Spyware. History and Description

by: Leif Wheeler

The first known use of the expression “spyware” occurred on October 17th, 1994 in a post that joked about Microsoft's business model. The term later came to refer to surveillance equipment such as miniature cameras. In early 2000, the founder of Zone Labs used the term in a press release for a new product. Since then, the computer community has used the term in its current sense.

Spyware often comes bundled with shareware or other software, and with music CDs. The user installs a program, for example a file-trading utility or music program, and the installer also installs the spyware. Even though the desired software itself may do no harm, the bundled spyware does. Occasionally, spyware authors will pay shareware creators to bundle spyware with their software. An example is the Gator spyware distributed by Claria. There are also instances when spyware authors repackage desirable free software with destructive installers that add spyware.

Another way of propagating spyware is by tricking users. A program will manipulate a security feature that is supposed to prevent harmful installations. Internet Explorer is designed to stop websites from starting an unwanted download; instead, a user action (like clicking on a link) must normally trigger a download. Nevertheless, links can prove misleading. For example, a pop-up may look like a normal Windows dialog box. The box contains wording like "Do you want to improve your Internet experience?" with links that look like real buttons reading No and Yes. Whichever button the user selects, a malicious download will start, installing the spyware on the user's computer. Newer versions of Internet Explorer offer better security against this tactic.

Many unscrupulous spyware creators infect a computer by going after security weaknesses in the Web browser or in other applications on the targeted computer. When the user arrives at a Web site controlled by the spyware creator, the site includes code that forces the download and installation of spyware or infiltrates the browser. This is commonly known as a “drive-by download”, and it leaves the user an unfortunate onlooker to the intrusion. This kind of spyware creator will have broad knowledge of commercial-quality firewall and anti-virus programming. Conventional "browser attacks" target security weaknesses in Microsoft Java Runtime and Internet Explorer.

Another problem with some kinds of spyware programs is that they replace the banner ads on visited web sites. Spyware that acts as a Browser Helper Object or web proxy can replace a site's own advertisements with advertisements that benefit the spyware author. This can seriously affect the revenue stream of advertising-funded web sites.

There have been instances when a worm or virus has delivered spyware as its payload. For example, some attackers used the W32.Spybot.Worm to set up spyware that caused pornographic ads to pop up on the screens of infected systems. By re-routing traffic to commercial sites that are set up to funnel funds to them, the spyware creators can profit even from such obviously illegal actions.