the business impact ofspyware - zift...

The Business Impact of Spyware

A Guide for

A Trend Micro White Paper I June 2006

Protecting Your Bottom Line

Small and Medium Businesses

CONTENTI. EXECUTIVE SUMMARY....................................................................................................................

The Threat from Spyware is Real.......................................................................................................

II. SPYWARE IS A SERIOUS THREAT TO BUSINESSES...............................................................Spyware Captures Sensitive Data for Profit......................................................................................Spyware is Often Downloaded Without User Consent......................................................................Spyware Compromises Data and Network Security............................................................................Spyware is Difficult to Remove..............................................................................................................Standard Antivirus Solutions Cannot Find or Remove Spyware........................................................

III. THE BUSINESS IMPACT OF SPYWARE FOR SMALL AND MEDIUM BUSINESS..............Reduced Computing and Internet Access.........................................................................................Loss of Confidential Business and Personal Data............................................................................Loss of Business Reputation.............................................................................................................Possible Legal Liability.......................................................................................................................High Cost of Spyware Removal.........................................................................................................

IV. HOW TO DEAL WITH SPYWARE—TODAY................................................................................Determine Whether Your Computer Has Spyware............................................................................Remove Spyware from Your Computer.............................................................................................Prevent Spyware Infections...............................................................................................................

V. REFERENCES...................................................................................................................................

THE BUSINESS IMPACT OF SPYWARE

2 White Paper I The Business Impact of Spyware

33

45

6668

99

10101010

11111212

13



I. EXECUTIVE SUMMARYProfit is a powerful motivator—and the incentive that has propelled spyware into its dramatic growth pattern and deceptive methods. Spyware vendors make money from company or user data—emailmessages, passwords, sensitive customer data—that spyware software silently collects from unsus-pecting users. Using questionable or devious methods, spyware installs itself onto your computer. It can be “relatively harmless” by forcing pop-up ads or it can perform more sinister actions such asmonitoring and sending sensitive information over the Internet to other computers. Regardless of theaction, spyware programs hide their true purpose from the user while reducing system performance,draining user productivity, and stealing confidential data for profit.

Spyware continues to proliferate because it generates revenue and profits. It also does not require a large financial investment or significant resources to make money from the information that it steals orgathers from users. As long as developers can use it to make money, spyware will persist and grow.

This guide describes the significant threat that spyware presents to businesses—particularly small- and medium-sized businesses (SMBs). It discusses why SMBs are vulnerable and the impact that spyware can have on business continuity, employee productivity, and most importantly, the bottom line.

THE THREAT FROM SPYWARE IS REAL

• According to an FBI survey in 2005, 80 percent of companies experience spyware problems. 1

• Spyware components in threats have more than doubled in 2005, to the point where 65 percent of the top 15 threats contained a spyware or grayware component. 2

• IDC reports that IT respondents to a survey now consider spyware their #2 threat, up from fourth place in 2004. 3

• According to research firm The Radicati Group, worldwide business spending on anti-spyware software will jump from $214 million in 2006 to nearly $1.4 billion by 2010. 4



II. SPYWARE IS A SERIOUS THREAT TO BUSINESSES The widespread use of technologies such as broadband, wireless, network interconnectivity, and mobile devices provide businesses with faster and wide-ranging capabilities for exchanging information.But these technologies also increase the probability for viruses and spyware to attack and infectcomputers, threatening employee productivity, data integrity, and confidentiality.

Viruses have been a threat to computers for years, but spyware is a relative newcomer that has appeared with the proliferation of e-commerce on the Internet. Spyware, a category of malicious software that threatens computer operations and exploits infected computers, is a serious threat tobusinesses because of its impact on both corporate security and system management. It has becomeprevalent because its target—personal and sensitive information—can generate profits for others.

According to the U.S. Department of Commerce in its May 20th, 2005 report, $19 billion was earned selling products or services online in just the first quarter of 2005. For the last five years, e-commerce has increased over 20 percent each year with no signs of slowing down. 5 Spyware writers have discovered how to make money from this growth of electronic commerce—using your network and taking advantage of your computing resources. In fact, spyware has become so pervasive that theresearch firm IDC now ranks it as one of the top two categories of malicious code—the other is viruses—that threatens computer operations. 3

Spyware has unique characteristics that set it apart from viruses. Because it is not a virus, Trojan or worm, antivirus software and firewalls may not prevent spyware from installing, updating or attacking your computer or network. Spyware may perform registry modifications that are not automatically fixed by antivirus software, so it requires separate repair tools. It requires new strategies for protection as well as different methods of cleanup for infected systems. This fact is particularly critical for small- and medium-sized businesses that often rely on standard antivirus software to protect business-criticalcomputer operations.



Spyware Captures Sensitive Data for Profit Viruses, Trojans and worms are designed to wreak havoc, attack network resources, or cause damage to data, primarily to help its authors gain notoriety, be “popular” in their underground communities, show off their programming prowess, or simply cause chaos in the digital world.

Spyware, however, is a security threat to businesses—not to be taken lightly in today’s environment. It is designed to capture and send users’ computing habits, personal and business information to thirdparties for profit. That compromised data can then be used to steal financial assets, generate referralrevenue on the Web, or it can simply be sold to others for profit. Developers of spyware often register as affiliates to major portals, where they receive generous bounties per click or per unique user.

PRIMARY TYPES OF SPYWARE

• SpywareA spyware program monitors and gathers user information for different purposes. Since it usually runs in the background, its activities are transparent to most users. Many users inadvertently agree to install spyware by accepting the End User License Agreement (EULA) on certain free software. Many users consider spyware an invasive form of data gathering. Spyware may also cause a general degradation in both network connection and system performance.

• KeyloggersPrograms that log keyboard activity are called keyloggers. Certain malware employs these programs to gather user information. Some legitimate keylogging programs are used by corporations to monitor employees and by parents to monitor their children. Keyloggers usually catch and store all keyboard activity, but a person or another application has to sort through the keystroke logs for valuable information, such as logon passwords or credit card numbers.

• AdwareAdware software displays advertising banners on Web browsers such as Internet Explorer and Mozilla. Although it is not categorized as malware, many users consider adware invasive. These programs often create unwanted effects on a system, such as annoying pop-up ads and sometimes the degradation in either network connection or system performance. Like spyware, these programs are typically bundled with certain free software, so users inadvertently install the adware by accepting the EULA on the free software.

• GraywareGrayware is a general classification of applications that have annoying, undesirable, or undisclosed behavior. It does not fall into the major threat categories such as viruses or Trojans because it is subject to system functionality. Some grayware has been linked to malicious activities, while other items considered grayware provide users with targeted information in terms of product announcements. Organizations dealing with sensitive information should be generally alarmed by the capability of any application with data gathering functionality.



Spyware is Often Downloaded Without User Consent Viruses spread without user permission and have multiple routes of infection:clicking on emailattachments, slipping through system vulnerabilities, even surfing the Web. Since the goal iswidespread distribution or damage, writers hide the installation and propagation from the user. Although spyware tends to be installed as a result of user action, it often employs questionable means as described in the sidebar.

HOW SPYWARE IS INTRODUCED ONTO PCS

• Downloaded with legitimate programs

• Surreptitiously bundled with programs like peer-to-peer files, music, image or video sharing applications

• Installed without user knowledge while visiting Web sites that use Web-based scripts, often called “drive-by” installs

• Installed when the user clicks on an attachment Web link in an email or instant message

• Installed when the user inadvertently gives permission to install spyware by accepting end user license agreements of legitimate programs—most users do not read or fully understand these agreements

Spyware Compromises Data and Network Security While viruses can cause significant computer damage, spyware can compromise data security andconfidentiality for a business, its employees, its business partners, or its customers. Since it can gather sensitive and confidential data and pass that data to others, spyware can cause significantdamage to the reputation of a business.

Spyware is Difficult to Remove Spyware can become a system management nightmare for an IT department. Because it is persistent and adaptable, it is much more difficult to eliminate from a single computer or a network.Spyware can bury itself deep into a system, self-update, or even reinstall itself if it is not completelyremoved. A thorough cleanup and the use of up-to-date removal instructions are important. Otherwise,by design, spyware may reinstall itself onto the computer when it is removed 5.

Figure 1 shows some of the differences between viruses and spyware.



FIGURE 1. Differences between viruses and spyware

INTENT

To damage computer/network, spread rapidly, destroy files or network connectivity, gain notoriety

PROPAGATION METHOD

Infected files, company email, personal email, exploitation of system vulnerabilities

IMPACT

System damage, downtime, loss of data, high support costs, loss of business continuity, IT cleanup time, rapid spread, may triggerdamage on cue or date, productivity slowdown

CLEANUP

Antivirus software typically performs malwarecleanup activities:

• Terminates all malware instances in memory• Removes malware registry entries• Removes malware entries from system files• Scans for and deletes all malware

copies in all local hard drives

PREVENTION

Keep systems patched; do not open unknownemails; use multilayer antivirus software (desktop, Internet gateway, email server) toprotect multiple entry points

For profit; install silently, stay undetected, and capturesensitive data such as logins, passwords, surfing habits, and personal information

User-permitted installation or download; may be freeware or download with a confusing end user license agreement;silent “drive by” Web downloads and updating methods

Same as viruses plus the following: theft of confidentialinformation and invasion of privacy

Manual cleanup is difficult because spyware can self-update or reinstall if not completely removed; besidesspyware program components, additional cleanup typically needs to take place on the following: registry keys, Web browsing histories, profiling cookies, Internetcache files, and more

Use anti-spyware software that proactively blocksinstallation, finds and completely eradicates spyware

Viruses Vs. Spyware

VIRUSES, WORMS, TROJANS SPYWARE



Standard Antivirus Solutions Cannot Find or Remove Spyware Spyware is not created using the same technology as viruses. The are an more sophisticated Trojan.Because of the spyware revenue, spyware companies can afford to tune spyware to elude securitysoftware, avoid removal and update itself. It is continually becoming more sophisticated in its quest for data that can turn into profit. Spyware technology is designed to infect a computer and remain onthat computer at all costs. Most are harmful to companies and need to be removed and protectedagainst. Spyware, however, poses an additional serious challenge for companies because they cannot rely on their existing antivirus software or firewalls for protection on either the desktop or thenetwork. Users cannot always understand warnings so they ignore them, and legitimate installationscannot always be anticipated by IT.

Antivirus companies typically provide protection by updating the malware signatures and the methods of scanning based on their research about new viruses. But the technology used behind these methodsis may be only partially effective not effective against spyware, which is more subtle than viruses—yet can potentially be more harmful to users. The initial infection is key to accomplishing spyware’s goal and the longer it is installed, the higher the probability that the spyware vendor can achieve profits. Meanwhile, users may be unaware of the real damage it may create; they only feel the pain of daily distractions of pop-up ads and time spent trying to eliminate those disruptions to their work.

Spyware is not just one simple program. Some spyware or its components include file downloaders orupdate modules that can install other malicious code. It may multiply into many programs It may residedeep in a PC or network, making it difficult—if not impossible—for standard antivirus software to locateand destroy it (see Figure 2). Because it is so pervasive throughout the computer or network, spywarerequires specific anti-spyware scanning and special programs to help eradicate it from the system.

FIGURE 2. Spyware may include multiple programs and reside deep in each PC within the network

InternetSpyware Server

Office Network



III. THE BUSINESS IMPACT OF SPYWARE FOR SMALL AND MEDIUM BUSINESSESSmall and medium businesses are particularly vulnerable to spyware attacks because of several risk factors:

• IT departments who don’t have time or resources to conduct frequent vulnerability assessments and install patches to eliminate the vulnerabilities.

• Reliance upon the Internet, often via “always on” cable or DSL network connection, which increases exposure to spyware, viruses, backdoors, worms, and other malware

• Limited network security staff and other IT resources

• Few, if any, policies to govern Internet use

• Inadequate tools to help prevent spyware

In addition, the rapid expansion of the mobile and at-home workforce exposes more laptop PCs, notebooks,and other mobile devices to threats outside the corporate network. Spyware can use these devices as apathway to infect business networks with new and recurring spyware payloads.

The impact of spyware infecting a computer or network can be far-reaching and can affect the business inmany ways.

Reduced Computing and Internet AccessSystem administrators consider spyware an ongoing, full-scale challenge because of its impact on userproductivity and PC performance. Spyware takes advantage of your business resources to benefit others.A computer infected with spyware handles 20 times the number of operations compared to a cleancomputer. 7 This activity dramatically reduces PC performance. It also can tie up Internet connectionswhile it communicates data with a Web server, which can slow or even stop Web and email access. While these activities are running in the background, actual business-related activities—creating Worddocuments, calculating spreadsheets, or performing research online—compete for your computer’soperating resources.

Spyware also causes difficult-to-resolve support calls about computers that “do not work” or “take foreverto download”. It can even make changes to critical Microsoft Windows operating system files. In fact,Microsoft estimates that spyware causes more than half of the Windows operating systems failuresreported, yet users may not be aware that spyware is the cause. 8

Without user permission, spyware can hijack your browser and take control. Browser hijacker programssuch as CoolWebSearch can install dozens of bookmarks on the desktop to disrupt employee productivityor morale by displaying inappropriate Web content, such as adult content or other controversial Web sites. It can also add toolbars to Internet Explorer or change your home page without permission. PCperformance slows down; Windows can freeze, crash, or randomly reboot as a result of these programs.These programs can even change their name and location on the infected computer several times perday, making it difficult to control and destroy.



Loss of Confidential Business and Personal DataThe most harmful spyware capability is gathering and sending information via the Internet to unknown third parties, who use it for their own financial gain. Credit card numbers, user names and passwords,customer or supplier names, price lists, customer or client financial information, patient medical information,employee privacy data, email messages, or other confidential and sensitive files are common examples ofdata captured by spyware and sent across the Internet to third parties, compromising privacy and businessinformation. An increasing number of malicious attackers, including organized crime, are using spyware tocollect confidential business information.

Loss of Business ReputationLoss of a business’ integrity is especially disastrous to businesses that depend on data security and the trust of their customers for success. When sensitive information is compromised, it is difficult to rebuild your reputation or win back trust. Internal corporate information stolen for competitive purposes could cost a company millions of dollars in sales and possible loss of its market competitive position.

Possible Legal LiabilitySome industries, such as healthcare, have regulatory requirements to protect business data, so potentiallegal liability may also be an issue. One important priority for any size of company is to protect employees’personal information and provide a safe computing environment free from inappropriate content.

High Cost of Spyware RemovalSince spyware needs to remain on a computer to ensure the revenue stream for its developers, it employstechniques that make removal very difficult.

For Example:• “Add/Remove Programs” may remove only its visible parts and retain the collection agent.

• After a user attempts to remove spyware, the bundled spyware programs may reinstall the original spyware or ask the user a confusing question that results in a reinstall.

• Spyware often binds itself to freeware that cannot be used unless the spyware is also installed.

• Spyware must “live” profitably on one machine—not spread to others. For example, it can function as a virtual ATM, generating cash for its creators as long as it can keep running on a PC.

• Spyware is programmed to stay alive at all costs or to reinstall if it detects attempts to remove it.

The bottom-line business impact of spyware is the high costs associated with it. It affects businesscontinuity—it slows down or even crashes systems making them unavailable for users. Spyware makescomputers and systems less reliable. User productivity suffers because of slow response time, systemcrashes, or no Internet access. Spyware’s need for connectivity and its buggy code may crash or freezebrowsers. It also threatens network security. Depending on the activity, spyware can potentially costbusinesses thousands—or even millions of dollars—in sales and even market position. So it is important for businesses to learn ways to eliminate and prevent spyware from entering their systems.



IV. HOW TO DEAL WITH SPYWARE—TODAYIn December 2005 the National Cyber Security Alliance and AOL conducted an online safety study and found 61 percent of those surveyed had spyware/adware programs installed on their computers, but nearly 92 percent were unaware these programs existed on their computers. 9

Chances are high that your computer has spyware, but you may not realize it. Spyware employs stealthtechniques; but unlike viruses, which are not visible to users, spyware appears through pop-up ads and thefreeware constantly showing colorful targeted information. It typically does not damage the computer likeviruses do, but it must stay unnoticed or it risks getting uninstalled.

Since many computers are likely to have spyware, the first step is to determine if it resides on your computer.

Determine Whether Your Computer Has Spyware Figure 3 describes some common symptoms that indicate the probability that your computer has spyware. If these symptoms are present, consider scanning your computer with a reputable online spyware removaltool, such as the Trend Micro Anti-Spyware for the Web online tool: www.trendmicro.com/spyware-scan

S Y M P T O M

Monitor is plagued with numerous pop-up windows displaying advertising

Browser home page or search result pages display sites you did not want

“Bookmarks” or “Favorites” lists inappropriate links—often to adult content Web sites—that you did not select

Modem (analog or ISDN) makes calls to premium-rate phone numbers (‘dialers’) without your permission

No uninstall feature for downloaded software, which makes it is difficult to remove because of code being installed in unexpected or hidden locations

Web browser exhibits strange behavior and often freezes

Windows operating system errors start appearing regularly

Often unable to use your mouse and cursor freezes

Computer performance becomes sluggish and crashes regularly

Internet access or sending/receiving email slowed to a crawl

S P Y WA R EP R O B A B I L I T Y

5

5

5

5

4

3

3

3

2

2

FIGURE 3. Common spyware symptoms that indicate the presence of spyware

KEY5 -Spyware is present 4 -Very strong probability of spyware infection 3 -Strong likelihood of spyware infection but could be other causes 2 -Average likelihood, could be other causes



Remove Spyware from Your ComputerSpyware is specifically designed to be difficult to remove. One spyware infection often spawns many changes to open backdoors for continuous spyware infections. Removal attempts may affect only the original application and leave many pieces of associated spyware intact on the system. Spyware can even download and install itself to defeat attempts to remove the software. Because of its adaptability and persistence, manual attempts to remove spyware are increasingly difficult and ineffective without an up-to-date and comprehensive anti-spyware program.

The best way to remove it safely and accurately is to use a trusted solution that detects and removes spyware automatically on networked PCs and servers. The best tools minimize the impact on users when the spyware is scanned and removed, so most users do not even know they are being protected.

Prevent Spyware InfectionsThe sidebar provides guidelines to help prevent spyware from infecting your computer or network.

GUIDELINES TO PREVENT SPYWARE INFECTIONS

D O

• Visit trustworthy Web sites

• Read user reviews, download site reviews, or analyst/press reviews—CNet, ZDnet, Tucows—for software you intend to download

• Before installing any software, carefully read license agreements and privacy statements for how information is collected

• To close pop-ups, ignore the message and click the Windows close “x” button

• Run anti-spyware software to block and remove spyware in real time

• Download and install the latest updates for your anti-spyware software and Microsoft Windows operating systems

• Set appropriate security settings for Internet Explorer. Learn more at www.microsoft.com/windows/ie/using/howto/security/settings.mspx

• Use a separate, non-mission-critical machine for testing downloaded software

• Install a personal firewall to track outgoing connections before and after installing downloaded software

D O N ’ T

• Install free programs, specifically file sharing programs, until you know all the software that is bundled with it

• Click on attachments or links in emails or Internet messages from unknown senders or even from someone you know if the content is unexpected. Confirm that the sender meant to send that content before clicking on the link or attachment

• Give permission for unknown software to install itself on your computer

• Click on links or buttons on pop-up windows—even a click on the “no” and “cancel” buttons can install spyware on your machine

• Install non-work-related software onto your work computers.

For additional information, please visit our Web site at www.trendmicro.com/smb

TREND MICRO™

Trend Micro, Inc. is a global leader in network antivirus and Internet content security products and services. The company is focused on providing customers with customized and comprehensive security strategies to manage the impacts of known and unknown threats. Trend Micro has offices in 30 countries and its stock trades on the Tokyo Stock Exchange (4704) and on NASDAQ (TMIC).

TREND MICRO INC.10101 N. De Anza Blvd.Cupertino, CA 95014USA toll free: 1+800-228-5651phone: 1+408-257-1500fax: 1+408-257-2003www.trendmicro.com

Copyright © 2006. Trend Micro Incorporated. All rights reserved. Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Informationcontained in this document is subject to change without notice. [WP03BSSPY30_060905US]



REFERENCE:1 “Computer crime costs $67 billion, FBI says,” Joris Evers CNET News.com, January 19, 2006,

http://news.com.com/Computer+crime+costs+67+billion,+FBI+says/2100-7349_3-6028946.html?tag=nefd.top.2 Trend Micro.3 IDC Worldwide Spyware 2004-2008 Forecast and Analysis, December 2004, and Worldwide IT Security Software,

Hardware and Services 2005-2009 Forecast: The Big Picture. IDC, December 2005.4 The Radicati Group, Inc. Corporate Anti-Spyware Market, 2006-2010. March 2006.5 The Trend of Threats Today: 2005 Annual Roundup and 2006 Forecast, Trend Micro 2006.6 Federal Trade Commission. Monitoring Software on Your PC: Spyware, Adware and Other Software. Staff Report. Federal Trade Commission, March 2005. www.ftc.gov/os/2005/03/050307spywarerpt.pdf

7 Ibid.8 The Committee on Energy and Commerce. Mr. Jeffrey Friedberg, Director of Windows Privacy, Microsoft, April 2004.

http://energycommerce.house.gov/108/Hearings/04292004hearing1255/Friedberg1950.htm9 AOL/NCSA Online Safety Study, October 2004.www.staysafeonline.org/pdf/safety_study_2005.pdf

http://news.com.com/Computer+crime+costs+67+billion,+FBI+says/2100-7349_3-6028946.html?tag=nefd.top

www.ftc.gov/os/2005/03/050307spywarerpt.pdf

http://energycommerce.house.gov/108/Hearings/04292004hearing1255/Friedberg1950.htm

www.staysafeonline.org/pdf/safety_study_2005.pdf

www.trendmicro.com

the business impact ofspyware - zift...

Documents