SECURITY
BUSINESS COMMUNICATIONS REVIEW / AUG 2006

Dealing With Adware And Spyware
Lisa Phifer

Lisa Phifer is an owner and principal consultant at Core Competence, a network security technology consulting firm based in Chester Springs, PA. A 25-year veteran of the networking industry, Lisa has been battling the spyware scourge since 2001. She can be reached at lisa@corecom.com.

You’ll need a hybrid of host- and network-based approaches, as well as the security professional’s greatest asset: Constant vigilance.

If early viruses like BubbleBoy and LoveBug make you pine for simpler times, then you are probably waging war against this millennium’s far more tenacious foe: The stubborn crop of spyware that now infests three out of four PCs. From pesky adware like BonziBuddy to malicious malware like Trojan-Downloader-Zlob, spyware is literally choking corporate desktops and networks. Responsible for one out of four help desk calls and half of the PC crashes reported to Microsoft, spyware is draining IT resources and business productivity.

Worse, spyware is now morphing from nuisance to nightmare. Those seeking financial gain through spyware have evolved from tracking cookies and intrusive pop-up ads to more selective and insidious methods. For example, drive-by-downloads are installing exploit code onto PCs that merely visit websites, without user interaction. Phishing trojans are monitoring browser activity, waiting to capture identities and credentials during on-line banking transactions. Keyloggers are harvesting sensitive data from victims, violating privacy laws and industry regulations.

Stamping Out Spyware

Associated business risks are making it impossible for companies to ignore spyware. The Radicati Group projects that anti-spyware spending will grow from $103 million in 2005 to more than $1 billion by 2009. Many companies can justify investment just by reducing spyware remediation cost. Webroot estimates that help desk calls, resurrecting compromised workstations and the resulting down time run about $250 per user, per year (a calculation is shown in Figure 1).

FIGURE 1 Cost Of Spyware (A Calculator)

Number of Workstations: 1000
Average Hours to Re-image: 6
Hourly Value of Employee Time: $40
Re-image Rate: 2
Average Cost per Help Desk Call: $15
Monthly % Chance of Spyware Call: 10%
Total Cost of Spyware: $248,400
Source: Webroot

Potential return on investment does not end there. Spyware not only slows desktops; it saps worker productivity and hogs bandwidth. According to SurfControl, ISPs find that peer-to-peer spyware programs (e.g., Grokster, KaZaA, Limewire) generate up to 70 percent of network traffic. Spyware that exposes private data may result in embarrassing public disclosure, costly customer notification and compliance violations that bring hefty fines. Spyware is also a popular vector for executing electronic crimes like identity theft and on-line fraud. In one well-publicized case, 22 Israelis were arrested for using spyware to commit corporate espionage. While data theft costs are notoriously difficult to quantify, the gravity of such incidents cannot be denied. Business consequences are already significant, and will continue to escalate as spyware grows more virulent.

Unfortunately, defeating spyware is harder than evading conventional viruses. Spyware is any potentially-unwanted program that makes undesirable changes to your computer and/or collects information about user activities, without consent, usually for financial gain. That definition may be fine in the abstract, but making concrete decisions
about which programs are really spyware can be difficult.

■ Annoying Adware—Many programs monitor activity, but when does that become a breach of privacy? Cookies retain personal information—usernames, passwords, preferences—so that websites can improve user experience. But some cookies share tracking data with third parties that deliver pop-ups and banner ads; those installed without user consent are called adware cookies. And then there are programs like WeatherBug and SurfSideKick that display sponsor ads while they run. Such adware programs may or may not obtain consent to track and share personal data through end user license agreements—which most users simply accept without reading.

■ Nebulous NonBizWare—Many workers install non-business software on corporate PCs, from IM and softphones to multi-user games and peer-to-peer file sharing. Beyond reducing productivity, NonBizWare establishes communication “back channels” that could be exploited to penetrate or attack a corporate network.

NonBizWare may also expose employers to legal liability associated with distribution of copyrighted music, pirated software and pornographic material. Therefore, even though NonBizWare may not “spy” on users, many anti-spyware solutions treat these potentially-unwanted programs as another form of spyware.

■ Menacing Malware—A growing percentage of spyware is malicious software intended to damage a computer, steal data, or create an attack platform. For example, browser hijackers like CoolWebSearch_xplugin change home pages, redirect Web searches, and misdirect URLs to phishing pages and pay-to-play search engines. Keyloggers like SpyBuddy record document edits, email, instant messages, chat room conversations and Web form responses by relaying user keystrokes to remote attackers. Botnets use worms or trojans to plant drones like SoberQ that listen for IRC commands instructing them to relay spam or join DDoS attacks. Trojan downloaders like Zlob and Wstart hide in attachments and downloads, opening back doors through which other programs can be remotely installed. Rootkits like NTRootKit are trojans that operate as hidden system files, letting attackers gain unrestricted access to a “rooted” computer. And the list goes on.

Unlike adware and NonBizWare, there is little room for interpretation here: Malware rarely belongs on any system.

■ Rogue Anti-Spyware—Finally, spyware itself has created an opportunity for rogue anti-spyware—programs like SpyAxe, Winhound, and SpyTrooper that use pop-up ads and scare tactics to convince users to download phony anti-spyware programs. When executed, many of these rogues generate “false positive” warnings that hound users into purchasing clean-up programs or paid feature licenses.

These are but a few of thousands of pieces of code congregating under the spyware umbrella. They illustrate that spyware is extremely diverse in delivery method, installed behavior and potential impact. These characteristics make spyware challenging to detect, and even more challenging to mitigate. In short, spyware is a complex threat that is most effectively addressed through multi-phase, multi-layered defenses.

Phase One: Proactive Prevention

The old adage, “An ounce of prevention is worth a pound of cure” certainly applies to spyware. Once spyware has been installed on a host, it can be extremely difficult to return that host to a trustworthy state. Efficient spyware defense starts with proactive steps intended to circumvent popular delivery methods.

Spyware has a penchant for social engineering—from tricking users into clicking on fake pop-ups to bundling trojans with enticing shareware. We cannot depend on users to “do the right thing,” but we can still benefit from spyware education. Many on-line resources exist, including StopBadWare.org, StaySafeOnline.org, CERT Cyber Security Tip ST04-016, and knowledge bases published by reputable anti-spyware vendors. But take care to avoid rogue anti-spyware—see www.spywarewarrior.com/rogue_anti-spyware.htm.

Spyware often makes its way onto a desktop through a Web browser. Secure browser configuration can help to stop hijackers and drive-by downloads. ActiveX controls are a spyware favorite; disabling unsigned ActiveX is a simple but valuable step. Disabling Java applets can also be helpful, but more likely to cripple legitimate websites. These and other browser configuration tips can be found online, including http://cybercoyote.org/security/browsers.shtml. Companies should disable user prompting, enforcing active content and plug-in settings with a desktop management tool like Active Directory Group Policy Objects.

Many adware cookies and browser hijackers can be neutralized by configuring browser Privacy settings to disable third-party cookies and block pop-ups. Exceptions can be made for legitimate websites that require these features to operate correctly, preferably by importing a company-defined list of permitted sites. Pop-up blockers are freely available from many sources, including the Windows XP SP2 upgrade for Internet Explorer and the Google Toolbar.

Use Internet Explorer’s Restricted Site Zone (or equivalent features in other browsers) to block access to known adware and spyware sites. But do not attempt to populate this list manually. Instead, use a tool like JavaCool SpywareBlaster to configure this banned site list, and update that list regularly as new sites emerge.

Many spyware programs need administrative
rights to install themselves, overwrite OS files or disable security measures in an effort to evade detection. Those threats can be crippled or neutralized by browsing the Web from a Least-Privileged User Account (LUA). Never browse the Web as administrator. If you must, use a free tool like Microsoft DropMyRights to downgrade privileges when launching your browser (or any other Internet application).

A significant percentage of spyware has been designed specifically to exploit Internet Explorer features or vulnerabilities. Diligent patching can make a big difference, as can upgrading to a newer version of IE. Security improvements found in IE version 7 include ActiveX opt-in, a “No Add Ons” mode, a “Fix My Settings” option, and better protection from cross-domain scripting attacks. Or consider using an alternative browser like Firefox for general Web surfing, reserving IE for known/trusted sites that do not work well otherwise. Alternative browsers may be a less popular spyware target, but they still require secure configuration and patching.

Browsers may be spyware’s favorite target, but many other applications can fall victim. For example, email can carry spyware in file attachments, or contain embedded URLs for spyware websites. This risk can be reduced by using non-IE viewers when displaying HTML content, using application settings to disable active content and script execution, stripping risky file attachments, and flagging deceptive URLs. Spam filtering can also weed out many dangerous messages before users have an opportunity to get themselves in trouble when reading them.

Finally, spyware and adware do their dirty work by communicating with third parties. Preventing back-channel communication literally renders these programs mute. DNS black holes can be used to resolve host names and domain names that are known to propagate spyware to the loopback address 127.0.0.1. Entries can be added to desktop HOSTS files, DNS Servers, or both, using lists maintained by the Bleeding Snort DNS Black Hole project.
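The HOSTS-file black hole just described, as an added example that is not from the article or the Bleeding Snort project: a Python script that reads a blocklist feed in either bare-name or HOSTS format, validates and de-duplicates the names, and merges them into HOSTS text between marker lines so that each regular update replaces the previous block instead of appending to it. The feed, the HOSTS content and every domain name in it are constructed for illustration.

```python
"""Generate and merge a DNS black-hole block for a desktop HOSTS file.

Added example, not from the article or the Bleeding Snort project.
Assumes a text blocklist with one host name per line ('#' comments
allowed, HOSTS-style '127.0.0.1 name' lines tolerated).
"""
import re

SINKHOLE = "127.0.0.1"                  # loopback, as the article describes
BEGIN = "# BEGIN spyware-blackhole"     # markers let updates replace, not append
END = "# END spyware-blackhole"
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample feed, not a real blocklist.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
Spyware-Updates.Example.NET
127.0.0.1 adserver.example.org
adserver.example.org        # duplicate (case-insensitive)
bad host.example.com        # invalid: embedded space
-leading.example.com        # invalid: label starts with '-'
localhost                   # never sinkhole the local host name
"""

# Constructed HOSTS content holding a stale block from a previous run.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# BEGIN spyware-blackhole
127.0.0.1 old.example.net
# END spyware-blackhole
"""


def is_valid_hostname(name):
    """RFC 1123-style check: dotted labels of [a-z0-9-], no edge '-'."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return sorted, de-duplicated, validated host names from a feed."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) == 2 and parts[0] == SINKHOLE else line
        if is_valid_hostname(name) and name != "localhost":
            names.add(name)
    return sorted(names)


def render_block(names):
    """HOSTS lines mapping every name to the sinkhole, wrapped in markers."""
    return "\n".join([BEGIN] + [f"{SINKHOLE} {n}" for n in names] + [END]) + "\n"


def merge_hosts(existing, names):
    """Replace an earlier marker block (or append one) in HOSTS text.

    Lines outside the markers, such as an administrator's own entries,
    are preserved untouched, and repeating the merge changes nothing.
    """
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    body = "\n".join(lines).strip("\n")
    return (body + "\n" if body else "") + render_block(names)


def is_blocked(hosts_text, name):
    """True if HOSTS resolves name to the sinkhole address.

    HOSTS has no wildcards: only names listed verbatim are sinkholed, so a
    new subdomain the feed lacks still resolves through DNS. That gap is
    one reason the article suggests sinkholing at the DNS server as well.
    """
    wanted = name.lower().rstrip(".")
    if wanted == "localhost":
        return False
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == SINKHOLE:
            if wanted in (f.lower() for f in fields[1:]):
                return True
    return False


if __name__ == "__main__":
    merged = merge_hosts(SAMPLE_HOSTS, parse_blocklist(SAMPLE_BLOCKLIST))
    print(merged)
```

On a real host the merged text would be written back to the HOSTS file by an administrator-level management tool, which is also where a scheduled refresh of the feed belongs.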


FIGURE 2 Layered Defense

[Diagram: threats (Adware, NonBizWare, Keyloggers, Trojan Downloaders, Rootkits…) arriving from a Spyware Site across the Internet, met by three layers of defense.]
Network Anti-Spyware Appliance: Block HTTP requests to Spyware sites; Filter responses for banned objects; Scan messages for Spyware signatures; Block Spyware back-channels.
Desktop Anti-Spyware Programs (Stand-alone or Agent): Enforce Anti-Spyware policies using on-demand scans and real-time monitoring to disable risky requests and content, block cookies and pop-ups, detect and quarantine/delete Spyware objects.
Desktop Anti-Spyware Server: Centrally define Desktop Anti-Spyware policies, initiate desktop audits, & monitor desktop Anti-Spyware agents.

Phase Two: In-Depth Detection

These proactive steps, coupled with persistent patching, list maintenance, and configuration enforcement, can significantly reduce spyware. But prevention is never foolproof. Spyware sites move, users add exceptions, and NonBizWare
sneaks in on thumb drives. It is therefore sensible to combine prevention with detection.

Spyware may be harder to classify and eradicate than conventional viruses, but anti-spyware defenses can be deployed in network locations similar to those used for anti-virus: on the desktop, at the network edge, and as a managed service (Figure 2).

■ Desktop Anti-Spyware—Many host-resident anti-spyware programs are available as consumer packages or enterprise solutions. Features vary, but most provide start-up scans, on-demand scans, and real-time memory/file/application monitors. On-demand scans can provide periodic audits, but real-time monitoring is essential to avoid complicated cleanup. Fortunately, anti-spyware has evolved from spotting consequences to quarantining spyware before damage is done.

Anti-spyware programs have long detected potentially-unwanted changes to cookies, registry keys, hosts files, browser zones and running services—signs that spyware is being installed. Some anti-spyware programs can block activities that presage spyware installation, like suspicious ActiveX execution and browser helper object installation. Most anti-spyware programs use signatures to compare Web and other application objects to thousands of known culprits, preventing installation of NonBizWare, hacker tools, keyloggers, trojans and worms. To keep up with new spyware that morphs, behavior-based detection is being added to some anti-spyware programs. And to detect evasive threats like rootkits, anti-spyware programs have also started to monitor activity with lower-level drivers.

Anti-spyware options like scan location/depth and exclusions can be helpful—for example, ignoring an IM client used for business or your own website’s adware cookies. Most anti-spyware programs keep a local log of detection results, with hot links to spyware definitions, ratings and advice. However, anti-spyware programs may or may not provide automated spyware removal (see the section on “Remediation”).

Some consumer anti-spyware programs provide free scanning, but require a paid license to activate advanced features. Because spyware detection varies, running more than one program can be useful, and combining a paid program with free tools is common. Freely-available consumer anti-spyware programs are available from many sources, including Microsoft Windows Defender, SpyBot-S&D and WinPatrol.

Why spring for a commercial desktop anti-spyware program? Vendors that offer both free and commercial anti-spyware tend to reserve the most valuable features—notably real-time monitoring and automated removal—for paid customers. Moreover, SMBs and enterprises require features that are absent in consumer anti-spyware programs:

Businesses should look for centralized policy definition, including the ability to customize scan depth, permitted exclusions, prohibited NonBizWare, quarantine/delete actions, signature updates and audit schedules. Larger enterprises may prefer group-based policies that can apply different lists and schedules to regular users, administrators and high-value systems.

Enforce centrally-managed policies with configuration locks, preventing users from adding their own exceptions or disabling spyware protection. However, some exceptions may be necessary for employees to do their jobs. For best results, choose a policy engine that lets you selectively permit end user changes, but disable end user prompting except where required to meet business needs.

Businesses may also need real-time monitoring and historical reporting features that let administrators identify where and when spyware has been encountered, and steps that were taken to automatically remediate it. Look for threat assessment aids, like the ability to single out un-remediated hosts and filter by spyware type/severity.

Larger enterprises should also consider scalability, including server/database platform requirements, hierarchical/group views, update distribution, integration with enterprise desktop and network management systems and cost per desktop.

Enterprise anti-spyware solutions available today include Computer Associates eTrust Pest Patrol, eSoft Desktop Anti-Spyware, Futuresoft DynaComm i:scan, Lavasoft Ad-Aware Enterprise, McAfee Anti-Spyware Enterprise, Shavlik NetChk Spyware, Sunbelt CounterSpy Enterprise, SurfControl Enterprise Threat Shield, Tenebril Spy Catcher Enterprise, Trend Micro Anti-Spyware Enterprise and Webroot Spy Sweeper Enterprise.

■ Network Anti-Spyware—A healthy crop of anti-spyware appliances has emerged to complement desktop anti-spyware. Stopping spyware at network trust boundaries avoids over-dependence on desktop defenses. Network appliances let you uniformly enforce anti-spyware policies on all users, including contractors and visitors. When a new threat emerges, or you decide to permit business use of a P2P program, anti-spyware appliances can apply the modified policy immediately. Appliances provide a single point for spyware quarantine, reducing the risk of desktop infection and costly clean-up. Finally, anti-spyware appliances are less likely to fall victim to spyware, like malware that tries to disable desktop security programs.

However, network anti-spyware is no panacea. As with any perimeter defense, anti-spyware appliances cannot stop installation of spyware that originates inside the network (e.g., NonBizWare installed from USB stick). Network-based solutions must balance security and performance to avoid becoming bottlenecks. They may not excel at making per-user exceptions or desktop
remediation. Finally, network anti-spyware cannot protect laptop users when they work (and surf the Web) remotely.

Combining desktop and network anti-spyware creates a layered defense that is more robust and resilient than either would be alone. In fact, some vendors offer both solutions, leveraging common components like management tools and signature databases.

What functions can you expect from an anti-spyware appliance?

■ A network appliance is a convenient place to filter outbound HTTP requests, blocking installer downloads, known spyware URLs, and black-listed domains.

■ A network appliance can also strip active content from HTTP responses, including ActiveX controls, Java applets, scripts and banned S/MIME types.

■ After filters are enforced, an appliance may use signatures to scan inbound application payloads, quarantining suspicious data objects.

■ A network appliance may also block adware and spyware back channels, including P2P protocols like ICQ and malware that sneaks out on port 80.

Some anti-spyware appliances operate as Web proxies with the ability to scan SSL-encrypted HTTP (e.g., Finjan Vital Security Web Appliance, Bluecoat SG). Some watch for standard protocol deviations, vulnerabilities and associated exploits (e.g., Aladdin eSafe Gateway). Some appliances focus on spyware (e.g., 8e6 R3000 Enterprise Internet Filter), while others combine anti-spyware with many other network defenses (e.g., eSoft Threatwall). Finally, many anti-spyware appliances operate as in-line gateways (e.g., Facetime RTGuardian, McAfee Secure Web Gateway), but some offer out-of-band spyware detection (e.g., Mi5 Enterprise SpyGate).
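As an added example (not the article’s or any appliance vendor’s code) of the request-filtering, response-stripping and back-channel functions listed above, the following Python script evaluates constructed proxy log lines against a spyware policy: it blocks requests to black-listed domains, known spyware URL prefixes and installer downloads, marks responses carrying banned MIME types for stripping, and flags port-80 traffic from non-browser user agents for review. The log format, the policy lists and all domain names are constructed; a real appliance would load them from vendor feeds.

```python
"""Outbound HTTP policy check modelled on the appliance functions above.

Added example, not the article's or any vendor's code. Constructed
proxy log format, one request per line:
    client method url status content_type user_agent
"""
from urllib.parse import urlsplit

# Constructed policy values for illustration; a real appliance would
# load these from vendor signature and blacklist feeds.
BLOCKED_DOMAINS = {"adserver.example.org", "spyware-updates.example.net"}
BLOCKED_URL_PREFIXES = ("http://downloads.example.com/toolbar/",)
INSTALLER_EXTENSIONS = (".exe", ".msi", ".cab", ".scr")
BANNED_CONTENT_TYPES = {
    "application/x-java-applet",   # Java applets
    "application/x-oleobject",     # ActiveX controls
    "application/x-msdownload",    # Windows executables
}

# Constructed log lines, not captured traffic.
SAMPLE_LOG = """\
# client method url status content_type user_agent
10.0.0.5 GET http://www.adserver.example.org/ads.js 200 text/javascript Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.6 GET http://downloads.example.com/toolbar/setup.exe 200 application/x-msdownload Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
10.0.0.7 GET http://cdn.example.com/widget.jar 200 application/x-java-applet Mozilla/5.0 (Windows; rv:1.8) Firefox/1.5
10.0.0.8 POST http://update.example.com:80/report.php 200 text/plain UpdaterAgent/1.0
10.0.0.9 GET http://www.example.com/index.html 200 text/html Mozilla/5.0 (Windows; rv:1.8) Firefox/1.5
"""


def domain_blocked(host):
    """True if host or any parent domain is on the blacklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels) - 1))


def evaluate(line):
    """Return (verdict, reasons) for one log line.

    Verdicts, most severe first: BLOCK (request never leaves), STRIP
    (response passed without the banned object), FLAG (allowed but
    logged for review), ALLOW.
    """
    client, method, url, status, ctype, agent = line.split(None, 5)
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    reasons = []
    if domain_blocked(host):
        reasons.append("block: blacklisted domain")
    if url.lower().startswith(BLOCKED_URL_PREFIXES):
        reasons.append("block: known spyware URL")
    if path.endswith(INSTALLER_EXTENSIONS):
        reasons.append("block: installer download")
    if ctype.split(";")[0].strip().lower() in BANNED_CONTENT_TYPES:
        reasons.append("strip: banned object type")
    # Back-channels ride port 80 to pass firewalls but rarely bother to
    # look like a browser; every mainstream browser sends "Mozilla/...".
    if port == 80 and not agent.startswith("Mozilla/"):
        reasons.append("flag: non-browser client on port 80")
    for level in ("block", "strip", "flag"):
        if any(r.startswith(level) for r in reasons):
            return level.upper(), reasons
    return "ALLOW", reasons


def summarize(log_text):
    """Count verdicts over a whole log, skipping comments and blank lines."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("#"):
            verdict, _ = evaluate(line)
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines()[1:]:
        print(evaluate(line), line.split()[2])
    print(summarize(SAMPLE_LOG))
```

The user-agent heuristic is deliberately coarse: it surfaces candidates for the signature scan described in the third function, rather than deciding on its own.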
■ Anti-Spyware Services—Managed security services are generally aimed at those short on IT staff, security expertise, and capital. As spyware concerns grow, new managed anti-spyware services are expected to emerge for individuals and businesses.

Windows Live OneCare illustrates this trend at the desktop. OneCare Protection Plus is a subscription-based managed security service that combines desktop anti-spyware, anti-virus, and firewall defenses. OneCare primarily targets individual consumers, but can also be used by small businesses that prefer not to configure, monitor, or maintain desktop security programs. Other vendors have also announced subscription-based desktop security services that will include anti-spyware, notably McAfee Falcon and Symantec Norton 360 (aka Genesis).

At the network edge, providers that deliver CPE-based managed security services are adding anti-spyware. Many already wrap expert provisioning, 24/7 NOC monitoring, threat assessment and incident response around multi-function security appliances from vendors like McAfee, Trend Micro, SonicWALL and WatchGuard. Providers can spin anti-spyware modules for these and other security appliances into new anti-spyware offerings, accompanied by professional services like spyware remediation.

Phase Three: Rigorous Remediation

Spyware prevention and detection can reduce the need for remediation, but hosts that are already infested with spyware must be cleansed before applying prophylactic measures.

Relatively benign threats like adware cookies and NonBizWare programs can often be removed manually without difficulty. Temporary files, browser caches, cookies, and play-by-the-rules programs can be deleted with standard desktop tools like Disk Cleanup and Add/Remove Programs. Unfortunately, removing more tenacious adware, bots and trojans without crippling the host can be very tricky. Malware that morphs to elude detection can affect each host in a slightly different fashion. Rootkits are especially tough to scrub because they replace OS files and use hidden processes.

As a result, malicious spyware removal is not for the faint of heart. Vendor knowledge bases and public forums like CastleCops offer manual spyware removal advice, but most businesses should rely on automated clean-up using desktop anti-spyware programs. In addition to real-time quarantine, some anti-spyware products include rollback/restore capabilities that can recover critical files over-written by spyware. On Windows XP SP2 hosts, Microsoft’s Malicious Software Removal Tool (MSRT) can be used to delete the most prevalent malware.

When spyware removal fails or produces questionable results, rebuilding the desktop can be required for recovery to a trustworthy state. For companies that already maintain standard desktop images and regular data backups, re-imaging may be time-consuming but tolerable. Others may find repeated spyware remediation costly enough to justify investment in the aforementioned practices, reaping benefits beyond spyware relief. Those without previously-saved desktop images may find themselves with little choice but to disconnect the infested host from the Internet, quickly back up critical data to CD, reformat hard disks, and reinstall the operating system and applications from scratch.

Alternatively, some experts recommend browsing the Web from virtual machines (e.g., VMware Workstation, Microsoft Virtual PC). This kind of “sandboxing” can insulate your real operating system, letting spyware damage be undone simply by discarding the compromised virtual machine. Those who routinely use virtual machines for other reasons (e.g., software development and testing) may find this approach very helpful.
Conclusion

Fighting spyware may seem like an uphill battle, but it is a campaign that most of us have little choice but to wage. Over a 15-month period, Microsoft’s MSRT alone removed 16 million instances of malicious software from 5.7 million computers, 62 percent of which housed at least one backdoor trojan. Even the most computer- and security-savvy Internet users occasionally fall victim to spyware. Given the financial gain that drives spyware, these pests will undoubtedly continue to proliferate. For spyware, the best defense is a strong offense: taking reasonable steps to prevent and detect spyware can reduce your risk of compromise and your need for expensive remediation.

Companies Mentioned In This Article

8e6 Technologies (www.8e6.com)
Aladdin (www.aladdin.com)
Bleeding Snort DNS Black Hole project (www.bleedingsnort.com/blackhole-dns/)
Blue Coat (www.bluecoat.com)
CastleCops (wiki.castlecops.com/PIRT)
CERT (www.cert.org)
Computer Associates (www.ca.com)
eSoft (www.esoft.com)
FaceTime (www.facetime.com)
Finjan (www.finjan.com)
Futuresoft (www.futuresoft.com)
Google (www.google.com)
Lavasoft (www.lavasoft.com)
McAfee (www.mcafee.com)
Mi5 Networks (www.mi5networks.com)
Microsoft (www.microsoft.com)
Shavlik (www.shavlik.com)
SonicWALL (www.sonicwall.com)
StaySafeOnline.org (www.staysafeonline.org)
StopBadWare.org (www.stopbadware.org)
Sunbelt (www.sunbelt-software.com)
SurfControl (www.surfcontrol.com)
Symantec (www.symantec.com)
Tenebril (www.tenebril.com)
Trend Micro (www.trendmicro.com)
WatchGuard (www.watchguard.com)
Webroot (www.webroot.com)