Spyware Information

PART - I

Spyware Risk:
It's Time to Get Smart

By David M. Piscitello, President, Core Competence

Many users vaguely understand the security risks, privacy invasions, and performance costs associated with having spyware secretly and maliciously installed on their computers. Fewer users know the many forms spyware takes and the truly evil activities it performs. Beyond a general sense that spyware is uninvited, malicious software, average users know very little about it.

Until recently, people have dismissed spyware as less important to contend with than viruses and spam. I believe spyware poses an even greater threat than viruses and spam. Spyware can be as debilitating as the nastiest of viruses. The financial threats spyware poses are far ranging and more serious than e-mail credit card scams (phishing), and the privacy issues and liabilities spyware exposes are grim. Small and medium businesses must understand what spyware is and the threats spyware poses. In this, the first of two articles, I'll explain why spyware represents greater risk than you might have realized. In the second article, we'll analyze spyware solutions, and pick the best.

A spyware sampler
To simply call spyware uninvited software is misleading. Spyware installed on your PC can modify the Windows Registry and add dynamic link libraries (DLLs) and downloaded program files (DPFs, e.g., hostile ActiveX or Java VM objects) to your system. Some spyware exploits Web browsers (especially Internet Explorer) by installing ActiveX controls, browser helper objects (BHOs), and toolbars, or by modifying browser Internet options, including home pages, favorites lists, and context menu items. Some spyware even alters TCP/IP settings and hosts files.

Online spyware encyclopedias and glossaries identify tens of thousands of malicious code samples considered spyware. Some commonly encountered types of spyware include:

- Adware
- Browser session hijackers
- Remote Administration Tools (RATs)
- Tracking agents
- Double agent spyware

Let's take a brief look at how each of these adds to your risk.

Adware. Not all adware is (technically) spyware, but many experts feel that even permission-ware is spyware when it delivers unsolicited advertising. Common delivery methods include unrequested browser windows (popups) and ad-sponsored applications. There are currently nearly 800 ad-sponsored and spyware-encumbered software offerings. This diverse group includes free versions of games (Midnight Oil Solitaire); FTP clients (FTP Works); e-mail clients (Eudora); music players; Web and system utility software; and more, often coming with a catch. The software developer receives revenue from advertisers who display advertising in windows or toolbar features of the so-called freeware. Some adware (e.g., FlashTrack) tracks a user's Web activities and search queries. It then sends this information to advertising servers like Aureate and Aveo, which return targeted advertising (commonly, popup ads) based on keywords and phrases. As many parents know, even seemingly benign keywords like "kittens" can expose their children to objectionable material, including pornography.

Browser session hijacking is a kind of virtual world bait-and-switch. Spyware (Icoo, WurldMedia, Xupiter Toolbar, Lop, BonziBuddy, CoolWebSearch) redirects browser sessions and search queries, taking users to Web sites and search engines they didn't intend to visit.

The hijacked user can be exposed to undesirable or suspect content and advertising. The hijackers earn referral commissions and affiliate fees by selectively referring the user to an ecommerce site that offers some service or product similar to the site the user intended.

Certain Remote Administration Tools (RATs) and keyloggers are examples of Trojan horse spyware. As the names imply, these give attackers administrative control, or extraordinary eavesdropping and intercept capabilities. Acting remotely, an attacker can intercept and log user keystrokes, monitor application and browser activities, and even intercept WebCam streams. BackOrifice and Sub7 are examples of attacker RATs and pose a DDoS threat. Commercial RATs like NetObserve and SpyAgent are ostensibly sold for "legitimate tracking" by managers, parents and suspicious spouses. The recent and notorious Bankhook.A is a keystroke-logging BHO delivered as an attachment to an e-mail message. Once installed, Bankhook tries to find banking account access data on a PC.

Tracking agents, Web bugs, and data miners are virtual dumpster divers. They can monitor your Web browsing, shopping, e-mail, and instant messaging activities, and might gather system configuration and personal information as well. Some tracking companies use this information to deliver targeted advertising, but others sell or abuse what they gather. Alexa, a popular search toolbar, is also a data miner. Transponder/VX2 mines e-mail addresses, browser histories, and also scrounges data from Web forms and configuration files. Gator/GAIN (now Claria) claims to be permission-ware, but anti-spyware experts claim the client, which auto-completes forms and saves passwords, tracks user buying habits.

Double agent spyware. Sadly, some software that advertises as anti-spyware is itself spyware. Users download trial- or freeware versions of so-called security software they expect will remove adware, only to learn that these versions are in fact adware. Reputable anti-spyware vendors like PestPatrol and Kephyr Labs identify RedV EasyInstaller and SpyBlast as spyware. If you think there's no worse behavior than this, think again: some anti-spyware (SpyWiper) hijacks home pages, hoping to scare unwitting users into purchasing their product (virtual protection racketeering!).

Assessing the spyware threat level
In the vernacular of Homeland Security, the spyware "threat level" is somewhere between Elevated and High. If your business operates in a regulated environment, place the threat level between High and Severe. Consider these threats:

- Disclosure of sensitive or regulated information. Spyware that tracks browser activity doesn't distinguish between intranet and Internet requests. Hyperlinks, browser histories, favorites lists, and cached Web form data can contain business records, proprietary information, trade secrets, credit card and personal data, medical and financial data, and account passwords, which may be abused by the collection agent or sold to third parties.

- Users may fall victim to felony-class criminal acts. Keyloggers reveal sensitive personal and company information, including passwords, credit card and financial information, and potentially embarrassing personal information. An intercepted WebCam stream might reveal embarrassing activities. The opportunities spyware creates for fraud, identity theft, and personal or business-targeted extortion should be taken very seriously.

- Loss of productivity. Spyware steals CPU and bandwidth while it is running. Spyware isn't the best-written software in the world and commonly causes system instability and the dreaded blue screen of death. Spyware removal is often non-trivial, disruptive, or destructive. Some spyware remains on your system after you have uninstalled the freeware, and some might reinstall itself if not entirely removed. If spyware extensively infests your network, you can spend as much time repairing and remediating systems as you would following a virus incident or backdoor attack.

- System and network intrusions. The information collected by trackers, miners and RATs is gold for any attacker engaged in an information gathering expedition, which is the preparation stage in a targeted attack. Hosts identified in hyperlinks and system configuration information help attackers map networks and services. Some organizations (unwisely) transmit account names and passwords in plain text across intranet links. Need I say more?

- Tarnished brand image and loss of business. Your company can be affected by spyware, even if every computer you operate is spyware-free. If hijacking spyware victimizes your company, you'll lose sales opportunities when users are redirected away from your site, to a competitor. Hijacking spyware has also been used to scam companies who pay fees for advertising referrals. A disreputable ad company, hired to drive traffic to e-merchant sites of its patrons, might embed spyware in a "must have" toolbar. The spyware replaces the user's default search engine, and sends users to pages of its patrons, even when they are not a suitable match. The patrons pay for these contrived referrals but often do not derive the expected revenue per clickthrough.

- Exposure to litigation. Some employees may react strongly to the delivery of objectionable, especially sexually explicit, advertising, and may respond by claiming sexual harassment. Whether the claim has merit or not, the publicity, court time, expense, and loss of credibility can be more than your company wants to deal with.

I hope I've convinced you that spyware is a serious threat. In my next article, I'll describe methods to identify and remediate systems infected with spyware, and methods to provide ongoing protection. I'll also recommend spyware removal and blocking software to assist you in these processes, along with some emerging "best antispyware" practices.

Resources
CNET: The spyware that loved me
Dave Piscitello's Anti-spyware Resources page

PART - II

Spyware Remediation:
It's Not "Mission Impossible"


By David M. Piscitello, President, Core Competence


This is what a serious spyware problem looks like:

The speedy PCs you recently purchased for your employees have slowed to a crawl. Your employees' browsers start with an unfamiliar home page and unseemly advertising. You try to visit Google to search for an item, but the search page your browser presents looks nothing like Google, and the search results bear no resemblance to your queries. Popup ads appear more frequently than ever, even in applications that you never imagined supported popups, and even when you're not online. Your credit company calls to confirm whether an employee recently purchased nine plasma TVs through your Small Business Loan.

"You've got spyware!" doesn't generate the same pleasant anticipation as "You've got mail!", does it? Small and medium businesses are ripe targets for spyware, but they don't have to remain so. SMBs can implement an effective anti-spyware program without making a large-enterprise-sized investment. By adopting the programs and practices recommended here, and carefully selecting legitimate anti-spyware helpware, you can mount an effective defense against this serious problem. Follow the steps below and you'll break spyware's stranglehold on your network.

Step 1. Education
Your employees must understand the serious problems spyware creates. Begin by circulating the companion to this article ("Spyware Risk: It's Time to 'Get Smart'") inside your organization. Post lists of known adware and spyware. Identify the many forms spyware assumes and the symptoms spyware exhibits. Incorporate spyware detection and removal into your help desk (support) process. Don't paralyze your employees with fear, but encourage them to act wisely, within the guidelines you've adopted in your Acceptable Use Policy.

Step 2. Policy
If antivirus software is mandatory for all employees, make anti-spyware software mandatory as well. (If anti-virus is not mandatory on your network, read no further until you've implemented an anti-virus program!) Incorporate safe browsing practices in your acceptable use policy: teach users how to distinguish between deceptive and legitimate advertising. Incorporate safe installation practices: teach users how to distinguish adware licenses from true free-, share- and commercial-ware licenses. You may want to restrict or prohibit anyone but administrators from downloading free- and shareware, or from installing programs at all. If these rules seem too draconian for your corporate culture, ask employees to identify business-related software that might increase productivity. Then, investigate this software, and arrange to host it on an intranet server. Public peer-to-peer applications are notorious sources of spyware.

Many companies already block P2P because of the liabilities related to copyright infringement. Spyware prevention provides additional justification for such a policy. Finally, explicitly indicate that this policy applies to all computers that will connect to the company network. It's not uncommon today for SMBs to prohibit any non-company-administered computer from their networks.

Step 3. Detect, Remove, and Protect!
Spyware and adware detection can be as simple as installing and running a single removal program. Small businesses can take advantage of some of the free or inexpensive standalone spyware removal tools. Three "general purpose" spyware detection and removal tools to consider are SpyBot - Search and Destroy and Javacool's one-two punch, Spyware Blaster and Spyware Guard. SpyBot - Search and Destroy (donation ware) scans for and removes spyware. The intuitive reports identify the pest and the components affected. Spybot allows selective removal, provides logging, backup and recovery mechanisms (system restore points), and free updates to the pest database and software. SpyBot's immunization component is compatible with Javacool's products; in fact, it recommends you use Spyware Blaster for additional ActiveX protection. Combined, Spyware Blaster and Spyware Guard provide protection against unintentional downloads and the installation of malicious ActiveX controls, and adware. They block browser hijacking and can restrict actions of spyware and tracking sites in Internet Explorer and Mozilla/Firefox. Javacool provides automatic updates for both products. Javacool's products are donation ware. They are free for personal and educational use and ask businesses for a small annual fee for updates.

Two consumer-grade commercial products, Webroot's SpySweeper and Alluria's Spyware Eliminator, provide similar features. Both offer toll-free and e-mail customer support. Medium businesses might be better off investigating and investing in corporate editions (network versions) of commercial anti-spyware such as Computer Associates' PestPatrol, and Dynacomm's I:scan. These provide centralized administration of installation, configuration, and scheduled operation. Commercial anti-virus software companies are expanding their product lines to include anti-spyware. Check with your vendor to see if you can leverage an existing investment in central AV administration to deal with spyware.

Step 4. Expanding your arsenal
Some spyware is really nasty. Detection and removal can be a labor-intensive task involving several tools. It's not uncommon to find a tool that removes some but not every trace of spyware. If you choose the freeware route, you will eventually compile a toolkit to detect and repair altered Registry entries, ActiveX controls, browser helper objects, and list items in Startup or IE folders, and hidden, installed applications. Some tools excel in detecting adware and hostile cookies. Others are better at detecting Registry or browser issues, and some help resolve those irksome "Uninstall incomplete" situations. No list of antispyware tools is exhaustive, but I use and recommend the following:

ANTI-SPYWARE TOOL: PURPOSE

LavaSoft's AdAware: Very good removal tool for unwanted adware and cookies. Free and commercial versions.

AnalogX CookieWall: This cookie manager lets you keep cookies you want, "one-time allow" a cookie, block cookies you don't want, and even browse the contents of a cookie. Freeware.

Merijn's HijackThis!: In my opinion, the nmap of spyware detection. It identifies changes from default IE and registry settings, installed BHOs and DPFs, and more. Donation ware.

UR I.T. Mate Group's PUI (Program Uninstaller Information): Shows the uninstall string information from the System Registry, identifies programs that cannot be uninstalled, and detects certain spyware by its uninstall behavior. Freeware.

Kephyr's Bazooka: Anti-spyware work in progress. Strong on scanning capabilities but weak on removal. Provides a commendable online encyclopedia of spy- and adware. Donation ware.

IE-SPYAD: Adds domain names of known disreputable advertisers to the Restricted sites zone of Internet Explorer.

Don't assume that consumer-grade anti-spyware offers a comprehensive package of detection and removal tools. Some engage in near-deceptive advertising by boasting they detect more pests than their competitors. When tested, these proved to contain many false positives: WatchGuard users will be amused to learn that Spywaremover identifies one of the dynamic link libraries that supports FSM (al_crypt.dll) as spyware, and Spy-AdExterminator identifies Citrix's GoToMyPC as spyware. Judge comparative reviews with a grain of salt as well. Some reviews of spyware software may be biased. None of the spyware removers reviewed at Spyware Removers Review proved as effective as the programs I've mentioned. A better review is at TopTenReviews.com.

A good way to decide what tools best suit your organization's needs is to download and compare. First, choose a system that shows symptoms of spyware infestation. Odd as it sounds, you might want to use an employee's home computer (in my case, I used my son's). Install your anti-spyware products, and one by one, scan for spyware. Don't remove the spyware or you'll taint the comparison (a better methodology would be to create a disk image and restore it each time, but the crude comparison yields pretty good results in less time). Save or capture the results and compare. To see how valid the results are, use the pestware encyclopedias from PestPatrol and Kephyr, or use Google.

Step 5. Spyware defense in depth
An effective spyware strategy applies the time-tested security strategy of layered defenses. Consider implementing some of these additional precautions and countermeasures:

- Maintain current patch levels for the Windows OS and Internet Explorer (if your organization uses a browser other than IE, keep current with new versions and patches for this software as well).

- Monitor bug reporting lists for browser and operating system vulnerabilities that might offer exploit paths for spyware.

- Configure safe ActiveX security settings.

- Block ad servers. Resolve domain names of known ad servers to 0.0.0.0 in a hosts file or at your DNS, or identify restricted sites in IE (see IE-SPYAD, above).

- Add the known ad servers list to your firewall's blocked sites or WebBlocker denied sites list (note: the list is very long, so you may wish to start with the frequent and repugnant offenders).

- Block potentially dangerous file types by content type (S/MIME type) at your firewall using HTTPProxy.

- Stay informed. Visit some of the many valuable spyware discussion and resource sites.

Spyware is frustrating and dangerous. It deserves as much attention as spam and antivirus. Employing these measures will help you maintain productivity and good performance. They will also protect your users from privacy violations and identity theft, and guard your company from spyware-related liabilities.
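The hosts file figures twice in these articles: Part I notes that spyware alters it to redirect users, and the "Block ad servers" item above recommends using it to resolve ad server names to 0.0.0.0. The following Python script is an added example, not part of the original articles or any product mentioned in them: it flags hosts entries that send a name anywhere other than the local machine (the hijack pattern) and merges a blocklist as 0.0.0.0 entries without creating duplicates. The sample hosts content, the 203.0.113.7 address and the blocklist names are constructed; on a real system the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Audit a hosts file for hijack entries and merge an ad-server blocklist.

Added example for the spyware articles above (not the authors' code).
"""
import ipaddress

# Constructed sample: two loopback entries, one hijack, one existing block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com   # hijack: search site sent to an outside address
0.0.0.0         ads.example      # already blocked
"""

# Constructed blocklist; real lists such as IE-SPYAD are far longer.
AD_SERVERS = ["ads.example", "tracker.example.net", "popups.example.org"]

# Only these targets are harmless for a public name: loopback or the blackhole.
SAFE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # first field is not an address
        for name in parts[1:]:                 # one address may list several names
            entries.append((parts[0], name.lower()))
    return entries


def find_hijacks(text):
    """Names mapped to an address that is neither loopback nor 0.0.0.0.

    A legitimate intranet entry would show up here too; allow-list those
    after review rather than weakening the check.
    """
    return [(name, ip) for ip, name in parse_hosts(text) if ip not in SAFE_TARGETS]


def merge_blocklist(text, servers):
    """Append '0.0.0.0 <server>' for each blocklist name not already present."""
    present = {name for _, name in parse_hosts(text)}
    new_lines = [f"0.0.0.0 {s}" for s in servers if s.lower() not in present]
    if not new_lines:
        return text                             # idempotent: nothing to add
    if not text.endswith("\n"):
        text += "\n"
    return text + "# ad servers blocked (added)\n" + "\n".join(new_lines) + "\n"


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"SUSPECT: {name} -> {ip}")
    print(merge_blocklist(SAMPLE_HOSTS, AD_SERVERS))
```

Run against a copy of the live file first; the hijack report is the part to act on, and the merged output only needs to replace the real file once the flagged entries have been reviewed.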


Resources
Spyware Risk: It's Time to "Get Smart"
(The prequel to the article you just read)
Dave's Anti-spyware Resource Page
The CoolWebSearch Chronicles
Details the variants of this notorious browser hijacker
Antivirus and Antispyware must be the same ware
Opinion from Dave Piscitello, posted on the Loop site.