
SECURITY Dealing With And

Lisa Phifer

BUSINESS COMMUNICATIONS REVIEW / AUG 2006

You'll need a hybrid of host- and network-based approaches, as well as the security professional's greatest asset: Constant vigilance.

Lisa Phifer is an owner and principal consultant at Core Competence, a technology consulting firm based in Chester Springs, PA. A 25-year veteran of the networking industry, Lisa has been battling the spyware scourge since 2001. She can be reached at lisa@corecom.com.

If early viruses like BubbleBoy and LoveBug make you pine for simpler times, then you are probably waging war against this millennium's far more tenacious foe: The stubborn crop of spyware that now infests three out of four PCs. From pesky adware like BonziBuddy to malicious code like Trojan-Downloader-Zlob, spyware is literally choking corporate desktops and networks. Responsible for one out of four help desk calls and half of reported PC crashes, spyware is draining IT resources and business productivity.

Worse, spyware is now morphing from nuisance to nightmare. Those seeking financial gain through spyware have evolved from tracking cookies and intrusive pop-up ads to more selective and insidious methods. For example, drive-by downloads are installing exploit code onto PCs that merely visit websites, without user interaction. Trojans are monitoring browser activity, waiting to capture identities and credentials during on-line banking transactions. Keyloggers are harvesting sensitive data from victims, violating laws and industry regulations.

Stamping Out Spyware

Associated business risks are making it impossible for companies to ignore spyware. The Radicati Group projects that anti-spyware spending will grow from $103 million in 2005 to more than $1 billion by 2009. Many companies can justify investment just by reducing spyware remediation cost. Estimates put the cost of help desk calls, resurrecting compromised workstations and the resulting down time at about $250 per workstation, per year (see the calculator in Figure 1, based on Webroot data).

Potential return on investment does not end there. Spyware not only slows desktops; it saps worker productivity and hogs bandwidth. According to SurfControl, ISPs find that peer-to-peer file-sharing spyware programs (e.g., Grokster, Limewire) generate up to 70 percent of network traffic. Spyware that exposes private data may result in embarrassing public disclosure, costly customer notification and compliance violations that bring hefty fines. Spyware is also a popular tool for executing electronic crimes like identity theft and on-line fraud. In one well-publicized case, 22 Israelis were arrested for using spyware to commit corporate espionage. While data theft costs are notoriously difficult to quantify, the gravity of such incidents cannot be denied. Business consequences are already significant, and will continue to escalate as spyware grows more virulent.

Unfortunately, defeating spyware is harder than evading conventional viruses. Spyware is any potentially-unwanted program that makes undesirable changes to your computer and/or collects information about user activities, without consent, usually for financial gain. That definition may be fine in the abstract, but making concrete decisions about which programs are really spyware can be difficult.

FIGURE 1 Cost Of Spyware (A Calculator)
Number of Workstations: 11000
Average Hours to Re-image:
Hourly Value of Employee Time:
Re-image Rate:
Average Cost per Help Desk Call:
Monthly % Chance of Spyware Call:
Total Cost of Spyware:
Source: Webroot

• Annoying Adware—Many programs monitor activity, but when does that become a breach of privacy? Cookies retain personal information—usernames, preferences—so that websites can improve user experience. But some cookies share tracking data with third parties that deliver pop-ups and banner ads; those installed without user consent are called adware cookies. And then there are programs like WeatherBug and SurfSideKick that display sponsor ads while they run. Such adware programs may or may not obtain consent to track and share personal data through end user license agreements—which most users simply accept without reading.

• Nebulous NonBizWare—Many workers install non-business software on corporate PCs, from IM and softphones to multi-user games and peer-to-peer file sharing. Beyond reducing productivity, NonBizWare establishes communication "back channels" that could be exploited to penetrate or attack a corporate network. NonBizWare may also expose employers to legal liability associated with distribution of copyrighted music, pirated software and pornographic material. Therefore, even though NonBizWare may not "spy" on users, many anti-spyware solutions treat these potentially-unwanted programs as another form of spyware.

• Menacing Malware—A growing percentage of spyware is malicious software intended to damage a computer, steal data, or create an attack platform. For example, browser hijackers like CoolWebSearch_xplugin change home pages, redirect Web searches, and misdirect URLs to phishing pages and pay-to-play search engines. Keyloggers like SpyBuddy record document edits, email, instant messages, chat room conversations and Web form responses by relaying user keystrokes to remote attackers. Worms or trojans are used to plant drones like SoberQ that listen for IRC commands instructing them to relay spam or join DDoS attacks. Trojan downloaders like Zlob and Wstart hide in attachments and downloads, opening back doors through which other programs can be remotely installed. Rootkits like NTRootKit are trojans that operate as hidden system files, letting attackers gain unrestricted access to a "rooted" computer. And the list goes on. Unlike adware and NonBizWare, there is little room for interpretation here: Malware rarely belongs on any system.

• Rogue Anti-Spyware—Finally, spyware itself has created an opportunity for rogue anti-spyware—programs like SpyAxe, Winhound, and Spy Trooper that use pop-up ads and scare tactics to convince users to download phony anti-spyware programs. When executed, many of these rogues generate "false positive" warnings that hound users into purchasing clean-up programs or paid feature licenses.

These are but a few of thousands of pieces of code congregating under the spyware umbrella. They illustrate that spyware is extremely diverse in delivery method, installed behavior and potential impact. These characteristics make spyware challenging to detect, and even more challenging to mitigate. In short, spyware is a complex threat that is most effectively addressed through multi-phase, multi-layered defenses.

Phase One: Proactive Prevention

The old adage, "An ounce of prevention is worth a pound of cure," certainly applies to spyware. Once spyware has been installed on a host, it can be extremely difficult to return that host to a trustworthy state. Efficient spyware defense starts with proactive steps intended to circumvent popular delivery methods.

Spyware has a penchant for social engineering—from tricking users into clicking on fake pop-ups to bundling trojans with enticing shareware. We cannot depend on users to "do the right thing," but we can still benefit from spyware education. Many on-line resources exist, including StopBadWare.org, StaySafeOnline.org, CERT Cyber Security Tip ST04-016, and knowledge bases published by reputable anti-spyware vendors. But take care to avoid rogue anti-spyware—see www.spywarewarrior.com/rogue_anti-spyware.htm.

Spyware often makes its way onto a desktop through the browser. Secure browser configuration can help to stop hijackers and drive-by downloads. ActiveX controls are a spyware favorite; disabling unsigned ActiveX is a simple but valuable step. Disabling Java applets can also be helpful, but is more likely to cripple legitimate websites. These and other browser configuration tips can be found online, including http://cybercoyote.org/security/browsers.shtml. Companies should disable user prompting, enforcing active content and plug-in settings with a desktop management tool like Active Directory Group Policy Objects.

Many adware cookies and browser hijackers can be neutralized by configuring browser Privacy settings to disable third-party cookies and block pop-ups. Exceptions can be made for legitimate websites that require these features to operate correctly, preferably by importing a company-defined list of permitted sites. Pop-up blockers are freely available from many sources, including the Windows XP SP2 upgrade for Internet Explorer and the Google Toolbar.

Use Internet Explorer's Restricted Sites Zone (or equivalent features in other browsers) to block access to known adware and spyware sites. But do not attempt to populate this list manually. Instead, use a tool like JavaCool SpywareBlaster to configure this banned site list, and update that list regularly as new sites emerge.

Many spyware programs need administrative rights to install themselves, overwrite OS files or disable security measures in an effort to evade detection. Those threats can be crippled or neutralized by browsing the Web from a Least-Privileged User Account (LUA). Never browse the Web as administrator. If you must, use a free tool like Microsoft DropMyRights to downgrade privileges when launching your browser (or any other Internet application).

A significant percentage of spyware has been designed specifically to exploit Internet Explorer features or vulnerabilities. Diligent patching can make a big difference, as can upgrading to a newer version of IE. Security improvements found in IE version 7 include ActiveX opt-in, a "No Add-Ons" mode, a "Fix My Settings" option, and better protection from cross-domain scripting attacks. Or consider using an alternative browser for general Web surfing, reserving IE for known/trusted sites that do not work well otherwise. Alternative browsers may be a less popular spyware target, but they still require secure configuration and patching.

Browsers may be spyware's favorite target, but many other applications can fall victim. For example, email can carry spyware in file attachments, or contain embedded URLs for spyware websites. This risk can be reduced by using non-IE viewers when displaying HTML content, using application settings to disable active content and script execution, stripping risky file attachments, and flagging deceptive URLs. Spam filtering can also weed out many dangerous messages before users have an opportunity to get themselves in trouble when reading them.

Finally, spyware and adware do their dirty work by communicating with third parties. Preventing back-channel communication literally renders these programs mute. DNS black holes can be used to resolve host names and domain names that are known to propagate spyware to the loopback address 127.0.0.1. Entries can be added to desktop hosts files, DNS servers, or both, using lists maintained by the Bleeding Snort DNS Black Hole project.

Phase Two: In-Depth Detection

These proactive steps, coupled with persistent patching, list maintenance, and configuration enforcement, can significantly reduce spyware. But prevention is never foolproof. Spyware sites move, users add exceptions, and NonBizWare sneaks in on thumb drives. It is therefore sensible to combine prevention with detection.

Spyware may be harder to classify and eradicate than conventional viruses, but anti-spyware defenses can be deployed in network locations similar to those used for anti-virus: on the desktop, at the network edge, and as a managed service (Figure 2).

FIGURE 2 Layered Defense
Threats: Adware, NonBizWare, Spyware Sites, Keyloggers, Trojan Downloaders, Rootkits...
Network Anti-Spyware Appliance: block HTTP requests to spyware sites; filter responses for banned objects; scan messages for spyware signatures; enforce anti-spyware policies; block spyware back-channels.
Desktop Anti-Spyware Programs (stand-alone or agent): use on-demand scans and real-time monitoring to disable risky requests and content, block cookies and pop-ups, and detect and quarantine/delete spyware objects.
Desktop Anti-Spyware Server: centrally define desktop anti-spyware policies, initiate desktop audits, and monitor desktop anti-spyware agents.

• Desktop Anti-Spyware—Many host-resident anti-spyware programs are available as consumer packages or enterprise solutions. Features vary, but most provide start-up scans, on-demand scans, and real-time memory/file/application monitors. On-demand scans can provide periodic audits, but real-time monitoring is essential to avoid complicated cleanup. Fortunately, anti-spyware has evolved from spotting consequences to quarantining spyware before damage is done.

Anti-spyware programs have long detected potentially-unwanted changes to cookies, registry keys, hosts files, browser zones and running services—signs that spyware is being installed. Some anti-spyware programs can block activities that presage spyware installation, like suspicious ActiveX execution and program installation. Most anti-spyware programs use signatures to compare Web and other application objects to thousands of known culprits, preventing installation of NonBizWare, keyloggers, trojans and worms. To keep up with new spyware that morphs, behavior-based detection is being added to some anti-spyware programs. And to detect evasive threats like rootkits, anti-spyware programs have also started to monitor activity with lower-level drivers.

Anti-spyware options like scan location/depth and exclusions can be helpful—for example, ignoring an IM client used for business or your own website's adware cookies. Most anti-spyware programs keep a local log of detection results, with hot links to spyware definitions, ratings and advice. However, anti-spyware programs may or may not provide automated spyware removal (see the section on "Remediation").

Some consumer anti-spyware programs provide free scanning, but require a paid license to activate advanced features. Because spyware detection varies, running more than one program can be useful, and combining a paid program with free tools is common. Freely-available consumer anti-spyware programs are available from many sources, including Windows Defender, SpyBot-S&D and WinPatrol.

Why spring for a commercial desktop anti-spyware program? Vendors that offer both free and commercial anti-spyware tend to reserve the most valuable features—notably real-time monitoring and automated removal—for paid customers. Moreover, SMBs and enterprises require features that are absent in consumer anti-spyware programs:

Businesses should look for centralized policy definition, including the ability to customize scan depth, permitted exclusions, prohibited NonBizWare, quarantine/delete actions, signature updates and audit schedules. Larger enterprises may prefer group-based policies that can apply different lists and schedules to regular users, administrators and high-value systems.

Enforce centrally-managed policies with configuration locks, preventing users from adding their own exceptions or disabling spyware protection. However, some exceptions may be necessary for employees to do their jobs. For best results, choose a policy engine that lets you selectively permit end user changes, but disable end user prompting except where required to meet business needs.

Businesses may also need real-time monitoring and historical reporting features that let administrators identify where and when spyware has been encountered, and the steps that were taken to automatically remediate it. Look for threat assessment aids, like the ability to single out un-remediated hosts and filter by spyware type/severity.

Larger enterprises should also consider scalability, including server/database platform requirements, hierarchical/group views, update distribution, integration with enterprise desktop and network management systems, and cost per desktop.

Enterprise anti-spyware solutions available today include Computer Associates eTrust Pest Patrol, eSoft Desktop Anti-Spyware, Futuresoft DynaComm i:scan, Lavasoft Ad-Aware Enterprise, McAfee Anti-Spyware Enterprise, Shavlik NetChk Spyware, Sunbelt CounterSpy Enterprise, SurfControl Enterprise Threat Shield, Tenebril Spy Catcher Enterprise, Trend Micro Anti-Spyware Enterprise and Webroot Spy Sweeper Enterprise.

• Network Anti-Spyware—A healthy crop of anti-spyware appliances has emerged to complement desktop anti-spyware. Stopping spyware at network trust boundaries avoids over-dependence on desktop defenses. Network appliances let you uniformly enforce anti-spyware policies on all users, including contractors and visitors. When a new threat emerges, or you decide to permit business use of a P2P program, anti-spyware appliances can apply the modified policy immediately. Appliances provide a single point for spyware quarantine, reducing the risk of desktop infection and costly clean-up. Finally, anti-spyware appliances are less likely to fall victim to spyware, like malware that tries to disable desktop security programs.

However, network anti-spyware is no panacea. As with any perimeter defense, anti-spyware appliances cannot stop installation of spyware that originates inside the network (e.g., NonBizWare installed from a USB stick). Network-based solutions must balance security and performance to avoid becoming bottlenecks. They may not excel at making per-user exceptions or desktop remediation. Finally, network anti-spyware cannot protect laptop users when they work (and surf the Web) remotely.

Combining desktop and network anti-spyware creates a layered defense that is more robust and resilient than either would be alone. In fact, some vendors offer both solutions, leveraging common components like management tools and signature databases.

What functions can you expect from an anti-spyware appliance?

• A network appliance is a convenient place to filter outbound HTTP requests, blocking installer downloads, known spyware URLs, and black-listed domains.

• A network appliance can also strip active content from HTTP responses, including ActiveX controls, Java applets, scripts and banned S/MIME types.

• After filters are enforced, an appliance may use signatures to scan inbound application payloads, quarantining suspicious data objects.

• A network appliance may also block adware and spyware back channels, including P2P protocols like ICQ and malware that sneaks out on port 80.

Some anti-spyware appliances operate as Web proxies with the ability to scan SSL-encrypted HTTP (e.g., Finjan Vital Security Web Appliance, Blue Coat SG). Some watch for standard protocol deviations, vulnerabilities and associated exploits (e.g., Aladdin eSafe Gateway). Some appliances focus on spyware (e.g., 8e6 R3000 Enterprise Filter), while others combine anti-spyware with many other network defenses (e.g., eSoft Threatwall). Finally, many anti-spyware appliances operate as in-line gateways (e.g., FaceTime RTGuardian, McAfee Secure Web Gateway), but some offer out-of-band spyware detection (e.g., Mi5 Enterprise SpyGate).

• Anti-Spyware Services—Managed security services are generally aimed at those short on IT staff, security expertise, and capital. As spyware concerns grow, new managed anti-spyware services are expected to emerge for individuals and businesses.

Windows Live OneCare illustrates this trend at the desktop. OneCare Protection Plus is a subscription-based managed security service that combines desktop anti-spyware, anti-virus, and firewall defenses. OneCare primarily targets individual consumers, but can also be used by small businesses that prefer not to configure, monitor, or maintain desktop security programs. Other vendors have also announced subscription-based desktop security services that will include anti-spyware, notably McAfee Falcon and the Symantec service known as Genesis.

At the network edge, providers that deliver CPE-based managed security services are adding anti-spyware. Many already wrap expert provisioning, 24/7 NOC monitoring, threat assessment and incident response around multi-function security appliances from vendors like McAfee, Trend Micro, SonicWALL and WatchGuard. Providers can spin anti-spyware modules for these and other security appliances into new anti-spyware offerings, accompanied by professional services like spyware remediation.

Phase Three: Rigorous Remediation

Spyware prevention and detection can reduce the need for remediation, but hosts that are already infested with spyware must be cleansed before applying prophylactic measures.

Relatively benign threats like adware cookies and NonBizWare programs can often be removed manually without difficulty. Temporary files, browser caches, cookies, and play-by-the-rules programs can be deleted with standard desktop tools like Disk Cleanup and Add/Remove Programs. Unfortunately, removing more tenacious adware, bots and trojans without crippling the host can be very tricky. Malware that morphs to elude detection can affect each host in a slightly different fashion. Rootkits are especially tough to scrub because they replace OS files and use hidden processes.

As a result, malicious spyware removal is not for the faint of heart. Vendor knowledge bases and public forums like CastleCops offer manual spyware removal advice, but most businesses should rely on automated clean-up using desktop anti-spyware programs. In addition to real-time quarantine, some anti-spyware products include roll-back/restore capabilities that can recover critical files over-written by spyware. On Windows XP SP2 hosts, Microsoft's Malicious Software Removal Tool (MSRT) can be used to delete the most prevalent malware.

When spyware removal fails or produces questionable results, rebuilding the desktop can be required for recovery to a trustworthy state. For companies that already maintain standard desktop images and regular data backups, re-imaging may be time-consuming but tolerable. Others may find repeated spyware remediation costly enough to justify investment in the aforementioned practices, reaping benefits beyond spyware relief. Those without previously-saved desktop images may find themselves with little choice but to disconnect the infested host from the Internet, quickly back up critical data to CD, reformat hard disks, and reinstall the operating system and applications from scratch.

Alternatively, some experts recommend browsing the Web from virtual machines (e.g., VMware Workstation, Microsoft Virtual PC). This kind of "sandboxing" can insulate your real operating system, letting spyware damage be undone simply by discarding the compromised virtual machine. Those who routinely use virtual machines for other reasons (e.g., software development and testing) may find this approach very helpful.
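Figure 1 names the inputs of a spyware cost calculator but not its formula. The following is an added example, not the article's or Webroot's code: it implements one plausible formula over those inputs (reading "Re-image Rate" as the fraction of workstations re-imaged per year is an assumption) and answers the break-even question raised under "Stamping Out Spyware", namely how much per desktop an anti-spyware product may cost before remediation savings alone stop justifying it.

```python
"""Annual cost of spyware and anti-spyware break-even, per desktop.

Added example (not the article's or Webroot's): it uses the inputs named
in Figure 1. The article gives no formula, so the one below is an
assumption, as is reading "Re-image Rate" as the fraction of
workstations that must be re-imaged in a year.
"""
from dataclasses import dataclass


@dataclass
class SpywareCostInputs:
    workstations: int              # Number of Workstations
    hours_to_reimage: float        # Average Hours to Re-image
    hourly_employee_value: float   # Hourly Value of Employee Time ($)
    reimage_rate: float            # Re-image Rate, 0..1 per year (assumed meaning)
    cost_per_helpdesk_call: float  # Average Cost per Help Desk Call ($)
    monthly_call_chance: float     # Monthly % Chance of Spyware Call, as 0..1


def annual_spyware_cost(c: SpywareCostInputs) -> dict:
    """Return the yearly cost components and the per-workstation total."""
    if c.workstations <= 0:
        raise ValueError("need at least one workstation")
    # Help desk: each workstation has an independent monthly chance of a call.
    helpdesk = c.workstations * c.monthly_call_chance * 12 * c.cost_per_helpdesk_call
    # Re-imaging: employee time lost while a workstation is rebuilt.
    reimage = (c.workstations * c.reimage_rate
               * c.hours_to_reimage * c.hourly_employee_value)
    total = helpdesk + reimage
    return {"helpdesk": helpdesk, "reimage": reimage, "total": total,
            "per_workstation": total / c.workstations}


def breakeven_spend_per_desktop(c: SpywareCostInputs,
                                incident_reduction: float) -> float:
    """Largest yearly anti-spyware spend per desktop that remediation
    savings alone repay, if the product cuts spyware incidents by
    incident_reduction (0..1). Spend above this needs the other
    justifications the article lists (productivity, bandwidth, compliance)."""
    if not 0.0 <= incident_reduction <= 1.0:
        raise ValueError("incident_reduction must be between 0 and 1")
    return annual_spyware_cost(c)["per_workstation"] * incident_reduction


if __name__ == "__main__":
    # Constructed sample inputs; Figure 1 only shows a workstation count.
    sample = SpywareCostInputs(workstations=1000, hours_to_reimage=4.0,
                               hourly_employee_value=40.0, reimage_rate=0.25,
                               cost_per_helpdesk_call=30.0,
                               monthly_call_chance=0.15)
    cost = annual_spyware_cost(sample)
    print(f"Total cost of spyware: ${cost['total']:,.0f} "
          f"(${cost['per_workstation']:,.2f} per workstation per year)")
    print(f"Break-even spend at 80% fewer incidents: "
          f"${breakeven_spend_per_desktop(sample, 0.8):,.2f} per desktop")
```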
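The DNS black hole described at the end of Phase One, as an added example that is not from the article or the Bleeding Snort DNS Black Hole project: it merges 127.0.0.1 entries for a block list into hosts-file text, refreshes them on re-run without leaving duplicates, flags names that already map elsewhere instead of overwriting them (the hosts file is itself a hijacker target), and checks whether a name is sinkholed. The host names are constructed placeholders under the reserved .test domain.

```python
"""DNS black hole entries for a desktop hosts file.

Added example, not from the article or the Bleeding Snort DNS Black Hole
project: merges loopback (127.0.0.1) entries for a block list into hosts
file text, refreshes them without duplicates, and reports whether a name
is sinkholed. Host names below are constructed placeholders under the
reserved .test domain, not real spyware sites.
"""
import ipaddress
from typing import Dict, Iterable

SINKHOLE = "127.0.0.1"            # loopback address, as in the article
MARKER = "# spyware-blackhole"    # tags our lines so they can be refreshed

# Constructed sample block list (one duplicate and one mixed-case name on purpose).
SAMPLE_BLOCKLIST = [
    "adware-tracker.example.test",
    "Trojan-Downloader.example.test",
    "adware-tracker.example.test",
]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to the first address listed for it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # malformed line: skip it rather than fail the whole file
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping


def merge_blackhole(existing: str, blocklist: Iterable[str]) -> str:
    """Return hosts text with one loopback line per blocked name.

    Lines tagged with MARKER are dropped first, so re-running with an
    updated list replaces the old entries instead of appending duplicates.
    A name that already maps elsewhere is flagged, not overwritten: a
    hosts file is itself a hijacker target and deserves a human look.
    """
    kept = [ln for ln in existing.splitlines() if MARKER not in ln]
    current = parse_hosts("\n".join(kept))
    out = list(kept)
    for name in sorted({n.strip().lower() for n in blocklist if n.strip()}):
        addr = current.get(name)
        if addr is None:
            out.append(f"{SINKHOLE}\t{name}\t{MARKER}")
        elif addr != SINKHOLE:
            out.append(f"# CONFLICT: {name} already maps to {addr}, review manually {MARKER}")
    return "\n".join(out) + "\n"


def is_sinkholed(hosts_text: str, name: str) -> bool:
    """True if the name resolves to a loopback address via this hosts text."""
    addr = parse_hosts(hosts_text).get(name.lower())
    return addr is not None and ipaddress.ip_address(addr).is_loopback


if __name__ == "__main__":
    # Constructed starting hosts file; a real run would read
    # %SystemRoot%\System32\drivers\etc\hosts (Windows) or /etc/hosts.
    base = "127.0.0.1 localhost\n10.0.0.5 intranet.example.test\n"
    merged = merge_blackhole(base, SAMPLE_BLOCKLIST)
    print(merged)
    print("sinkholed:", is_sinkholed(merged, "trojan-downloader.example.test"))
```

The same block list can feed a DNS server's zone configuration; the article's point is that either location silences the back channel.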

Conclusion

Fighting spyware may seem like an uphill battle, but it is a campaign that most of us have little choice but to wage. Over a 15-month period, Microsoft's MSRT alone removed 16 million instances of malicious software from 5.7 million computers, 62 percent of which housed at least one trojan. Even the most computer- and security-savvy Internet users occasionally fall victim to spyware. Given the financial gain that drives spyware, these pests will undoubtedly continue to proliferate. For spyware, the best defense is a strong offense: taking reasonable steps to prevent and detect spyware can reduce your risk of compromise and your need for expensive remediation.

Companies Mentioned In This Article

8e6 Technologies (www.8e6.com)
Aladdin (www.aladdin.com)
Bleeding Snort DNS Black Hole project (www.bleedingsnort.com/blackhole-dns/)
Blue Coat (www.bluecoat.com)
CastleCops (wiki.castlecops.com/PIRT)
CERT (www.cert.org)
Computer Associates (www.ca.com)
eSoft (www.esoft.com)
FaceTime (www.facetime.com)
Finjan (www.finjan.com)
Futuresoft (www.futuresoft.com)
Google (www.google.com)
Lavasoft (www.lavasoft.com)
McAfee (www.mcafee.com)
Mi5 Networks (www.mi5networks.com)
Microsoft (www.microsoft.com)
Shavlik (www.shavlik.com)
SonicWALL (www.sonicwall.com)
StaySafeOnline.org (www.staysafeonline.org)
StopBadWare.org (www.stopbadware.org)
Sunbelt (www.sunbelt-software.com)
SurfControl (www.surfcontrol.com)
Symantec (www.symantec.com)
Tenebril (www.tenebril.com)
Trend Micro (www.trendmicro.com)
WatchGuard (www.watchguard.com)
Webroot (www.webroot.com)
