SECURITY Dealing With Adware And Spyware

SECURITY

Dealing With AdwareAnd SpywareLisa Phifer

Lisa Phifer is anowner and principalconsultant at CoreCompetence, anetwork securitytechnology consultingfirm based in ChesterSprings, PA. A 25-yearveteran ofthenetworking industry.Lisa has been battlingthe spyware scourgesince 2001. She can bereached atlisa @ corecom. com.

You'll need a hybrid of host-and network-basedapproaches, as well as thesecurity professional'sgreatest asset: Constantvigilance.

If early viruses like BubbleBoy and LoveBugmake you pine for simpler times, then you areprobably waging war against this millenni-um's far more tenacious foe: The stubborn

crop of spyware that now infests three out of fourPCs. From pesky adware like BonziBuddy tomalicious malware like Trojan-Down loader-Zlob,spyware is literally choking corporate desktopsand networks. Responsible for one out of fourhelp desk calls and half of the PC crashes report-ed to Microsoft, spyware is draining IT resourcesand business productivity.

Worse, spyware is now morphing from nui-sance to nightmare. Those seeking financial gainthrough spyware have evolved from trackingcookies and intrusive pop-up ads to more selectiveand insidious methods. For example, drive-by-downloads are installing exploit code onto PCsthat merely visit websites, without user interac-tion. Phishing trojans are monitoring browseractivity, waiting to capture identities and creden-tials during on-line banking transactions. Keylog-gers are harvesting sensitive ^ ^ ^ ^ ^ ^ ^ ^ ^data from victims, violating ^privacy laws and industry reg-ulations.

ment just by reducing spyware remediation cost.Webroot estimates that help de.sk calls, resurrect-ing compromised workstations and the resultingdown time run about $250 per user, per year (acalculation is shown in Figure 1).

Potential return on investment does not endthere. Spyware not only slows desktops; it sapsworker productivity and hogs bandwidth. Accord-ing to SurfControl, ISPs find that peer-to-peerspyware programs (e.g., Grokster, KaZaA,Limewire) generate up to 70 percent of networktraffic. Spyware that exposes private data mayresult in embarrassing public disclosure, costlycustomer notificafion and compliance violationsthat bring hefty fines. Spyware is also a popularvector for executing electronic crimes like identi-ty theft and on-line fraud. In one well-publicizedcase, 22 Israelis were anested for using spywareto commit corporate espionage. Wbite data theftcosts are notoriously difficult to quantify, thegravity of such incidents cannot be denied. Busi-ness consequences are already significant, andwill continue to escalate as spyware grows morevirulent.

Unfortunately, defeating spyware is harderthan evading conventional viruses. Spyware is anypotentially-unwanted program that makes unde-sirable changes to your computer and/or collectsinformation about user activities, without consent,usually for financial gain. That definition may befine in the abstract, but making concrete decisions

Stamping Out SpywareAssociated business risks aremaking it impossible for com-panies to ignore spyware. TheRadicati Group projects thatanfi-spyware spending willgrow from $103 million in2005 to more than$1 billion by 2009. Manycompanies can justify invest-

FIGURE1 Cost Of Spyware (A Calculator)

Number of Workstations: 11000

Average Hours to Re-image:

Hourly Value of Employee Time;

Re-image Rate:

Average Cost per Help Desk Call;

Monthiy % Chance of Spyware Call:

Totai Cost of Spyware:

Source: Webroot

4 4 BUSINESS COMMUNICATIONS REVTEW / AUG 2006

Use BCR's Acronym Dircclnrv ;il

about which programs are really spyware can bedifUcult.• Annoying Adware—Many programs monitoractivity, but when does that become a breach ofprivacy? Cookies retain personal information—usernanies, passwords, preferences—so that web-sites can improve user experience. But some cook-ies share tracking data with third parties that deliv-er pop-tips and banner ads; those installed withoutuser consent are called adware cookies. And thenthere are programs like WeatherBug and Surf-SideKick thai display sponsor ads while they run.Such adware programs may or may not obtainconsent to track and share personal data throughend user license agreements^—which most userssimply accept without reading.

• Nebulous NonBizWare—Many workersinsUill non-business software on corporate PCs,from IM and softphones to multi-user games andpeer-to-peer file sharing. Beyond reducing pro-ductivity. NonBizWjire establishes communica-tion "'back channels" that could be exploited topenetrate or attack a corporate network.

NonBizWare may also expose employers tolegal liability as.stKiated with distribution of copy-righted music, pirated software and pornographicmaterial. Therefore, even though NonBizWaremay not "spy" on users, many anti-spyware solu-tions treat these potentially-unwanted programs asanother form of spy wjire.• Menacing Malware—A growing percentageof spyware is malicious software intended to dam-age a computer, steal data, or create an attack plat-fonn. For example, browser hijackers like Cool-WebSearch_xplugin change home pages, redirectWeb searches, and misdirect URLs to phishingpages and pay-to-play search engines. Keyloggerslike SpyBuddy record document edits, email,instant messages, chat room conversations andWeb form responses by relaying user keystrokesto remote attackers. Botnets use worms or trojansto plant drones like SoberQ that listen for IRCcommands instructing them to relay spam or joinDDoS attacks. Trojan downloaders like Zlob andWstart hide in attachments and downloads, open-ing back doors through which other programs canbe remotely installed. Rootkits like NTRootKitare trojans that operate as hidden system files, let-ting attackers gain unrestricted access to a "root-ed" computer. And tbe list goes on.

Unlike adware and NonBizWare, there is littleroom for interpretation here: Malware rarelybelongs on any system.• Rogue Anti-Spyware—Finally, spyware itselfhas created an opportunity for rogue anti-spy-ware—programs like SpyAxe, Winhound, andSpy Trooper that use pop-up ads and scare tacticsto convince users lo download phony anti-spywareprograms. When executed, many of these roguesgenerate "false positive" warnings that houndusers into purchasing clean-up programs or paidfeature licenses.

These are but a few of thousands of pieces ofcode congregating under the spyware umbrella.They illustrate that spyware is extremely diversein delivery method, installed behavior and poten-tial impact. These characteristics make spywarechallenging to detect, and even more challengingto mitigate. In .short, spyware is a complex threatthat is most effectively addressed through multi-phase, multi-layered defenses.

Phase One: Proactive PreventionThe old adage, "An ounce of prevention is worth apound of cure" certainly applies to spyware. Oncespyware has been installed on a host, it can beextremely difficult to return that host to a trust-worthy state. Efficient spyware defense starts withproactive steps intended to circumvent populardelivery methods.

Spyware has a penchant for social engineer-ing—from tricking users into clicking on fakepop-ups to bundling trojans with enticing share-ware. We cannot depend on users to "do the rightthing," but we can still benefit from spyware edu-cation. Many on-line resources exist, includingStopBadWare.org. StaySafeOnline.org. CERTCyber Security Tip ST{)4-016. and knowledgebases published by reputable anti-spyware ven-dors. But take care to avoid rogue anti-spyware—see www. spywarewarrior.com/rogue.anti-spy-ware, htm.

Spyware often makes its way onto a desktopthrough a Web browser. Secure browser configu-ration can help to stop hijackers and drive-bydownloads. ActiveX controls are a spywarefavorite; disabling unsigned ActiveX is a simplebul valuable step. Disabling Java applets can alsobe helpful, but more likely to cripple legitimatewebsites. These and other browser configurationtips can be found online, including bltp://cyber-coyote.org/security/browsers.shtml. Companiesshould disable user prompting, enforcing activecontent and plug-in settings with a desktop man-agement tool like Active Directory Group PolicyObjects.

Many adware cookies and browser hijackerscan be neutralized by configuring browser Privacysettings to disable third-party cookies and blockpop-ups. Exceptions can be made for legitimatewebsites that require these features to operate cor-rectly, preferably by importing a company-definedlist of permitted sites. Pop-up blockers are freelyavailable from many sources, including tbe Win-dows XP SP2 upgrade for Intemet Explorer andthe Google Toolbar.

Use Intemet Explorer's Restricted Site Zone(or equivalent features in otber browsers) to blockaccess to known adware and spyware silcs. But donot attempt to populate tbis list manually. Instead,use a tool like JavaCool SpywareBlaster to con-figure this banned site list, and update that list reg-ularly as new sites emerge.

Many spyware programs need administrative

Spyware has a

penchant for

social

engineering

BUSINESS COMMUNICATIONS REVIEW / AUG 2006 4 6

It is necessary to

combine

prevention with

detection

rights to install themselves, overwrite OS files ordisable security measures in an effort to evadedetection. Those threats can be crippled or neu-tralized by browsing the Web from a Least-Privileged User Account (LUA), Never browse theWeb as administrator. If you must, use a free toollike Microsoft DropMyRights to downgrade priv-ileges when launching your browser (or any otherIntemet application).

A significant percentage of spyware has beendesigned specifically to exploit Intemet Explorerfeatures or vulnerabilities. Diligent patching canmake a big difference, as can upgrading to a newerversion of IE. Security improvements found in IEversion 7 include ActiveX opt-in, a "No Add Ons"mode, a "Fix My Settings" option, and better pro-tection fi-om cross-domain scripting attacks. Orconsider using an alternative browser like Firefoxfor general Web surfing, reserving IE forknown/trusted sites that do not work well other-wise. Alternative browsers may be a less popularspyware target, but they still require secure con-figuration and patching.

Browsers may be spyware's favorite target, butmany other applications can fall victim. For exam-ple, email can carry spyware in file attachments,

or contain embedded URLs for spyware websites.This risk can be reduced by using non-IE viewerswhen displaying HTML content, using applica-tion settings to disable active content and scriptexecution, stripping risky file attachments, andflagging deceptive URLs. Spam filtering can alsoweed out many dangerous messages before usershave an opportunity to get themselves in troublewhen reading them.

Finally, spyware and adware do their dirtywork by communicating with third parties. Pre-venting back-channel communication literallyrenders these programs mute. DNS black holescan be used to resolve host names and domainnames that are known to propagate spyware to (heloopback address 127.0.0.1. Entries can be addedto desktop HOSTS files. DNS Servers, or both,using lists maintained by the Bleeding Snort DNSBlack Hole project.

Phase Two: in-Depth DetectionThese proactive steps, coupled with persistentpatching, list maintenance, and configurationenforcement, can significantly reduce spyware.But prevention is never foolproof Spyware sitesmove, users add exceptions, and NonBizWare

FiGURE2 Layered Defense

AdwareNonBizWareKey loggers

Trojan DownioadersRootkits...

SpywareSite

Enforce Anti-Spyware policiesusing on-demand scans and

real-time monitoring to disablerisky requests and content,block cookies and pop-ups,

detect and quarantine/deleteSpyware objects

NetworkAnti-Spyware

Appliance

Block HTTP requests to Spyware sitesFilter responses for banned objects

Scan messages for Spyware signatures^ Block Spyware back-channels -^

DesktopAnti-Spyware

Programs(Stand-alone

Or Agent)

DesktopAnti-Spyware

Server

Centrally defineDesktop Anti-Spyware

policies, initiate desktopaudits, & monitor desktop

Anti-Spyware agents

4 f i BUSINESS COMMUNICATIONS RHVltW / AUG 2(K)6

sneaks in on thumb drives. It is therefore sensibleto combine prevention with detection.

Spyware may be harder to classify and eradi-cate than conventional viruses, but anti-spywaredefenses can be deployed in network locationssimiiar to those used for anti-virus: on the desklop,at Ihe network edge, and as a managed service(Figure 2).• Desktop Anti-Spyware—Many host-residentanti-spyware programs are avaikibie as consumerpackages or enterprise solutions. Features vary,but most provide start-up scans, on-demand scans,and real-time memory/fiie/apphcation monitors.On-demand scans can provide periodic audits, butreal-time monitoring is essential to avoid comph-cated cleanup. Fortunately, anti-spyware hasevolved from spotting consequences to quaranti-ning spyware before damage is done.

Anti-spyware programs have long detectedpotentially-unwanted changes to cookies, registrykeys, hosts files, browser zones and running ser-vices—signs that spyware is being installed, Someanti-spyware programs can block activities thatpresage spyware installation, like suspiciousActiveX execution and browser helper objectinstallation. Most anti-spyware programs use sig-natures to compare Web and other applicationobjects to thousands of known culprits, preventinginstallation of NonBizWare. hacker tools, keylog-gers, trojans and wonns. To keep up with new spy-ware that morphs, behavior-based detection isbeing added to some anti-spyware programs. Andto detect evasive threats like rootkits, anti-spywareprograms have also started to monitor activitywith lower-level drivers.

Anti-spyware options like scan location/depthand exclusions can be helpful—for example,ignoring an IM client used for business or yourown website's adware cookies. Most anti-spywareprograms keep a local log of detection results,with hot links to spyware definitions, ratings andadvice. However, anti-spyware programs may ormay not provide automated spyware removal (seethe section on '"Remediation").

Some consumer anti-spyware programs pro-vide free scanning, but require a paid license toactivate advanced features. Because spywaredetection varies, running more than one programcan be useful, and combining a paid program withfree tools is common. Freely-available consumeranti-spyware programs are available from manysources, including Microsoft Windows Defender,SpyBot-S&D and WinPatroI.

Why spring for a commercial desktop anti-spy-ware program? Vendors that offer both free andcommercial anti-spyware tend to reserve the mostvaluable features—notably real-time monitoringand automated removal—for paid customers.Moreover, SMBs and enterprises require featuresthat are absent in consumer anti-spyware pro-grams:

Businesses should look for centralized policy

definition, including the ability to customize scandepth, permitted exclusions, prohibited Non-BizWare, quarantine/delete actions, .signatureupdates and audit schedules. Larger enterprisesmay prefer group-based policies that can applydifferent lists and schedules to regular users,administrators and high-value systems.

Enforce centrally-managed policies with con-figuration locks, preventing users from addingtheir own exceptions or disabling spyware protec-tion. However, some exceptions may be necessaryibr employees to do their jobs. For best results,choose a policy engine that lets you selectivelypermit end user changes, but disable end userprompting except where required to meet businessneeds.

Businesses may also need real-time monitoringand historical reporting features that let adminis-trators identify where and when spyware has beenencountered, and steps that were taken to auto-matically remediate it. Look for threat assessmentaids, like the ability to single out un-remediatedhosts and tllter by spyware type/severiiy.

Larger enterprises sbould also consider scala-bility, inciuding server/database platform require-ments, hierarchical/group views, update distribu-tion, integration with enterprise desktop and net-work management systems and cost per desktop.

Enteqirrise anti-spyware solutions availabletoday include Computer Associates eTrust PestPatrol, eSoft Desktop Anti-Spyware, FuturesoftDynaComm i;scan, Lavasoft Ad-Aware Enter-prise. McAfee Anti-Spyware Enterprise, ShavlikNetChk Spyware, Sunbelt CounterSpy Enterprise,SurfControl Enterprise Threat Shield. TenebrilSpy Catcher Enterprise. Trend Micro Anti-Spy-ware Enterprise and Webroot Spy Sweeper Enter-prise.• Network Anti-Spyware—A healthy crop ofanti-spyware appliances bas emerged to comple-ment desktop anti-spyware. Stopping spyware atnetwork trust boundaries avoids over dependenceon desktop defenses. Network appliances let youuniformly enforce anti-spyware poiicies on allusers, including contractors and visitors. Wben anew threat emerges, or you decide to permit busi-ness use of a P2P program, anti-spyware appli-ances can apply the modified policy immediately.Appliances provide a single point for spywarequarantine, reducing the ri.sk of desktop infectionand costly clean-up. Finally, anti-spyware appli-ances are less likely to fall victim to spyware, likemalware that tries to disable desktop security pro-grams.

However, network anti-spyware is no panacea.As with any perimeter defense, anti-spywareappliances cannot stop installation of spyware thatoriginates inside the network (e.g.. NonBizWareinstalled from USB stick). Network-based solu-tions must balance security and performance toavoid becoming bottlenecks. They may not excelat making per-user exceptions or desktop

Network-basedsolutions allowfor more uniformenforcement

BUSINESS COMMUNICATIONS REVIEW / AUG 2006 4 7

Malicious

spyware removal

is not for the

faint of heart

remediation. Finally, network anti-spyware can-not protect laptop users when they work (andsurf the Web) remotely.

Combining desktop and network anti-spywarecreates a layered defense that is more robust andresilient than either would be alone. In fact, somevendors offer both solutions, leveraging commoncomponents like management tools and signaturedatabases.

What functions can you expect from an anti-spyware appliance?• A network appliance is a convenient place tofilter outbound HTTP requests, blocking installerdownloads, known spyware URLs, and black-list-ed domains.• A network appliance can also strip active con-tent from HTTP responses, including ActiveXcontrols, Java applets, scripts and bannedS/MIME types.• After filters are enforced, an appliance may usesignatures to scan inbound application payloads,quarantining suspicious data objects.• A network appliance may also block adwareand spyware back channels, including P2P proto-cols like ICQ and malware that sneaks out on port80.

Some anti-spyware appliances operate as Webproxies with the ability to scan SSL-encryptedHTTP (e.g., Finjan Vital Security Web Appliance,Bluecoat SG). Some watch for standard protocoldeviations, vulnerabilities and associated exploits(e.g., Aladdin eSafe Gateway). Some appliancesfocus on spyware (e.g., 8e6 R3(XX) EnterpriseInternet Filter), while others combine anti-spy-ware with many other network defenses (e.g.,eSoft Threatwall). Finally, many anti-spywareappliances operate as in-line gateways (e.g.. Face-time RTGuardian, McAfee Secure Web Gateway),but some offer out-of-band spyware detection(e.g.. Mi5 Enterprise SpyGate).• Anti-Spyware Services—Managed securityservices are generally aimed at those short on ITstaff, security expertise, and capital. As spywareconcerns grow, new managed anti-spyware ser-vices are expected to emerge for individuals andbusinesses.

Windows Live OneCare illustrates this trend atthe desktop. OneCare Protection Plus is a sub-scription-based managed security service thatcombines desktop anti-spyware, anti-virus, andfirewall defenses. OneCare primarily targets indi-vidual consumers, but can also be used by smallbusinesses that prefer not to configure, monitor, ormaintain desktop security programs. Other ven-dors have also announced subscription-baseddesktop security services that will include anti-spyware, notably McAfee Falcon and SymantecNorton 360 (aka Genesis).

At the network edge, providers that deliverCPE-based managed security services are addinganti-spyware. Many already wrap expert provi-sioning, 24/7 NOC monitoring, threat assessment

and incident response around multi-function secu-rity appliances from vendors like McAfee, TrendMicro, SonicWALL and WatchGuard. Providerscan spin anti-spyware modules for these and othersecurity appliances into new anti-spyware offer-ings, accompanied by professional services likespyware remediation.

Phase Three: Rigorous RemediationSpyware prevention and detection can reduce theneed for remediation, but hosts that are alreadyinfested with spyware must be cleansed beforeapplying prophylactic measures.

Relatively benign threats like adware cookiesand NonBizWare programs can often be removedmanually without difficulty. Temporary files,browser caches, cookies, and play-by-the-rulesprograms can be deleted with standard desktoptools like Disk Cleanup and Add/Remove Pro-grams. Unfortunately, removing more tenaciousadware, bots and trojans without crippling the hostcan be very tricky, Malware that morphs to eludedetection can affect each host in a slightly differ-ent fashion. Rootkits are especially tough to scrubbecause they replace OS files and use hiddenprocesses.

As a result, malicious spyware removal is notfor the faint of heart. Vendor knowledge bases andpublic forums like CastleCops offer manual spy-ware removal advice, but most businesses shouldrely on automated clean-up using desktop anti-spyware programs. In addition to real-time quar-antine, some anti-spyware products include roll-back/restore capabilities that can recover criticalfiles over-written by spyware. On Windows XPSP2 hosts, Microsoft's Malicious SoftwareRemoval Tool (MSRT) can be used to delete themost prevalent malware.

When spyware removal fails or produces ques-tionable results, rebuilding the desktop can berequired for recovery to a trustworthy state. Forcompanies that already maintain standard desktopimages and regular data backups, re-imaging maybe time-consuming but tolerable. Others may findrepeated spyware remediation costly enough tojustify investment in the aforementioned practices,reaping benefits beyond spyware relief. Tbosewithout previously-saved desktop images mayfind themselves with little choice but to disconnectthe infested host from the Internet, quickly backup critical data to CD, reformat hard disks, andreinstall the operating system and applicationsfrom scratch.

Alternatively, some experts recommend brows-ing the Web from virtual machines (e.g., VMwareWorkstation, Microsoft Virtual PC). This kind of"sandboxing" can insulate your real operating sys-tem, letting spyware damage be undone simply bydiscarding the compromised virtual machine.Those who routinely use virtual machines forother reasons (e.g., software development andtesting) may find this approach very helpful.

4 8 BUSINESS COMMUNICATIONS REVIEW / AUG 2006

ConclusionFighting spyware may seem like an uphill battle,but it is a campaign that most of us have littlechoice but to wage. Over a 15-month period.Microsoft's MSRT alone removed 16 millioninstances of malicious software from 5.7 millioncomputers, 62 percent of which housed at leastone backdoor trojan. Even the most computer- andsecurity-savvy Intemet users occasionally fall vic-tim to spyware. Given the financial gain that dri-ves spyware. these pests will undoubtedly contin-ue to proliferate. For spyware, the best defense isa strong offense: taking reasonable steps to pre-vent and detect spyware can reduce your risk ofcompromise and your need for expensive remedi-ation n

Companies Mentioned In This Article

8e6 Technologies (www.8e6.eom)

Aladdin (www.aladdin.com)

Bleeding Snort DNS Black Hole project(ww w.bieedingsnort .com/bl ackhole-dn s/)

Blue Coat (www.bluecoat.com)

CastleCops (wiki.castlecops.com/PIRT)

CERT (www.cert.org)

Computer Associates (www.ca.com)

eSoft (www.esoft.com)

FaceTime (www.faeetime.com)

Finjan (www.finjan.com)

Futuresoft (www.futuresoft.com)

Google (www.google.com)

Lava.soft (www.lavasoft.com)

McAfee (www.mcafee.com)

Mi5 Networks (www.mi5networks.com)

Microsoft (www.microsoft.com)

Shavlik (www.shavlik.com)

SonicWALL (www.sonicwall.com)

StaySafeOnline.org(www.staysafeonline.org)

StopBadWare.org (www.stopbadware.org)

Sunbelt (www.sunbelt-software.com)

SurfControl (www.surtcontrol.com)

Symantec (www.symantec.eom)

Tenebril (www.tenebril.com)

Trend Micro (www.trendmicro.com)

WatchGuard www.watchguard.com)

Webroot (www.webroot.com)

Add It To Your Mix.42% of BCR's subscribers makefinal purchasing decisions.

BCR readers wiii spend morethan $80 biilion this year on:

• Internetworking

• IP-telephony

• Convergence

• Data communications

• Internet

• Network management

• Video/multimedia

BUSINESSCOMMUNICWIONS

REVIEW

National Sales DirectorRobert PavonePhone: 212/600-1280Fax: 212/600-1220Email: [email protected]

BUSINESS COMMUNICATIONS REVIEW / AUO 2006 6 1