Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can infect a computer involves the user installing it. However, users tend not to install software if they know that it will disrupt their working environment and compromise their privacy. Many spyware programs therefore deceive users, either by piggybacking on a piece of desirable software or by tricking users into doing something that installs the software without their realizing it. Recently, spyware has come to include “rogue anti-spyware” programs, which masquerade as security software while actually doing damage.
Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility — for instance as a “Web accelerator” or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:
- He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you’ve ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he’s FREE! [4]
The BearShare file-trading program is “supported” by WhenU spyware: in order to install BearShare, users must agree to install “the SAVE! bundle” from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users’ browsing activity to WhenU servers.
Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software, as with the Gator spyware now marketed by Claria. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. The Internet Explorer Web browser, by design, prevents websites from initiating an unwanted download. Instead, a user action (such as clicking on a link) must normally trigger a download. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as “Would you like to optimize your Internet access?” with links which look like buttons reading Yes and No. No matter which “button” the user presses, a download starts, placing the spyware on the user’s system. Later versions of Internet Explorer offer fewer avenues for this attack.
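The fake dialog described above can be recognised from its markup. The following is an added example, not part of the original text: it flags a page whose “Yes” and “No” links all lead to the same place or start an installer download. The function names, the label and extension lists, and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CHOICE_LABELS = {"yes", "no", "ok", "cancel", "close"}   # assumed label set
INSTALLER_EXTS = (".exe", ".cab", ".msi", ".scr")       # assumed extension set

class LinkCollector(HTMLParser):
    """Collect (visible label, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip().lower(), self._href))
            self._href = None

def audit_dialog(html):
    """Return findings for markup that imitates a Yes/No dialog box."""
    parser = LinkCollector()
    parser.feed(html)
    choices = [(lbl, href) for lbl, href in parser.links if lbl in CHOICE_LABELS]
    findings = []
    # A real choice leads to different outcomes; identical targets mean no choice.
    if len(choices) >= 2 and len({href for _, href in choices}) == 1:
        findings.append("all choices share one target")
    # A "button" that points straight at an installer starts a download.
    for label, href in choices:
        if urlparse(href).path.lower().endswith(INSTALLER_EXTS):
            findings.append(f"'{label}' starts an installer download")
    return findings

# Constructed sample: the pop-up described in the text.
FAKE_DIALOG = """<div>Would you like to optimize your Internet access?
  <a href="http://ads.example/setup.exe">Yes</a>
  <a href="http://ads.example/setup.exe">No</a>
</div>"""

# Constructed sample: a prompt whose two answers really differ.
HONEST_DIALOG = """<div>Subscribe to the newsletter?
  <a href="/subscribe">Yes</a> <a href="/home">No</a></div>"""
```
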
Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. This technique has become known as a “drive-by download”, which leaves the user a hapless bystander to the attack. The spyware author would also have extensive knowledge of commercially available anti-virus and firewall software. Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
The installation of spyware frequently involves Microsoft’s Internet Explorer. As the most popular Web browser, and with an unfortunate history of security issues, it has become the largest target. Its deep integration with the Windows environment and its scriptability make it an obvious point of attack into Microsoft Windows operating systems. Internet Explorer also serves as a point of attachment for spyware in the form of browser helper objects, which modify the browser’s behavior to add toolbars or to redirect traffic.
In a few cases, a worm or virus has delivered a payload of spyware. For instance, some attackers used the W32.Spybot.Worm worm to install spyware that popped up pornographic ads on the infected system’s screen. [6] By directing traffic to ads set up to channel funds to them, the spyware authors can profit even from such clearly illegal behavior.
References
- [4] Bonzi.com. http://www.bonzi.com/bonzibuddy/bonzimail.asp.
- [5] Edelman, Ben (2005). “WhenU Violates Own Privacy Policy”.
- [6] “Security Response: W32.Spybot.Worm”. Symantec.com.
This guide is licensed under the GNU Free Documentation License. It uses material from the Wikipedia.