Dealing with Adware and Spyware
SECURITY
Lisa Phifer
BUSINESS COMMUNICATIONS REVIEW / AUG 2006

You'll need a hybrid of host- and network-based approaches, as well as the security professional's greatest asset: Constant vigilance.

If early viruses like BubbleBoy and LoveBug make you pine for simpler times, then you are probably waging war against this millennium's far more tenacious foe: The stubborn crop of spyware that now infests three out of four PCs. From pesky adware like BonziBuddy to malicious malware like Trojan-Downloader-Zlob, spyware is literally choking corporate desktops and networks. Responsible for one out of four help desk calls and half of the PC crashes reported to Microsoft, spyware is draining IT resources and business productivity.

Worse, spyware is now morphing from nuisance to nightmare. Those seeking financial gain through spyware have evolved from tracking cookies and intrusive pop-up ads to more selective and insidious methods. For example, drive-by-downloads are installing exploit code onto PCs that merely visit websites, without user interaction. Phishing trojans are monitoring browser activity, waiting to capture identities and credentials during on-line banking transactions. Keyloggers are harvesting sensitive data from victims, violating privacy laws and industry regulations.

Lisa Phifer is an owner and principal consultant at Core Competence, a network security technology consulting firm based in Chester Springs, PA. A 25-year veteran of the networking industry, Lisa has been battling the spyware scourge since 2001. She can be reached at lisa@corecom.com.

FIGURE 1 Cost Of Spyware (A Calculator)
Number of Workstations: 11000
Average Hours to Re-image:
Hourly Value of Employee Time:
Re-image Rate:
Average Cost per Help Desk Call:
Monthly % Chance of Spyware Call:
Total Cost of Spyware:
Source: Webroot

Stamping Out Spyware

Associated business risks are making it impossible for companies to ignore spyware. The Radicati Group projects that anti-spyware spending will grow from $103 million in 2005 to more than $1 billion by 2009. Many companies can justify investment just by reducing spyware remediation cost. Webroot estimates that help desk calls, resurrecting compromised workstations and the resulting down time run about $250 per user, per year (a calculation is shown in Figure 1). Potential return on investment does not end there. Spyware not only slows desktops; it saps worker productivity and hogs bandwidth. According to SurfControl, ISPs find that peer-to-peer spyware programs (e.g., Grokster, KaZaA, Limewire) generate up to 70 percent of network traffic. Spyware that exposes private data may result in embarrassing public disclosure, costly customer notification and compliance violations that bring hefty fines. Spyware is also a popular vector for executing electronic crimes like identity theft and on-line fraud. In one well-publicized case, 22 Israelis were arrested for using spyware to commit corporate espionage. While data theft costs are notoriously difficult to quantify, the gravity of such incidents cannot be denied. Business consequences are already significant, and will continue to escalate as spyware grows more virulent.

Unfortunately, defeating spyware is harder than evading conventional viruses. Spyware is any potentially-unwanted program that makes undesirable changes to your computer and/or collects information about user activities, without consent, usually for financial gain. That definition may be fine in the abstract, but making concrete decisions about which programs are really spyware can be difficult.

• Annoying Adware—Many programs monitor activity, but when does that become a breach of privacy? Cookies retain personal information—usernames, passwords, preferences—so that websites can improve user experience. But some cookies share tracking data with third parties that deliver pop-ups and banner ads; those installed without user consent are called adware cookies. And then there are programs like WeatherBug and SurfSideKick that display sponsor ads while they run. Such adware programs may or may not obtain consent to track and share personal data through end user license agreements—which most users simply accept without reading.

• Nebulous NonBizWare—Many workers install non-business software on corporate PCs, from IM and softphones to multi-user games and peer-to-peer file sharing. Beyond reducing productivity, NonBizWare establishes communication "back channels" that could be exploited to penetrate or attack a corporate network. NonBizWare may also expose employers to legal liability associated with distribution of copyrighted music, pirated software and pornographic material. Therefore, even though NonBizWare may not "spy" on users, many anti-spyware solutions treat these potentially-unwanted programs as another form of spyware.

• Menacing Malware—A growing percentage of spyware is malicious software intended to damage a computer, steal data, or create an attack platform. For example, browser hijackers like CoolWebSearch_xplugin change home pages, redirect Web searches, and misdirect URLs to phishing pages and pay-to-play search engines. Keyloggers like SpyBuddy record document edits, email, instant messages, chat room conversations and Web form responses by relaying user keystrokes to remote attackers. Botnets use worms or trojans to plant drones like SoberQ that listen for IRC commands instructing them to relay spam or join DDoS attacks. Trojan downloaders like Zlob and Wstart hide in attachments and downloads, opening back doors through which other programs can be remotely installed. Rootkits like NTRootKit are trojans that operate as hidden system files, letting attackers gain unrestricted access to a "rooted" computer. And the list goes on. Unlike adware and NonBizWare, there is little room for interpretation here: Malware rarely belongs on any system.

• Rogue Anti-Spyware—Finally, spyware itself has created an opportunity for rogue anti-spyware—programs like SpyAxe, Winhound, and SpyTrooper that use pop-up ads and scare tactics to convince users to download phony anti-spyware programs. When executed, many of these rogues generate "false positive" warnings that hound users into purchasing clean-up programs or paid feature licenses.

These are but a few of thousands of pieces of code congregating under the spyware umbrella. They illustrate that spyware is extremely diverse in delivery method, installed behavior and potential impact. These characteristics make spyware challenging to detect, and even more challenging to mitigate. In short, spyware is a complex threat that is most effectively addressed through multi-phase, multi-layered defenses.

Phase One: Proactive Prevention

The old adage, "An ounce of prevention is worth a pound of cure" certainly applies to spyware. Once spyware has been installed on a host, it can be extremely difficult to return that host to a trustworthy state. Efficient spyware defense starts with proactive steps intended to circumvent popular delivery methods.

Spyware has a penchant for social engineering—from tricking users into clicking on fake pop-ups to bundling trojans with enticing shareware. We cannot depend on users to "do the right thing," but we can still benefit from spyware education. Many on-line resources exist, including StopBadWare.org, StaySafeOnline.org, CERT Cyber Security Tip ST04-016, and knowledge bases published by reputable anti-spyware vendors. But take care to avoid rogue anti-spyware—see www.spywarewarrior.com/rogue_anti-spyware.htm.

Spyware often makes its way onto a desktop through a Web browser. Secure browser configuration can help to stop hijackers and drive-by downloads. ActiveX controls are a spyware favorite; disabling unsigned ActiveX is a simple but valuable step. Disabling Java applets can also be helpful, but more likely to cripple legitimate websites. These and other browser configuration tips can be found online, including http://cybercoyote.org/security/browsers.shtml. Companies should disable user prompting, enforcing active content and plug-in settings with a desktop management tool like Active Directory Group Policy Objects.

Many adware cookies and browser hijackers can be neutralized by configuring browser Privacy settings to disable third-party cookies and block pop-ups. Exceptions can be made for legitimate websites that require these features to operate correctly, preferably by importing a company-defined list of permitted sites. Pop-up blockers are freely available from many sources, including the Windows XP SP2 upgrade for Internet Explorer and the Google Toolbar.

Use Internet Explorer's Restricted Site Zone (or equivalent features in other browsers) to block access to known adware and spyware sites. But do not attempt to populate this list manually. Instead, use a tool like JavaCool SpywareBlaster to configure this banned site list, and update that list regularly as new sites emerge.

Many spyware programs need administrative rights to install themselves, overwrite OS files or disable security measures in an effort to evade detection. Those threats can be crippled or neutralized by browsing the

or contain embedded URLs for spyware websites. This risk can be reduced by using non-IE viewers when displaying HTML content, using applica-

It is necessary to
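The browser-hardening steps above (a company-defined banned-site list mapped into Internet Explorer's Restricted Sites zone, and unsigned ActiveX disabled rather than prompted for) can be scripted for a workstation. The following PowerShell script is an added example; it is not code from the article, from SpywareBlaster or from any vendor. It writes the documented per-user IE ZoneMap and Zones registry locations; the function names, the sample list format and the .test host names in it are constructed for illustration.

```powershell
# Added example (not from the article or any vendor): apply two browser-hardening
# steps to Internet Explorer for the current user:
#   1. map a company-defined list of banned domains into the Restricted Sites zone
#      (the same ZoneMap mechanism list-management tools rely on), and
#   2. disable, rather than prompt for, downloading of unsigned ActiveX controls
#      in the Internet zone.
# Registry paths are the documented IE ZoneMap/Zones locations; the list below and
# the helper names are constructed for this example.

$ZoneMapDomains  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$InternetZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$RestrictedZone  = 4       # IE zone ids: 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
$UrlActionUnsignedActiveX = '1004'   # "Download unsigned ActiveX controls": 0 = enable, 1 = prompt, 3 = disable

# Constructed stand-in for the company-defined banned-site list (one host per line,
# '#' starts a comment). In practice this is imported from a maintained file or feed.
$BannedSiteList = @'
# constructed sample list; these are placeholder hosts, not real spyware sites
example-adware.test
ads.example-hijacker.test
www.example-rogue-antispyware.test
'@

function ConvertTo-ZoneMapKeyPath {
    # ZoneMap stores "ads.example.test" as Domains\example.test\ads: the registrable
    # domain is the key and any subdomain prefix becomes a subkey beneath it.
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.Trim().ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { throw "Not a usable host name: '$HostName'" }
    $parent = ($labels[-2..-1]) -join '.'
    if ($labels.Count -eq 2) { return (Join-Path $ZoneMapDomains $parent) }
    $prefix = ($labels[0..($labels.Count - 3)]) -join '.'
    return (Join-Path (Join-Path $ZoneMapDomains $parent) $prefix)
}

function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$HostName)
    $HostName = $HostName.Trim().ToLowerInvariant()
    # Accept only plain host names; a line carrying a scheme, path or wildcard is
    # skipped so a malformed list entry cannot create a stray registry key.
    if ($HostName -notmatch '^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]+$') {
        Write-Warning "Skipping malformed entry '$HostName'"
        return $false
    }
    $key = ConvertTo-ZoneMapKeyPath -HostName $HostName
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    # A value named '*' applies the zone to every scheme (http, https, ...).
    New-ItemProperty -LiteralPath $key -Name '*' -Value $RestrictedZone -PropertyType DWord -Force | Out-Null
    return $true
}

function Import-BannedSiteList {
    # Feed each non-comment line of the list to Add-RestrictedSite; returns the count mapped.
    param([Parameter(Mandatory)][string]$ListText)
    $added = 0
    foreach ($line in ($ListText -split "`r?`n")) {
        $entry = ($line -replace '#.*$', '').Trim()
        if ($entry -eq '') { continue }
        if (Add-RestrictedSite -HostName $entry) { $added++ }
    }
    return $added
}

function Disable-UnsignedActiveXDownload {
    # Disable (3) instead of prompt (1): the decision is not left to the user.
    if (-not (Test-Path -LiteralPath $InternetZoneKey)) { New-Item -Path $InternetZoneKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $InternetZoneKey -Name $UrlActionUnsignedActiveX -Value 3 -Type DWord
}

function Get-RestrictedSiteMappings {
    # Audit check: list every ZoneMap entry currently assigned to the Restricted zone,
    # rebuilding the host name from the key path (Domains\example.test\ads -> ads.example.test).
    if (-not (Test-Path -LiteralPath $ZoneMapDomains)) { return }
    Get-ChildItem -LiteralPath $ZoneMapDomains -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            if ($key.GetValue($valueName) -eq $RestrictedZone) {
                $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + '\Domains\'.Length)
                $parts = $rel.Split('\')
                [array]::Reverse($parts)
                [pscustomobject]@{ Host = ($parts -join '.'); Scheme = $valueName }
            }
        }
    }
}

$mapped = Import-BannedSiteList -ListText $BannedSiteList
Disable-UnsignedActiveXDownload
Write-Host "Mapped $mapped host(s) to the Restricted Sites zone."
Get-RestrictedSiteMappings | Format-Table -AutoSize
```

The script changes only the current user's profile, which is fine for a test on one workstation; to enforce the same settings across a company, push the equivalent values through Group Policy as the article recommends, and re-run the list import on every update of the banned-site feed so newly discovered sites are covered.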