Spyware Among Us
May 1, 2007 12:00 PM, By Sandra Kay Miller
Spyware has been pegged by Secure Computing, San Jose, Calif., as the top security issue for enterprises this year. A growing problem, this insidious code can tunnel right through the corporate firewall, allowing data hemorrhage and intruder access to the private network.
Unlike early malware, such as viruses and worms, spyware was not initially considered malicious by most organizations — only a nuisance. Trojans and back doors were routinely installed on systems by administrators and vendors for easy access and maintenance. There are also numerous commercial software programs used for legitimate purposes, such as monitoring computer usage and remote administration.
But about five years ago, Ryan Hicks, who manages EarthLink's spyware research team, began to see a shift in malware. “Before, there were miscreants off in the shadows doing what they were doing for amusement, egotistical reasons and to enhance their reputation,” Hicks says. The majority of threats were self-replicating code, such as viruses and worms; trojans and keyloggers were a minor blip on IT departments' and security researchers' radar screens.
Today, the driving force behind the majority of malware is criminally motivated and based upon spyware technology. Organizations worry less about having their Web sites defaced or being on the receiving end of a distributed denial-of-service attack and more about having data or intellectual property stolen.
“Companies don't care about the hackers as much, but what they do care about is keeping their names out of the headlines over losing 30,000 credit card or social security numbers,” explains Shon Harris, lead author of Gray Hat Hacking: The Ethical Hacker's Handbook. Forrester Research, Cambridge, Mass., estimates that security breaches cost organizations between $90 and $305 for each stolen record, meaning a leak of private customer data can cost hundreds of thousands of dollars in recovery costs, as well as customer ill will, lawsuits, fines or, worse, business closure.
Veteran security researcher Roger Thompson, CTO at Exploit Prevention Labs, a New Kingstown, Pa.-based technology company, agrees. During the course of his 20-year career in the security industry, Thompson has watched spyware morph into an organized network of crime, costing global organizations billions of dollars annually. Last year's Malware Report from Computer Economics listed the total cost of viruses, trojans, worms and related threats at $14.2 billion for 2005.
Hicks likened the fight against spyware to an arms race. “The bad folks are constantly using new technologies to remain undetectable or to keep reinfecting hosts. It's a battle that isn't going to go away anytime soon,” he explains.
“Threats are becoming much more sophisticated and harder to spot,” says Dmitri Alperovitch, principal research engineer at Secure Computing, a global enterprise security company. Thompson credits the rise of exploits being launched via a Web browser. “When you open a browser, you're creating an instant tunnel right through the firewall. Firewalls are really good at keeping out network worms, and e-mail filters are good at keeping out e-mail worms, but when you open a browser, you are authorizing pretty much whatever wants to go on to come straight through the firewall,” he explains.
Joshua Lin, director of business development and marketing for CP Secure, Cupertino, Calif., makers of gateway scanning appliances, supports Thompson's view. “Today, 90 percent of malware that CP Secure customers reported was coming in through Web traffic.”
The exploits tunneling through the firewall are also changing. “It used to be that exploits would install 20 megabytes of adware, but I haven't seen much of that lately,” Thompson says. What he is seeing instead is the installation of rootkits and post-loggers. Like spyware, rootkits are not all used with malicious intent. However, when combined with malware to cloak running processes, files or system data from the operating system in an effort to avoid detection by security scanners, rootkits pose a significant threat.
Even more frightening for users, Thompson refers to post-loggers as “key-loggers on steroids.” Unlike a key-logger, which only records keystrokes, a post-logger records everything sent via a Web-based form. Post-loggers pose an especially serious problem for organizations conducting Web-based transactions thought to be secure. “If you think about logging into a bank account, you put in the user ID and password and hit submit. What it's doing is a ‘post’ as opposed to a ‘get’ and because these things are .dlls, they actually load as part of the browser and therefore become part of the exploit. It doesn't matter if it is an SSL connection, it's seen as part of the browser,” Thompson says.
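Because a post-logger of the kind Thompson describes runs as a DLL inside the browser process, one defensive check is to enumerate the modules a running Internet Explorer process has loaded and flag any that are unsigned or live outside the usual system directories. The PowerShell below is an added example, not code from the article or from any vendor it names; the process name iexplore and the output path are assumptions.

```powershell
# Added example: list modules loaded into Internet Explorer and flag unsigned or
# out-of-place ones. Assumes the browser process is named "iexplore"; run from an
# elevated session so module enumeration succeeds for every browser process.
$browserProcs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
if (-not $browserProcs) {
    Write-Output "No iexplore.exe process is running."
    return
}

$findings = foreach ($proc in $browserProcs) {
    # Module enumeration can fail on a 32/64-bit mismatch; skip such processes
    try { $modules = $proc.Modules } catch { continue }
    foreach ($mod in $modules) {
        $path = $mod.FileName
        if (-not $path) { continue }
        # Authenticode status is 'Valid' only for a properly signed, trusted binary
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Legitimate browser components normally live under Windows or Program Files
        $inSystemTree = ($path -like "$env:SystemRoot\*") -or
                        ($path -like "$env:ProgramFiles\*") -or
                        ($path -like "${env:ProgramFiles(x86)}\*")
        [pscustomobject]@{
            PID        = $proc.Id
            Module     = $mod.ModuleName
            Path       = $path
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious = ($sig.Status -ne 'Valid') -or (-not $inSystemTree)
        }
    }
}

# Suspicious modules first, ordinary signed system DLLs after
$findings | Sort-Object Suspicious -Descending |
    Format-Table PID, Module, Signature, Signer, Path -AutoSize

# Keep the suspicious set for comparison against a known-good baseline (assumed path)
$findings | Where-Object Suspicious |
    Export-Csv -Path "$env:TEMP\ie-suspicious-modules.csv" -NoTypeInformation
```

Many legitimate browser helper objects are signed by their vendor rather than by Microsoft, so the Signer column matters as much as the Status column; compare the output against an allowlist of expected modules rather than treating every third-party signer as hostile.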
Recently, Thompson and his fellow researchers uncovered an exploit using Google's AdWords advertising system to infect unsuspecting users with malware. Criminals posted ads to Google for legitimate, trusted organizations, including the Better Business Bureau. However, when users clicked on the ad, they were instead redirected to a malicious Web site that tried to exploit a known Microsoft Internet Explorer vulnerability. Systems without the latest security patch from Microsoft were infected with a post-logger coded to steal confidential account access information from customers of 100 different banks. “The Google attack signals an escalation in the tactics used by the bad guys to take advantage of unpatched vulnerabilities in common software programs,” Thompson says.
Unfortunately, even administrators who stay on top of installing patches and keep their systems up to date can still be infected with spyware. In March 2007, fully patched Windows machines (even those running Vista) with Internet Explorer 6 and 7 fell victim to a zero-day attack using Trojan code that exploited a previously unknown Windows animated cursor bug.
At this point, most organizations “shrug their shoulders and take the hit,” Thompson says.
On the upside, while the number of malicious Web sites and spyware variants is effectively infinite, exploits are the limiting factor. “The thing about exploits is they tend to get re-used,” Thompson says. Security vendors, such as Exploit Prevention Labs, are designing scanners that can spot exploits in the bit stream and kill the processes through the device driver.
Hicks and his team are constantly examining emerging and known spyware in an effort to keep the signature files for EarthLink's antispyware engine current. “We send out updates several times a week,” Hicks says.
Furthermore, EarthLink and nearly 50 other technology organizations, security vendors, academics and consumer groups have banded together to form the Anti-Spyware Coalition in an effort to build uniformity around the definitions and best practices regarding spyware and other potentially unwanted technologies.
Dealing with security issues has primarily been reactive. Unfortunately, when it comes to spyware delivered over the Web, precautionary measures, Web filters and intrusion prevention systems (IPS) have not proved agile enough to keep up with the rapidly changing environment of the Internet. As Thompson pointed out, “Stuff that was there a month ago isn't there now.”
Despite the increasing threats from zero-day attacks, Thompson recommends organizations remain as current as possible with patching their systems in an effort to stave off spyware.
“You have to really look at all the points on the network where you can really protect yourself at the edge, gateway and at the desktop level as well. No single solution is foolproof. By varying the places where you provide protection throughout your infrastructure, you increase the chance that the threat will be filtered out one way or another,” Alperovitch adds.
© 2008 Penton Media Inc.