Spyware sneaks into the desktop

Once dismissed as a consumer desktop problem, spyware is increasingly seen as a corporate liability that IT has to address.
May 03, 2004 (Computerworld) -- Bruce Edwards began to understand that spyware was more than a consumer PC problem when his users started complaining loudly about poor performance and an increase in pop-up ads. But it wasn't until after he'd checked all of his organization's PCs that Edwards understood the full scope of the problem.


"My customer workstations were really gummed up," says Edwards, LAN administrator at the Administrative Office of the Courts in Little Rock, Ark. All 200 machines in his offices were running a wide range of spyware, and many were running multiple programs. The programs ran in the background without the users' knowledge, sending information on Web surfing activity back to their operators and retrieving advertisements for use in pop-up ads. As the volume of these hidden programs grew, they began using up system resources and choking off network bandwidth. Annoyed with all the pop-up ads, some users downloaded free pop-up blocker programs that installed even more spyware.


Spyware programs install themselves on PCs without drawing attention and establish a back channel over which they report information about the user and retrieve advertisements. That channel typically runs outbound over HTTP on TCP port 80, so it blends in with ordinary Web browsing and passes through perimeter firewalls that allow Web access. Programs designed specifically to deliver targeted advertising are also called adware. But adware and other types of software that install without the user's explicit consent and establish background communications, including surveillance programs, key loggers, remote control tools and Trojans, are also described as spyware.
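To show what that back channel looks like from the network side, here is an added example (not from the article or from any vendor it names): a Python script that reads Web proxy log lines and flags client/host pairs whose requests recur at a near-constant interval to a single URL, the rhythm of an agent phoning home rather than a person browsing. The log format, host names, addresses and thresholds are constructed for the example.

```python
"""Flag workstations whose outbound HTTP traffic looks like a spyware back channel.

Added example, not code from the Computerworld article. The log format, hosts,
addresses and thresholds below are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

MIN_HITS = 4        # fewer requests than this cannot establish a rhythm
MAX_JITTER = 0.25   # stdev/mean of the gaps; below this the requests count as periodic

# Constructed sample in a Squid-style layout: "timestamp client method url status".
# Every host, address and time here is invented for the example.
SAMPLE_LOG = """\
2004-05-03T09:00:00 10.1.2.15 GET http://www.courts.example/docket.html 200
2004-05-03T09:00:05 10.1.2.15 GET http://ads.tracker.example/report.cgi?id=7731 200
2004-05-03T09:01:12 10.1.2.15 GET http://www.courts.example/calendar.html 200
2004-05-03T09:05:05 10.1.2.15 GET http://ads.tracker.example/report.cgi?id=7731 200
2004-05-03T09:07:40 10.1.2.15 GET http://news.example/index.html 200
2004-05-03T09:10:05 10.1.2.15 GET http://ads.tracker.example/report.cgi?id=7731 200
2004-05-03T09:15:05 10.1.2.15 GET http://ads.tracker.example/report.cgi?id=7731 200
2004-05-03T09:20:05 10.1.2.15 GET http://ads.tracker.example/report.cgi?id=7731 200
2004-05-03T09:02:00 10.1.2.22 GET http://www.courts.example/docket.html 200
2004-05-03T09:09:30 10.1.2.22 GET http://news.example/index.html 200
2004-05-03T09:10:00 10.1.2.22 GET http://news.example/story1.html 200
2004-05-03T09:31:00 10.1.2.22 GET http://www.courts.example/forms.html 200
2004-05-03T09:33:00 10.1.2.22 GET http://news.example/story2.html 200
"""


def parse_log(text):
    """Yield (timestamp, client, destination host, url) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname, url


def find_beacons(text, min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return [(client, host, mean_gap_seconds, distinct_urls)] for every
    client/host pair whose requests arrive at a near-constant interval."""
    series = defaultdict(list)
    for ts, client, host, url in parse_log(text):
        series[(client, host)].append((ts, url))

    findings = []
    for (client, host), hits in series.items():
        if len(hits) < min_hits:
            continue
        hits.sort()  # log lines need not be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings.append((client, host, avg, len({url for _, url in hits})))
    return findings


if __name__ == "__main__":
    for client, host, avg, distinct in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: every {avg:.0f}s, {distinct} distinct URL(s)")
```

Periodicity is a triage signal, not proof: antivirus updaters and stock tickers beacon too, so review the flagged hosts against a list of known-good update servers, and treat a single repeated URL as stronger evidence than a periodic spread of pages. The detection only works because the traffic was forced through a logging proxy; a back channel that goes straight out on port 80 through a permissive perimeter firewall leaves no such record, which is one argument for the desktop firewalls the article's preventive measures call for.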


Companies have traditionally viewed spyware as a nuisance that's best handled by desktop support groups. But IT organizations are beginning to view it as a security risk as well because spyware is becoming more common and the programs are growing more sophisticated.


Illustration: Spyware Sneaks Into the Office (image credit: David Plunkert)


Edwards used PestPatrol, a spyware scanning and removal tool, to clean up the mess. But the big issue for him isn't system performance or productivity-sapping pop-ups. It's the uneasy feeling that these programs have opened an unauthorized communication channel that could put sensitive court documents at risk. He worries that, in addition to reporting data on Web surfing activity, a spyware program may capture user log-in and password information, or that a benign adware program may provide a communications pathway that could be hijacked for uploading more malicious software.


Analysts say that while some adware programs simply monitor Web surfing activity and serve up annoying pop-up ads, others could be stealing e-mail addresses and passwords, allowing background downloads of more malicious software, or sending sensitive data to competitors. "We think the capability to do that is there," says John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.


Getting In


Spyware applications may install themselves after a user clicks on a pop-up dialog box, opens an e-mail attachment or downloads freeware. In some cases, unpatched Windows machines may be vulnerable to "drive-by" attacks, in which malicious code embedded in a viewed Web site exploits Internet Explorer vulnerabilities and lax security settings to install itself without the user clicking on anything.


As spyware accumulates, it consumes increasing amounts of resources. A single program may install upward of 300 files and make 500 registry entries, says Roger Thompson, vice president of development at PestPatrol Inc. in Carlisle, Pa.


Spyware programs may also be used in corporate espionage. Thor Larholm, senior security researcher at network security tool vendor PivX Solutions LLC in Newport Beach, Calif., says a hacker stole one company's trade secrets by using an adware program's communications channel to plant a Trojan on corporate desktops.

The adware was set up to communicate with the adware producer's Web page in order to retrieve new advertisements. The attacker used a "man-in-the-middle" attack to alter the Web page with malicious code that could exploit an Internet Explorer vulnerability on unpatched Windows machines. Because the target company's PCs were vulnerable, the attacker was able to install the backdoor program. "By hijacking the adware traffic, he gained access to five machines," Larholm says. The attacker spent two months collecting trade information and data on new projects before the hole was detected and closed. The lesson, Larholm says: "Any kind of unknown code running on desktops is a liability."


Reports of such nightmare scenarios are rare, but they worry Sean, a security engineer at a large financial services company who asked that his full name and company not be used. "I don't think we deal with [spyware] the way we should. I think it's going to get worse," he says. A disruption in day-to-day workflows caused by spyware "could translate into big bucks" for his company, he adds. But until a major incident occurs, Sean doubts his organization will act. "There's not enough senior management buy-in to the problem. Our hands are full just handling the antivirus stuff," he says.


Preventive Measures


Keeping spyware out isn't easy, users and vendors say. Antivirus software and Web content filters can help. But preventing spyware problems also requires desktop firewall software on every Windows machine to detect and block spyware installs, whether the user deliberately downloads a program or is tricked by a misleadingly worded pop-up window into clicking on it. It requires rigorous patching of Windows and Internet Explorer vulnerabilities. And it requires blocking all executable e-mail file attachments at the gateway.
Another way to thwart spyware downloads is by giving Windows XP users restricted access rather than full administrator access to their local machines. "Linux users would never run the computer as root and read e-mail ... but that's what Windows users do all the time," says Mikko Hyppönen, antivirus research director at San Jose-based F-Secure Inc. Many spyware programs simply can't install if the user doesn't have local admin rights.


"In talking with large companies on a weekly basis ... I'm surprised how many still provide users with full admin privileges on the desktop," says Candace Worley, product manager for McAfee VirusScan. Sean, at the financial services company, acknowledges that many of the more than 100,000 employees in his organization have full admin rights to their machines. But, he says, "it's not practical to lock down the desktop completely," because users demand some flexibility.


Patching is critical, but it won't block all exploits, says Larholm, who until recently maintained a list of unpatched Internet Explorer vulnerabilities on the PivX Web site. That list once had 32 entries. "Today I would estimate that there are still 14 unpatched vulnerabilities. About half of those allow for command execution. About half of the remaining ones allow cross-domain scripting," says Larholm. Microsoft Corp.'s upcoming Windows XP Service Pack 2 will remedy many of those, he says.


SP2 is expected to create application compatibility issues, but Gartner's Pescatore recommends implementing it as soon as possible. "We'll see a pretty high incidence of breakage, but it's one you should be doing," he says.


Still, SP2 won't help Sean's company. It's still using version 5.5 of Internet Explorer, he says, noting that many large corporations aren't using the most up-to-date versions of their Web browsers "because newer versions can break intranet applications."


Pete Simpson, ThreatLab manager at Reading, England-based Clearswift Ltd., which sells Web and e-mail content filters, says blocking all executable file attachments is critical because antivirus software doesn't always detect embedded spyware.
Pete Munro, network manager at a U.K.-based vertical-market software vendor, once intercepted an e-mail file attachment purporting to be a wedding invitation. If executed, the attachment would have installed a copy of iSpyNow, a commercial surveillance spyware program. Says Munro, who asked that his company not be named, "Our source code is very valuable. If anyone stole it, changed it or deleted it, that could cause us a lot of trouble."


Munro blocked the attachment at the e-mail gateway. Users are also protected by not having local admin privileges on their machines. Munro says he's glad the gateway did its job because his antivirus scanner ignored the attachment. "From their point of view it's a commercial program," he says.
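The gateway rule that saved Munro, and the blanket block on executable attachments that Simpson and the Preventive Measures section recommend, can be enforced without relying on antivirus signatures at all. The following is an added example (not the article's code, nor any vendor's): a Python filter built on the standard library's email and zipfile modules that identifies executables by their last extension and by their leading bytes, so a program renamed to .jpg is still caught, and looks inside ZIP attachments. The sample message, the extension list and the stub "MZ" bytes are constructed for the example; the stub is not a real program.

```python
"""Reject executable e-mail attachments at the gateway.

Added example, not code from the article or from any vendor named in it.
The message built below is constructed; the extension list and decision
rules are this example's own choices.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# File types Windows runs on double-click (this example's own list; extend as needed).
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "reg", "lnk",
}
# Leading bytes that identify executable content whatever the file is called.
MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}
ZIP_MAGIC = b"PK\x03\x04"


def executable_reason(filename, head):
    """Return why a file should be blocked, or None. Checks the last extension
    first, then the leading bytes, so renaming invite.exe to invite.jpg does not help."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable extension .{ext}"
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return f"{kind} content behind the name {filename!r}"
    return None


def archive_reason(payload):
    """Inspect a ZIP attachment, reading only the first bytes of each member
    so a deliberately huge compressed file cannot exhaust the gateway."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    reason = executable_reason(info.filename, fh.read(4))
                if reason:
                    return f"archive member {info.filename!r}: {reason}"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, encrypted or unsupported archives cannot be inspected: block them.
        return "archive could not be inspected"
    return None


def scan_message(raw):
    """Return [(filename, reason)] for every attachment the gateway should strip."""
    blocked = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        reason = executable_reason(filename, payload[:4])
        if reason is None and payload.startswith(ZIP_MAGIC):
            reason = archive_reason(payload)
        if reason:
            blocked.append((filename, reason))
    return blocked


def build_sample_message():
    """Construct a message like the 'wedding invitation' Munro received: a Windows
    binary given a harmless-looking name, plus a genuine text file and a ZIP
    carrying a screensaver. The MZ bytes are a stub header, not a real program."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Wedding invitation"
    msg.set_content("Please find the invitation attached.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="Wedding_Invitation.jpg")
    msg.add_attachment("Map to the venue\n", filename="directions.txt")
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("invite.scr", fake_pe)
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip",
                       filename="invite.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {why}")
```

A commercial surveillance program such as the one Munro intercepted carries no antivirus signature, which is why a content rule rather than a scanner is what stops it. Encrypted or corrupt archives are blocked rather than passed because they cannot be inspected; if the business needs password-protected ZIPs, route them to quarantine for manual review instead of delivering them.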


Such programs are clearly a threat, yet most antivirus tools and even some antispyware programs don't detect commercial software and adware that include end-user license agreements.


"Vendors producing different types of advertisement software are threatening to sue us because we're making them look bad," says Hyppönen. To avoid such issues, he says his company provides signatures only for malicious programs used for "criminal intent." Both Network Associates Inc. and Symantec Corp. have begun to add some spyware-detection capabilities to their corporate offerings, but both struggle with the same issues. "The Symantecs and McAfees have been very slow to add spyware capabilities, and it's not clear to me why—because it's a big problem," says Pescatore.


Ultimately, IT organizations don't care whether spyware programs are legitimate adware, commercial surveillance programs or malware. They need to know about anything that's not part of the standard system. "If you have tons of spyware on your machines, you're letting other companies use your private property to earn money. That's a big corporate liability," says Larholm. "If anyone should be monitoring your employees, it should be you."


Chart: Spyware Rising (source: user reports to PestPatrol Inc.'s Web site)