure, security holes can, have and will be found in these browsers too but the difference in their security track records compared to Internet Explorer is absolutely night and day. Corporations and Enterprises can use desktop management software to centrally distribute these new browsers, and save money by not having to license anti-spyware applications to clean up the mess that's been swept through IE.
I give accolades to Scott Granneman for having the guts to tell people it's time to dump Internet Explorer. Never mind all the features competing browsers have that enhance the browsing experience. Personally I think it's worth switching for the spyware problem alone.
I've read comments from people who've said they've been using Microsoft Internet Explorer for many years and have never encountered a single case of spyware. Oh really? My response to that is very simple: what planet are you living on?!
It's not the benign spyware that I worry about, either. It's the ease with which these more malicious "spyware" applications can install themselves without your knowledge - and hijack your browser so it displays porn to an eight-year-old girl. Then it updates itself so you can't remove it. This is "spyware" that has clearly crossed the line.
Kelly Martin is the content editor for SecurityFocus.