We saw a significant increase in spyware infestation overall, but enterprise levels were steady. A big reason for that is that spyware attacks still rely on application and operating system vulnerabilities. Most large organizations have the patching process down to a science, so there is less of an attack vector for spyware. Also, enterprises usually have more protection mechanisms, whether they are gateway filters or client-side software.
Small to medium-sized businesses and, of course, home users don't have the same types of resources.
The term "spyware" used to refer to unwanted software that served pop-up ads and possibly tracked Internet use. How has the definition of that term changed?
We like to categorize unwanted software into two groups, adware and spyware. Adware is the first generation of unwarranted software. It is mostly just an annoying infection that serves advertisement purposes.
The more malicious varieties of unwarranted software are Trojans, keyloggers and system monitors. But we use the term spyware to refer to malicious software that hides itself on your system, its goal being to be as stealthy as possible. For instance, a virus lets you know it is there by affecting the way your computer operates. Effective spyware does its thing without alerting the user.
There was an interesting pairing of well-known malicious software terms in the report: phishing Trojan. Phishing usually refers to an email-based social engineering attack, so what does a phishing Trojan have to do with spyware?
This is an example of the surge in more targeted spyware attacks we saw in Q1. The concept really isn't new and it is not surprising that this type of attack has shown up since the building blocks are available on the Internet.
A phishing Trojan operates in a familiar way, infecting a PC in a classic drive-by fashion. Once installed, a phishing Trojan monitors your activity and notes when the infected machine visits an online banking or e-commerce site. It records the data entered at these sites and forwards it to a centralized server.
We found a phishing Trojan last quarter and reported it to the FBI. We researched the Trojan and traced the data theft to an FTP server based in New York. The Trojan infected 10,000 machines in 125 countries.
You mention that spyware is becoming more targeted. Can you expand on this and discuss some other ways spyware is evolving?
We are seeing a definite shift from something like adware, with its broad, untargeted attack method, to spyware that does not target a machine the way a virus would. Instead, it targets the user and the user's online information like bank accounts and social security numbers.
Another aspect to this type of attack would be the targeting of a particular company. We are seeing more spyware with a viral component of a tiered attack. Once a user is infected through browsing, the spyware attempts to spread to other machines on the network like a virus would, but it still works to stay hidden and gather information.
The complexity of new malicious software makes this more possible. Some spyware is able to block antivirus and antispyware software from updating itself. So, not only is spyware hiding itself, but it is also interfering with protection software.
You mentioned the obfuscation element of spyware. Are you seeing the use of rootkit technology as well?
Yes, we are seeing rootkit technology as part of the strategy of some spyware writers. Rootkit technology can be the most malicious because it can fool the operating system.
You also noticed an increase in spyware distribution from China. Is that country becoming the next haven for malicious code writers?
Actually, no. China overtook the U.S. as a distribution center over the past three months, but I must make a distinction between distribution of spyware and spyware authors. Distributors are usually weak machines that have been taken over and unknowingly used to distribute spyware.
This aspect speaks to the difficulty of tracking malicious code writers. Those with the motives to steal information are rarely those with the means to write and distribute spyware.