Sign In

Communications of the ACM


Spyware Was Inevitable

That which begins as minor nuisances and curiosities enabled by the subversion of new technological capabilities has always evolved into invasive problems once someone has found a way to profit from their application.

Early email chain letters and "cc: broadcasts" were mere annoyances to early Internet adopters. But it wasn't until commercial interests saw the money to be made through one-sided abuse of email that unsolicited commercial email (UCE) hit the big time and, as spam, has become a crippling problem for all users of the Internet.

Similarly, Internet denial-of-service (DoS) attacks, which once created annoying but generally benign short-term outages for their victims, have evolved into "prolonged outages for hire" now employed by extortionists against those whose commercial interests depend upon an ongoing and reliable Internet presence.

And so it is with spywareuninvited, unwanted, stealthful, invasive, intrusive, annoying, exploitive, and potentially privacy-compromising PC add-on software whose ongoing presence in millions of PCs worldwide benefits not the computer's owner and operator, but the interests of the publishers of this troubling new class of unsolicited software.

Spyware, as loosely defined here, has always been possible, but it wasn't until the Internet brought ubiquitous worldwide connectivity that "the spies" had any means for communicating back to their masters. And then, as we've seen time and time again, the addition of commercial profitability moves latent capability from the realm of minor nuisance to serious threat.

By leveraging the inherently open nature of the PC, from which it derives virtually all of its inherent value, this unsolicited commercial software (UCS) sneaks into a computer to set up shop without the user's knowledge or permission. Without introduction, it may first be noticed as a new button that has mysteriously appeared on the browser's toolbar, or perhaps as a new menu item to be chosen, or maybe as yet one more mysterious icon in the user's system tray. Perhaps there will be no visible indication of the software's presence, yet it will always be running "in the background" performing any unknown purpose of its author's design. What it may do, who produced it, where it came from, how it crawled into the system ... are all anyone's guess.

Spyware is the PC user's latest and biggest problem; a larger source of worry, concern, and frustration than anything PC users have faced before, and potentially more damaging than the worst computer viruses. Due to the growing use of PCs for personal tax preparation, online banking, investment portfolio management, and real-time e-commerce, the threat from privacy violation and identity theft cannot be ignored.

Spyware is the PC user's latest and biggest problem; a larger source of worry, concern, and frustration than anything PC users have faced before, and potentially more damaging than the worst computer viruses.

Back to Top

Any Solution in Sight?

Thus far, the anti-spyware model has followed the existing mature anti-virus model: A third-party clearinghouse aggregates the experience, knowledge, and findings of thousands of users, investigates reports of new malicious software, and maintains an often updated anti-malware scanning toolfree or paidthat can be used to examine any suspecting user's system for traces of known malware.

An interesting twist to the existing anti-virus model is that whereas viruses are created by unknown criminal authors who are, of course, unable and unwilling to defend their right to infect anyone's PC with their code, spyware is generally created by quasi-legitimate business entities who routinely threaten to bring legal action against the authors of any tools that label their spyware for what it is. For this reason, the larger well-established anti-virus community has chosen to eschew the fray and not add anti-spyware scanning to their existing anti-virus offerings.

Now that Microsoft has formally entered the anti-spyware arena with the Beta release of their Windows AntiSpyware scanner, it seems obvious the vendors of anti-viral scanners will steer clear of what would otherwise have been a large and lucrative market.

Back to Top

What About a Real Solution?

The real solution for the malware problem is similar to the ultimate solution for email. Unfortunately, it is prone to false positives and negatives and requires a great deal more attention from the userin addition to further infrastructure support: Just as incoming email can be screened through a process of whitelisting, greylisting, and blacklisting known and unknown senders, the operating system's execution of software can be controlled based upon the cryptographically verifiable publisher of each piece of software. This test can be made before the software is ever executed. As witnessed by the recent security measures introduced by Windows XP's Service Pack 2, this appears to be the direction in which future software security measures are moving.

Cryptographic "codesigning" will allow the operating system to examine an executable program's signature before allowing it to be run. Individual software publishers can be placed onto "trusted," "untrusted," or "unknown" lists to direct the operating system how to handle each program. In an approach similar to email real-time blacklists (RBLs), lists of known malware authors can be obtained and continuously updated.

This solution incurs costs and problems that will not be solved overnight. For example, Microsoft's "Authenticode" codesigning credentials are expensive and require annual renewal. This will be seen as an unfair imposition limiting access by non-commercial publishers. The end user must decide whether to trust and run unsigned programs. Another problem with this solution is the underlying OS will require significantly more "security hardening," since there are many known ways to circumvent such tests.

Sadly, as with email controls, it appears that some end-user freedoms will ultimately be diminished in order to thwart the abusive interests of commercial entities. The silver lining is that just as spam controls harden the email channel against viral spread, adding execution controls to the operating system to prevent the inadvertent and stealthful execution of malicious software, and further hardening the OS itself, will hugely increase the safety and security of all computer usage which, as these machines become ever more critical to our daily lives, will create benefits that more than outweigh the costs.

Back to Top


Steve Gibson is president of Gibson Research Corporation, Laguna Hills, CA;

©2005 ACM  0001-0782/05/0800  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2005 ACM, Inc.