Nothing is Secret with Spyware Lurking in PCs

A company CFO sits alone in his office writing up a counter-offer for an acquisition he'strying to push through. Down the hall, a clerk in accounting goes onto the company intranetto check a few problematic direct deposit accounts. And a few floors below, a softwareengineer adds a few more lines of code to a new piece of software.

They all think they're alone. A security guard stands in the lobby. They all used ID badgesto get into the building that morning. Their office doors are closed.

But they're not alone. Not really.

They're every keystroke is being tracked. Every open application is being viewed. Everypassword copied and stored.

Like many corporate employees, they're being plagued by spyware. And they're not even awarethat the problem is out there.

Spyware bots are generally defined as software modules that are surreptitiously deposited onPCs. Much like a Trojan, the spyware allows unauthorized people to monitor Web surfingbehavior, giving them information about what Web sites the user visits, what they view, andwhat they buy. Spyware also can track keystrokes, steal passwords, 'listen in' on instantmessaging conversation, and spy on open applications. Some spyware even allows unauthorizedusers to take control of the PC.

''My bets are that every single PC in the world is infected,'' says Jim Hurley, vicepresident and managing director of security and privacy practice at the Aberdeen Group, aBoston-based analyst firm. ''It's embedded so deep in the software that most people neverknow it exists... There's nothing in the average environment to stop this stuff right now.People don't know it exists so they don't even know they're at risk.''

Some spyware is embedded in software -- mostly freeware -- downloaded from the Web. Otherspyware bots can be installed directly on a corporate PC -- say, by a disgruntled employeelooking to sell information, or a contractor working for a competitor.

And it's a hidden problem that is escalating in size.

Hurley says Aberdeen has been tracking spyware since 1999. Back then, there were probably five or 10 spyware bots. In January or Februrary of this year, they counted 5,800. Today, he says they've logged more than 7,000.

''We've dealt with several companies and some of them have figured that they've had lossesin the millions,'' says Grey McKenzie, founder of Panama City, Fla.-based SpyCop Inc., a company with both freeware and commercial software to detect and delete spyware. ''One company found that employees put spyware on the system and used intelligence to make bids against them. They were always losing contracts and didn't understand why. You can't even imagine the damage that can be done. It's insidious.''

Firewalls and and anti-virus software, which IT managers use to keep worms and viruses atbay, do not catch spyware. Special spyware detection software needs to be used. SpyCop, Zone Labs, Inc., and PestPatrol Inc., are players in the market.

Analysts note the relationship between spyware and adware, which are definitely akin to each other. Adware, generally downloaded in freeware, software upgrades and even electronic cards, gets into a system and then monitors search terms, buyingand surfing habits, and even shoots pop-up ads onto the screen.

Both forms are considered intrusive and problematic, though neither are illegal.

''You don't know what's going on but all of a sudden there's all this information about yougoing to a central server that analyzes you and learns about you,'' says Dan Woolley, a vicepresident at SilentRunner, a network security company. ''Once the information is harvested,it's very valuable and can easily be sold. It's dangerous technology.''

Woolley says spyware can steal a great deal of personal information, but it's dangerous froma corporate perspective, as well. Critical data could be flying out the door without anyoneknowing about it.

''If a company was not being judicious about what they were doing, someone could glean quitea bit of information off of them,'' adds Woolley. ''Would you let a stranger come into youroffice and watch you and all your people? You wouldn't let them sit there and take notesabout your business add day long, would you?''