In-Depth

Q&A: How Spyware Escapes Definition

What exactly is spyware? Just as with viruses, discussion of malware, grayware, adware, and spyware often gets hung up on definitions, and lately even legal threats over classifications.

• By Mathew Schwartz
• 09/06/2005

How is spyware defined as spyware?

Just as with viruses, a discussion of nasty code—malware, grayware, adware, and spyware—often gets hung up on definitions, and lately even legal threats over classifications. For example, is software “spyware” if it includes an end-user license agreement (EULA), no matter how lengthy or obscure, that explicitly allows a program to also install monitoring software on a user’s PC?

To discuss this issue, we spoke with David Perry, global director of education at Trend Micro, and Bruce Hughes, a Trend Micro senior antivirus researcher.

Where are we in the evolution of malware, whether it’s viruses, worms, or spyware?

Perry: We’ve entered into a space where things are not necessarily malicious and not necessarily definable.

How can you tell the difference between good and bad code?

The difference is intent. The difference is adware and spyware are written for a commercial, profit motive. …

So defining spyware is less about looking at things technologically?

Well, if a piece of software gets installed on your system without your permission, you have the right to block that from happening. And as the owner of that machine, you have the right to remove that piece of software from your machine.

Hughes: On the other hand, we’re still having this discussion on viruses, after 15 years, because there are still different schools of thought about what makes a virus a virus. All of this is very contentious. The other side of the coin is, when people talk about spyware, they often mean … EULA (end-user license agreement) assignations of spyware. … But the other stuff, the no-permission, Web-borne, dark side of the force is so fantastically prevalent that the EULA, statistically speaking, doesn’t even hardly register.

How do researchers track different kinds of spyware?

Everyone is pretty much furiously researching adware and spyware. … Yet we’re [also] in new ethical territory, where there is litigation. We have to stop and make an ethical judgment on the software we’re blocking. This is new territory for us. … [Typically] if a self-replicating piece of code is on your computer, you take it away.

Has anyone proposed legislation to protect companies who classify malware?

There is an effort to create legislation. Our customers do, in fact, want us to block [malware].

Is there some non-contentious way of classifying spyware?

Ugh. We even say grayware—adware, spyware, and grayware. This is really fuzzy. If you start a conference with one definition, you might have to jump off into another definition in the middle of the discussion. … Also, if I’m using a word to stop someone from suing me because of what I’m calling them, but it means the same thing, what then?

Meanwhile, is spyware becoming more advanced and harder to detect?

Rootkits—software that can hide itself and gain control at the root level of a computer—are one of the ways spyware guys are advancing. A lot of the spyware companies are commercially backed; they’re able to hire new programmers. And we’ve actually seen new versions of adware where they detect spyware—what we used to call stealth, in the virus days.

Perry: Now we’re getting spyware that’s attempting to remove anti-adware and anti-spyware.

Malware has a lot of potential for phoning home and updating itself, but have you seen much of that happening?

Very few viruses have made it to update themselves. … If we find a piece of adware or spyware that’s using a particular URL or IRC channel, we have a tendency to contact the gatekeeper of the site or channel, to take it down.

Hughes: That’s one of the reasons you don’t see instant messaging viruses spreading as fast as traditional viruses, because the links being sent in those messages you can get shut down by contacting AOL, Microsoft, Yahoo. We are, however, seeing a surge in mass-mailing writers that are also installing spyware with their malicious code. …

So where does spyware eradication go from here?

Perry: There are four main things: First, the operating systems and applications themselves will get better. Second, specific security products and procedures and services that are available will expand to be more effective. That’s our job. Third, there’s the rule of law: there’s specific legislation coming out about this, and this is very tricky, because it involves legitimate businesses and users. At the same time, I hope it comes down on the side of the individual user, even if they’ve clicked the EULA. Finally, there’s user education. A lot of this is still [caused by] social engineering.

Don’t some software companies argue the EULA is a contract?

I don’t know that I’ve ever met an end user that’s read the EULA …

Hughes: … or the 30 pages that are involved.

Perry: This appears, from a casual inspection, to be an attempt to keep the user from learning what they’re really doing.

Hughes: There was one company that offered, in the EULA—after you’d read 25 pages down—they’d offer you $5 for getting that far. It took 40,000 installs before someone contacted them to get the money.

Related Articles:

Is Too Much Anti-Spyware a Bad Thing?
http://www.esj.com/Security/article.aspx?EditorialsID=1460

Spyware Distributor Settles
http://www.esj.com/news/article.aspx?EditorialsID=1435