The Basics on Spyware

Spyware is a type of malware (or “malicious software”) that collects and shares information about a computer or network without the user’s consent. It can be installed as a hidden component of genuine software packages or via traditional malware vectors such as deceptive ads, websites, email, instant messages, as well as direct file-sharing connections. Unlike other types of malware, spyware is heavily used not only by criminal organizations, but also by unscrupulous advertisers and companies who use spyware to collect market data from users without their consent. Regardless of its source, spyware runs hidden from the user and is often difficult to detect, but can lead to symptoms such as degraded system performance and a high frequency of unwanted behavior (pop-ups, rerouted browser homepage, search results, et cetera).

Spyware is also notable for its networking capabilities. Using an infected system to find information is of little value if the spyware can’t deliver that information back to the attacker. As a result, spyware employs a variety of techniques to communicate back to an attacker in a way that will not cause suspicion or generate attention from network security teams.

As a tool for advertising, spyware is used to collect and sell user information to interested advertisers or other interested parties. Spyware can collect almost any type of data including web browsing habits and download activity. Perhaps the greatest concern related to spyware is that—regardless of whether it’s presence detectable or not—the user has neither any idea of what information is being captured, sent away, or used, nor any mechanism or technology for finding out. 

Spyware can use keyloggers to obtain personal details such as the user’s name, address, passwords, bank and credit information, and social security information. It can scan files onto the system’s hard drive, snoop other applications, install additional spyware, read cookies and modify the system’s internet settings and dynamically linked libraries (DLL). This can result in lowered security settings (to invite in more malware), and malfunctions on the Internet and computer varying from numerous pop-up advertisements, whether on or offline, to connectivity failures sourced deep in the Internet settings of the system. Many of these changes are difficult to reverse or recover from without reimaging the affected device.

In addition to the stated threats that spyware pose to infected computers, it can also be a major consumer of system resources, often hogging up processor power, RAM, disks, and network traffic. The resulting performance degradation can lead to crashes or general system instability. Some spyware even disable or eliminate competing spyware programs, and can detect and intercept the user’s attempts to remove it.

Spyware can be prevented through a combination of end-point and network security controls. Antispyware features are often integrated into modern antivirus software products that provide protection at the end-point.  Given the need for spyware to communicate over the network, spyware is also increasingly being controlled at the network security layer, where spyware communications can be detected and blocked. Additionally, drive-by download protections can be enforced at the end-point by using the browser’s pop-up blocker as well as via next-generation network controls that prevent the download of files without the user’s consent  Lastly, it is important to be monitor and validate which software components, plug-ins and services are allowed to run on a device as well as on the network; if the software is not recognizable or there is no specific reason to trust it, it is safer not to accept it until conducting further research.

Ignite 2017 Vancouver