Posted By: Margaret Pozzini

Elizabeth Millard, toptechnews.comSat Nov 4, 7:46 PM ET

Although spyware has been called the plague of the Internet, many people still regard the invasive software as a kind of digital Avian flu. "Yes, it's bad and potentially very threatening, but it's the kind of thing that only happens to other people,not me."

Unfortunately, that way of thinking could be a big mistake.

The prevalence of spyware, which usually slithers onto a system undetected during a download of other content, is formidable and poses a very real danger to every Internet user.

"You name it, spyware can do it," says Craig Schmugar, virus research manager at McAfee Avert Labs, which monitors Internet threats. "Everything from stealing your identity to turning your machine into a spam relay machine to popping up ads on your system. It can degrade your system performance to the point that using your machine is unbearable."

Defining the Threat

Spyware is a term that can be broken down into two categories, Schmugar said. In the first category are the illegal, information-stealing threats, such as Trojan viruses and "keylogger" programs that track user input. These are the villains of the Internet, and they pose a considerable risk to users. These types of programs are on the rise because the collected data can be quite profitable if sold.

Not all spyware is designed to be so harmful, though. The second category consists of programs intended to simply redirect users to different Web sites, or to collect general information on browsing habits.

"Advertisers often use spyware to cover competitors' Web sites," says Ben Edelman, a Harvard University researcher who focuses on spyware. Consider, just hypothetically, "Where better could [a company like] Netflix get a new customer than someone about to sign up with Blockbuster?"

If a legitimate business wanted to employ spyware, Edelman notes, it would first hire an ad network. This company would then hire another ad network, which would buy advertising space from a spyware vendor. This chain of companies distances the legitimate business from spyware activity while still giving it an edge in the marketplace.

Although this type of spyware, also called adware, might not be designed to hijack a system or steal identities, it still can be annoying. Working in the background, it can gobble up processing power, severely slow down a system, and even cause frequent crashes. It might also prompt a significant increase in pop-up ads, an Internet phenomenon that is almost universally despised.

"The advertisers are profiting from this, as are the adware makers, and those affiliates who distribute the adware," McAfee's Schmugar says. "A significant number of affiliates are indirectly violating adware makers' terms of service by exploiting system vulnerabilities to silently install adware."

Spy vs. You

Although some spyware is relatively benign, especially the type that simply tries to get users to view ads or visit a rival site, other types are downright scary.

Keylogging programs, for example, can capture passwords, user IDs, and other personal information. This is not just the kind of stuff that absentminded people put on Post-It Notes, either. Through keylogging, somebody can read every e-mail you send, track every Web site you visit, watch every e-commerce transaction, and secretly view your private instant-messaging chats.

With all that information, identity theft would be child's play, and even worse, it could extend into every facet of a person's digital life. A so-called "phisher" could send e-mails with keylogging software attachments from a victim's account, which would then infect the person's entire network of family and friends.

As unsettling as it might be to have one's identity hijacked, the effect on family finances could be devastating. With this level of personal information, a phisher might set up an electronic checking account, transfer every dollar from the victim's bank account into it, and walk away. Just as the customer is wrangling with the bank over what happened, the credit card bills with unauthorized transactions start to arrive.

Many phishing victims have reported feeling violated by the actions, as if the phisher had come into their homes while they were sleeping and cleaned them out.

But to extend the metaphor, phishing can be even worse than outright property theft. Thanks to insurance, most valuables can be replaced. But with phishing, someone's information can be sold again and again on the underground data market, forcing the victim to spend thousands of dollars, and months of time, trying to clear his or her good name and recover financially.

Other scenarios might not be as frightening as losing one's digital identity, but prove annoying and frustrating nonetheless. A spyware creator could hijack a user's system, turning the computer into a spam-spewing zombie, or so severely cripple the machine that it is nearly unusable.

Who's at Risk?

People who surf the Web in a corporate environment are usually protected. Computer-network experts have become adept at setting up firewalls, blocking suspicious e-mail attachments, and watching for dubious download activity. Well aware of the spyware problem, many companies also do periodic sweeps of their systems to remove any unwanted programs that sneaked through the filters.

But many home PC users are not so fortunate. Some have installed antispyware protection, but in general, many are at risk, said Harvard's Edelman. Also vulnerable are libraries, airports, and hotels, all of which offer open Internet access without spyware blockers.

According to antivirus software company Symantec, visiting certain Web sites can also affect the likelihood of being infected with spyware. In a recent experiment, researchers started with a fresh installation of ng it because it has a funky, scary alert message."" />Windows XP containing the latest security updates and spent an hour visiting well-known sites in major areas such as games, shopping, travel, and kid-oriented fare.

What was left behind on the machines was compelling, Symantec notes. Sites for kids produced the most adware, downloading more than 350 applications onto the system, but no pieces of spyware. In contrast, gaming sites caused only 23 adware applications to appear, but four spyware programs. Visiting shopping sites was the safest activity, resulting in no adware or spyware.

"What this experiment tells us is that if you want to avoid spyware, there are certain parts of the Web you should stay away from," says Dave Cole, director of Symantec Security Response. "They're the dark alleys of the Internet world. Basically, you visit a game cheat site, and you're vulnerable for spyware. A children's site will open you up to adware."

Tool Kit

The good news is that there are several spyware blockers and cleaners on the market, and Edelman noted that many users download programs like Ad-Aware, Webroot, and Counterspy.

A company that was established last year, SiteAdvisor, uses a system of automated testers that patrol the Web and gives out spyware safety ratings, allowing people to see if their favorite sites are really spyware havens. After you download SiteAdvisor's software, a small box appears on your browser with a red, yellow, or green icon to indicate the threat level from spyware.

Antispyware tools work by scanning a computer system to find suspicious-looking programs that seem to have no business on a PC, like adware, password crackers, remote-administration tools, jokes, and other applications. Some of what is caught is legitimate, which is why everything is presented in list format to the user, who can then sort out the desirable extras from the junk.

Lately, though, even antispyware programs must be viewed with suspicion. A major trend has been the use of pop-ups by firms that allegedly provide free system scans and spyware cleaning. When a user chooses to accept the offer, he gets a message informing him that his system is riddled with spyware, even if it is perfectly clean. The irony is that during the scan, spyware is actually being installed.

"Stick with what you trust," says Symantec's Cole. "Don't use something from a pop-up ad that tries to scare you into downloading it because it has a funky, scary alert message."

The information reported above is property of Yahoo! inc. and reprinted or modified with legitimate permission.