If, as economists tell us, small business truly is the backbone of a successful economy, then young criminal hackers (a.k.a. crackers) are turning that concept on its head. In conversations with antispyware researchers at the RSA Conference 2006 and in recent news articles, tales of youthful, criminal cyberentrepreneurial endeavors abound. Bored, young cybersavvy people are declining the chance to offer to supersize your #3 Value Meal and instead are compromising your home computer for mere pennies on the dollar. At first, that may not sound like much, but when you compromise thousands of computers worldwide, you can sometimes make upward of $6,000 per month.
According to some of the antispyware researchers I've spoken to, one trick to eliminating the specter of adware/spyware (hereafter, simply spyware) is to devalue this new economy. If we can take the money out of the spyware industry, the participants should, in theory, go elsewhere, and spyware should, in theory, taper off over time. Unfortunately, taking the money out of spyware is going to be a very hard proposition to sell.
Take spam, for example
At the World Economic Forum in 2004, Bill Gates said that he wanted to eliminate spam by 2006. Well, it's 2006, and we still have spam, but we are making progress. Filters and antispam apps keep much of the junk mail out of in-boxes these days. And in the United States, laws now target bulk mailers, with EarthLink leading the way, suing several individuals, putting spammers out of business one by one. Yet, according to one estimate, roughly 5 percent of those who do receive spam still buy the products advertised. Moral: As long as someone is making money with spam, spam will continue.
With spam, the onus is totally upon the end user. If we don't buy the Viagra or whatever else is pitched to us over the Internet in the early morning hours, then we have a hand in eliminating spam. With spyware, the model is much more diversified, with many players receiving payments along the way. Taking the money out of spyware, if that's even possible, won't be an easy task.
First, there are the individuals who want spyware. Say you run a pornographic site--how are you going to get customers? You could spam everyone, as many have done, but with mail-client filters now available that look for x-rated material and shunt it away before it even hits the end-user's in-box, that advertising channel is rapidly drying up. So you resort to plan B: you buy into an ad rotation within a piece of spyware.
Vendors such as Claria (formerly Gator) insist they are providing a legitimate means of direct marketing. In fact, if you agree by accepting the End User License Agreement (EULA) to have your surfing habits monitored so that targeted advertising is displayed on your PC, there's nothing illegal about it. But most people don't bother to read the fine print on EULAs. (And with some EULAs running 20 to 30 pages of sheer legalese, who can?) Then there are the spyware apps that download onto your PC without seeking your permission; these are considered fair game for antispyware programs to quarantine and remove.
So how do these unsolicited spyware apps get onto your machine? Most are downloaded when you visit a Web page hosting such programs. This includes the momentary display of annoying pop-up windows, which sometimes replicate faster than you can remove them. The owners of a primary Web page often sign up with spyware vendors in what's called "affiliate programs." The spyware vendor will pay the Web host a modest fee for each desktop that downloads a given app. As long as everyone plays by the rules, one could argue that this is a legitimate, if unsavory, business practice. But this model can easily be broken.
But crackers game the system
A few weeks ago, I wrote about the federal case against Jeanson James Ancheta. Briefly, Ancheta leased servers to run a botnet, consisting of about 40,000 infected computers worldwide. He then profited from his botnet--first by leasing it out to others, then by signing up with various affiliate spyware programs, carefully directing his zombie computers to bogus Web sites that he controlled and profited from. At his peak, he was making several thousand dollars a month.
If Ancheta seems an anomaly, he's actually just the tip of the iceberg. Brian Krebs, writing in the Washington Post Sunday Magazine, profiled another individual who profits by directing his botnet PCs to affiliated Web sites under his control. Known in the article only as 0x80, the 21-year-old Midwestern man claims to make about $6,000 per month. This is his sole income. He rises in the morning, directs a few captive PCs to his sites, then rests for the remainder of the day. After a while, he'll get a PayPal credit for several hundred dollars.
The four horsemen of the PC apocalypse?
So now we have four layers of money: 1) the sites that want to advertise and get you to sign up or buy their wares; 2) the companies that create the adware to facilitate this advertising on your desktop; 3) the Web hosts that make money from each visitor who unknowingly downloads the embedded affiliated adware; and 4) (which may be the same as 3) the botnet herder who sends thousands of captive PCs to controlled Web sites with affiliated adware. With so many people making money, removing the financial incentives behind spyware becomes a daunting task.
Sites such as gambling and porn sites may be prohibited from advertising in conventional ways and will always look to spam, spyware, and whatever comes next to get their name out. Removing these sites won't necessarily stop spyware. So how about eliminating the so-called spyware vendors, the facilitators?
Definitions, so far, have proven elusive. One direct marketing company, 180Solutions, has publicly stated its intention to crack down on known abuse of its software; for example, in November of 2005, 180Solutions sued seven former distributors, charging that its software was installed without the users' permission. In October, 180Solutions helped lead to the arrest of three Dutch individuals responsible for a botnet ensnaring roughly 1.5 million PCs. The company also attended the recent Anti-Spyware Coalition meeting in Washington, D.C., pledging reform. Yet independent antispyware researcher Ben Edelman reports that Zango, the latest advertising tool available from 180Solutions, is in fact just an old spyware program renamed. Perhaps, as some have suggested, the Federal Trade Commission should act against 180Solutions and shut it down--but what's to keep it and other companies from moving to another country?
That leaves you and me. A couple of obvious recommendations come to mind. By keeping your PC updated with the latest patches, antivirus, and firewall protection, you can keep from joining the legions of enslaved botnet PCs, and that will deprive the cracker of some revenue. As for the crackers, as much as the Washington Post tried to obscure the identity of 0x80 in its article, savvy readers at Slashdot were able to connect the dots (including reading the metadata on the photographs and even reconstructing one photograph to give us a look at 0x80) and place 0x80 as living somewhere between Muldrow and Roland in rural Oklahoma. In the past, a cracker's own hubris has been his or her own downfall, and I suspect we'll see that happen again and again.
Who's responsible for spyware? The advertisers? The direct marketers? The crackers who profit? Or the end users who can't keep their PCs clean? Talk back to me.