Corporate Computers Plagued By Spyware

Corporate desktops pack almost as much spying software as do consumers' machines, a Denver-based anti-spyware vendor reported Wednesday.

Spyware--the umbrella term given to software that installs and operates without the user's knowledge--collects data such as surfing habits, or, more maliciously, records keystrokes in the hope of snagging account passwords.

Webroot tallied the results from enterprises scanning networks for spyware with its free Corporate SpyAudit tool to produce the security business's first-ever analysis of sneaky software within corporate networks, said Richard Stiennon, Webroot's vice president of threat research.

Since early October, Corporate SpyAudit has been used to scan more than 10,000 computers in over 4,100 companies, said Stiennon. On average, it sniffed out 20 pieces of spyware per corporate computer, with about 5 percent of the systems harboring the most malicious kinds of spyware, such as system monitors (like keyloggers) and Trojan horses.

"That's a lower average than consumers' infections," said Stiennon, but still something that should ring some alarm bells in the enterprise. "The primary way to get spyware is to install free software, like screensavers and file-sharing programs, or surf to malicious Web sites, 90 percent of which are porn sites. Business users simply do those things less often than consumers. Better browsing habits, I guess."Webroot's ongoing collection of scan results from consumers' computers through its partnership with Atlanta-based Internet service provider EarthLink, has pegged infection rates at around 26 pieces of spyware, on average, per PC, since the beginning of the year.

But the enterprise offers a potentially lucrative target for the most malicious spyware, said Stiennon. "Companies offer a bounty exponentially larger than what the everyday consumer's PC might surrender. Everything from customer information to payroll details to product specs and source code are all potential targets," he explained.

For the moment, spyware creators and distributors don't seem to be targeting enterprises specifically, Stiennon added, but it's only a matter of time before they do.

"For the primary use of spyware, to generate revenue by such tactics as hijacking browsers or tracking Web usage, enterprise spyware is just fallout from letting employees use the Internet," he said.

Traditional defenses, such as firewalls at the gateway or on the desktop, or anti-virus software, aren't adequate, Stiennon claimed. "Network firewalls and AV are doing nothing to stop spyware."Enterprises need to consider anti-spyware tools, but to tell you the truth, it just takes a long time for new technologies to penetrate the business culture."

Webroot markets security tools, including the Spy Sweeper anti-spyware detection and deletion software. In June, it rolled out the first enterprise version of Spy Sweeper.