Lifting the lid on spyware sneaking around your PC

Wired on Friday: For years, far-seeing firms such as IBM and Sun have predicted that academics and researchers might harness spare processor time on idle computers across the internet to process supercomputer-level calculations.

The idea is called distributed computing. Among the few real-world applications of the concept are a downloadable screen-saver that analyses radio telescope data for alien messages, reporting back suspicious signals to a central database; a background program that quietly calculates the shape of complex proteins for medical science on idle office computers; and the Google toolbar, which takes advantage of moments when you're not clicking on links, to offer your spare processor time to Stanford University's scientific community.

But the truth is, these noble experiments pale compared to the real users of distributed computing - internet criminals. Want your spam sent from an endless supply of innocent-looking addresses? Want a few thousand machines from which to launch your internet worm? Want to gather detailed, private information about millions of Net users' surfing habits - including watching their every keypress for credit card numbers?

Welcome to the world of spyware - and there's a good chance you're an unwitting part of it.

If you have Windows, you are probably already running programs that do just this kind of thing. Spyware is made up of programs that sneak their way onto PCs. It doesn't ask permission to install itself, and is almost impossible to remove. Many a PC that has magically become slower and slower over time is struggling under a load of these applications. Your PC may be one of them.

Don't believe me? Go to www.lavasoft.com or http://www.safer-networking.org/ and download their spyware-scanning programs. They're free to use, although Lavasoft sells a professional version for commercial use, so you can't use it at work.

If you're very careful about what sites you visit, rarely download programs from the Net, don't use Internet Explorer and only use your computer during the full moon, you've probably passed your spyware-scanning with flying colours. If not, I guarantee you will be surprised at how much extra baggage your PC is carrying.

Earthlink, a US Internet Service Provider (ISP), carries out regular automated audits of its customers' PCs, scanning them for spyware. Its latest totals show that the "average" PC is running more than 25 pieces of secret software.

What are these programs? All are sneaky: most are just annoying, like programs that take over your browser, filling your screen with pop-up ads that are completely unconnected to the sites you visit. Others silently report back on what sites you are visiting, hoping to resell the information to advertisers.

But the most malicious can take over your whole machine. Some attach to keyboard input routines, scanning for passwords and credit card numbers. Others report back to their creators, and wait patiently for orders - which can include scanning your local network for vulnerabilities, or sending malicious data to selected computers on the wider Net. According to Earthlink's statistics, one in 10 of their scanned customers was infected with such programs.

Lavasoft and Spybot have, in the past month, been the victims of denial-of-service attacks: concentrated bursts of internet activity aimed at their websites in order to overload them. The tool that the malware manufacturers probably used to direct those attacks was their own victims' machines.

What better way to generate gigabytes of untraceable traffic than to order thousands of home computers to start sending messages to a preset location?

The very invisibility of spyware has meant that little has been done to fight the problem. But the growing size of the problem is beginning to dawn on politicians and technologists.

Earthlink stepped forward to do something about the spyware installed on its customers' computers after it noticed large spikes in unsavoury traffic coming from its networks. Politicians in Utah recently passed a law prohibiting spyware (instantly appealed by WhenU.com, one of the more public spyware creators, which claims the law violates its "constitutional right to advertise").

Everyone else waits for the bigger companies - especially AOL and Microsoft - to make their moves. If AOL or another major ISP did a deal to install anti-spyware software on all its customers' machines, a huge chunk of the Internet would be instantly liberated from spyware infestation. And if Microsoft were to work to fill the security holes in Windows' design that allow spyware to slip under computer owners' noses and secrete itself into their hard drives, the plague would quickly abate.

So why don't they? Spyware has been around for years, but only recently have the numbers grown to epidemic proportions. Microsoft, in its defence, has been working hard on security. Unfortunately, its solutions are long-term - and when they arrive will almost certainly require an upgrade to its latest operating system.

And ISPs face a quandary, too. To scan and disinfect their users' machines means installing a sort of spyware themselves: one that could mess up machines or unintentionally reveal private information as easily as spyware deliberately does.

And the sad truth is that large companies are slow to move against complaints that don't affect their bottom line.

So for now, the best policy is to self-medicate until the real doctors arrive. Strip your own PC of any spyware, and encourage your friends to do the same.

This secret software has stayed secret long enough.