  • Spyware = Clues for next viral evolution?

    Is Spyware the evolution of the worm/virus?

    Is the following possible, and what kind of threat would it pose?

    1. A program is installed on the user machine using usual spyware trickery
    2. The spyware program begins actively logging keys (passwords etc.), looking for text strings with an '@' symbol, which most likely designates an email address.
    3. The spyware -- equipped with an SMTP engine -- sends an email to the found addresses advertising the same site that infected the initial victim.
    4. The cycle starts all over again..

    A more damaging effect would be to have the spyware delete certain documents/files, or consume memory and physical storage space. It seems a plausible attack since most AV products don't get tripped when spyware attacks a host machine. I realize there are things like spyware appliances, and AV products that do now scan for spyware.

    I am not trying to create this virus, only trying to get opinions on if this type of threat is possible. I look forward to the feedback.
    I saw your mom on myspace!

  • #2
    This is not only possible, but it's actively being used. There was a large bust of folks just a week or so ago that were using spyware to not only harvest email addresses, but also get login credentials for online sites from unknowing users.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



    • #3
      Sup Noid.

      Yeah, I read about that. But up until this point I think spyware hasn't had the ability to propagate to other machines -- has it? My understanding was that spyware was more like a virus. I am imagining it more like a worm.

      I can't believe that spyware is such a problem. I know of a few companies that leave spyware detection and eradication up to the users!
      I saw your mom on myspace!



      • #4
        Originally posted by ciph3r
        Is Spyware the evolution of the worm/virus?
        Noid answered the question, but I'd like to add this:
        No. Spyware is just a subclassification of a "trojan", which exists with a majority of worms and viruses in the superclass called "malware".

        The idea of packaging something undesired with something desired is old. The idea of automating the distribution of other malware (with a virus or worm) is not new either.
        Even using a worm to pass a virus which also carries a worm is not a new concept either.
        Such "blending" is becoming more common each day, and causes conventional classifications of malware to seem in need of an update.

        [Added content:]
        Originally posted by ciph3r
        My understanding was that spyware was more like a virus.
        Nope. More like a trojan. Most spyware out there requires user support to get installed.

        I am imagining -- it more like a worm.
        The payload of a worm or virus can be any other kind of malware. The concept of such combinations is not new.



        • #5
          Originally posted by ciph3r
          Yeah, I read about that. But up until this point I think spyware hasn't had the ability to propagate to other machines -- has it? My understanding was that spyware was more like a virus. I am imagining it more like a worm.
          I think you may be confusing the general definitions of how the three operate.

          Spyware is typically installed by an end user unaware of its presence.

          Viruses typically propagate by attaching themselves to media (floppies) or files (executables, Word documents) and are transferred manually - e.g., sneakernet, as email attachments, etc., anything requiring human intervention.

          Worms are self-replicating and tend to exploit known vulnerabilities in the platforms they're attacking while seeking out further hosts to infect.

          I cant believe that spyware is such a problem.
          I can... Between lax systems administration practices, poor defense against known threats, and overall shoddy OS design, it's actually surprising that the instances of spyware infestation aren't *higher*.

          I know of a few companies that leave spyware detection and eradication up to the users!
          And many, many more that don't even take that level of interest.



          • #6
            What I meant by "spyware is more like a virus" is that a virus doesn't have the means to send itself to other computers -- just like spyware doesn't have any mechanisms (that I have read of in the media) to send itself to other hosts -- yet?

            Cotman: Yeah, I didn't think I had stumbled upon something new. Just wanted to discuss the possibilities with more knowledgeable people.
            I saw your mom on myspace!



            • #7
              Originally posted by ciph3r
              What I meant by "spyware is more like a virus" is that a virus doesn't have the means to send itself to other computers -- just like spyware doesn't have any mechanisms (that I have read of in the media) to send itself to other hosts -- yet?

              Cotman: Yeah, I didn't think I had stumbled upon something new. Just wanted to discuss the possibilities with more knowledgeable people.

              Consider early MS Outlook Express worms that would spread in an automatic way through mail to different Windows machines, and then take random documents and mail them as attachments to random people in address books or snarfed e-mail addresses as found in stored mail.

              Budget projections were leaked, as were HR info and private documents that people never intended to have published. This was, what? 6 years ago when we saw something like this in the wild?

              In this case, you could make a case for a worm that carries spyware (by literal definition of a program that allows others to gain access to information over a network that you don't want them to see..)

              I do not see "new innovation" in the payload of one being another. Something that was innovative was the creation of cross-platform malware. So was the idea of polymorphism.

              To me, repackaging of payloads of malware in malware is as innovative as tunneling one protocol through another protocol in different combination.



              • #8
                Cotman: Great point.

                What made the idea of infection via a malicious webpage is that spyware seems to attack machines without tripping the antivirus product. I know there is software that is behavior based.
                I saw your mom on myspace!



                • #9
                  Originally posted by ciph3r
                  What made the idea of infection via a malicious webpage is that spyware seems to attack machines without tripping the antivirus product. I know there is software that is behavior based.
                  That's the thing, though: spyware doesn't actually attack the machine per se - it generally uses standard installation mechanisms (OS- or application-based) and the user's consent coupled with ignorance to install itself. Partly because of this and partly by definition, antivirus packages aren't meant to detect spyware - with some notable exceptions such as Back Orifice, SubSeven, Netbus, and others. Even taking a heuristic approach to software installation (which is largely what most IPSes are doing these days) isn't a 100% guarantee.



                  • #10
                    Gotcha. I understand the situation a little better now. Thanks to all those who posted.
                    I saw your mom on myspace!



                    • #11
                      Another point worth noting is that "spyware" (a relatively new term used mostly to describe browser-based malicious or unwanted crapware) is almost exclusively a Windows+Internet Explorer phenomenon. There are a few minor examples of spyware being installed by other browsers, but spyware (as usually defined) doesn't exist on any platform other than Windows (to my knowledge, anyway). That makes it like most of the other viruses and worms to date, with the exception of a few (Morris '88, sadmind...). The next evolution in malware can't just be another way to own a Windows system...it will have to be cross platform.

                      This seems to scream that the entire spyware problem (i.e. the industry, its victims, and the costs) is completely due to Microsoft's clueless marriage of web browser and operating system (and other "web-enabled" OS features like Web Agent and WebDAV). Anyone versed in security engineering and/or operating systems will tell you "this is a bad idea", but Microsoft saw the web browser as a unified interface, and that replacing all the old net tools (tin, gopher, ftp, etc.) with it would facilitate mass consumer use of the Internet. The *nixes, most of which had been happily using the Internet for years, wouldn't have dreamed of including a web browser with OS hooks. Mosaic, I miss you so....

                      -g
                      Jesus built my car
                      It’s a love affair
                      Mainly Jesus and my hot rod



                      • #12
                        Luckily I've never caught it, but damned if I don't get a trillion questions about it.

                        I agree with most of the posts above, but never under-estimate "spyware". Recently my predecessor's client's web site was affected from a shared web-hosting vuln, spamming iframes across any file it could get its dirty hands on. From an infected machine.

                        Since that horrific experience I now believe spyware to be viral, sometimes with the oldskool "har har", sometimes malicious, and sometimes "entrepreneurial"

                        Here's how to suck eggs, but .. Spyware began when unethical authors found it difficult to cash in on affiliate spam after huge controversy (e-mail first, then spam sites) and so used other people's sites for a buck or two to propagate spyware that would infect machines to spam across vulnerable open-source script sites. Equally illegal, but equally-taking-2-years-to-create-legislation-and-still-not-prosecuting.

                        Makes me wonder why the Internet went public sometimes
                        "There are those who do the work and those who take the credit. I try to be in the first group, there is less competition there." -- Gandhi



                        • #13
                          Funny (Or Sad -- depending on which OS you run )

                          I just read an article on CNN/Money about a critical flaw in IE that could be used to take control of a user's machine...

                          Microsoft said that vulnerabilities exist in its Internet Explorer Web browser, the most severe of which could allow an attacker to take complete control of an affected computer.

                          An attacker could exploit that vulnerability by luring users to malicious Web pages and running software code on the user's PC resulting in a takeover.

                          *Run for the hills, Or Run Linux :-P
                          I saw your mom on myspace!



                          • #14
                            Originally posted by Grond
                            This seems to scream that the entire spyware problem (i.e. the industry, its victims, and the costs) is completely due to Microsoft's clueless marriage of web browser and operating system (and other "web-enabled" OS features like Web Agent and WebDAV). Anyone versed in security engineering and/or operating systems will tell you "this is a bad idea"
                            -g
                            Indeed. Most mechanisms currently in use seem to me to be completely valid implementations of the hooks available within the framework of the Windows OS and application development toolkits. Malware is an accurate classification. The exploitation of functionality intended to be available; although at a low level.

                            I was just thinking the other day of what havoc, although not immediately apparent, would be seen if someone went after modifications to digital badges and signatures... never need them till you need them, and if they become invalid, synchronizing would be as hugely lame as going to the DMV during peak time. Anyone know how to replace a compromised root certificate after it's been invalidated, other than a wipe/reload?

                            -gh
                            If a chicken and a half, can lay an egg and a half, in a day and a half... how long would it take a monkey, with a wooden leg, to kick the seeds out of a dill pickle?



                            • #15
                              Originally posted by goathead
                              Indeed. Most mechanisms currently in use seem to me to be completely valid implementations of the hooks available within the framework of the Windows OS and application development toolkits. Malware is an accurate classification. The exploitation of functionality intended to be available; although at a low level.

                              I was just thinking the other day of what havoc, although not immediately apparent, would be seen if someone went after modifications to digital badges and signatures... never need them till you need them, and if they become invalid, synchronizing would be as hugely lame as going to the DMV during peak time. Anyone know how to replace a compromised root certificate after it's been invalidated, other than a wipe/reload?

                              -gh
                              If you mean wipe and reload of the certificate and as this is an issue I have recently had to deal with, here you go:

                              Compromised Certification Authority

                              When a CA has been compromised, you must revoke the CA's certificate. Revoking a CA's certificate invalidates the CA and its subordinate CAs, as well as invalidating all certificates issued by the CA and its subordinate CAs. If you discover a compromised CA, perform the following activities as soon as possible:

                              * Revoke the compromised CA's certificate. If the CA has been renewed, revoke all of the CA's certificates only if all related keys have been compromised.
                              * Publish a new CRL containing the revoked CA certificate. Note that client applications can store the CRL until it expires, so you will not see the newly published CRL until the old one expires.
                              * Remove compromised CA certificates from Trusted Root Certification Authorities stores and CTLs.
                              * Notify all affected users and administrators of the compromise and inform them that certificates issued by the affected CAs are being revoked.
                              * Repair whatever led to the compromise.

                              To restore the CA hierarchy, you must deploy new CAs, or renew a CA's certificate and generate a new key to replace the compromised hierarchy. You must then reissue the appropriate certificates to users, computers, and services. Depending on where in the hierarchy the revocation occurred, it could require a new CA hierarchy or only a portion of it.

                              Attributed to Microsoft and can be found at the following URL:

                              http://tinyurl.com/5nkth (note my strong google-fu...)

                              So I think the answer to your question is no there doesn't appear to be any other option. This, obviously is just for Win-based platforms, but would think it would be pretty much SOP for other platforms as well. Damn you Goat! I now have another research topic to add to a growing list. :-)

                              valkyrie that is/r0cketgrl that was

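The third step of that procedure (purging the compromised CA certificate from the trusted stores) as an added PowerShell example; this is not code from the thread or from the Microsoft article, and the thumbprints are placeholders you replace with the fingerprints of the CA certificates you actually revoked.

```powershell
# Added example (not from the thread or the Microsoft article): audit the
# Windows certificate stores for CA certificates you have declared
# compromised, report them, then remove them in a separate, rehearsable step.
# The thumbprints below are placeholders, not real fingerprints.
$CompromisedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_COMPROMISED_ROOT_CA',
    'PLACEHOLDER_THUMBPRINT_OF_COMPROMISED_SUB_CA'
)

# Stores in which a revoked CA cert may still be trusted: root and
# intermediate, for both the machine and the current user.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
            'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA')

function Find-CompromisedCA {
    param([string[]]$Thumbprints, [string[]]$StorePaths)
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store |
            Where-Object { $Thumbprints -contains $_.Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

# Read-only audit first; run this part on its own before touching anything.
$hits = Find-CompromisedCA -Thumbprints $CompromisedThumbprints -StorePaths $Stores
if (-not $hits) {
    Write-Host 'No compromised CA certificates present in the local stores.'
    return
}
$hits | Format-Table -AutoSize

# Removal rehearsal: -WhatIf prints what would be deleted. Drop -WhatIf to
# actually remove (LocalMachine stores need an elevated shell).
foreach ($hit in $hits) {
    Remove-Item -Path (Join-Path $hit.Store $hit.Thumbprint) -WhatIf
}

# Afterwards, confirm the new CRL is really being served and lists the CA:
#   certutil -verify -urlfetch <cert-issued-by-the-revoked-CA.cer>
```

Certificates pushed by Group Policy or the automatic root update will reappear until that distribution is fixed too, so the audit is worth re-running after policy refresh.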
