Bruce Edwards began to understand that spyware was more than a consumer PC problem when his users started complaining loudly about poor performance and an increase in pop-up ads. But it wasn’t until after he’d checked all of his organisation’s PCs that Edwards understood the full scope of the problem.
“My customer workstations were really gummed up,” said Edwards, LAN administrator at the Administrative Office of the Courts in Little Rock, Arkansas. All 200 machines in his offices were running a wide range of spyware, and many were running multiple programs.
The programs ran in the background without the users’ knowledge, downloading information on Web surfing activities and uploading advertising in the background for use in pop-up ads. As the volume of these hidden programs grew, they began using up system resources and choking off network bandwidth. Annoyed with all the pop-up ads, some users downloaded free pop-up blocker programs that installed even more spyware.
Spyware programs discreetly install themselves on PCs, establish a back channel over which to download information about the user and typically upload advertisements — often over HTTP Port 80. Programs designed specifically to deliver targeted advertising are also called adware. But adware and other types of software that install without the user’s explicit consent and establish background communications — including surveillance programs, key loggers, remote control tools and Trojans — are also described as spyware.
Companies have traditionally viewed spyware as a nuisance that’s best handled by desktop support groups. But IT organisations are beginning to view it as a security risk as well because spyware is becoming more common and the programs are growing more sophisticated.
Edwards used PestPatrol, a spyware scanning and removal tool, to clean up the mess. But the big issue for him isn’t system performance or productivity-sapping pop-ups — it’s the uneasy feeling that these programs have opened an unauthorised communication channel that could put sensitive court documents at risk. He worries that, in addition to downloading data on Web surfing activity, a spyware program may capture user log-in and password information, or that a benign adware program may provide a communications pathway that could be hijacked for uploading more malicious software.
Analysts say that while some adware programs simply monitor Web surfing activity and serve up annoying pop-up ads, others could be stealing email addresses and passwords, allowing background downloads of more malicious software, or sending sensitive data to competitors.
“We think the capability to do that is there,” Gartner analyst, John Pescatore, said.
Spyware applications may install themselves after a user clicks on a pop-up dialogue box, opens an email attachment or downloads freeware. In some cases, unpatched Windows machines may be vulnerable to “drive-by” attacks, in which malicious code embedded in a viewed website exploits Internet Explorer vulnerabilities and lax security settings to install itself without the user clicking on anything.
As spyware accumulates, it consumes increasing amounts of resources. A single program might install upward of 300 files and make 500 registry entries, vice-president of development at PestPatrol, Roger Thompson, said.
Spyware programs may also be used in corporate espionage.
Senior security researcher at network security tool vendor PivX Solutions, Thor Larholm, said a hacker stole one company’s trade secrets by using an adware program’s communications channel to plant a Trojan on corporate desktops.
The adware was set up to communicate with the adware producer’s Web page in order to retrieve new advertisements. The attacker used a “man-in-the-middle” attack to alter the Web page with malicious code that could exploit an Internet Explorer vulnerability on unpatched Windows machines. Because the target company’s PCs were vulnerable, the attacker was able to install the backdoor program.
“By hijacking the adware traffic, he gained access to five machines,” Larholm said.
The attacker spent two months collecting trade information and data on new projects before the hole was detected and closed. The lesson was, he said: “Any kind of unknown code running on desktops is a liability.”
Reports of such nightmare scenarios are rare, but they worry Sean, a security engineer at a large financial services company who asked that his full name and company not be used.
“I don’t think we deal with [spyware] the way we should. I think it’s going to get worse,” he said.
A disruption in day-to-day workflows caused by spyware “could translate into big bucks” for his company, Sean said. But until a major incident occurs, he doubted his organisation would act.
“There’s not enough senior management buy-in to the problem,” he said. “Our hands are full just handling the antivirus stuff.”
Keeping spyware out isn’t easy, users and vendors say. Antivirus software and Web content filters can help. But preventing spyware problems also requires installation of desktop firewall software on every Windows machine to detect and block attempts to install spyware, whether by the user or through the social engineering tricks spyware creators play to get users to click on a misleadingly worded pop-up window. It requires rigorous patching and updating of Windows and Internet Explorer vulnerabilities. And it requires the blocking of all executable email file attachments.
Another way to thwart spyware downloads is by giving Windows XP users restricted access rather than full administrator access to their local machines.
“Linux users would never run the computer as root and read email ... but that’s what Windows users do all the time,” antivirus research director at F-Secure, Mikko Hyppönen, said.
Many spyware programs simply can’t install if the user doesn’t have local admin rights.
“In talking with large companies on a weekly basis ... I’m surprised how many still provide users with full admin privileges on the desktop,” product manager for McAfee VirusScan, Candace Worley, said.
Sean, at the financial services company, acknowledged that many of the more than 100,000 employees in his organisation had full admin rights to their machines. But, he said, it was not practical to lock down the desktop completely, because users demanded some flexibility.
Patching was critical, but it wouldn’t block all exploits, Larholm said.
Until recently he provided a list of unpatched Internet Explorer vulnerabilities on the PivX website. That list once had 32 entries.
“Today, I would estimate that there are still 14 unpatched vulnerabilities,” Larholm said. “About half of those allow for command execution. About half of the remaining ones allow cross-domain scripting.”
Microsoft’s upcoming Service Pack 2 would remedy many of those, he said.
SP2 is expected to create application compatibility issues, but Gartner’s Pescatore recommends implementing it as soon as possible.
“We’ll see a pretty high incidence of breakage, but it’s one you should be doing,” he said.
Still, SP2 won’t help Sean’s company. It was still using Version 5.5 of Internet Explorer, he said.
Many large corporations weren’t using the most up-to-date versions of their Web browsers because newer versions could break intranet applications.
ThreatLab manager at Clearswift, Pete Simpson, said blocking all executable file attachments was critical because antivirus software didn’t always detect embedded spyware.
Network manager at a UK-based vertical-market software vendor, Pete Munro, once intercepted an email file attachment purporting to be a wedding invitation.
If executed, the attachment would have installed a copy of iSpyNow, a commercial surveillance spyware program.
Munro, who asked that his company not be named, said: “Our source code is very valuable. If anyone stole it, changed it or deleted it, that could cause us a lot of trouble.”
He blocked the attachment at the email gateway. Users are also protected by not having local admin privileges on their machines.
Munro said he was glad the gateway did its job because his antivirus scanner ignored the attachment.
“From their point of view it’s a commercial program,” he said.
Such programs are clearly a threat, yet most antivirus tools and even some anti-spyware programs don’t detect commercial software and adware that include end-user license agreements.
“Vendors producing different types of advertisement software are threatening to sue us because we’re making them look bad,” Hyppönen said.
To avoid such issues, he said his company provided signatures only for malicious programs used for “criminal intent”.
Both Network Associates and Symantec had begun to add some spyware-detection capabilities to their corporate offerings, but both struggle with the same issues.
“The Symantecs and McAfees have been very slow to add spyware capabilities, and it’s not clear to me why — because it’s a big problem,” Pescatore said.
Ultimately, IT organisations don’t care whether spyware programs are legitimate adware, commercial surveillance programs or malware. They need to know about anything that’s not part of the standard system.
“If you have tons of spyware on your machines, you’re letting other companies use your private property to earn money,” Larholm said. “That’s a big corporate liability. If anyone should be monitoring your employees, it should be you.”
10 Tips to stop spyware
1. Keep Windows and Internet Explorer patches up to date.
2. Keep desktop antivirus software signatures up to date.
3. Issue and enforce strict policies on user Web surfing and downloading activities.
4. Use a Web content filtering program to monitor user activity and block access to websites commonly used to disseminate spyware.
5. Install a desktop firewall on every laptop and desktop.
6. Configure an email gateway to block all executable email attachments.
7. Don’t give Windows users local admin privileges.
8. Test Service Pack 2 for immediate deployment on all Windows XP machines.
9. Create a list of known good ActiveX controls and block all others. Lists are available from Symantec, PivX and other security vendors.
10. Use commercial antispyware software to detect and remove existing spyware programs. Look for improved tools that can identify all types of spyware, including commercial programs that include end-user licensing agreements. Expect to see anti-spyware programs with centralised management and control features by year’s end.
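Tip 6 and Pete Munro’s wedding-invitation story make the same point: the email gateway blocks by file type, not by antivirus verdict, which is what catches a “commercial” surveillance program the scanner ignores. The following is an added example, not code from the article or from any vendor it names: a constructed Python sketch of that gateway check, which flags an attachment if its filename carries an executable extension or its decoded bytes start with the Windows PE “MZ” marker, so an executable renamed to look like a document is still stripped. The extension set, addresses and sample message are all constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed, non-exhaustive set of extensions Windows will run on double-click
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".msi", ".hta"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (DOS stub header)


def is_executable_attachment(part) -> bool:
    """Flag a MIME part by name OR by content, so a renamed .exe is still caught."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""   # base64 is decoded here
    return payload[:2] == PE_MAGIC


def blocked_attachments(raw_message: bytes) -> list:
    """Return the filenames a gateway should strip from this message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [p.get_filename() or "<unnamed>"
            for p in msg.iter_attachments() if is_executable_attachment(p)]


def build_sample() -> bytes:
    """Constructed test message: one disguised PE, one benign text file, one overt .exe."""
    msg = EmailMessage()
    msg["From"] = "invite@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Wedding invitation"
    msg.set_content("Please see the attached invitation.")
    # PE header bytes under a document-looking name: caught by content, not extension
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="invitation.doc")
    msg.add_attachment("Plain text invitation", filename="invitation.txt")
    # No PE header but an executable extension: caught by name
    msg.add_attachment(b"not a real binary", maintype="application",
                       subtype="octet-stream", filename="viewer.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```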