 |
|
 |
|
|
|
 |
|
| From the issue dated January 28, 2005 |
The Next Plague
As spyware and adware invade campus computers, officials ponder what to do|
|
| |||||||||||||
Kerry McQuade knew something was amiss when ads started appearing on her computer screen every time she started it.
First Ms. McQuade, a public-affairs assistant at Marist College, in Poughkeepsie, N.Y., was subjected to the ads when she visited certain Web sites. She had to click through and close three or four of the ads before being able to view the site.
Then they became more frequent. "I got pop-ups every time I tried to access pretty much any Web site," recalls Ms. McQuade. Finally, they started surfacing even without a Web browser open.
Marist's information-technology staff found that her computer was infested with more than 900 pieces of spyware and adware -- programs installed without her knowledge, which covertly monitored her Web usage or dispensed pop-up advertisements.
After the spyware and adware were removed, all seemed fine. Then, she says, "a scantily clad woman popped up on my screen." She summoned the IT staff again, and they removed an additional 200 pieces of spyware and adware and installed two anti-spyware programs. Her computer today appears to be free of the demons.
Like Ms. McQuade, untold numbers -- probably tens of thousands -- of students, professors, and staff members at colleges have discovered that their computers are riddled with adware and spyware. For example, the University of Arkansas at Fayetteville estimates that 25 percent of the computers on its residence-hall network are infected, Scott Fendley, a senior security analyst there, said during an online discussion sponsored by the SANS Institute, of Bethesda, Md., which promotes computer security.
"This is the next plague," says Kathleen L. LaBarbera, manager of information-technology operations at Marist.
More than simply annoying, the unauthorized software can proliferate like a virus, forcing individual computers and even whole networks to their knees. And the worst of the spyware secretly records private information, such as Social Security numbers and passwords typed into an infected computer. Security officials worry that individuals could be vulnerable to identity theft and institutions could be open to hacking attempts.
There appears to be no reliable estimate of identity thefts linked to spyware, either in academe or more generally. But the Federal Trade Commission told a Congressional committee that "spyware appears to be a new and rapidly growing practice that poses a risk of serious harm to consumers.''
"With PC users unknowingly running these programs, I believe that there is a real connection between spyware and identity theft," says Ms. LaBarbera.
Campus computing officials are scrambling to stop, or at least contain, that plague. Some have installed anti-spyware software, others have imposed new limits on campus networking in an attempt to stem the flow of the software from one computer to another, and many have begun to educate users about safe computing practices that can minimize the chances that a scantily clad woman will appear unbidden on their computer screens.
But many officials fear the problem is likely to get worse before it gets better. The malicious software used to be the province of lone hackers, but experts believe that adware and spyware increasingly are being quietly sold as services to individuals and companies that seek to advertise online or steal private information.
The Problem
Computing officials often discuss spyware and adware together because both creep onto computers in similar ways -- furtively piggybacking on free software downloaded online, or secretly inserted on a computer by a Web site.
Spyware silently monitors and records a user's online activities. By contrast, adware often is annoyingly evident, as it displays advertisements based on the user's purchases and other online behavior (although not all pop-up ads are the product of adware). Some adware can also change a user's home page or even direct the computer's modem to make calls to telephone numbers that then charge fees to the user's phone bill.
File-sharing programs, which are so popular with students, often bear spyware. Pornographic Web sites are also common carriers.
Whether such programs are illegal is unclear. The Federal Trade Commission in October asked a federal court to order one alleged purveyor from distributing spyware, on the grounds that the spyware was an unfair trade practice because the company also sold software to remove the spyware. This month the company agreed to stop distributing spyware.
A bill pending in the U.S. House of Representatives, HR 29, would ban adware and spyware altogether, with violations subject to fines of up to $3-million.
Some free programs actually disclose that they incorporate adware -- in the licensing terms that users commonly ignore when installing software. "People have gotten in the habit of clicking next, next, next, next, next, without reading" when they install software, said Joseph Telafici, director of operations on the Antivirus Emergency Response Team at McAfee Inc., which tracks spyware and adware as well as viruses.
In one recent demonstration at Marist College, a staff member used a computer that was known to be free of spyware and adware to visit Web sites that are known purveyors of spyware. Within minutes, the machine was laden with hundreds of pieces of spyware.
Even instant-messaging programs can transmit spyware and adware. Marist's Ms. McQuade recalls that her problems with pop-ups got much worse after she used AOL's AIM Express instant-messaging software. "I won't even go near that now," she says. (Andrew Weinstein, an AOL spokesman, says that AOL's instant-messaging software does not include adware and that the unwanted software is more likely to be distributed through other channels, but acknowledges that adware and spyware can be secretly attached to instant messages.)
'A Very Big Deal'
Infections by adware and spyware are on the rise, both in academe and elsewhere, many officials say. "There is actually probably more adware on people's computers than there is viruses," says McAfee's Mr. Telafici.
The surge is placing new demands on already-overloaded campus IT staffs. For example, at Hollins University, in Roanoke, Va., about 80 percent of the calls to the help desk over the past two years have been related to spyware, says Greg Henderson, director of computing and systems at the institution.
Spyware and adware often are so poorly written that they interfere with a computer's functioning. And they can burrow so deeply into a computer's software that they can be nearly impossible to remove. In such cases, the hard drive needs to be erased and new copies of the operating system and applications programs installed, which can take hours and erase data.
At Temple University, for example, "hundreds and hundreds" of students have had their computers rendered virtually inoperable by spyware and adware, says Timothy C. O'Rourke, vice president for computer and information services there. At Metropolitan Community College, in Omaha, Neb., more than 200 computers have had to have their software reinstalled during the last 18 months because of spyware, says Christopher C. Vaverek, director of network services. "It's gotten to be a very big deal," he says. Many other campus officials report similar problems.
Some spyware and adware transmit information that they gather to their authors or handlers elsewhere on the Web. If many computers at a college are infected, the transmissions can clog the campus network. "When it's bad, it brings the network to a halt," says Paul V. LaClair, associate director of computer services at Franklin Pierce Law Center, in Concord, N.H.
Mr. LaClair says that Franklin Pierce's network was so overloaded toward the end of the last semester that downloads happened at about half the speed of a typical dial-up connection. Once students with their spyware-laden laptops went home for the holidays, download speeds jumped tenfold, he says. The increase was too big to be accounted for by the fact that there were fewer users on the network, he says.
The Software Solution
To protect themselves, many colleges are turning to software that can purge a computer of adware and spyware and even prevent some from being deposited on the computer in the future.
A popular strategy relies on two programs: Ad-Aware SE and Spybot Search and Destroy. Site licenses for the former are available at modest cost, and the latter can be used free.
The University of Pittsburgh is one institution that has taken this route. In two months, more than 4,200 copies of Ad-Aware were downloaded to computers there, says Jinx P. Walton, director of computing services and systems development.
Colleges commonly provide the software for faculty and staff members, and point students to Web sites where they can download Spybot and a free version of Ad-Aware. (A spokeswoman for Lavasoft Inc., which makes Ad-Aware, says her company has no information on its academic use. A spokeswoman for Spybot declined comment on the number of colleges using its product.)
Austin Community College spends about $3,000 annually for a site license for Ad-Aware for its 2,000 college-owned computers, says William E. Carter, its associate vice president for information technology. Before the software was available, cleaning a single infected computer manually took one of his staff members as much as two hours. The new program "probably paid for itself within a couple of months," he says.
Others have reached the same conclusion. The athletics department at Cornell University, which has about 250 computers, spent about $3,500 for a site license for Pest Patrol. That program, sold by Computer Associates, allows a central administrator to scan other computers on the network for spyware and to remove any that is found.
"It's freed me up," says Ricky Stewart, the department's information-technology director. "It really has cut down on a lot of the labor hours."
The University of Vermont's business school bought about 60 licenses for Pest Patrol, at $20 apiece, for use by faculty and staff members. The college also bought one "traveling license," so one copy of the software can be easily moved from one computer to another for use in disinfecting student machines. That license cost less than $1,000, he says.
Some products cost more. Webroot Software Inc. charges $12 to $15 per computer for 2,500 or more copies of its anti-spyware software, says Richard Stiennon, vice president of threat research. This month the Microsoft Corporation released a test version of anti-spyware software. The test version is free, but the company has not said whether it plans to charge for the final version.
Many college computing officials say they would prefer not to have to buy software separate from the antivirus programs they have already bought. But, so far, antivirus software hasn't been up to the task. "They've been slow to include the level of functionality that we need," says H. Morrow Long, the director of Yale University's information-security office.
That is changing, however. McAfee recently announced that it will add optional anti-spyware capabilities to its VirusScan Enterprise 8.0i product, which is in use at many campuses. The list price will be as low as $4.95 per computer for purchases of more than 10,000, says John Bedrick, the company's group product-marketing manager for system security.
The Symantec Corporation, another major vendor of antivirus software to colleges, has not yet announced an increased anti-spyware capability but is expected to soon.
File Sharing Under Fire
One question is whether colleges should act more forcefully to stem the spread of spyware by severely restricting one major conduit, file-sharing software.
H. Jacob Picart, a junior majoring in political science at San Jose State University who also runs a computer network for a nonprofit organization, says that public institutions should restrict file sharing in the interest of making campus networks function better. "It's taxpayers' money that's paying for the connection," he says.
Indeed, Temple University has taken that route by forbidding music downloads on its network. "When we find it, we stop it," says Mr. O'Rourke, the vice president. Moreover, the university has notified students that its technical-support staff will not help students whose computers are infected with spyware if the computer contains illegally downloaded music.
But security experts note that restricting file sharing is no cure-all for spyware, because that move does not, for example, block spyware that is silently dispensed by Web sites.
Bentley College, for example, shut down illegal peer-to-peer networking from the campus to the Internet even before the surge in spyware and adware. Nevertheless, the programs have made their way onto the campus network, says Jonathan Everett, Bentley's director of client services.
Other colleges have taken a different approach. Worcester Polytechnic Institute encourages faculty and staff members to use Spybot and students to use Ad-Aware. But in addition, the college has configured its network to block the downloading of specific files that college officials have decided are spyware. The college adds a couple of files to that list every month, says Jon E. Bartelson, assistant director of computing services.
Some institutions are focusing on educating users about how to avoid spyware and how to remove it if it appears. For example, Marist held a series of workshops on computer security issues, including one on spyware. It has made a video recording of the sessions available on DVD.
At Hollins University, Erin Adams, a freshman, was frustrated by the unreliability of her network connection, due to stresses caused by spyware on students' computers. The university's IT help staff was not able to keep pace with the burgeoning spyware infections, she says, so she formed the Student Coalition Against Viruses, Adware, and Spyware, a group of about two dozen volunteers who check students' computers for adware and spyware.
"The vast majority of the problems are very, very easily solved," says Ms. Adams, a psychology major.
Mr. Henderson, the computing director, says he appreciates the help. "I've got staff actually doing their jobs again," he says.
Many officials at colleges and anti-spyware companies believe that, as with computer viruses, the prognosis is bleak. Adware and spyware will increase, forcing campus officials to devote more time and money to fighting it.
"It's only going to get worse," says Mr. Stiennon, of Webroot.
Glenn Taylor, director of academic sales at Symantec, predicted that spyware increasingly will be part of "blended threats" incorporating components such as spyware, spam e-mail, and viruses.
"On the Internet, anytime people can make a buck, they're going to do it," says Temple's Mr. O'Rourke. "That's what this is all about."
http://chronicle.com
Section: Information Technology
Volume 51, Issue 21, Page A36