Let’s face it: We are good at writing some pretty useless laws in this country. And one of the hall-of-famers was the CAN-SPAM act, which was a complete joke.
The facts speak for themselves, as this graph from spamnation.info shows:
So congress is barreling through another piece of legislation, called the SPY-ACT.
You know what would be really scary? To have the same “success” with the SPY-ACT as we did we CAN-SPAM. In that event, the only people being helped would be security vendors. In other words, good for me, bad for you.
It’s absolutely certain that this law will lead to unintended consequences. And, quite possibly, will support the very people we don’t want to protect.
As Jim Rapoza wrote in e-week earlier this month:
The bill includes several wide-reaching exemptions that could make it perfectly legal for a software vendor to include spyware on your systems for the purposes of security, tech support or the prevention of fraudulent activities. That last item is scariest to me, as a broad interpretation would let ISPs or software vendors monitor and record pretty much any information on user systems.
Also, the Spy Act supersedes tougher state laws and completely prevents individual legal actions against spyware vendors, limiting all legal action to the FTC and state attorneys general. As several analysts and writers have already pointed out, if the Spy Act had been law when the notorious Sony rootkit was discovered, Sony would have been largely protected under this law and the state of California would not have been able to take the same legal actions that it did against Sony.
Protecting DRMers is a point brought up earlier by Ed Foster in his article, Spy Act Only Protects Vendors and their DRM.
In other words, it’s perfectly OK for basically any vendor you do business with, or maybe thinks you do business with them for that matter, to use any of the deceptive practices the bill prohibits to load spyware on your computer. The company doesn’t have to give you notice and it can collect whatever information it thinks necessary to make sure there’s no funny business going on. And by the way, another exception provision specifically protects computer manufacturers from any liability for spyware they load on your computer before they send it to you. Of course, the exception for software companies checking to make sure you’re an authorized user is the strongest evidence of what this bill is all about. After all, in terms of function, there’s not much difference between spyware and DRM. Too bad for Sony this bill wasn’t already the law when its rootkit-infected CDs came to light.
Well, you can read the act yourself here and make up your own mind.
But it makes one wonder — just what problem is this act trying to solve? Adware installations are on a decline, in large part because of successful prosecution of the miscreants by the FTC. They have the laws in place to do what they need to do — and one of the biggest issues, cross-border enforcement, was recently helped by the US SAFE WEB Act.
The truly bad stuff out there is criminal. So what are we trying to solve here?
Larry Seltzer wrote recently about the decline of adware. He got some skeptical responses. Well, he’s actually right. Here’s what happened:
1. Large adware developers (180 Solutions, Direct Revenue, WhenU, eXact, Claria, etc.) have either gotten out of the business or have scaled back their operations. This is due to pressure from the FTC and other governmental agencies; pressure from their own investors; the threat of class action lawsuits; and the decline of classic P2P apps which bundled adware like BearShare, Kazaa, etc. in favor of other P2P apps like LimeWire (which has as non-adware model) and BitTorrent.
Examples:
- WhenU: Over pressure from their investors and other groups, moved to a direct, non-affiliate model over 2 years ago. This dramatically reduced their installs. The installs are climbing, but it’s not at the scale you saw a couple of years ago.
- Claria: Got out of the Gator adware business over pressure from investors, etc.
- 180Solutions: Still the bad boy, but not nearly as prevalent as they were. Still using affiliates, which is a bad thing.
- Direct Revenue: Pretty much decimated by the legal actions of the New York AG.
2. The increasing prevalence of Windows XP SP 2 (forget Vista, almost no one runs it) has made it more difficult to infect systems.
3. Users have become smarter and they also have better protection on their system. However, in my opinion, this is not nearly as significant as the other points.
4. The decline of mass adware installers. The year 2005 was the hey-day of companies that little else than install/redistribute other people’s adware packages — companies like IST, MediaMotor, Pacerd, EliteMediaGroup, DollarRevenue, TopInstalls, etc. These were the companies primarily responsible for those big fat 20mb adware dumps.
With the exception of TopInstalls, they have almost all disappeared from the scene. One culprit in their decline is heightened governmental scrutiny. Another is over-exposure following the mass exploitation of the WMF vulnerability in late 2005/early 2006. The third culprit is the general decline of large adware vendors, who have been under pressure to clean up their installation practices.
Ok, with that out of the way, I would be hesitant to write off adware as a major threat. The one lesson learned from our history with adware is that one of the more effective ways for unwanted software to insinuate itself on a system is to exploit user deception. Why break in the back door when you can bamboozle the user into “consenting” to the install and walk in the front?
The adware guys were enormously successful using this model, and it remains an effective means to install on systems — witness the continued popularity of scam anti-spyware apps and system cleaners, which are the bastard spawn of adware.
With improved (not perfect, but improved) OS security in Vista, user deception remains an important tool for the bad guys, and the adware industry wrote the book on how to do it.
So what’s happening now?
We do not mean to say that people aren’t getting infected. Quite the contrary. It’s just that the breadth of infection is not what it used to be.
There is a difference in the type of infections these days, which has changed the dynamics of the market. In the past, you had broad installations of adware on many different systems by many different spyware developers and, in cahoots, distributors and affiliates. As I’ve written before, antivirus companies weren’t up to the task of fixing these problems, so that role went to companies that had a particular expertise in adware – and the winners were the ones with a background in system cleaning — registry cleaners, window cleaners — since these types of infections required a bulldozer-like approach to cleaning a system.
That has changed. We now see less adware infections, but the infections that are occurring are becoming increasingly more vicious and complex. The endpoint security products out there need to keep pace with the changing times. The old “system cleaner” model of antispyware applications is no longer effective. What’s needed are more sophisticated technologies (which is being done to varying levels of success by the antispyware and antivirus companies).
What we see now is:
The continued use of social engineering. Fake codecs, fake game utilities, spam as an infection vector, rogue security apps, etc. Get the user to click on something, and it’s oh happy day for the malware guys. It’s worth noting that a top infection that we continually see through ThreatNet (our user community that reports back on infections) is the Zlob Fake Codec. So it’s clear that people continue to click on these damned things.
Botnets. Glorious botnets that can be used to send spam, DDoS attacks and other unpleasantries. Want to see some stats? Go to ShadowServer’s stats page.
Targeted attacks. Those MS Office vulnerabilities and exploits you occasionally hear about? They’re not being used for widespread attacks — on the contrary, they’re being used for very specific targeted attacks. Don’t like a competitor? Send him an email with a word file attached. Open the file, and poof — insta keylogger.
Zero day exploits. Now, there’s a difference here: When the WMF exploit first hit, it was a veritable orgy by the bad guys to infect systems. When the ANI cursor exploit hit, you didn’t see nearly the level of breadth. But it was still used to infect systems. And it’s worth noting that the ANI exploit was (and is) extraordinarily nasty.
And finally, rootkits. It used to be a big deal when we’d see a rootkit. Now, we see them all the time. That’s a bad thing. Rootkits are pretty horrific in their ability to infect and clamp on to a system.
So is adware dead? No, it’s still out there. But as we’ve said before, we have this continuing bifurcation, where the new types of threats coming out are increasingly nasty and vicious. There’s not the breadth of infection, but there’s certainly more depth when a system is infected.
And I think you’ll find that security researchers are seeing about 10% of all malware these days being used to steal personal identities. However, a program that steals personal identities is already illegal, so why do we need a law to make illegal that which is already illegal?
And so, the SPY-ACT, HR 964, barrels ahead to solve a non-problem and in the meantime, quite possibly gives protection to the very people we don’t want to protect.
Alex Eckelberry
(With thanks to Eric Howes for his assistance)