About this series: Spyware is quickly replacing worms and viruses as IT managers' biggest worry. In this two-part series, security professionals and others debate spyware detection and who is best qualified to define it.
The company 180Solutions had a huge image problem. Rather than be seen as a legitimate media company, it was labeled a spyware pusher by several security firms. To help clear its reputation, it joined the Consortium of AntiSpyware Technology vendors. But then other COAST members withdrew in protest. The consortium collapsed.
"On the Internet, spyware is as close to a four-letter word as you can get," said 180Solutions Senior Marketing Director Todd Sawicki. As far as he's concerned, his company has been victimized by people who hate online advertising and unfairly lump it in with what he considers true spyware. "Spyware is something used to steal information and commit fraud," he said. "We don't do that. We're a media company."
As far as Chris Deason is concerned, any program that puts a crunch on the 2,000-machine network she manages for Anchorage-based Alaskan Native Medical Center is rotten, including the online pop-up ads. "Adware, spyware, grayware… it's all a problem because it bogs down our computers and puts patients' medical and financial data at risk," she said.
These opposing views illustrate
If those interviewed are any indication, a solid framework for defining spyware won't be coming anytime soon. Some take Deason's view that it's all sinister, while others agree with Sawicki that adware and cookies are legitimate programs.
Caught in the gray zone
In a way, Sawicki and Deason do agree on one thing -- distinguishing the good from bad isn't as difficult as some suggest.
Sawicki defines the bad as programs that hide on your machine and monitor activity specifically to commit fraud. That's not what 180Solutions is about, he said.
"We give content away in exchange for advertising," he said. "Those who say we're spyware are the same zealots who freaked out when they saw that first banner ad atop a Web page in the early '90s. They hate having to look at any advertisement on the way to getting what they want."
As far as he's concerned, "This whole debate has become about whether media companies are legitimate. I see these reports that say 90% of computers are infected with spyware and that's ridiculous. In my opinion, less than 5% of computers are infected with true spyware. I have a better chance of walking outside and getting hit by a car than getting hit with spyware."
To Deason, what's ridiculous is the notion that pop-up ads she doesn't ask for are legitimate. If she doesn't ask for something that costs her time, money and resources, it's bad.
"We do a lot of research here and if you click on something that downloads a bunch of junk -- whether it's ads or something else -- it bogs down your resources and slows down the work," she said. The program may not steal, she said, "but it wastes time, and that can be just as harmful as stealing."
Compatibility is another issue adware makers fail to mention in this debate, said Warren Otte, network support specialist for Pleasanton, Calif.-based TECO Pneumatic, which produces air control systems and components. Adware, cookies and the more malicious programs are often incompatible with applications already on the network, he said. Often, the unwanted programs are incompatible with each other.
"These programs are often written quickly to meet sponsors' needs, and compatibility is not part of the thought process," Otte said. "That's why machines become comatose with spyware. The programs trip over each other."
Show it or kill it?
Given the public deadlock over how to define spyware, security vendors say they've been careful about how they label suspicious programs and what they do with the stuff they find. It was easier with worms and viruses, they say. When a Sasser or Mydoom moved in, you knew it was malicious and did what was necessary to stop its spread.
Since it's trickier with spyware, some products will label items as Potentially Unwanted Programs [PUPs], or simply identify them by what they most closely resemble: Trojan horses, key loggers, adware or cookies. A number of products list questionable items in a box and leave it to the user to decide what to kill, quarantine or allow.
Deason and Otte use the SpySubtract product from Braintree, Mass.-based InterMute Inc., which automatically removes what it deems sinister.
"I'm willing to pay for someone to kill it all," Deason said. "These black and white lists are fine, but not for me. We have a small staff to manage a large network and picking through these lists takes time I don't have."
Otte said he's been satisfied with InterMute. He can now run spyware scanners like Spybot, Adaware and Microsoft AntiSpyware in beta and "they find no problems because InterMute has cleaned it up." But, he admits, he's sometimes puzzled by the things SpySubtract finds.
"If I had a chance to talk to the folks at InterMute, I'd have questions about some of what it finds," he said. "I'd like to look more deeply under the hood. I'd like to know more about who is writing the stuff they find and what [those who distribute it] are getting in return, whether it's advertising or something else."
Otte said he's seen antispyware products step on the gray zone, sometimes targeting its own applications. "In the first days of Microsoft AntiSpyware, it fingered some of its own programs, things like SP2 and SP3 for Windows 2000," he said. "I once found that Spybot had fingered a fundamental part of Windows."