Computerworld Technology Briefings: Security

Spyware: A Clear and Present Danger

Table of Contents
Spyware: A Clear and Present Danger ... 2
Online Crooks Fine-Tune Selling of Malware ... 5
Phishing Researcher ‘Targets’ the Unsuspecting ... 7
The Fight to Stay a Step Ahead of Troublemakers ... 9

Sponsored by

Strategic Technology Insights from Computerworld Custom Publishing
THREAT LANDSCAPE

Spyware: A Clear and Present Danger

Strong threats demand stronger, targeted countermeasures

By Stan Gibson

Used to be, a virus would tear through computer systems worldwide and within days, trash hundreds of thousands of systems, garnering global headlines before an antidote was created and distributed with similar alacrity. Now, silent and potentially far more deadly code is in play, which if it’s working right, will never be noticed, even as it siphons off critical information or quietly turns a computer into a bot or spamming node.

The new malware is spyware, but it’s not the mere annoyance that first appeared on the scene a decade ago and later became notorious as a system-slowing nuisance. In the past several years, spyware has morphed from an irritant into a powerful tool for serious cybercriminals.

Spyware, like other forms of malware, is unwanted software that installs itself on a computer system. Unlike a virus or worm, however, it is not designed to replicate itself, destroy data or bring down computers one after another. Rather, it is intended to reside unobtrusively on a host computer. In the rootkit variety, such code is hidden from the operating system. Once on a computer, it may monitor system activity or log keystrokes, making this information visible to an outside party.

While viruses typically are created by individuals seeking bragging rights within a hacker community, creators of spyware do so for financial gain—through the theft of valuable corporate data or personal identity such as credit card information and social security numbers.

Spyware is one tool used by thieves who broke into the computer systems of clothing retailer TJX. According to published reports, thieves attached USB drives to store kiosks and thereby installed malicious spyware—keyloggers—on TJX host systems to gain access to data. The theft of credit card and drivers’ license information may cost the firm anywhere from several hundred million dollars to a billion dollars or more before all the dust has settled. In Carson, Calif., meanwhile, thieves are believed to have planted keylogging spyware on the city treasurer’s PC, obtaining the password for the municipality’s general fund account and nearly making off with $450,000 in May 2007.

More of the same is on the way, experts say. In a recent report by International Data Corp., the research company stated: “IDC foresees a rising trend in the area of criminal activity related to spyware. The intention is to steal personally identifiable and private information, company intellectual property, customer records and anything else the criminal thinks has value.” Research firm Gartner Inc. predicts that by the end of 2007, undetected spyware will reside on 75% of corporate systems.

Things Are Quiet—Too Quiet

Because of its intentionally unobtrusive nature, some IT managers may think spyware is as benign as a cookie. Others may think it is a variant of virus code. But companies that have protected their corporate systems with software intended mainly to guard against viruses won’t be safe from the new spyware. IT managers at one major home improvement retailer had installed Symantec Norton AntiVirus, but when the company deployed Webroot AntiSpyware Corporate Edition, which is specifically crafted to combat spyware rather than viruses, it found there were 6,900 instances of adware, 21 system monitors and 586 Trojan horses corporate-wide.

Many IT professionals were driven to find a solution to the spyware problem when the performance degradation of corporate PCs became unacceptable several years ago. “In the first half of 2004, people would bring their machine into the office—the computer was extremely slow and things would launch. But there weren’t a lot of tools to use to find out what was on the machine,” says Tim Rush, network administrator at POWER Engineers Inc., a global engineering firm headquartered in Hailey, Idaho. Like many IT pros, Rush reports having to spend anywhere from 20 minutes to five hours trying to clean up each system. “It was not feasible to spend five hours on a machine,” he says.

Even determined efforts to clean up systems sometimes fell short. “Many times we would spend several hours removing software without success, only to have to wipe out the computer and reinstall Windows,” says Kirk Woloshyn, IT manager at Walters Wholesale Electric in Long Beach, Calif. “We had a tremendous loss of productivity—slow systems, crashing systems and applications that didn’t work,” Woloshyn adds.

Anywhere, Anytime Protection

Jim Miller, director of IT for Operation PAR Inc., a social service organization in Pinellas Park, Fla., reports that laptop systems, because their users so often take them out from behind the corporate firewall and utilize removable data storage devices such as USB drives, are more likely to become infected and therefore must be protected with greater diligence than desktop systems. “I have a laptop now that’s so infected, we have to wipe it clean and re-image it,” he says.

Rush, Woloshyn and Miller all had installed antivirus software, but came to the conclusion that software specifically aimed at spyware was needed. Each responded to their clogged systems by installing Webroot software, which has done an effective job keeping spyware away. They say Webroot is easy to install, provides a clear, informative user interface and provides superior results in finding and removing spyware.

But as spyware changes, antispyware must change as well. Because of the unobtrusive nature of spyware, users are dependent on the diligence of their spyware vendor, including the skill of the vendor’s research team, not only in discovering spyware, but in rapidly creating remedies that seamlessly remove threats.

Although a slow system may still signal the presence of spyware, it’s increasingly likely that a spyware-infested system may show little or no performance degradation. In either case, spyware, unlike viruses, does not overtly announce its behavior. Waiting for a system to slow before acting may needlessly expose the system to danger. The new strategy for combating spyware is to seek it out before it infects the PC.

This is done by scanning Web sites, especially those most frequently visited, for the presence of spyware, says Peter Watkins, CEO of Webroot. Although it’s impossible to scan every site on the Internet, it is possible to frequently examine the Web’s most popular sites, says Watkins.

“You have to go out and find it. It doesn’t find you. We use our automated tools to scan millions of Web sites weekly,” says Watkins. He notes that Webroot scanned 250 million Web pages last year and Webroot technologists found 3 million items that were suspected to contain spyware. And, in the first seven months of 2007, Webroot has found over 6 million sites harboring spyware, an annualized increase of 183%.

Before users can become infected by spyware that may be on the sites they visit, Webroot software scans the sites for the presence of spyware. That’s important, because it’s better practice to prevent a spyware infection in the first place than it is to remove spyware after the fact. Nonetheless, according to Webroot Chief Technology Officer Gerhard Eschelbeck, Webroot’s skilled technologists have crafted the company’s products to surgically remove spyware—even rootkits—without disturbing a computer’s operating system.

The Right Stuff

Tests conducted by research firm VeriTest found that Webroot AntiSpyware Corporate Edition was more effective than competing products from Symantec and Trend Micro in detecting and removing spyware. Specifically, Webroot AntiSpyware Corporate Edition removed 91% of adware, 97% of Trojan horses and 88% of system monitors. In doing so, the report states, Webroot AntiSpyware Corporate Edition “significantly outperformed Symantec AntiVirus Corporate and Trend Micro Anti-Spyware Enterprise.” The report adds: “Webroot has proven to provide the greatest protection against spyware at the time of this testing.”

Webroot is now expanding from its firm foundation in antispyware to offer antivirus software from Sophos. POWER Engineers’ Rush says that next year he will be switching to Webroot’s antivirus offering which includes Sophos technology.

Conclusion

Many IT professionals were driven to deploy antispyware products because of the hit in system performance that was slowing their corporate users. Now they are staying with enterprise antispyware because it provides the foundation to combat the next generation of malware—sophisticated and insidious code written by profit-driven criminals who aim to steal sensitive data and cause serious financial harm. According to IDC, “This profit-driven motivation will cause the number of attacks to increase in sophistication, frequency and severity.” It’s a sobering thought, and all the more reason to make sure your systems are safe. The new spyware is a clear and present danger, albeit an invisible one.

Stan Gibson is a technology writer in the Boston area and the former executive editor of eWEEK.

TECHNOLOGY BRIEFING • SPYWARE: A CLEAR AND PRESENT DANGER
IN THE WILD

Online Crooks Fine-Tune Selling of Malware

Less like the casbah these days, more like the mall

By Erik Larkin. This article originally appeared in the August 1, 2007 edition of PC World.

“The best program in its class I have ever seen!” gushes one review. “One of the most powerful products on the market,” reads another. They’re common lines, indistinguishable from thousands of others for thousands of programs. Until you come to this one: “Works well ... to find a new attacker.”

These aren’t just any reviews. They’re comments from satisfied customers of black-market malware and utilities, left on forums and sites where user ratings are just one way the shadowy online crooks who profit from spewed spam, virus-laden PCs and identity theft use standard business practices to sell their illegal bounties. For instance, those user comments affect a seller’s displayed reputation rating, a la eBay. Popular underground forums also offer their own product testing reports that make clear whether an attack program can do what its seller claims—something long done by PC World and other groups for benign technology products.

The illicit entrepreneurs even offer tech support and free updates for their malicious creations, and some forums feature escrow services for purchases made through their site. In these cases, the forum holds onto the transaction money as a neutral party until both the buyer and the seller approve the deal—just like the escrow process of buying a house.

A Professor Peers In

Thomas J. Holt, an assistant professor in the Department of Criminal Justice at the University of North Carolina, has spent the past year discovering these practices as he and his team sift through black-market sites and collect data on Internet attacks. At the DefCon hacker’s conference in Las Vegas, he told the crowd how today’s malware-peddling Web forums use these buyer-friendly tactics to draw shoppers to their site.

Seller reputations may seem paradoxical in a realm where anonymity is prized. But the identity-hiding handles used by sellers—such as Corpse, or the Cyber Underground Project, or Cr4sh—work much the same as eBay account names, in the sense that they allow reputations to accompany the handle. A new seller debuts as an unknown, Holt says. Then, as he garners positive user reviews like those above, his reputation improves until he becomes a “verified seller.” Conversely, if he’s out to swindle the swindlers, he’ll become labeled as an untrustworthy “ripper”—someone who rips people off.

Those reputations can persist even if a particular forum is shut down by authorities. Holt discovered one database of rippers that maintains a reference list of known scammers, and even distinguishes public, unverified ripper complaints from vetted private complaints from registered members that are deemed more reliable. It’s a sort of black-market Better Business Bureau.

Malware Lab Tests

As surprising as they may be, virus vendor reputations are only one example of modern marketplace practices in the underground. Some poisonous program promotion sites also mimic the extensive testing from labs that run independent reviews of technology products. The PC World Test Center, for instance, is usually hopping with evaluations on everything from processor speed to application reliability to digital camera photo quality.

Some malware forums offer the same kind of product testing, but instead of benchmarking a computer’s speed, they’ll test whether a given Trojan can conduct the type of denial-of-service attack claimed by its author, or whether it communicates with other infected PCs in the promised manner. Holt found that some sites will even spot-check a batch of stolen credit card numbers using account verifiers to ensure they’re actual, useable accounts. Prospective buyers see the site review listed alongside the product pitch.

Dirty Tricks for Hire

So just what can a would-be Internet criminal buy on these sites? According to Holt, for $400 you can purchase the “Illusion DDoS Bot” from the Cyber Underground Project, which touts the malware app as capable of launching a variety of denial-of-service attacks that can overwhelm Web sites and servers, with control managed through an IRC channel or a Web site. If you’re on a budget, $30 will get you a customized Pinch data-stealing Trojan that its seller guarantees will not be detected by antivirus applications when it’s delivered. Tech support is included.

If you need services, not software, you can hire “razorsasa” to churn out millions of pump-and-dump stock scam messages for $150 per million. And if you’re not above dirty tricks to beat out an online competitor, a full day’s worth of denial-of-service attacks costs a paltry $100.

If you’re in the “carding” business and want to rake in illicit earnings using stolen credit card numbers and financial account information, you can pick up data dumps from ID-theft malware for as little as 20 cents per megabyte.

Whatever the purchase, a buyer will typically contact the vendor privately using an ICQ number, e-mail or, in some cases, a private message sent through the forum. Money generally changes hands through untraceable online services such as e-gold or WebMoney.

It might seem that you’d have to be in the know to find the malware black market. But when Holt began his hunt for these sites, he didn’t try for tips from people with dodgy connections. He did what we all do. He Googled. After wading through a few pages of search results for terms such as “bot, sale, dump and Trojan,” Holt found some junk sites that cut-and-pasted for-sale postings from other locations in the hopes of catching unwary buyers—rippers, in other words. But those ripper sites eventually led him to the real action, where trusted forum admins vet malware and rank sellers.

Holt says he and his university team found sites in Vietnamese, Spanish, English, Chinese and even Arabic, but the most popular sites are in Russian. The team translates sites using a combination of automated and human translators.

Authorities No Real Threat

That variety of languages is one reason English-speaking authorities can’t easily locate and shut down these forums, Holt says. It also takes time and skilled personnel to monitor and analyze posts. Consider that Holt’s team has been at work on this for the better part of a year.

Holt says he does share his data with law enforcement, and there have been successful takedowns against known black-market sites, such as the Secret Service-run Operation Firewall three years ago. That operation against the notorious Shadowcrew resulted in 28 arrests around the globe. But just as a major drug bust can’t be expected to dry up the drug trade, Operation Firewall didn’t make much of a dent in the online black market. Other sites quickly emerged to replace those that were taken down, and the business practices of the underground malware economy are continually evolving.
IN THE LAB

Phishing Researcher ‘Targets’ the Unsuspecting

Markus Jakobsson attacks out of—well, not love, but his aims are honorable

By Jon Brodkin. This article originally appeared in the August 9, 2007 edition of Network World.

If he weren’t so ethical, Markus Jakobsson could be a world-class online fraudster. In a way, he already is.

Jakobsson, a cybersecurity researcher and professor at Indiana University in Bloomington, spends much of his time perpetrating online attacks of unsuspecting Web surfers—without actually harming them, of course—to see what types of ruses people will fall for and to predict potential new techniques phishers might pursue.

The university that gave the world Alfred Kinsey, the famous sex researcher, is more than willing to tolerate experiments that might improve computer security, even if it annoys a few unwitting participants. “They think everything that is not immoral or illegal is fine,” Jakobsson joked at the Usenix Security Symposium in Boston, while delivering a talk on the human factor in online fraud such as phishing, click fraud and crimeware. Victims of online attacks often give up personal information, such as bank account details, or have their computers controlled remotely by hackers.

Jakobsson’s research subjects can’t know they’re being experimented upon, or the results would be meaningless. The typical procedure is to tell them about the research after they’ve unknowingly participated, which Jakobsson admits has led to some angry responses.

In one experiment, Jakobsson and his students sent e-mails to about 20 people directing them to a site authenticated only by a self-signed certificate, an identity certificate signed by its creator. Many people accepted the certificate even though anyone knowledgeable in computer security should not have.

“We were on four continents within a day with a starting point of 20 of these messages,” Jakobsson said. “We could have put malware on computers.”

More Education Needed

In another study, Jakobsson found that while people often won’t click on a suspicious link within an e-mail, they will go to the site if they are instructed to copy and paste the same URL into their browsers. The lesson Jakobsson took from the study—which involved an e-mail asking users to update their eBay accounts—is that public education efforts about the danger of online attacks are insufficient. People know they’re not supposed to click on suspicious links, but they haven’t been told not to copy and paste the same links into an address bar. A slight change in approach causes victims to let their guards down and pays dividends for bad guys.

Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued the card.

“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.

Another experiment targeted Indiana University professors, prompting them to use their university-issued passwords to get onto a site that appeared to be hosted outside of the school. Most were duped.

“We sent them to a page that said ‘service temporarily unavailable, please try again later.’ That would stimulate people’s interest and many people returned,” he said. “It was nice to see computer scientists never fell for the experimental attack when it was sent by a stranger ... It was a wakeup call that the people in the School of Education did not distinguish whether it was from a friend or someone unknown to them.”

Human Vulnerabilities

One finding could have been predicted by anyone: Men are more likely to click on a link sent to them by a female than by a male. But the study dug up some more surprising facts by targeting e-mail addresses from a social networking site that listed political affiliations.

“It was delightful for me to see that people on the far left and far right were much more vulnerable than people in the middle, which confirms to me that they’re crazier than the rest of us,” Jakobsson said.

In another study, Jakobsson and his wife exposed weaknesses in eBay’s system that allows communication between buyers and sellers. A recipient of an e-mail sees a yellow button that says “respond now,” but the button carries no information about the intended recipient. Jakobsson pasted the button onto a spoofed e-mail to a victim, making it appear to be a legitimate e-mail from an eBay user. Instead, the victim—or, in this case, research subject—is taken to a site with a URL that’s similar to eBay’s but was actually run by Jakobsson.

The researchers spoke with eBay after performing their experiment.

“Just a few months after we performed this experiment and told them the results, this attack started to happen in the wild, pretty big-scale too,” he said. “We were terrified that we caused it to happen.”

It turned out the same type of attack had already been occurring, but on a smaller scale, so Jakobsson was off the hook. He said eBay officials reacted positively to his research because it gives them information that can help improve security. For reasons related to public relations, eBay doesn’t experiment on its own customers, he said.

The Case for Experiments

There are several good reasons to perform such experiments, Jakobsson argues. They improve phishing countermeasures by discovering what works and what doesn’t. Jakobsson said one experiment showed 400 subjects one of two AT&T links: one with the company name in the URL or one with the phrase “accountonline.com.” The accountonline.com link was the real one used by AT&T—yet users deemed it less trustworthy than the one with AT&T’s name in the URL. Phishers seem to know this already, as they tend to register domain names that look similar to the site they want people to think they are logging on to.

“Custom name attacks are remarkably successful,” Jakobsson said.

Experiments can help researchers predict trends by discovering what human vulnerabilities haven’t been exploited yet, Jakobsson said.

Although some argue users can’t be taught to avoid online attacks, Jakobsson thinks his research can lead to better education methods. Some common advice is so vague that it’s pretty much useless, he said, leaving lots of room for improvement.

“The technical component is important, but it’s not all,” Jakobsson said.
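Two of the indicators from the experiments above, a site authenticated only by a self-signed certificate and a URL whose host merely contains a brand name while the genuine host (accountonline.com for AT&T) does not, can be checked mechanically instead of being left to a user's judgment. The Python script below is an added example written for this briefing; it is not code from the article, from Jakobsson's research or from Webroot. The brand table, the sample URLs and the certificate dicts are constructed for illustration; the dicts use the layout that Python's ssl.SSLSocket.getpeercert() returns, and no network connection is made. accountonline.com is listed as an AT&T domain only because the article identifies it as AT&T's real login host.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> registrable domains the brand really uses.
# accountonline.com is the AT&T login host the article names; the rest is assumed.
BRAND_DOMAINS = {
    "ebay": {"ebay.com"},
    "att": {"att.com", "accountonline.com"},
}


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels of the host.

    Good enough for the .com hosts used here; a production checker would
    consult the Public Suffix List so that e.g. .co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brands_in(text, sep=r"[.\-]"):
    """Brand keywords that appear as a whole token, or as the start or end of
    a token, after splitting text on sep.

    Favors recall: 'ebay-secure' and 'myebay' both match 'ebay'. A short
    keyword such as 'att' will also produce some false positives.
    """
    tokens = [t for t in re.split(sep, text.lower()) if t]
    return {b for b in BRAND_DOMAINS
            if any(t == b or t.startswith(b) or t.endswith(b) for t in tokens)}


def certificate_is_self_signed(cert):
    """True when issuer equals subject, using the dict layout that
    ssl.SSLSocket.getpeercert() returns.

    Issuer == subject is the defining property of a self-signed certificate.
    It says nothing about whether a CA-signed certificate chains to a trusted
    root; the TLS library's chain validation is responsible for that.
    """
    return bool(cert) and cert.get("issuer") == cert.get("subject")


def check_link(url, cert=None):
    """Return the list of warnings for url and, if captured, its server
    certificate. An empty list means none of the heuristics fired."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if host and host.replace(".", "").isdigit():
        warnings.append("IP address literal instead of a hostname")
    reg = registrable_domain(host)
    host_brands = brands_in(host)
    for brand in sorted(host_brands):
        if reg not in BRAND_DOMAINS[brand]:
            warnings.append(
                f"host mentions '{brand}' but {reg} is not a known {brand} domain")
    # Brand name in the path only: the host itself is unrelated to the brand.
    for brand in sorted(brands_in(parts.path, sep=r"[/._\-]") - host_brands):
        if reg not in BRAND_DOMAINS[brand]:
            warnings.append(f"'{brand}' appears only in the path; host {host} is unrelated")
    if certificate_is_self_signed(cert):
        warnings.append("self-signed certificate")
    return warnings


# Constructed certificates in getpeercert() shape; no connection is made here.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "ebay-secure-login.com"),),),
    "issuer": ((("commonName", "ebay-secure-login.com"),),),
}
CA_SIGNED_CERT = {
    "subject": ((("commonName", "signin.ebay.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),)),
}

# Constructed sample inputs: one genuine login URL per brand, then three
# URLs of the kinds the experiments above found users misjudge.
SAMPLE_LINKS = [
    ("https://signin.ebay.com/ws/eBayISAPI.dll", CA_SIGNED_CERT),
    ("https://www.accountonline.com/", None),
    ("https://ebay-secure-login.com/update", SELF_SIGNED_CERT),
    ("http://att-billing-center.com/", None),
    ("https://203.0.113.5/ebay/login", None),
]


def run_samples():
    """Map each sample URL to the warnings check_link raises for it."""
    return {url: check_link(url, cert) for url, cert in SAMPLE_LINKS}


if __name__ == "__main__":
    for url, found in run_samples().items():
        print(url, "->", ", ".join(found) if found else "no warnings")
```

For a live site the certificate dict would come from getpeercert() on a connected socket; a context built with ssl.create_default_context() refuses a self-signed certificate during the handshake, which is the behavior a browser or mail client should keep rather than relax. The registrable-domain helper deliberately stops at two labels, so it will misjudge country-code second-level domains; a checker for general use would consult the Public Suffix List.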
Q&A

The Fight to Stay a Step Ahead of Troublemakers

As spyware is increasingly used as a tool of cybercriminals, it is growing more sophisticated and more malicious. Webroot Chief Technology Officer Gerhard Eschelbeck is tasked with making sure that antispyware technology stays a step ahead. He explains Webroot’s approach to technology writer Stan Gibson.

Q: How are today’s spyware attacks different from what we have seen before?

A: The spyware threat has evolved significantly over the past three years. It started with software that created a lot of pop-ups that was known as adware. It had a usability impact by making systems slower. These days we’re dealing with malicious spyware that is designed to stay hidden from the user as long as possible so its creators can conduct their business. It can gather and steal personal and confidential data, financial information, credit card data and login information to various accounts.

Q: So spyware continues to grow in sophistication?

A: Spyware is at the root of the ecosystem of malware that’s being used to distribute bot technology to build bot networks to distribute spam and create denial-of-service attacks. It’s even capable of updating itself without the user knowing about it. Rootkits are also playing a role. They’re not new, but they’re being leveraged in a malicious fashion now. They allow attackers to conceal their code on a user’s computer and therefore make it harder to identify and remove it.

Q: How is Webroot keeping up with these new threats?

A: We are identifying these new threats through our fully automated proactive infrastructure called Phileas®. You can think of it as a Google for malware. It doesn’t require that thousands of researchers go out and scour the Internet. Instead, it leverages automation for a real-time view into the Internet and lets our research team focus on new threats and create new ways to combat those evolving threats. Because we know what the threat landscape looks like, we can adjust our protection and removal procedures to shield our users from the latest threats before they can get infected. We also devote considerable time and effort to making our products easy to use and enabling them to generate clear reports, two traits about which our users are very enthusiastic.

Q: How can I tell if my antispyware software isn’t doing the job?

A: It’s a challenge to see the level of infection; however, we have a Spy Audit tool that can scan a system for free. We see 20% to 30% infection rates among organizations that have deployed other antispyware technology. In fact, one of our newest customers was using a leading antivirus provider along with a few layers of freeware, and our Spy Audit found 6,900 undetected spyware programs—including 586 Trojans and 21 keyloggers. So you see, free antispyware does not do the job and antivirus is not designed to protect from spyware.

Q: Will Webroot work alongside other vendors’ antivirus software?

A: Yes indeed. We work closely with the security industry to make sure our products and technology can coexist on the users’ desktops. It’s a requirement that customers expect today and rightfully so. At the same time, we see a shift. More organizations are looking for a one-stop solution and we have products on the market that cover the full range of user needs. So you can use Webroot alongside another vendor’s antivirus software or purchase the entire solution from us.