Browsers may be spyware's favorite target, but many other applications can fall victim. For example, email can carry spyware in file attachments, or contain embedded URLs for spyware websites. This risk can be reduced by using non-IE viewers when displaying HTML content, using application settings to disable active content and script execution, stripping risky file attachments, and flagging deceptive URLs. Spam filtering can also weed out many dangerous messages before users have an opportunity to get themselves in trouble when reading them.
Finally, spyware and adware do their dirty work by communicating with third parties. Preventing back-channel communication literally renders these programs mute. A DNS black hole resolves host names and domain names that are known to propagate spyware to the loopback address 127.0.0.1, so connections to them never leave the machine. Entries can be added to desktop HOSTS files, DNS servers, or both, using lists maintained by the Bleeding Snort DNS Black Hole project.
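The HOSTS-file variant of this black hole can be sketched as follows. This is an added example, not code from the Bleeding Snort project; the one-name-per-line list format, the marker comments, the function names and the sample host names are all assumptions made for illustration. Each list entry is validated before it is written, so a malformed or tampered list cannot redirect unrelated hosts.

```python
import re

SINKHOLE = "127.0.0.1"
MARK_BEGIN, MARK_END = "# BEGIN spyware-blackhole", "# END spyware-blackhole"  # hypothetical markers
# Strict host name check: a bad list line must not become an arbitrary HOSTS entry
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
PROTECTED = {"localhost", "localhost.localdomain"}

def parse_blocklist(text):
    """Return sorted unique valid host names from a one-name-per-line list (assumed format)."""
    names = set()
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and HOST_RE.match(name) and name not in PROTECTED:
            names.add(name)
    return sorted(names)

def merge_hosts(hosts_text, names):
    """Rewrite only the managed block of a HOSTS file; other entries stay untouched."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == MARK_BEGIN:
            inside = True
        elif line.strip() == MARK_END:
            inside = False
        elif not inside:
            kept.append(line)
    block = [MARK_BEGIN] + [f"{SINKHOLE} {n}" for n in names] + [MARK_END]
    return "\n".join(kept + block) + "\n"

def resolves_to_sinkhole(hosts_text, name):
    """True if the HOSTS text maps name to the loopback sinkhole."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == SINKHOLE and name.lower() in map(str.lower, fields[1:]):
            return True
    return False

# Constructed sample input; .example is a reserved documentation domain
BLOCKLIST = """# constructed sample list
ads.spyware-host.example
Tracker.Spyware-Host.example.   # trailing dot, mixed case
ads.spyware-host.example
localhost
bad entry 10.0.0.1 intranet.example
"""
HOSTS = "127.0.0.1 localhost\n10.0.0.5 fileserver\n"
if __name__ == "__main__":
    print(merge_hosts(HOSTS, parse_blocklist(BLOCKLIST)))
```

Because the managed block is replaced rather than appended to, the merge can be re-run on every list update without accumulating duplicate or stale entries.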
Phase Two: In-Depth Detection
These proactive steps, coupled with persistent patching, list maintenance, and configuration enforcement, can significantly reduce spyware. But prevention is never foolproof. Spyware sites move, users add exceptions, and NonBizWare sneaks in on thumb drives. It is therefore sensible to combine prevention with detection.
Spyware may be harder to classify and eradicate than conventional viruses, but anti-spyware defenses can be deployed in network locations similar to those used for anti-virus: on the desktop, at the network edge, and as a managed service (Figure 2).