Theft You Don't Even See

By Leslie Walker
Thursday, September 1, 2005

How's this for a one-two punch -- software that secretly alters your Google search results, then tries to drop nasty programs on your computer by luring you to a bogus eBay link?

That appears to be what is happening with a new program documented by security software vendor Webroot Software Inc. Called 2search, the program secretly hijacks some Google searches by presenting fake results in the midst of legitimate ones. Because the pages shown look identical to regular Google results, most victims would have no clue anything is amiss.

As if that weren't enough, one of the fake results Webroot researchers recently saw seemed to be leading to product auctions on eBay. Webroot researchers could not say who was behind the eBay links, but they suspected what they were offering was more "spyware" -- a general term for software installed on computers without the owner's knowledge.

So why would the creators of spy software be lurking in the shadows of Google and eBay?

"If you had a Web site that said, 'Hey, get your spyware here,' no one would go to it," said Paul Piccard, Webroot's director of threat research. "So they look for ways to confuse or fool the user and make sure they are willing to download the spyware."

Spy software is going mainstream as it becomes big business, generating about $2.4 billion in annual revenue, according to a report issued last week by Webroot. Eager to make money by installing advertising and spy programs on more computers, the purveyors are using clever new tactics, such as pretending to be a Yahoo page or a music file from iTunes.

Webroot said spy programs are growing more sophisticated, harder to detect and more financially motivated. Since the start of the year, the number of Internet sites pushing unwanted software onto computers has quadrupled to 300,000. Webroot also found a sharp increase in such programs on corporate computers -- up 19 percent in the second quarter. The United States is still the leading host; nearly half of all spy software originates here, the report said. Yet the rest of the world combined now provides more, with Poland the second biggest host and the Netherlands third.

Often visitors get infected by what's known as a "drive-by download" -- the act of calling up a particular Web site secretly drops a program on their computer.

The programs range widely on the danger scale, starting with simple "cookie" files used by commercial Web sites to recognize repeat visitors and tailor ads and pages. More annoying are programs dubbed "adware" because they pop up unwanted ads and sometimes secretly track a user's Web surfing to decide which ads to show. More sinister are "system monitors" that track everything a computer user does and secretly send reports over the Internet. Often those are used for crimes ranging from financial theft to extortion and espionage.

Webroot chief executive C. David Moll dropped by my office last week and offered a chilling account of a particularly nefarious variant -- "keyloggers," so-called because they invisibly log every keystroke a user makes and transmit that information back to their authors.

They've been around for years but are more widespread now and easier to install from a distance.

"What's new is you don't have to be a sophisticated technician to remotely install it," Moll said as he described off-the-shelf programs offered for sale online, including one marketed by an outfit named NetHunter.

© 2005 The Washington Post Company