Oct 31 2006

Spy Wars

Schools are turning to an ever-expanding arsenal of weapons and strategies to fight today’s spyware threat.

Melissa Solomon

Treat your computer as you treat your car. If you replace your aging brakes and tires before they fail, it’ll save you a lot of money and frustration in the long run.

Randy Williams, MIS director at Victoria Independent School District in Victoria, Texas, thought that was a reasonable way to explain why staff and faculty should check regularly for updates to the antivirus and antispyware tools his team had installed during the summer. The response, though, wasn’t what he had imagined.


“A lot of them said they don’t change the oil in their cars, so why should they do maintenance on their computers,” Williams says. “Using the car analogy didn’t seem to catch on.”


With seven technicians managing a 4,500-computer network, it was impossible for Williams’ team to update every machine manually. As a result, they’d wind up with about 35 calls a week from teachers who couldn’t get online to access their Web-based grade books and from staff whose computers wouldn’t even boot up.

The culprit was clear: spyware, stealth software that downloads onto unsuspecting victims’ computers and sends information back to its creators. Spyware can slow computer performance, cause frequent system crashes or, in the case of adware (a category of spyware), produce out-of-control pop-up ads.

Once downloaded, spyware programs are hard to remove because they contain so many pieces, warns spyware researcher Eric Howes, who analyzes antispyware tools and posts the information on SpywareWarrior.com. “They just litter the system with all sorts of files and registry data,” he says. If not cleaned entirely, the programs can resuscitate themselves. “You can have 100 files, and you can remove 99, but if you miss that one, [the spyware problem] comes back.”

Schools are learning very quickly that it takes an arsenal of tools and a lot of due diligence to stem the tide of spyware, including software, end-user education and strict policies.

“Spyware is constantly changing,” warns Peter Firstbrook, an IT security analyst at Gartner, a Stamford, Conn.-based research firm. “This is an arms race.”

All Hands on Deck

Last fall, some unusual traffic patterns appeared on the network at Saint Stephen’s Episcopal School in Bradenton, Fla. Computers were timing out while trying to connect to the Internet. Using a network analysis tool, the school’s three-person technology team discovered that the bulk of the traffic was originating from a computer lab with 21 machines.

Inside the lab, thousands of spyware and adware programs were replicating themselves. One machine was infected with 1,500 spyware programs, recalls David Snodgress, director of technology and media services. The programs were also communicating back and forth with the companies that created them.

His team cordoned off the lab from the rest of the network, and the traffic levels dropped substantially. “We got it fast enough,” Snodgress says. The team cleaned the lab in about a day and a half using Spybot-Search & Destroy and Ad-Aware, two freeware products that detect and remove spyware.

“It was a slow process because no matter how good the spyware or adware [cleaner] is, it always misses something, and then you have to find a manual fix,” Snodgress explains.

One fix involves deleting programs in the directory, but you need to know what you’re doing or you may delete needed files. In many cases, the spyware runs as a process in the operating system, so the infected computers have to be put into safe mode before running the utilities.

Prior to the outbreak, the school had been using spyware detectors, but the definitions hadn’t been updated in a while. “We weren’t paying attention when it happened,” Snodgress admits. “We’ve become a lot more aware of [spyware] because of that.”

Their best guess was that students picked up the spyware from game sites loaded with pop-up ads offering free MP3 downloads. As a result, Snodgress’ team blocked the gaming site category on the school’s content filter and started updating definitions about once every two to three weeks.

Snodgress plans to try a year’s subscription to Symantec’s AntiVirus Corporate Edition. The latest edition, released earlier this year, includes enhanced protection from spyware and adware. He likes the idea of managing the spyware utility centrally, which he can’t do with the freeware tools.

Snodgress says his most successful antispyware strategy has involved implementing the Firefox Web browser from Mozilla Foundation. Many spyware programs were designed to exploit flaws in Internet Explorer, so Snodgress hides all traces of that browser and encourages users to try Firefox instead. However, some Web sites are compatible only with Microsoft browsers, so he hasn’t completely eliminated Internet Explorer from the network. “Internet Explorer’s always there if I need it,” Snodgress adds.

For schools that have standardized on Internet Explorer, the Windows XP Service Pack 2 addresses many of the flaws, and Microsoft has released a free beta antispyware tool for Windows.

Building an Arsenal

Using a variety of tools makes sense, says antispyware analyst Howes. In some cases, new policies or configurations can help. For instance, by creating limited user accounts instead of giving end users administrative privileges, schools can stop spyware in its tracks.

On many networks, users can install software, modify the registry and change settings. “That’s very convenient, but if you can do it, every [piece of] software that gets installed on your computer also can do it,” says Howes.

He suggests tightly configuring firewalls and using automatic software updates. Some schools may even consider a gateway solution, which can help filter out unwanted sites. There are dedicated spyware gateway solutions, but they’re still fairly basic, says Howes.

“No solution is 100 percent,” Howes adds. “You’re always going to need a layered approach.”

Teach the Teachers

Internet surfers encounter limitless temptations, visiting dubious sites and downloading smiley faces, songs or weather reports with reckless abandon. They may even be enticed by ads offering free spyware scans to ensure their computers aren’t infected. Such offers are often a source of spyware.

In October 2004, America Online and the National Cyber Security Alliance, a Washington, D.C.-based nonprofit group that teaches safe online practices, surveyed 329 home users, and 73 percent said they felt their computer was “very safe” or “somewhat safe” from viruses. However, scans of the respondents’ machines found spyware or adware on 80 percent of them.

At Saint Stephen’s, Snodgress has held workshops so staff could look out for signs of spyware, especially in student labs. His team also advises them to use antispyware products if their computers experience problems.

Many people who had thought their computers were just getting old were amazed when spyware scans turned up hundreds or thousands of instances of spyware. When they cleaned them, they’d wind up with like-new computers, says Snodgress.

At Victoria Independent School District, Williams recognizes the value of educating end users, but points out that “teachers want to teach. They don’t want to be messing with their computers.”

Another challenge is that the average age of computers in the Victoria district is six years, and many are still running on Windows 95 and 98.

In the last few years, Williams’ team has focused on getting the infrastructure in place and improving bandwidth so he can centrally perform software installations and upgrades. The district is now in the process of implementing Computer Associates’ eTrust PestPatrol Anti-Spyware for the enterprise, which has centralized management capabilities.

Snodgress thinks that the market will soon get a handle on spyware as we know it today. However, he is convinced this is just the first of many generations. “We’re going to invest a lot of money in spyware-filtering software,” Snodgress predicts, “and then someone’s going to come out with something new that’s going to completely circumvent it.”


1. There’s an increase in bandwidth utilization. Why? Spyware consumes bandwidth by reporting back to the company that developed it.

2. An unfamiliar toolbar appears on your browser, or a URL that you didn’t add is on your favorites list. Spyware programs often change your Web browser settings to encourage you to visit certain sites.

3. When you go online, your computer automatically redirects you to another site. Why? Hijackers, a form of spyware, basically hijack browsers and automatically take users to sites whether they like it or not.

4. You are inundated with pop-up ads. Why? Adware, one of the most common forms of spyware, collects information about users so that advertisers can send them loads of targeted ads.

5. Your computer moves at a noticeably slow pace. Why? Spyware programs tend to replicate themselves, so infected computers wind up with hundreds or thousands of programs that are wasting space on the hard drive and constantly communicating with their developers.


What is it? Definitions vary as to what constitutes spyware, but, generally, it’s any program that’s downloaded onto a computer to collect information about the user without his or her knowledge. Adware is a common form of spyware that collects information about a user’s computing habits to create pop-up ads targeted specifically to that user.

Why should you care? Pop-up ads can get annoying, but there are more malicious forms of spyware that could harm a computer or network. Keystroke loggers or hijackers—two types of spyware—can steal passwords and, in turn, sensitive information. Even the less damaging forms of spyware can take up so much space that they can render a computer useless or zap much-needed network bandwidth.

How can you keep spyware out of your schools? There are several products—some of which are free—that effectively block, detect and clean spyware. Many antivirus companies have recently created spyware plug-ins for their existing products. Firewalls, Web content filters and other tools can help keep schools protected, but one of the most important steps is teaching staff and students to stick to legitimate Web sites and to use caution when surfing the Web, checking e-mails or downloading any type of software.


1. Update spyware detectors continuously. If the definitions are outdated, the detectors can’t block newer spyware.

2. Manage antispyware tools centrally to make it easier to update the tools and send fixes to networked machines.

3. Limit the number of end-user accounts with administrative privileges. The tighter the restrictions on downloads, the harder it is for unwanted programs to wind up on a computer.

4. Tightly configure firewalls so spyware has trouble getting into the network.

5. If you use Microsoft Internet Explorer, upgrade to Windows XP Service Pack 2, which has corrected the flaws in Internet Explorer that have been a major source of spyware problems.

6. Restrict end users from downloading games, free MP3 files, smiley faces, weather bars and other entertaining freeware. These giveaways often come with spyware built in.

7. Stay current on Microsoft service packs.

8. Install or enable pop-up blockers.

9. Use Web filtering software to block common spyware sites.

10. Install a gateway solution to block spyware before it gets inside the network.

Melissa Solomon is a New York City-based freelance journalist who specializes in technology.