Spy Versus Spy: Is Somebody Spying on You?

Spyware is on a fast track to replace spam and viruses as the most annoying consequence of Internet usage.

Anybody who uses the Internet has likely experienced spyware. Constant pop-up advertising windows that multiply like rabbits, home pages redirected to a salacious web site, strange search bars diverting you from Google or Yahoo, and mysterious CPU and bandwidth spikes are all symptoms of a spyware infestation. IT managers responsible for thousands of desktop PCs are dealing with this stuff every day. Annoying certainly, a drain on IT resources maybe, but is it really a security threat? How bad is it out there anyway? And what can corporations do to clean up PCs and keep them clean?

What is Spyware?

Although there is no formal definition, Spyware is generally considered to be any software that relays private information to a third party without proper authorization. However, to sort out the security risks, a broader range of programs known as "extended threats" needs to be defined.

Extended threats:

  • Adware: Software that runs targeted advertisements on a PC. This type of program often monitors web surfing patterns to target ads to users. It typically runs with the permission of the user in exchange for a free version of a program or service, but can also be silently downloaded by "distributors" that get paid by Adware developers to deliver Adware software. Some Anti-spyware programs also consider shared cookies to be Adware.
  • Spyware / Keystroke logger / screen capture: Software that records keystrokes and screen shots, which can be replayed later to reconstruct a user session. These products are very dangerous: they can be used to steal passwords and confidential information, which in turn can provide full access to corporate systems and files.
  • Dialer: A program that permanently changes dialup ISP numbers to expensive toll numbers.
  • Hacking tools: Programs, such as Trojans or password crackers, which can be used to hack into other systems.

Most "Anti-spyware" vendors detect all of these extended threats but the industry was born out of the irritating effects of Adware, the most visible and common extended threat. McAfee reports that as much as 96 percent of extended threats on consumer PCs are Adware. To sensationalize the issue, vendors and the general press are constantly mixing up the potentially devastating security impact of spyware/keystroke loggers, which are rare, with Adware, which is significantly more common and benign.

How do end users get infected?

Adware typically offers some benevolent purpose such as screen savers, password managers, browser skins, or download accelerators, so end users sometimes download it willingly without understanding the advertising subsidy. In most cases, consent will be buried deep in the end user license agreement (EULA), but end users rarely read EULAs. Adware developers are paid by the number of deployments of their software, so they will use any means they can to sneak software onto users' systems. In some cases, Adware developers will trick end users into installing their programs (for example, the installation prompt reads: "To install this program, please click no"). Even when Adware programs aren't tricking users, their distributors may be. Adware developers often pay web site owners for each copy of Adware they deliver to visitors' desktops. These distributors are less worried about prosecution or negative publicity, and have proven adept at developing silent drive-by downloads.

Beyond Adware, extended threats such as spyware and keystroke loggers are usually deployed against specific targets by hackers. These programs include utilities that quietly install and hide the program. In addition to software keystroke loggers, there are also hardware keystroke loggers that can be installed in-line between the keyboard and the PC by anyone with physical access to the machine. These miniature storage devices simply log all keystrokes. When the hacker later retrieves the device, the contents can be inspected with any text editor. These devices are impossible for software to catch and can only be prevented with physical security measures.

Hacking tools represent future risk. They are the equivalent of finding lock-picking instruments in someone's desk drawer. They may not yet have been deployed, but their mere presence may indicate someone is considering a new career in hacking.

What are the risks of extended threats?

Even if Adware is not typically a security risk, it does have a significant impact on the organization, including:

  • Loss of personal productivity as end users attempt to cope with changing browser behavior and annoying pop-up ads,
  • Increased workload for help desk personnel tasked with manually cleaning desktops,
  • Loss of bandwidth for corporate activities due to spurious advertising traffic,
  • Potential hostile workplace liability from failure to protect end users from salacious web sites.

Keystroke loggers and other hacking tools represent the most serious security threat. Several organizations have lost valuable corporate information including passwords and usernames to these devices. One software company lost significant revenue when source code for new gaming software was stolen via a remote keystroke logger and posted on the Internet.

We should note that even though Adware is currently not a significant security threat, the programming techniques used to get a foothold on PCs and communicate outside the firewall are inevitably going to be exploited by virus writers and other malware authors. So defending against Adware provides protection against more serious future threats.

Defeating extended threats

Much like Spam, Adware will rapidly transform to avoid detection and removal. Keeping PCs clean will require a multi-layered defense and remediation strategy including:

  1. Educate users on the danger of freeware and Internet downloads
  2. Tighten the Web gateway policy with URL filtering and download restrictions
  3. Tighten IE settings and maintain the most current version of IE
  4. Lock down desktops to prevent new applications from loading
  5. Use two-factor authentication
  6. Selectively use single-purpose anti-spyware tools to clean up desktops
  7. Push your Antivirus vendor to include more extended threats in their signature files
  8. Deploy enterprise anti-spyware tools only as a last resort

The first step is to educate users so that they understand the risks of shareware and freeware. Next, tighten the web gateway settings by using a combination of URL filtering to block known Adware sites and download filtering of CAB and OCX files. It will be difficult for URL filtering databases to keep up with all the sources of infection (the distributors); however, blocking the Adware servers themselves can neuter Adware programs and reduce spurious bandwidth consumption. Gateway controls will be ineffective for remote access users and teleworkers that are not routed through the corporate gateway, so client defenses are also necessary.
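To make the gateway step concrete, here is an added example (not code from the article or from any product it names) of the two gateway rules it describes: block requests to known Adware servers, including their subdomains, and block downloads of CAB and OCX files regardless of letter case or trailing query strings. The host list, the log format and the proxy log lines are constructed for illustration.

```python
"""Gateway policy check: URL filtering plus CAB/OCX download filtering.

Added example, not the article's own code. The Adware host names, the
'<time> <client> <url>' log format and the sample log are all constructed.
"""
from urllib.parse import urlsplit

# Constructed list of known Adware / advertising servers (illustrative names only).
ADWARE_HOSTS = frozenset({"ads.example-adware.test", "dl.example-distributor.test"})

# Download types the article recommends filtering at the gateway.
BLOCKED_EXTENSIONS = frozenset({".cab", ".ocx"})


def host_is_blocked(host: str) -> bool:
    """True if the host, or any parent domain of it, is on the Adware list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in ADWARE_HOSTS for i in range(len(labels)))


def extension_is_blocked(path: str) -> bool:
    """True if the last path segment ends in a filtered download type.

    urlsplit() has already separated the query string, so 'Toolbar.CAB?ref=x'
    is judged on 'Toolbar.CAB'; the comparison is case-insensitive.
    """
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def evaluate_url(url: str) -> tuple[str, str]:
    """Return (decision, reason) for one requested URL."""
    parts = urlsplit(url)
    if not parts.hostname:
        return ("block", "unparseable URL")
    if host_is_blocked(parts.hostname):
        return ("block", "host on Adware list")
    if extension_is_blocked(parts.path):
        return ("block", "filtered download type")
    return ("allow", "no policy match")


def evaluate_log(lines):
    """Apply the policy to proxy log lines of the constructed form '<time> <client> <url>'."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _time, client, url = line.split(None, 2)
        decision, reason = evaluate_url(url)
        results.append((client, url, decision, reason))
    return results


# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
12:00:01 10.0.0.5 http://www.example.test/index.html
12:00:02 10.0.0.5 http://cdn.ads.example-adware.test/tracker.js
12:00:03 10.0.0.7 http://files.example.test/setup/Toolbar.CAB?ref=promo
12:00:04 10.0.0.7 http://www.example.test/docs/cabinet.html
12:00:05 10.0.0.9 http://dl.example-distributor.test/free_screensaver.exe
"""

if __name__ == "__main__":
    for client, url, decision, reason in evaluate_log(SAMPLE_LOG.splitlines()):
        print(f"{decision:5} {client:10} {url}  ({reason})")
```

The host check walks up the domain labels so that a listed server cannot be bypassed by prefixing a new subdomain, while the extension check looks only at the final path segment so that a page merely named `cabinet.html` is not caught. As the article notes, none of this helps a laptop that is not routed through the gateway, which is why client-side controls follow.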

On the client side, make sure that IE security settings are high and that IE is properly patched and maintained. Using alternative browsers is not recommended as a corporate strategy due to the cost of the conversion, the residual presence of IE, and the lack of centralized management for alternative browsers. Moreover, security by obscurity is rarely effective for long.

Locking the PC by limiting the software that can be deployed on a desktop to a white-list of known corporate and productivity applications is clearly a best practice. However, the average large organization has between 1,500 and 2,000 distinct desktop applications. Maintaining a sanctioned white-list of acceptable applications, evaluating new software, and dealing with numerous exceptions tends to increase the cost of desktop administration. As a result, 80 percent of organizations only lock desktops in groups where there is a small, static set of common applications. The problem with a partial lockdown approach from a security perspective is that the employees who resist desktop lockdown are typically IT staff and senior executives. These exempt groups typically have a higher risk of infection, and the results of compromise are more damaging. Still, locking down 50 percent of users can make the problem more manageable.

Desktop lockdown is the most effective solution to prevent keystroke loggers from loading on desktops. However, ITO must keep in mind that keystroke loggers do not necessarily need to be on the victim's machine to steal passwords. An attacker might install a keystroke logger on their own machine, or a kiosk, and then trick a user with higher access rights into using the compromised machine, thus exposing their password and username. Organizations concerned primarily about keystroke loggers should consider using two-factor authentication to minimize the damage of password theft.
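Why a second factor limits the damage of a logged password is easiest to see with a one-time code: the keystroke logger captures the password and the code, but the code is consumed on first use. The following is an added example, not code from the article or any product it mentions; it uses HOTP (RFC 4226, a standard published after this article) as the second factor, and the user name, password, token secret and server class are all constructed for illustration.

```python
"""Password plus HOTP one-time code: a captured login cannot be replayed.

Added example, not the article's own code. HOTP follows RFC 4226; the
OtpAuthenticator/HardwareToken classes and all credentials are constructed.
"""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Client side: each button press yields the next counter's code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def next_code(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


class OtpAuthenticator:
    """Server side: verifies password and code, and never accepts a used code again."""
    LOOK_AHEAD = 3  # tolerate a few codes generated but never submitted

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {"salt": salt, "pw": self._hash(password, salt),
                             "secret": secret, "counter": 0}

    def verify(self, user: str, password: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        password_ok = hmac.compare_digest(self._hash(password, rec["salt"]), rec["pw"])
        # Only counters at or above the stored value are searched, so a code that
        # was already consumed (or any older one) can never match again.
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                matched = c
                break
        if not password_ok or matched is None:
            return False
        rec["counter"] = matched + 1  # consume the code
        return True


def replay_demo() -> tuple[bool, bool, bool]:
    """Simulate a keystroke logger capturing a whole login and replaying it.

    Returns (legitimate login, attacker replay, user's next login).
    """
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret, used as a constructed enrolment
    auth = OtpAuthenticator()
    auth.enroll("alice", "correct horse battery", secret)
    token = HardwareToken(secret)

    captured_code = token.next_code()  # the logger sees the password and this code
    first = auth.verify("alice", "correct horse battery", captured_code)
    replay = auth.verify("alice", "correct horse battery", captured_code)
    later = auth.verify("alice", "correct horse battery", token.next_code())
    return first, replay, later


if __name__ == "__main__":
    print("legitimate login, replay, next login:", replay_demo())
```

The password alone still has to be right, so the logged secret is not worthless to an attacker, but without the token the replayed session fails and the legitimate user's next code still works. A session-recording logger on a kiosk, as described above, captures exactly this kind of one-shot credential, which is the scenario the article's two-factor advice addresses.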

Although organizations want a more comprehensive and proactive desktop solution, most enterprise tools are not mature enough for large-scale corporate deployment. Moreover, tests have shown that none is more than 65 percent effective at catching known Adware. Within the next 12-16 months, we expect Antivirus vendors will have the best solution for enterprise-wide desktop protection. Indeed, Trend Micro recently added about 3,800 spyware signatures to its database in OfficeScan 6.5; however, it has limited clean-up capability. Computer Associates recently acquired PestPatrol and is working on integrating it with CA's eTrust suite. In the meantime, most organizations are taking a tactical approach to Adware by arming the help desk with consumer Anti-spyware tools (such as Spybot, PestPatrol, Ad-Aware and Webroot) to clean up infected PCs as they are identified. IT managers should begin to track Adware infection rates and help desk remediation effort in order to develop trending information and future justification for new tools to combat extended threats.

The war against Adware is just beginning. It is likely to have a similar lifecycle to Spam. CSOs should expect a continuing arms race between solution providers and Adware developers for at least the next 24 months. We expect a combination of gateway and desktop controls from incumbent and trusted security vendors will be the most effective and efficient defensive strategy.

Copyright © 2004 IDG Communications, Inc.