In-Depth
Sneaky, Sinister, Swindling Software
- By Kathleen Ohlson
- November 1, 2005
Spyware is the "new wave of horror," says Fred Vignes, Zoo Atlanta's information
security director. One of the 10 oldest operational zoos in the U.S., Zoo Atlanta
maintains 200 PCs in its administration, education and curator departments,
as well as at its animal-keeping areas and exhibits, where computers may be
used by visitors. (See "It's all happening at the zoo," on page 40.)
In one recent episode, spyware infected close to 30 percent of the zoo's computers,
causing some PCs to run so slowly they were unable to open simple documents,
and damaging data on others so the systems required complete software overhauls.
"I've come to be more afraid of [spyware] than I was of viruses. [Spyware] is
quieter, and people have many more opportunities to be bitten by it," Vignes says.
Spyware is stealthy, often lurking for months before users recognize that something
is amiss. While running undetected, spyware may log keystrokes to capture passwords
and credit card numbers, or monitor a user's Web surfing patterns and other
habits that can be used to build a profile that includes details such as name,
gender and home address. More sophisticated spyware can capture screen shots
and relay them to an attacker when the end user enters credit card information
in a retail shopping cart and then clicks the "enter" or "confirm" button in a form.
The result is that spyware can be used for identity theft, to invade an individual's
privacy, compromise a company's infosecurity, alter or destroy data, or replicate
to a point where a system collapses under the weight. The variety of ways spyware
can attack or exploit an end user's system is growing rapidly, several experts
say.
Company | Product
Computer Associates International | eTrust PestPatrol Anti-Spyware Corporate Edition
Management | Centralized
Reports/Alerts | End-to-end logging and reporting
Scanning | Real time
Manage Definitions | Weekly automatic updates to desktops with new Pest definition files
Removal | Removes nonviral malicious code to protect PCs from unauthorized access
Detection | Scans memory, specific files/drives and cookies; scans can be scheduled or triggered remotely
Blocking | Blocks internal breaches and external attacks/attempts by monitoring access violations across the enterprise
Quarantine | Administrator can automatically quarantine or delete spyware
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects all non-virus threats
Company | Product
Internet Security Systems | Proventia Enterprise Security Platform
Management | Centralized
Reports/Alerts | Reporting
Scanning | Scheduled
Manage Definitions | Checks for new security deployments and software updates
Removal | Removes malicious applications
Detection | Detects vulnerabilities and attempts
Blocking | Identifies and blocks unknown attacks
Quarantine | Quarantines malicious code
Personal Firewall | Yes
Cookies, Adware, Pop-ups | Detects cookies and adware
Company | Product
McAfee | Anti-spyware Enterprise Edition
Management | Desktop
Reports/Alerts | Real-time alerts and event logs
Scanning | Real time
Manage Definitions | Manually or automatically checks for updates; automatically installs weekly updates for one year. Manual or automatic updates with registration
Removal | Removes the top 200 spyware threats. Programs such as Kazaa and Gator are not quarantined or removed, but their code is stopped when they try to execute
Detection | Scanning and auto-protection
Blocking | Blocks persistent Internet ads and pop-ups
Quarantine | Quarantines malicious code and deletes cookies and registry entries
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects all, customizable
Costly too
"We lost a lot of man-hours fixing infected machines," says Carol Myrick, CISSP,
of the office of enterprise security at the Michigan Department of Information Technology.
You may stop 95 percent of attacks, and even if only 5 percent get through,
it's too much, she says. When spyware severely infected a machine, it would
frequently require doing a clean install to get the PC in working order, she
adds.
Gartner estimates that 20 percent to 40 percent of the calls that enterprise
help desks receive relate to problems caused by spyware or its close cousin,
adware. Fixing problems caused by spyware can tax IT's already limited budget:
According to analysts employed by Burton Group, it costs an average of $290
per PC per year to recover from problems caused by spyware.
"Our staff was spending a lot of time cleaning PCs manually, and the resources
we had to make available in the way of staff" affected the IT department's ability
to tackle more pressing responsibilities, says Jason Malloney, network administrator
at AMTROL, a maker of heating and drinking water systems.
Malloney estimates it takes about an hour to fix a PC infected with spyware.
Company | Product
Sunbelt Software | CounterSpy Enterprise
Management | Centralized
Reports/Alerts | Pop-up window appears in the bottom right of the Windows desktop whenever Active Protection detects a possible security violation, suspicious activity, or spyware attempting to install on the computer
Scanning | Scheduled and real time
Manage Definitions | Automatic security updates
Removal | Provides drop-down lists that allow users to ignore, quarantine or remove certain spyware
Detection | Active Protection detects a possible security violation, suspicious activity, or spyware attempting to install on the computer
Blocking | ThreatNet provides ongoing spyware threat information, blocking new spyware. Offers a view of blocked events
Quarantine | Quarantined threats won't run on computers
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects all
Company | Product
SurfControl | Enterprise Protection Suite
Management | Network
Reports/Alerts | Web-based reporting, summary reports, trend reports, detailed reports
Scanning | Real time and scheduled
Manage Definitions | LiveUpdate provides an update for antivirus, firewall and intrusion prevention
Removal | Removes malicious applications
Detection | WriteWatch stops malicious files as they enter the network; .exeWatch stops malicious applications from executing; FileWatch scans the network and removes malicious files regularly
Blocking | Layered blocking stops sites such as spyware hosts, suspicious e-mails, P2P file sharing
Quarantine | Quarantines backchannel communications based on the port
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects all
Company | Product
Symantec | Symantec Client Security
Management | Centralized
Reports/Alerts | Alerts and logging
Scanning | Real time
Manage Definitions | LiveUpdate provides an update for antivirus, firewall and intrusion prevention. Updates to the spyware database from Tenebril's Web site. The Automatic Updates page lets the admin control how often the updates occur
Removal | Automatically removes and logs all components of spyware
Detection | Auto-Protect detection detects spyware and grayware installed by GAIN and Kazaa
Blocking | Generic exploit blocker stops current spyware before a definition is created
Quarantine | Quarantines all malicious code if the system is set for it
Personal Firewall | Yes
Cookies, Adware, Pop-ups | Blocks cookies and pop-ups
Company | Product
Tenebril | SpyCatcher Enterprise
Management | Centralized
Reports/Alerts | Reports and alerts provide executive-level summaries, detailed reporting, and alerts regarding suspicious applications and files. Administrators can view which computers may have been infected in an outbreak
Scanning | Real time
Manage Definitions | Definitions updated daily
Removal | Safe Remediation automatically removes only spyware programs, keeping legitimate programs
Detection | Real-Time Detection immediately identifies emerging spyware before it can attack
Blocking | The Reinstall Shield blocks new spyware installations and prevents evasive spyware from automatically reinstalling
Quarantine | Suspicious Application Containment immediately quarantines potential spyware and alerts administrators
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects all
Stealth bombers
It's no wonder, then, that anti-spyware has suddenly become big business. Sunbelt
Software, Internet Security Systems, Trend Micro, Symantec, McAfee and many
other vendors market anti-spyware either as standalone products or as a component
of a security suite. Microsoft also has gotten in on the action with a beta
version of Windows AntiSpyware. Market researchers such as IDC forecast that sales
of anti-spyware will top $300 million by 2008, up from $160 million this year.
Anti-spyware products marketed by the top 10 vendors have similar features.
Several of them feature centralized management, scanning and detecting spyware
in real time, blocking programs from executing, and quarantining and eradicating
it when it is found.
Helping you helps us
A complete solution also requires educated end users, security software makers
say. In a recent study, Trend Micro says the majority (83 percent) of corporate
computer users are familiar with the risks of spyware, but about half of them
think IT should be doing a better job of helping them understand the threat.
The study was based on the responses of 1,200 end users in the U.S., Germany and
Japan, employed in businesses ranging from one-person offices to major multinational
companies. Not surprisingly, the study indicates the problem of spyware is escalating,
especially in small and medium-sized businesses.
Spyware is most evidently a problem in the U.S., where 40 percent of respondents
say they have encountered spyware at work, as compared to 14 percent in Japan
and 23 percent in Germany.
Ironically, Trend Micro's study also found that most end users admitted they would be
more apt to engage in risky online behavior if they could count on IT to back
them up with support.
Battling the spy masters
In April, AMTROL deployed Websense's Web Security Suite, which is designed to
block spyware, Web-borne viruses, and Trojans that mask key loggers and other
malicious code. "It's really difficult when you're short-staffed, sitting at
people's computers, removing spyware manually, when I need to be doing other
things," Malloney says.
Enterprises that have deployed anti-spyware also have discovered how spyware
is most likely to invade the enterprise, whether through peer-to-peer file sharing
services or because end users visited sites that commonly drop spyware or adware
on visitors' machines.
"Our Internet policy was practically nonexistent," Malloney says. "It was loosely
defined: 'Don't go to porn sites; and do your job.'"
After implementing an anti-spyware solution, the IT staff for Greth Homes was
able to take a closer look into its infrastructure. The new home construction
company installed Sunbelt Software's CounterSpy Enterprise software for its
50 users at the main office. CounterSpy offers a centrally managed console for
managing, reporting and cleaning spyware.
"There were a couple of Web sites that consistently caused infections across
the board," says Craig Stonaha, the home builder's information coordinator.
Greth Homes uses CounterSpy to track sites where users are likely to encounter
spyware, "before we feel the pain," Stonaha says. "We can run reports and see
in a month which computers [are clean] and which users were killed by spyware."
Spy vs. spy
According to Forrester Research, businesses are shifting from single-purpose
anti-spyware solutions to client security suites from companies such as Symantec
and McAfee that consist of anti-virus and anti-spyware tools, a personal firewall,
intrusion prevention and other features.
Other enterprises choose to layer their protection, using products from more
than one vendor. For example, Cornell University's athletic department protects
its 300 machines with Computer Associates International's eTrust PestPatrol
Anti-Spyware software and a freeware solution, according to Ricky Stewart, the
department's computer services manager. PestPatrol offers Stewart a centralized
management console to send updates through the network, so Stewart doesn't have
to go physically to each workstation to eradicate spyware that manages to evade
security barriers. Stewart also uses Spybot - Search & Destroy, freeware from
PepiMK Software, to hit spyware from another angle. He says the freeware catches
some threats that PestPatrol misses.
"Spyware hasn't gone away 100 percent, but there's been a drastic turnaround
in trouble calls," Stewart says.
"The bad news is that there's some other bad things coming down the pike, but
we don't know it yet. I sometimes wonder who's ahead, but this week it's me,"
Zoo Atlanta's Vignes says.
Company | Product
Trend Micro | Enterprise Anti-Spyware
Management | Centralized
Reports/Alerts | Enterprise-wide reporting
Scanning | Real-time layered scanning
Manage Definitions | Automatically or manually deploy threat definitions and software updates
Removal | Agent-based clean-up services remove spyware on local or remote clients or servers
Detection | Scans for inbound spyware before it infiltrates desktops, as well as outbound spyware communications
Blocking | Deletes tracking cookies automatically. Based on signature files using active protection
Quarantine | Doesn't quarantine files that are in use by an active process; quarantines or deletes detected spyware on reboot
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects adware and cookies
Company | Product
Webroot Software | Spy Sweeper
Management | Centralized
Reports/Alerts | Reporting provides graphical executive summaries, spy reports, status updates, customizable reports and e-mail notification
Scanning | Scheduled and real time
Manage Definitions | Provides real-time Internet security updates
Removal | Agent-based clean-up services remove spyware on local or remote clients or servers
Detection | The Webroot Comprehensive Removal Technology disables spyware programs detected on a PC, rendering them ineffective
Blocking | Blocks most common spyware entry points, including changes to system memory, registry entries, host files, startup processes and browser hijackings
Quarantine | Administrators specify sweep schedules and set policies for automated quarantine
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects adware
Company | Product
Websense | Websense Web Security Suite
Management | Centralized
Reports/Alerts | More than 80 predefined report templates. Customize and schedule reports for distribution via e-mail
Scanning | Scans and classifies more than 350 million Web sites per week for malicious activity
Manage Definitions |
Removal | Detects the presence and location of spyware, mobile malicious code, hacking tools and other security risks in the network for removal
Detection | Reports on application activity, with detailed forensics to help pinpoint potential problems
Blocking | Blocks spyware and keylogger backchannel communications from reaching their host server. Prevents dangerous protocol-based applications from introducing security problems
Quarantine | Real-time desktop quarantines
Personal Firewall | No
Cookies, Adware, Pop-ups | Detects cookies
Case Study: It's All Happening at the Zoo