LAWTECH GURU BLOG by Jeff Beard

What to Make About Spyware Results from Earthlink

Earthlink published the spyware results for the first quarter of 2004, compiled from Webroot's SpyAudit program and EarthLink Spy Audit. The Register and MarketingVox commented on the results.

The number breakdown from a total of 1,062,756 system scans:

System Monitors (e.g., keyloggers) = 184,559
Trojans = 184,919
Adware = 5,344,355
Adware Cookies = 23,826,785

All for a grand total of 29,540,618 instances of spyware found. Divide this by the 1,062,756 system scans, and one arrives at the average of 27.8 instances of spyware per scanned PC.

However, these results are not empirically helpful. For instance, let's assume my PC had 100 infestations and I used their service to scan it weekly and didn't know how to remove the malware. Now let's compare it to someone who only ran the scan once and then cleaned their system. Wouldn't that skew the results?

Instead, I think the numbers are useful for less stringent scientific study. For instance, adware browser cookies are by far the most common, with adware not that much behind. Fortunately, true spyware (keyloggers, trojans, etc.) is less common in comparison, but I find those numbers quite telling in that it is definitely a problem. However, it's been my experience that users who have spyware on their system have it for the most common reason that they simply don't know how it got there. In other words, they're happily surfing along and downloading malware-ridden programs of interest, without realizing that they are the direct cause of their own infestations. Perhaps they didn't have a firewall or antivirus software installed. It's not uncommon at all to find that such a user has multiple spyware infestations ranging from browser hijackers to trojans, worms and other nasties. All of which would further skew any such "average infestation" analysis. While probably a good number of PCs have some malware installed either by choice or otherwise, I'd bet there are a smaller number of machines with "hyper infestations".

I'm also likely to conclude from the above results and my direct experience that the vast majority of us probably have more undesirable browser cookies than we'd like, but unless our browser is actively blocking them, we just don't have the time to deal with them individually. Running scans from Ad-Aware, SpyBot, PestPatrol and the like is probably the easiest second line of defense after they've made it past any browser defenses, which by default are set to fairly weak protection so that web sites load properly.

I don't see malware going away any time soon, and I'd suspect that the people with multiple infestations are probably not following some basic rules of practicing safe hex:

• Use a firewall, even if it's only a software-based personal firewall like ZoneAlarm. Properly configured, it stealths your computer ports and acts like a traffic cop to block many inbound and outbound threats. I don't recommend using Windows XP's built-in firewall since it only blocks inbound requests. However, even this is better than using no protection at all.
  
  
• Use a name brand antivirus program and keep it updated. My personal preference is Norton Antivirus, but there are a number of good ones available.
  
  
• Antivirus programs won't detect or block all threats. Install and regularly run good anti-malware programs such as Ad-Aware, SpyBot, and PestPatrol.
  
  
• Be selective of the web sites you visit, but more importantly, be cautious of the content you click on. For example, don't click on those ads that say you've won something (e.g., the moving monkey). If it's not relevant to what you are looking for, why click on it?
  
  
• Set your web browser to disable or block unsafe content (e.g., objects not marked safe for scripting), and set it prompt you for potentially dangerous content (e.g., ActiveX objects).
  
  
• Before downloading programs, especially those for free, read the privacy policy to see what information it tracks. This will give you some idea of its intrusiveness.
  
  
• Also check out special web sites such as SpywareInfo and Spyware-Guide.com, which provide tons of helpful information and maintain lists of spyware- and malware-ridden programs.
  
  
• Regularly use Windows' and other tools to examine your Windows startup settings (registry, startup group, etc.) to remove any malware from autostarting.
  
  
• Be wary of clicking on any links or attachments in e-mails that are not from trusted sources. If you can, open the source e-mail message in a pure text editor, such as Notepad, to verify that the links really do go where they're supposed to go.
  
  
• Use good anti-spam software. The more junk mail that is blocked or filtered into a separate spam e-mail folder, the less likely you'll want to open it or any attachments, or click on any embedded links.
  
  

I could go on, but you get the idea. The reason why malware spreads is collectively "us". Security is a process, not a product, and we remain the weakest link in that chain. While most of an organization could be using the Internet with caution, it only takes a very few uninformed users to unwittingly compromise a system. Thus having good backup/recovery/incident plans and systems are just as important. Perhaps most important might be what I've attempted to achieve via this post: education. Remove someone's spyware for them, and it's clean for a day. Show them how to avoid getting it in the first place, and it just might stay clean longer.