Spyware motives raise concerns

Spyware is becoming a more serious threat as profits become a bigger incentive for hackers and other online criminals, a security vendor has claimed.

Adam Biviano, senior systems engineer at Trend Micro, said 70 percent of malware samples Trend Micro found 'in the wild' were now profit-driven.

"In the past, [malware authors] were script kiddies and programmers out to make a name for themselves."

That had changed, he suggested.

The aim was no longer to cause widespread damage but to set up a discrete network of PCs to launch denial of service (DOS) or spam attacks, Biviano said.

Such 'bot' networks were the result of malicious spyware installations that let a remote third party take control of a PC. However, blocking spyware was not as simple as blocking a virus, Biviano said.

"With viruses it was very cut-and-dried. A virus was 'bad' and needed to be stopped."

The spyware situation was not so clear cut, he said.

Terms and conditions buried in software licence agreements made it difficult for security companies to effectively block intrusive applications without risking legal action from software vendors. TrendMicro called such applications "greyware".
 
"With greyware, it's neither black nor white," Biviano said. Instead of blocking the application outright, security software let the user determine whether a program had been run.

Western Australia senator Brian Greig, of the Australian Democrats, would like to see such software better regulated. The Democrats had proposed a Spyware Bill that would establish privacy protection guidelines for such spyware.

A law could facilitate prosecution of the creators of more malicious trojan and keylogger spyware, he said.

Rich Mogull, vice president of  information security and risk at IT analyst Gartner in the US, said laws were needed to make an example out of malware perpetrators but shouldn't be depended on to eliminate the problem.

Laws in the US had some impact but mostly had not been significant, he said. 

Serious criminal acts, such as using spyware to collect credit card details, would always find a way, Mogull said.

However, the California State Bill 1386 had been effective. That Bill had required a company to notify Californian residents if certain combinations of personal information were lost.

That Bill had become law in the State of California, and the public disclosure of information loss that followed had spurred other countries into implementing similar laws, Mogull said.

With credit card theft, phishing and other online criminal activity becoming more common, companies' security efforts would likely focus on protecting their customer data, Mogull said.

Malware attacks were expected to go on getting more serious over the next one or two years, Mogull added.