David Berlind's Reality Check
Spyware following spam into the enterprise
By David Berlind
May 31, 2004

When spam first started showing up on the technology radar as a problem, it was mostly a problem for consumers and individuals whose personal data (especially e-mail addresses) was easy pickings for spammers building databases. But it wasn't long before corporate e-mail systems were overwhelmed as well. Now, spyware is apparently following in spam's footsteps. In fact, just like spam, spyware has already earned itself a workshop at the Federal Trade Commission that was dedicated to the problem--a rare and dubious "honor." Now, security software vendors are responding in kind with anti-spyware solutions that target businesses and enterprises.

Spyware is a genre of malware, which, when taken together with viruses, worms, and spam, is seen by many as completing the ecosystem of unwanted and surreptitiously installed software. Spyware generally includes two forms of unwanted system behavior. The first is, by virtue of its name, a process that spies on what users do with their systems (logging keystrokes in many cases) and then "phoning home" with any sensitive data that may have been collected through its surreptitious activities. Many consumers who have fallen prey to spyware have unknowingly transmitted their credit card information to those working the controls on the other end of a spyware pipe.

In addition to capturing sensitive information, spyware alters the behavior of target systems by hijacking the home and search page settings of Internet Explorer, often resetting them to advertising-bearing sites we never wanted and driving a desktop-cluttering cascade of pop-up advertisements. In addition to the way these behaviors can compromise sensitive information and negatively impact productivity, they also can be a drag on system resources, often depriving other applications of processor bandwidth and memory, thereby causing an overall and often unexplainable system slowdown.

Now, according to Christine Stevenson, vice president of marketing at Webroot, an anti-spyware solution provider, certain types of organizations--especially those with a lot to lose--are becoming sensitized to the risks of spyware. Citing privacy legislation, such as HIPAA, Stevenson said guarding data is about protecting privacy as much as it is about guarding corporate assets.




Against that sort of legal backdrop, it may not matter whether companies have already been adversely impacted by spyware. Just knowing that the threat of spyware is out there may be enough to motivate businesses to put the countermeasures in place before it's too late. "Too late" could be legal action taken on behalf of some federal agency, or worse, a mass exodus of disenchanted customers.

Based on the feedback I received for a story that I wrote about how my privacy had been violated, it's clear that it doesn't take much of a privacy transgression to upset customers (or potential customers). Switching costs on the Web are relatively low--a competitor is only a click away. A question for enterprises is how much extra money and time they're willing to spend for the peace of mind that an anti-spyware solution can provide above and beyond the other security solutions, such as firewalls that are designed to keep malware out and sensitive data in.

Anti-spyware is one of those categories in which a plethora of freely downloadable utilities are available to address the problem. The most well known of this crop is LavaSoft's Ad-aware. In almost all cases, the free utilities get the basic job done, but lack some essential features that users of anti-spyware shouldn't be without. The purveyors of those utilities offer more functionally complete versions, ranging in price from $25 to $50 per system. For example, the paid versions of Ad-aware offer a more proactive form of real-time protection than the free version, which is more of a reactive product that users must run when they suspect their systems are afflicted with some form of spyware. Likewise, Webroot has a freely downloadable version of Spy Sweeper, but it's a static version that doesn't benefit from Webroot's ever-improving knowledgebase about spyware.

Some companies might not be inclined to spend additional dollars on anti-spyware solutions because they think they're already covered by the anti-virus and firewall solutions they have in place. According to Stevenson, businesses have to be careful not to be lured into a false sense of security against spyware by anti-virus solutions or firewalls. Neither sufficiently targets the problem. "Spyware is different enough that it requires solutions that are dedicated to the problem," said Stevenson. "A firewall may intercept a spyware's attempt to phone home, but that's not all spyware does. In most cases, it won't stop the pop-up advertising and it won't deal with spyware's negative impact on system performance. Firewalls won't remove the spyware either."

Firewalls and anti-spyware products like Webroot's Spy Sweeper actually complement each other. Whereas a firewall can cut off certain network data streams at the pass, anti-spyware products are a lot like anti-virus products in terms of dealing with the complicated process of removal and eradication.

End users may think of spyware as viruses--software that they never intended to install on their systems but somehow ended up there anyway. But spyware is nothing of the sort. Its goal isn't to destroy a system, and it usually doesn't exploit a vulnerability in the way viruses and worms do. "Spyware usually gets installed after users agree to an End User License Agreement (EULA) for something else they're installing and think they need. Spyware writers are very clever in the way they piggyback such installation routines," said Stevenson. "They do it in a way that users don't realize that they're installing a bunch of programs instead of just the one that they wanted."

According to Stevenson, the types of software that typically mask the installation of spyware are programs that promise to personalize systems with American flags or smiley faces as the mouse pointer. By installing them, users inadvertently authorize the installation of spyware, mostly because the installation routine isn't fully disclosing what the software will do (another problem that state and federal legislation may eventually address). This is one reason that spyware is a lot like spam. Since it shows up on the system through legitimate channels, it's hard to separate spyware from the software that legitimately belongs on the system.

Like anti-virus software, anti-spyware products like Spy Sweeper use forensics to weed out spyware from legitimate software. For starters, spyware usually leaves some tell-tale fingerprints on systems that any decent spyware database should recognize. Spy Sweeper, for example, also watches for a laundry list of red flag behaviors. "Anything that unnecessarily consumes system resources raises red flags," said Stevenson. "If the software is running but there's no way to uninstall it, that's a red flag. If the software is missing entries in the system's registry or it re-installs itself after being uninstalled, those are huge red flags too. We look for attempts to change settings in Internet Explorer such as the default search and home pages. The more of these criteria that a particular piece of software meets, the higher the likelihood that it's spyware."

In response to the demand for anti-spyware from enterprises, Webroot is modifying the architecture of its stand-alone product to make it play better in networked environments. For example, whereas the stand-alone versions of Spy Sweeper get their database updates from Webroot's Web site, users of the enterprise version will work off a central database on the corporate network, which in turn retrieves its updates from Webroot. Using this architecture, administrators will also be able to create and distribute policies that govern Spy Sweeper's behavior. For example, administrators will be able to create and distribute a list of allowable software that Spy Sweeper should overlook when trying to spot spyware. The schedule for the periodic system scans that look for spyware is also centrally controlled. For mobile users who aren't connected to the corporate network where the spyware database resides, scans will occur when the notebook system re-attaches to the corporate network (either locally or through a VPN).
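The red-flag scoring Stevenson describes, combined with the administrator-distributed list of allowable software mentioned above, can be expressed as a small triage routine. This is an added example, not Webroot's code and not part of the original article; the flag names, weights, threshold, fingerprints, and sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass

# Red flags as listed in the article; the weights and threshold are assumed values.
RED_FLAGS = {
    "excessive_resources": 1,
    "no_uninstaller": 2,
    "missing_registry_entries": 2,
    "reinstalls_after_uninstall": 3,
    "changes_ie_home_or_search": 2,
}
THRESHOLD = 4
KNOWN_BAD = {"fp-constructed-bad-01"}  # stand-in for the fingerprint database

@dataclass(frozen=True)
class Program:
    name: str
    fingerprint: str
    flags: tuple = ()

def classify(prog, allowlist):
    """Return (verdict, score, matched_flags) for one observed program."""
    unknown = set(prog.flags) - set(RED_FLAGS)
    if unknown:
        raise ValueError(f"unrecognised flags: {sorted(unknown)}")
    # Assumption: a fingerprint hit is reported even for allowlisted software.
    if prog.fingerprint in KNOWN_BAD:
        return ("known-spyware", None, [])
    # The allowlist is keyed on fingerprint rather than display name, so an
    # exemption applies only to the exact software the administrator approved.
    if prog.fingerprint in allowlist:
        return ("allowlisted", 0, [])
    matched = sorted(set(prog.flags))
    score = sum(RED_FLAGS[f] for f in matched)
    verdict = "likely-spyware" if score >= THRESHOLD else "no-action"
    return (verdict, score, matched)

def triage(inventory, allowlist):
    """Map each program name to its verdict under the central policy."""
    return {p.name: classify(p, allowlist)[0] for p in inventory}

# Constructed sample inventory (not real products or real fingerprints).
INVENTORY = [
    Program("cursor-pack", "fp-constructed-a1",
            ("no_uninstaller", "changes_ie_home_or_search", "reinstalls_after_uninstall")),
    Program("backup-agent", "fp-constructed-b2", ("excessive_resources", "no_uninstaller")),
    Program("it-remote-tool", "fp-constructed-c3", ("no_uninstaller", "missing_registry_entries")),
    Program("toolbar-x", "fp-constructed-bad-01"),
]
ALLOWLIST = {"fp-constructed-c3"}  # policy distributed by the administrator

if __name__ == "__main__":
    for name, verdict in triage(INVENTORY, ALLOWLIST).items():
        print(f"{name:15} {verdict}")
```

Without the allowlist entry, `it-remote-tool` would reach the threshold on its own flags, which is the false positive the centrally distributed policy is meant to suppress.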

The enterprise version of Spy Sweeper 3.0 isn't shipping yet. Stevenson expects the company to release the software this summer at a per-seat discounted rate from the $29.99 stand-alone version of the software.

If the art of spyware detection is tricky, removal is even trickier, which is why a solution that offers scripted removal of spyware, such as Webroot's forthcoming enterprise offering, can benefit enterprises. "One reason enterprises are beginning to approach us is that spyware is beginning to show up on their users' systems and the IT personnel simply don't have the time to figure out how to remove it by hand," Stevenson said.

In April, at least two other companies--Zone Labs (a division of CheckPoint Software) and Symantec--began offering spyware detection as a part of their centrally managed enterprise offerings. However, neither Zone Labs Integrity Clientless Security nor Symantec's Client Security and Symantec Anti-Virus Corporate Edition offerings, both of which offer centrally managed spyware detection, have any way of automatically removing spyware. According to Brian Foster, Symantec's director of enterprise product management, "We don't offer much in the way of removing spyware right now. But later this year, we'll release upgrades to our offerings that include that functionality."

Both Symantec and Zone Labs will be offering anti-spyware remediation through a single managed client for desktops. Based on the assumption that enterprises don't want multiple touch points for client security management--one for anti-virus, one for personal firewall, one for intrusion detection, and so on--Zone Labs recently announced that Computer Associates' anti-virus technology will be integrated into its centrally managed firewall offering. To further close the gap, Zone Labs, which is playing catch-up to one-stop-shop corporate security suites like Symantec's, will probably have to partner to provide spyware removal capabilities--perhaps with Webroot. Symantec plans to develop its anti-spyware capability, Foster said.

Given that Spy Sweeper and numerous other spyware solutions only work with Windows systems, administrators of Windows networks will be quick to point out that there is at least one other non-anti-spyware solution to spyware. Some enterprises lock down their desktops in a way that prohibits the installation or execution of all but those corporately endorsed applications. With administration tools from Microsoft enforcing that lockdown, the seemingly benign installation routines that spyware often piggybacks on when surreptitiously sneaking into systems would never be allowed to run in the first place. Similar controls can be asserted over thin-client environments, such as those based on Citrix and Windows Terminal Server.

For those environments where end users are permitted to install software on their own--environments that greatly outnumber the ones that are totally locked down--and for other organizations that like to show that they're doing everything within their power to protect the privacy of customers, patients, and other constituents, the cost of an enterprise solution will be worthwhile.

You can write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
