10-10-2004 04:01 pm
[WP] Computer users face new scourge: Hidden adware programs hijack hard drives
The Washington Post
Computer Users Face New Scourge
Hidden Adware Programs Hijack Hard Drives
By Ariana Eunjung Cha
Washington Post Staff Writer Sunday, October 10, 2004; Page A01
SAN FRANCISCO -- Chuck Harris remembers when the Internet was fun and he'd spend
hours reading his favorite news sites, checking the church calendar, browsing
the shops. Then, a few weeks ago, he lost control of his computer. It turned
into a giant electronic billboard.
The Web browser was taken over by a company he didn't recognize. Pop-up windows
tried to download stuff he didn't ask for. Strange icons kept appearing offering
low home mortgage loans and sexual enhancement pills he didn't want.
Harris spent days trying to fix the computer, but the programs had multiplied to
the point where he couldn't run anything else and he decided to give up on the
machine. Last week, the 68-year-old retired aerospace engineer from Yorktown,
Va., shelled out $1,000 for a new computer, but now he and his wife, Dorothy,
use it only when absolutely necessary.
"We have just about quit using the computer," he said. "It isn't worth the
aggravation."
As if computer users didn't have enough to worry about with hackers, viruses,
spam, and other online menaces, now comes a new scourge.
Millions of consumers like Harris have been struggling with a recent surge in
what computer experts call spyware or adware.
The terms apply to a broad range of programs that users download from the
Internet, usually without intending to. Unlike the occasional pop-up ad, these
electronic hitchhikers are hidden programs that stay on the computer's hard
drive. They keep serving up advertisements, redirecting browsers to certain Web
pages or reporting the computer user's movements and personal information. Or
all of the above.
Some spyware comes attached to free, brand-name software that users want and
install themselves -- instant-message, video-player and file-sharing programs,
for example. A reference to the spyware may be included in the legal jargon of
one of those on-screen installation agreements that computer users routinely
accept with the casual click of a "yes" button.
Others come unbidden as a side effect of browsing shady sites. Many appear on
people's machines simply because they are connected to the Internet.
Experts estimate that tens of thousands of spyware and adware programs circulate
on the Internet. For now, the problem of such unauthorized software almost
exclusively affects Microsoft Windows users. It's by far the most popular
operating system and the same features that make it so versatile also make it
easier for intruders to secretly run programs on it.
Microsoft Corp. Chairman Bill Gates, in a speech to Silicon Valley technologists
this month, said that while he's never had a virus infect his computer, he's
been surprised to find many spyware and adware programs that he never authorized
on it. He said he has directed the company to launch a new project to create a
"cure."
The National Cyber Security Alliance, a partnership between the tech industry
and the Homeland Security Department, estimates that 90 percent of computers
using high-speed Internet connections have collected at least one spyware or
adware program, causing a loss in productivity, extra customer support, and
repairs.
Members of Congress say their offices are fielding an increasing number of
constituent complaints about the problem. Two bills that aim to address the
problem passed the House last week. One, sponsored by Rep. Mary Bono (R-Calif.),
who first became aware of the problem when her teenage children's computers were
affected, calls for civil fines of up to $3 million for those who use spyware to
defraud consumers. Her bill also would require companies to post more
conspicuous notifications that their software might come with adware. Another,
introduced by Robert W. Goodlatte (R-Va.), Zoe Lofgren (D-Calif.) and Lamar S.
Smith (R-Tex.), would allocate $10 million for the Justice Department to fight
spyware.
"Spyware is a very real problem that is endangering consumers, damaging
businesses, and creating millions of dollars of additional costs," Lofgren said
after a spyware bill was passed on Thursday.
A coalition of technology companies, many of which have resisted regulation in
the past, have rallied behind a spyware bill.
Colleen Ryan, a Dell Inc. spokeswoman, said the programs have done damage both
in dollars and reputation to the technology industry. Since August 2003, she
said, customer support calls to Dell related to spyware have gone from slightly
more than 2 percent to between 10 to 15 percent.
She said many customers assume that their problems are with the company's
hardware rather than spyware. "We have to tell them: It's not your computer."
Using a computer was supposed to get easier, not harder. At the height of the
dot-com boom, companies promised "plug and play" functionality so that even
"dummies" could use the latest technologies to download music, create family
videos and build blogs.
But along the way something changed. The Internet got a lot more dangerous,
forcing consumers to take on more responsibility for protecting their machines.
If Internet users got grades for the effort they take to maintain their
computers, Harris would be a straight-A student.
He installed a firewall to protect against hackers, a virus protection program
to stop online bugs. He made sure to use e-mail on the Web rather than a program
that downloads it -- and possible spam and other annoying or nefarious agents --
to his computer. He avoided installing instant messenger and chat-room programs,
many of which are known to be associated with adware.
"All, apparently, to no avail," he said.
Harris said he equates the problem to "someone breaking into your house and
someone saying you didn't have enough locks on your doors." He believes more
responsibility should fall on companies to make sure the machines are protected.
"I drive an 18-year-old car and a 12-year old truck and have a 10-year-old
dishwasher. They are still functional. But not the computer."
It is difficult for even the most technology-savvy to avoid the problem.
In June, Philippe Ombredanne, a systems administrator and programmer from Menlo
Park, Calif., bought a new computer. He said he was feeling lazy so he put off
installing security software for a day. When he woke up, the computer was
infected with one virus and about 30 spyware or adware programs, forcing him to
erase data and programs from his hard drive and reinstall everything from
scratch. "A vanilla computer with no protection has no chance on the Internet
anymore," he said.
The SANS Institute, a Bethesda-based computer security research center, has
studied what it calls the "survival time" of an unprotected computer hooked up
to the Internet. A year ago, the average time before it was compromised was
about 55 minutes. Today it's 20 minutes.
Johannes B. Ullrich, a technologist with the SANS Institute, said the challenge
in controlling the adware and spyware programs is that they fall in a gray area
between legitimate software and hacker-type programs designed to take over a
computer.
"It's sometimes hard to figure out where they originally got adware from,
whether it was part of an attack or whether a person installed it themselves
without really knowing," Ullrich said.
The problem is prompting systems administrators like Ombredanne to recommend
open-source alternatives. Open-source software is often developed
collaboratively by volunteers and the code behind the programs is available for
all to see. For years, technology wonks have argued about whether that makes the
programs more or less secure than those with proprietary code.
He said he tells clients to use Gaim instead of AOL Instant Messenger and
Mozilla Firefox instead of Internet Explorer and that companies are much more
open to that advice than they were several years ago, because of adware and
spyware.
Meanwhile, the problem of adware and spyware is creating a new type of Internet
user -- one who is disenchanted with promises of technological bells and
whistles and just wants the basics to work. Some are sticking to dial-up
Internet service rather than upgrading to broadband because higher speeds on an
"always on" connection create more opportunities for infection with nefarious
programs. They are foregoing multimedia programs, basically using their
computers as typewriters.
Harris and his wife are in that group.
At the height of his computer use a few years ago, Harris was so excited about
it that he set up and maintained a Web site for his church and for some local
charities. Now he dreads having to log on.
"I used to feel that the Internet had tremendous potential for communication and
was a wonderful tool to use," he said. "I don't anymore."
© 2004 The Washington Post Company