Don't be Spooked by Spyware
In the 1984 blockbuster Gremlins, Billy receives an exotic pet as a gift and is cautioned to keep it away from water and not to feed it after midnight. Billy’s failure to adhere to these restrictions causes the pet to multiply, and its offspring transform into a marauding band of vicious monsters.
In the real world, the e-gremlin known as spyware is just as dangerous and prolific, as evidenced by a 2004 National Cyber Security Alliance and AOL survey which found that 80 percent of 329 home computers were infected with spyware. But like Billy, computer users do not recognize the threat. The survey found that only about half of those polled believed themselves to be infected.
Corporate rates of infection may be lower, but companies still need to be aware of how spyware gets onto their systems, the problems it can cause, and what safeguards work best.
Before we look at solutions, let’s look at what spyware is and how it works. As the name implies, spyware is code that logs a user’s activity and collects personal information, then sends that information to a third party.
Spyware creates several problems. For one thing, it can take over system resources and slow Internet response time due to the heavy load it puts on a network (though it does not attempt to spread or replicate like a worm or virus does). In a corporate environment, sluggish systems translate directly to financial loss.
A more serious problem is that a spyware program may delete or alter files to hide its presence; even worse, it can open a backdoor to communicate with other networks, which is one way that it will secretly send personal or proprietary data to a third party.
Spyware can also easily download and install malicious code. Apart from what the malicious intent of that code might be, when code is installed without supervision, it causes many systems to hang or crash—a common symptom of a contaminated system.
How it happens. There are many ways a user’s computer can get infected with spyware. The most common vector of infection is a user looking to get a program for free. Many types of spyware are bundled with applications such as photo editors and file-sharing software; when a user downloads and installs this piece of freeware or shareware from the Internet, he or she is often getting spyware in the process.
Similarly, some standalone applications, for example some Internet relay chat (IRC) clients, contain a built-in spyware mechanism that monitors user activity and logs keystrokes.
Drive-by infection. Some malicious applications use a “drive-by download” to infect computers. In this situation, infection occurs when users visit a Web page that they think is legitimate but that has been maliciously configured to exploit a vulnerability in the popular Internet Explorer Web browser.
Users can prevent this type of infection by installing security patches or switching to alternative browsers such as Firefox. Many users are not taking these simple precautions, however, meaning that they are not protected against this type of exploit.
Adware. Adware, a relative of spyware, has traditionally been a less pernicious and more acceptable form of software. It, too, is typically found within free software, and it displays an advertisement when the program is running. These advertisements help the software creators recover the cost of programming and maintaining the software.
Recently, however, many adware vendors began building spyware components into their software. The result was software that evolved from a simple advertising medium to an active program that can monitor user activity and even report that activity back to a third party.
Symptoms and Risks
How do you know if you’ve got spyware on your computer? There are a number of common symptoms. These include seeing many pop-up windows even if using a pop-up blocker; a Web browser that links to a site without any help from the user; toolbars or bookmarks not installed by the user; new taskbar icons and applications; increased network activity when the system should be idle; sluggish PC performance; and frequent crashes.
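Of the symptoms listed above, most are things a user notices on screen, but "increased network activity when the system should be idle" is one a defender can check mechanically from host telemetry. The following is an added example, not from the article: it correlates per-minute input activity with outbound byte counts and flags minutes in which an idle host is still sending a lot of data. The telemetry is constructed, and the idle window and byte threshold are assumptions chosen for illustration, not figures from the article.

```python
"""Added example (not from the article): a check for the 'increased network
activity when the system should be idle' symptom, run over constructed per-minute
host telemetry. The thresholds are assumptions, not figures from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MinuteSample:
    minute: int         # minutes since midnight (constructed timeline)
    input_events: int   # keyboard and mouse events seen in that minute
    bytes_out: int      # bytes the host sent in that minute


IDLE_AFTER_MINUTES = 5          # assumption: no input for 5 minutes means the user is away
SUSPICIOUS_BYTES_OUT = 200_000  # assumption: more than this per idle minute is worth a look


def find_idle_bursts(samples, idle_after=IDLE_AFTER_MINUTES, threshold=SUSPICIOUS_BYTES_OUT):
    """Return the minutes in which the host has had no user input for at least
    `idle_after` consecutive minutes yet sent more than `threshold` bytes.
    Traffic while the user is active is ignored: a large upload during work is expected."""
    flagged = []
    idle_run = 0
    for s in sorted(samples, key=lambda x: x.minute):
        idle_run = idle_run + 1 if s.input_events == 0 else 0
        if idle_run >= idle_after and s.bytes_out > threshold:
            flagged.append(s.minute)
    return flagged


# Constructed telemetry: a user works for ten minutes (including a large, legitimate
# upload at minute 3), then leaves; at minutes 16 and 17 the idle host sends ~900 KB.
SAMPLES = [MinuteSample(m, 12, 30_000) for m in range(10)]
SAMPLES[3] = MinuteSample(3, 40, 2_500_000)
SAMPLES += [MinuteSample(m, 0, 1_000) for m in range(10, 20)]
SAMPLES[16] = MinuteSample(16, 0, 900_000)
SAMPLES[17] = MinuteSample(17, 0, 900_000)

if __name__ == "__main__":
    for minute in find_idle_bursts(SAMPLES):
        print(f"minute {minute}: outbound traffic while the host is idle")
```

The large upload at minute 3 is deliberately not flagged: the point of the check is the combination of no input and outbound traffic, not traffic volume alone, which is why the idle counter resets on every minute with user activity.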
As noted, when spyware is at work, it can do a number of things. Monitoring the activity of the user is most common—it can log keystrokes into a file that is sent off to some third party, and otherwise gather any information contained on the infected computer.
It may also hijack a home page so that a user is directed to an unwanted Web page each time he or she logs onto the Internet. In addition, it may redirect Web searches to another search engine, or even show advertisements for “antispyware programs” that claim to clean infected systems of spyware, though they are unlikely to be legitimate.
What can be done to stop the menace of spyware? In the movie Gremlins, the solution was fairly simple: the hero discovers that gremlins are highly flammable and have a severe allergic reaction to sunlight.
Unfortunately, our real-life e-gremlins are much harder to dispose of. Traditional solutions such as firewalls and antivirus software are of limited value in fighting spyware, as in most cases people are installing the program containing spyware willingly—even if they don’t understand what the risks are—and drive-by infections circumvent these solutions.
If home users have any type of protective measure at all, they typically rely on a desktop-based antispyware application. These programs operate in the same way as desktop antivirus solutions. Manually or automatically triggered at certain hours, the program updates its database of signatures and scans the system for known spyware components. It then displays the results of the scan and may or may not offer remedies.
At home, where spyware is merely a nuisance, such remedies may be adequate if administered frequently (though it’s unlikely that the majority of home users are any more diligent about checking for spyware than they are about updating their antivirus programs, if indeed they have such software installed at all).
Businesses, however, cannot tolerate the presence of even a single spyware component in the entire network. In such environments, the problem with a desktop solution is clear: these are only effective after the computer has already been infected. In such cases, a spyware cleaner will be a remedy offered too late.
The law. Fighting spyware with litigation is difficult, as much of it technically operates within the boundaries of the law (though admittedly within the grey areas). That’s because when a user downloads a program that has embedded adware or spyware, he or she is typically given an end-user license agreement (EULA) that contains some information about the program’s intention.
EULAs are often long, murky, and filled with legalese, and few if any users read them; most will simply click “OK” and install the free program.
Legislation. Two pieces of legislation related to spyware are in the works. One, known as the Internet Spyware (I-SPY) Prevention Act of 2005, would impose fines and prison sentences on those who illicitly access a computer to commit a federal offense or to transmit personal information with an intent to defraud the victim or cause damage to his or her computer. That bill has been passed by the House and at press time had been passed by the Senate’s Committee on the Judiciary but had not come up for a full Senate vote.
The second, H.R. 29, known as the Spy Act, was also introduced early this year and was sent to the Senate in May where, as of press time, it had been referred to the Committee on Commerce, Science, and Transportation. This bill would give jurisdiction to the Federal Trade Commission and is focused more on the specific technology in use rather than, as in the case of I-SPY, the crimes being committed.
Technology. One effective option is an antispyware solution that runs at the organization’s Internet gateway—where the network ends and the Internet begins. Like a firewall, these solutions create a barrier between the outside world and the shielded system.
Made by a variety of vendors (including the author’s company), these systems typically operate on two levels. First, they use signatures and behavioral tags to identify and block the ability of spyware to install files. Second, they recognize the protocols typically used by each spyware program to communicate with an outside computer to transmit collected information or update its own code, and block these transmissions.
A case in point. To understand how a gateway system works, let’s look at the case of Charles Hibnick. Hibnick is the chief systems security architect for Florida-based AvMed Health Plans, which offers health insurance plans throughout the state. Earlier this year, AvMed began to research ways to ensure that spyware didn’t become a risk to the health of the company’s network and its nearly 800 Windows desktops.
According to Hibnick, AvMed is using products from a number of vendors to defend against cyberthreats, including CheckPoint firewalls and McAfee’s IntruShield intrusion prevention system (IPS). McAfee’s antivirus solution is running on desktops.
But Hibnick was worried that the company was relying too much on one company for protection. “IPS is great for certain kinds of things,” Hibnick says, “but we very much as a philosophy like the idea of having two distinct vendors acting as our filters.” That, he says, is because “no one signature army is going to be the answer” to complete protection.
A consultant recommended Aladdin Knowledge Systems’ eSafe solution to protect against spyware. The Aladdin eSafe appliance protects against spyware in four ways at the same time.
First, it blocks the exploits that allow drive-by infections. Second, it identifies and blocks some spyware by typical components such as ActiveX code that can, for example, change a Web browser or a user’s home page. Third, like an antivirus program, it uses signatures, which are updated automatically, as well as a process known as heuristics, which blocks programs that display certain behaviors, to identify and block malicious programs.
Lastly, it blocks communications between any desktop spyware component and the remote spyware server. That way, even if spyware is installed directly onto the desktop by, say, a user with an infected CD, the program will not be able to send information out to a third party.
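To make the two levels of a gateway filter concrete (blocking the installation of spyware on the way in, and blocking its communication with a remote server on the way out), here is an added example; it is not from the article and is not Aladdin's eSafe code. It models a gateway that inspects inbound downloads against file hashes and behaviour tags, and outbound connections against a server list and a protocol fingerprint, and runs it over constructed traffic. Every host name, hash, byte pattern and payload is made up for illustration; exploit blocking (the first of eSafe's four methods) is not modelled.

```python
"""Added example (not from the article, and not Aladdin's eSafe code): a minimal model
of the two-level gateway filter described above, run over constructed traffic records.
Every host name, hash, byte pattern and payload below is made up for illustration."""
import hashlib
import re
from dataclasses import dataclass

# Level 1: stop spyware from being installed. Signatures are hashes of known bad
# files; behaviour tags are byte patterns for the behaviour the article mentions
# (rewriting the browser home page, hooking the keyboard to log keystrokes).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-spyware-installer").hexdigest()}
BEHAVIOUR_TAGS = {
    "homepage-hijack": re.compile(
        rb"Software\\Microsoft\\Internet Explorer\\Main.{0,40}Start Page", re.S),
    "keystroke-hook": re.compile(rb"SetWindowsHookEx"),
}

# Level 2: stop installed spyware from phoning home. A host list catches known
# collection servers; a protocol fingerprint catches the beacon shape itself, so a
# component installed locally (say, from an infected CD) is blocked even when its
# server address was never on the list.
KNOWN_SPYWARE_HOSTS = {"stats.example-spyware.invalid", "upd.example-spyware.invalid"}
BEACON_PATTERN = re.compile(rb"^POST /(report|update)\?id=[0-9a-f]{8,} HTTP/1\.[01]", re.M)


@dataclass(frozen=True)
class Download:          # inbound file, inspected at level 1
    src_host: str
    filename: str
    content: bytes


@dataclass(frozen=True)
class Outbound:          # outbound connection, inspected at level 2
    dst_host: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def inspect_download(d: Download) -> Verdict:
    digest = hashlib.sha256(d.content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return Verdict(False, f"signature match {digest[:12]} in {d.filename}")
    for tag, pattern in BEHAVIOUR_TAGS.items():
        if pattern.search(d.content):
            return Verdict(False, f"behaviour tag {tag} in {d.filename}")
    return Verdict(True, "clean download")


def inspect_outbound(o: Outbound) -> Verdict:
    if o.dst_host in KNOWN_SPYWARE_HOSTS:
        return Verdict(False, f"known spyware server {o.dst_host}")
    if BEACON_PATTERN.search(o.payload):
        return Verdict(False, f"beacon protocol to {o.dst_host}:{o.dst_port}")
    return Verdict(True, "clean connection")


def run_gateway(events):
    """Apply the right level to each event; return (allowed_count, blocked_reasons)."""
    allowed, blocked = 0, []
    for ev in events:
        verdict = inspect_download(ev) if isinstance(ev, Download) else inspect_outbound(ev)
        if verdict.allowed:
            allowed += 1
        else:
            blocked.append(verdict.reason)
    return allowed, blocked


# Constructed traffic: one clean download, one hash-known installer, one DLL that
# rewrites the IE home page, one ordinary web request, one connection to a listed
# server, and one beacon to an unlisted address.
SAMPLE_EVENTS = [
    Download("mirror.example.invalid", "photo_tool_setup.exe", b"MZ constructed clean installer"),
    Download("free-stuff.example.invalid", "cool_toolbar.exe", b"constructed-spyware-installer"),
    Download("free-stuff.example.invalid", "search_helper.dll",
             b"MZ\x90\x00Software\\Microsoft\\Internet Explorer\\Main\x00Start Page\x00"),
    Outbound("www.example.invalid", 80, b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    Outbound("stats.example-spyware.invalid", 80, b"POST /log HTTP/1.1\r\n\r\nk=constructed"),
    Outbound("203.0.113.10", 8080, b"POST /report?id=deadbeef01 HTTP/1.0\r\n\r\nkeys=constructed"),
]

if __name__ == "__main__":
    allowed, blocked = run_gateway(SAMPLE_EVENTS)
    print(f"allowed {allowed}, blocked {len(blocked)}")
    for reason in blocked:
        print("  blocked:", reason)
```

The last sample connection is the case the article makes for level 2: its destination is on no list, yet the request shape matches the beacon fingerprint, so the collected data never leaves the network. In a real appliance both the hash list and the fingerprints are what the vendor's signature updates deliver, and behaviour tags are where false positives come from, which is the trade-off Hibnick describes later.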
Because of the volume of e-mail and Web traffic into and out of the company, Hibnick opted to purchase two of the appliances, one situated between the firewall and the Internet, the other inside the firewall. While the price paid by AvMed is not public information, in general the suggested pricing for 500 users of eSafe, including antispam and Web-filtering modules, is roughly $26,000, with an annual fee of about $15,000, which includes regular updates to signatures and URL and spam filters.
Since the company opted to try out the latest version of Aladdin eSafe, which at the time was still being beta-tested, a support engineer from Aladdin came to AvMed to help Hibnick’s team install the devices. Setup went nearly flawlessly, requiring only minor tweaking so that it would inspect all incoming FTP communications.
Hibnick says that eSafe is doing its job well and that there has been no noticeable effect on throughput (the speed at which traffic comes into and goes out of the network). He has noticed that the number of alerts from desktop filters has diminished considerably since installing the product, confirming that spyware is effectively being blocked. Hibnick hopes to compile detailed blocking statistics in the future.
In addition to blocking the spyware that was making its way to desktops before, Hibnick says that AvMed is using the product to enhance protection against instant messaging (IM) and peer-to-peer (P2P) applications. “IM and P2P vendors are so tricky and do everything they can to get around” company defenses, he says, and eSafe blocks those programs from connecting to other IM or P2P partners.
The layers of protection around the network overlap to some degree, and Hibnick emphasizes that he likes to have different vendors’ products doing different things. For example, Aladdin eSafe notices the occasional piece of malware that has skirted the firewall and IPS, while those products help filter out some spyware.
“Better you have two opinions, and if that means some false positives, I’ll live with it, versus the chance that you become monolithic with a philosophy of security and end up letting something in because their philosophy was sidestepped,” he says.
Hibnick has only two complaints, and he levels them equally at all the vendors of his security hardware. The first is that they target Visual Basic (VB) and Java applications somewhat indiscriminately. “None of them do a really good job of discerning different kinds of VB and Java; they tend to do it in a sledgehammer mode,” he says.
“A lot of VB and Java is what makes the Web rich, but on the other hand, they are both potential things that can be painful for us” because they can harbor malicious code such as spyware. Hibnick says he’d like to have much more granular control over specific VB and Java code to be blocked.
His second concern is that despite the ever-simpler graphical user interfaces that come with these types of products, they are still not as easy to use as they should be. He calls these interfaces “overly geeky” and says that an administrator—who has many responsibilities beyond tending to these products—“has to stare at screens for a while trying to figure out how to navigate tabs so he can get to what he thinks he’s supposed to get to.”
He says that his IPS vendor has lent him an engineer for 60 days, recognizing that it can use the experience to improve the product, and he wishes Aladdin would do the same.
In Gremlins, chaos is triggered when the hero’s well-meaning father buys his son a cute, furry creature as a gift. To prevent e-gremlins from wreaking similar chaos, it’s important to station a screener at the door to ensure that any unwanted “gifts” remain ungiven.
Tomer Honen is a virus researcher and support engineer on the eSafe Content Security Response Team (CSRT) at Aladdin Knowledge Systems Ltd, which is based in Israel.