It’s a problem that’s becoming more and more familiar to IT departments. Users start complaining about poor performance and an increase in pop-up ads, and upon further investigation, it turns out that a large number of PCs have been infected with spyware – some even running multiple programs.
These programs run in the background without the users’ knowledge, downloading information on Web-surfing activities and uploading advertising in the background for use in pop-up ads. As the volume of these hidden programs grows, they begin using up system resources and choking off network bandwidth. Annoyed with all the pop-up ads, some users download free pop-up blocker programs that install even more spyware.
increasing security threat
Spyware programs discreetly install themselves on PCs, establish a back channel over which to download information about the user and typically upload advertisements, often over HTTP Port 80. Programs designed specifically to deliver targeted advertising are also called adware. But adware and other types of software that install without the user’s explicit consent and establish background communications – including surveillance programs, key loggers, remote control tools and Trojans – are also described as spyware.
Companies have traditionally viewed spyware as a nuisance that’s best handled by desktop support groups. But IT organizations are beginning to view it as a security risk as well because spyware is becoming more common and the programs are growing more sophisticated.
Spyware scanning and removal tools can be used to clean up the mess. But that can still leave the uneasy feeling that these programs have opened an unauthorized communication channel that could put sensitive documents at risk. For example, a spyware program may capture user log-in and password information, or a benign adware program may provide a communications pathway that could be hijacked for uploading more malicious software.
Analysts say that while some adware programs simply monitor Web-surfing activity and serve up annoying pop-up ads, others could be stealing e-mail addresses and passwords, allowing background downloads of more malicious software, or sending sensitive data to competitors. “We think the capability to do that is there,” says John Pescatore, an analyst with Gartner Inc.
a significant threat
Spyware applications may install themselves after a user clicks on a pop-up dialog box, opens an e-mail attachment or downloads freeware. In some cases, unpatched Windows machines may be vulnerable to “drive-by” attacks, in which malicious code embedded in a viewed Web site exploits Internet Explorer vulnerabilities and lax security settings to install itself without the user clicking on anything.
As spyware accumulates, it consumes increasing amounts of resources. A single program may install upward of 300 files and make 500 registry entries, says Roger Thompson, vice president of development at PestPatrol Inc. in Carlisle, Pa.
Spyware programs may also be used in corporate espionage. Thor Larholm, senior security researcher at network security tool vendor PivX Solutions LLC in Newport Beach, Calif., says a hacker stole one company’s trade secrets by using an adware program’s communications channel to plant a Trojan on corporate desktops. The adware was set up to communicate with the adware producer’s Web page in order to retrieve new advertisements. The attacker used a “man-in-the-middle” attack to alter the Web page with malicious code that could exploit an Internet Explorer vulnerability on unpatched Windows machines. Because the target company’s PCs were vulnerable, the attacker was able to install the backdoor program.
“By hijacking the adware traffic, he gained access to five machines,” Larholm says. The attacker spent two months collecting trade information and data on new projects before the hole was detected and closed. The lesson, Larholm says: “Any kind of unknown code running on desktops is a liability.”
Reports of such nightmare scenarios are rare, but they worry Sean, a security engineer at a large financial services company who asked that his full name and company not be used. “I don’t think we deal with (spyware) the way we should. I think it’s going to get worse,” he says. A disruption in day-to-day workflows caused by spyware “could translate into big bucks” for his company, he adds. But until a major incident occurs, he doubts his organization will act. “There’s not enough senior management buy-in to the problem. Our hands are full just handling the antivirus stuff,” he says.
Keeping spyware out isn’t easy, users and vendors say. Antivirus software and Web content filters can help. But preventing spyware problems also requires installation of desktop firewall software on every Windows machine to detect and block attempts to install spyware, whether by the user or through the social engineering tricks spyware creators play to get users to click on a misleadingly worded pop-up window. It requires rigorous patching and updating of Windows and Internet Explorer vulnerabilities. And it requires the blocking of all executable e-mail file attachments.
Another way to thwart spyware downloads is by giving Windows XP users restricted access rather than full administrator access to their local machines. Many spyware programs simply can’t install if the user doesn’t have local admin rights.
“In talking with large companies on a weekly basis… I’m surprised how many still provide users with full admin privileges on the desktop,” says Candace Worley, product manager for McAfee VirusScan.
Sean, at the financial services company, acknowledges that many of the more than 100,000 employees in his organization have full admin rights to their machines. But, he says, “it’s not practical to lock down the desktop completely,” because users demand some flexibility.
Patching is critical, but it won’t block all exploits, as there are still many unpatched Internet Explorer vulnerabilities.
Pete Simpson, ThreatLab manager at Reading, England-based Clearswift Ltd., which sells Web and e-mail content filters, says blocking all executable file attachments is critical because antivirus software doesn’t always detect embedded spyware.
Pete Munro, network manager at a U.K.-based vertical-market software vendor, once intercepted an e-mail file attachment purporting to be a wedding invitation. If executed, the attachment would have installed a copy of iSpyNow, a commercial surveillance spyware program. Says Munro, who asked that his company not be named, “Our source code is very valuable. If anyone stole it, changed it or deleted it, that could cause us a lot of trouble.”
Munro blocked the attachment at the e-mail gateway. Users are also protected by not having local admin privileges on their machines. Munro says he’s glad the gateway did its job because his antivirus scanner ignored the attachment. “From their point of view it’s a commercial program,” he says.
Such programs are clearly a threat, yet most antivirus tools and even some antispyware programs don’t detect commercial software and adware that include end-user license agreements.
Ultimately, IT organizations don’t care whether spyware programs are legitimate adware, commercial surveillance programs, or malware. They need to know about anything that’s not part of the standard system. “If you have tons of spyware on your machines, you’re letting other companies use your private property to earn money. That’s a big corporate liability,” says Larholm. “If anyone should be monitoring your employees, it should be you.”
10 tips to stop spyware
1 Keep Windows and Internet Explorer patches up to date.
2 Keep desktop antivirus software signatures up to date.
3 Issue and enforce strict policies on user Web surfing and downloading activities.
4 Use a Web content filtering program to monitor user activity and block access to Web sites commonly used to disseminate spyware.
5 Install a desktop firewall on every laptop and desktop.
6 Configure an e-mail gateway to block all executable e-mail attachments.
7 Don’t give Windows users local admin privileges.
8 Test Service Pack 2 for immediate deployment on all Windows XP machines.
9 Create a list of known good ActiveX controls and block all others. Lists are available from Symantec, PivX and other security vendors.
10 Use commercial antispyware software to detect and remove existing spyware programs. Look for improved tools that can identify all types of spyware, including commercial programs that include end-user licensing agreements.