Not only was CoolWebSearch quietly tracking all the activity on an employee's PC, but it hijacked Internet Explorer to ensure that every time it opened, the homepage reverted to a menu of sundry sites regardless of how many times it reset. As data security officer for the not-for-profit Marshfield Clinic of Wisconsin, Finamore worried the tenacious spyware could corrupt other Web-facing critical business applications being used within the 40-center health care chain. So he spent hours manually uninstalling unwanted files, which proved very, very difficult because CoolWebSearch was rigged to resist removal and embedded itself so deep in the desktop that some files appeared impossible to find.
"In one sense I was in awe of the way it worked," Finamore recalled. "In another sense, I was very scared by the fact that it was so good at evading detection and removal. This was the first time I realized, 'Wow, this is serious.'"
A lot of IT administrators and managers this year arrived at a similar A-ha.
It's about time. Security experts have warned for the past two years that spyware was turning more insidious, thanks in part to a profit-driven alliance between the hacker underground and organized crime. Annoying pop-ups have been replaced by more sinister keyloggers that, despite all the acceptable-use policies in the world, continue making inroads in corporate networks. Of course, more employers are spying on their workers with online tools, but they're aware and can control them. This other stuff, they cannot.
An online survey conducted last month by SearchSecurity.com reflects the growing concerns with unwanted programs seeping into systems and cleverly evading detection. Just how bad has it gotten? Of the 304 qualified enterprise network administrators, engineers and security officers from a variety of organizations who responded, almost 74% ranked spyware as an important priority. More than half of that set listed it among their top three concerns. Moreover, almost 60% of all respondents believe spyware will become a bigger threat -- and therefore gain or remain a top threat -- in the coming year.
This mind shift also impacts security budgets. In the latest Information Security magazine readership survey, controlling spyware topped the must-do lists for the majority of 430 security managers participating in that May poll. In that study, 89% considered spyware an important issue and 42% had already invested more resources in antispyware, outstripping financial support for any security-related technologies.
The other major area of investment was worm and virus prevention. Though there are technical distinctions between that malware and spyware, those in the trenches are increasingly lumping everything intrusive -- from worms, viruses and Trojans to innocuous adware under the "spyware" umbrella. In fact, in September's SearchSecurity.com survey, readers overwhelmingly deemed "spyware" to include every program downloaded without knowledge, including multi-functional cookies. Only 22% believed the term applies only to more malicious programs downloaded without a user's consent.
Some, like the Marshfield Clinic's Finamore, who oversees the security and data integrity for a network used by 5,800 employees and 725 physicians, understand broadening definitions lead to legitimate programs' deletion during spyware sweeps. Such casualties no longer matter as much.
"Strictly speaking, spyware is an application or process on the PC that tracks Internet usage and then uploads that information to a server somewhere, usually without the information or consent of that user," he explained. "But we consider spyware in a much broader sense and include other types of malware in there as well. I think the boundaries between spyware and malware have become murky at this point. And because spyware's become such a huge problem, the fact that some legitimate programs may be caught up doesn't even concern me at this point."
According to the survey, spyware's biggest impact has been downtime. A whopping 71% said the biggest impact on their companies has been sluggish system performance and desktop crashing due to spyware overwhelming PC processing resources.
The tip-off, according to interviews with some survey-takers, is always employees complaining their computer keeps crashing. By then pop-ups have proliferated. The system's taken increasingly longer to start up. And often the homepage has changed. By the time IT intervenes, the staff is braced for a stubborn case that's going to cost many man hours. And even then, eradication may prove impossible.
"I've found that I have gotten some spyware from employees going to particular sites that I've been unable to get rid of no matter what I try," said Dana Wood, a PC and network specialist for Oregon-based power-tool maker Shindaiwa. "It costs me a lot of time. I'll try to get rid of it with registry entries and different programs. I've even had instances where I've just plain given up and reformatted the machines because it had taken over to the point where I was unable to get it off."
Wood helps secure 80 employee workstations, with all but a half dozen located at Shindaiwa's headquarters in a Portland suburb. Like Finamore, her definition of what constitutes spyware has broadened in the last couple of years. That's because the digital underground's financial incentive has created more virulent strains bundled within legitimate-looking downloads and enticing freeware.
But if such spyware is more feared, it's also more likely to be flagged by a more vigilant IT workforce, if the survey is any indication. Despite recent news reports on the uptake in keystroke loggers and other data-stealers, only 3% of respondents reported stolen corporate data as their biggest impact from spyware (and considering the consequences, it presumably would have registered ahead of other events listed). Almost 5% were hit hardest by the theft of users' identity and almost as many said their major problem had been homepage hijacking. Another almost 7% were heavily impacted by regulatory compliance issues related to the unwanted code that might nest in their networks.
Regardless of its impact, spyware will continue to consume a lot of enterprise resources and network bandwidth.
"It's all about the money now," said Matthew Prentice, director of IT for Bethesda, Md.-based Cystic Fibrosis Foundation. "The danger will continue. They'll find newer exploits to get them on our machines. They annoying ones will go away through attrition. People won't keep writing the annoying ones for the little they generate."
Tomorrow: Users outline tools to mitigate spyware's spread in the enterprise.
Note: This story originally appeared on SearchSecurity.com.