Meeting today at the Center for Democracy and Technology Anti-Spyware Coalition Public Forum on Corporate Spyware Threats, experts came together to discuss the state of spyware in today's environment.
According to Gerhard Eschelbeck, chief technical officer at Webroot, his research team identified more than 100,000 new potentially malicious sites in the last fiscal quarter. While the distribution of adware has decreased, the rates of trojans and other more malicious spyware programs has increased.
Eschelbeck said that spyware distributors are increasingly targeting users with keyloggers and other programs to mine personal identifiable information on the black market while upping the ante with better techniques for distribution and covering their tracks.
"Right now it is all about improving the distribution and obfuscation," he said.
He said that increasingly spyware is undetectable as developers continue to make more use of rootkit technology to place programs under the operating system layer.
In addition to the technical difficulties of nabbing spyware distributors, panelists also outlined the problem with punishing them once found.
"This problem lies at the legal-technology boundary," said Dan Kaminsky of Dox Para Research, who was one of several speakers today at the.
Kaminsky gave an example to the audience of a friend's mother whose computer was rendered inoperable by all of the spyware on the machine. She told him that it had been sitting in a closet for six months before he worked on it because she was unable to fix the problems.
"That was just one machine in one closet, but I started to think to myself, ‘How many other millions of computers are in a closet somewhere?'" he said.
"These spyware programs are causing millions of dollars in damage and no one is going to jail."
Eileen Harrington of the the Federal Trade Commission (FTC) said that while the government has been coming down hard on adware purveyors for their practices, her organization does not have the authority to arrest the criminal element in the world of spyware. Even the Department of Justice, which does have those powers, doesn't necessarily have jurisdiction as many related issues are under local jurisdiction. This often leads to cases being ignored, as local enforcement agencies just don't have the resources to go after spyware crimes.
"I think you nailed it on the head," she said to Kaminsky, "this definitely lies at that legal-technical boundary and the people who do it know it. The question for Congress is whether we want to change the laws to address this."
