Sneaky, Sinister, Swindling Software

Sneaky, Sinister, Swindling SoftwareSpyware is the "new wave of horror," says Fred Vignes, Zoo Atlanta's information security director. One of the 10 oldest operational zoos in the U.S., Zoo Atlanta maintains 200 PCs in its administration, education and curator departments, as well as at its animal-keeping areas and exhibits, where computers may be used by visitors. (See "It's all happening at the zoo," on page 40.)

In one recent episode, spyware infected close to 30 percent of the zoo's computers, causing some PCs to run so slowly they were unable to open simple documents, and damaging data on others so the systems required complete software overhauls.

"I've come to be more afraid of [spyware] than I was of viruses," Vignes says. [Spyware] is quieter, and people have many more opportunities to be bitten by it," Vignes says.

Spyware is stealthy, often lurking for months before users recognize that something is amiss. While running undetected, spyware may log keystrokes to capture passwords and credit card numbers, or monitor a user's Web surfing patterns and other habits that can be used to build a profile that includes details such as name, gender and home address. More sophisticated spyware can capture screen shots and relay them to an attacker when the end user enters credit card info in a retail shopping cart then clicks on the "enter" or "confirm" button in an form. The result is that spyware can be used for identity theft, to invade an individual's privacy, compromise a company's infosecurity, alter or destroy data, or replicate to a point where a system collapses under the weight. The variety of ways spyware can attack or exploit an end user's system is growing rapidly, several experts say.

Computer Associates International eTrust PestPatrol Anti-Spyware Corporate Edition
Management Centralized
Reports/Alerts End-to-end logging and reporting
Scanning Real time
Manage Definitions Weekly automatic updates to desktops with new Pest definition files
Removal Removes nonviral malicious code to protect PCs from unauthorized access
Detection Scan memory, specific files/drives and cookies can schedule for scans or trigger remotely
Blocking Internal breaches and external attacks/attempts by monitoring access violations across the enterprise.
Quarantine Administrator can automatically quarantine or delete spyware
Personal Firewall No
Cookies, Ad ware, Pop-upsDetects all non-virus threats
Internet Security Systems Proventia Enterprise Security Platform
Management Centralized
Reports/Alerts Reporting
Scanning Scheduled
Manage Definitions Checks for new security deployments and software updates
Removal Removes malicious applications
Detection Detects vulnerabilities and attempts
Blocking Identifies and blocks unknown attacks.
Quarantine Quarantines malicious code
Personal Firewall Yes
Cookies, Adware, Pop-ups Detects cookies and adware
McAfee Anti-spyware Enterprise Edition
Management Desktop
Reports/Alerts Real-time alerts and event logs
Scanning Real time
Manage Definitions Manually or automatically checks for updates, automatically installs weekly updates for one year. Manual or automatic updates with registration
Removal Removes the top 200 spyware threats. Programs such as Kazaa, Gator not quarantined or removed, but their code is stopped when they try to execute.
Detection Scanning and auto-protection
Blocking Blocks persistent Internet ads and pop-ups
Quarantine Quarantines malicious code and deletes cookies and registries
Personal Firewall No
Cookies, Adware, Pop-upsDetects cookies and adwareDetects all, customizable

Costly too
"We lost a lot of man-hours fixing infected machines," says Carol Myrick, CISSP, office of enterprise security for the Michigan Department of Information Technology. You may stop 95 percent of attacks, and even if only 5 percent get through, it's too much, she says. When spyware severely infected a machine, it would frequently require doing a clean install to get the PC in working order, she adds.

Gartner estimates that 20 percent to 40 percent of the calls that enterprise help desks receive relate to problems caused by spyware or its close cousin, adware. Fixing problems caused by spyware can tax IT's already limited budget: According to analysts employed by Burton Group, it costs an average of $290 per PC per year to recover from problems caused by spyware.

"Our staff was spending a lot of time cleaning PCs manually, and the resources we had to make available in the way of staff" affected the IT department's ability to tackle more pressing responsibilities, says Jason Malloney, network administrator at AMTROL, a maker of heating and drinking water systems.

Malloney estimates it takes about an hour to fix a PC infected with spyware.

Sunbelt Software CounterSpy Enterprise
Management Centralized
Reports/Alerts Pop-up window appears in the bottom right of Windows desktop whenever Active Protection detects a possible security violation, suspicious activity, or spyware attempting to install on computer
Scanning Scheduled and real time
Manage Definitions Automatic security updates
Removal Provides drop-lists that allow users to ignore, quarantine or remove certain spyware.
Detection Active Protection detects a possible security violation, suspicious activity, or spyware attempting to install on computer.
Blocking ThreatNet provides ongoing spyware threat information, blocking new spyware. Offers view to blocked events.
Quarantine Quarantined threats won't run on computers
Personal Firewall No
Cookies, Adware, Pop-ups Detects cookies and adwareDetects all, customizableDetects all
SurfControl Enterprise Protection Suite
Management Network
Reports/Alerts Web-based reporting, summary reports, trend reports, detailed reports
Scanning Real time and scheduled
Manage Definitions LiveUpdate provides an update for antivirus, firewall and intrusion prevention.
Removal Removes malicious applications.
Detection WriteWatch stops malicious files as they enter network .exeWatch stops malicious applications from executing and FileWatch scans network and removes malicious files regularly.
Blocking Layered blocking stops sites such as spyware hosts, suspicious e-mails, P2P file sharing.
Quarantine Quarantines backchannel communications based on the port
Personal Firewall No
Cookies, Adware, Pop-ups Detects cookies and adwareDetects all, customizableDetects allDetects all
Symantec Symantec Client Security
Management Centralized
Reports/Alerts Alerts and logging
Scanning Real time
Manage Definitions LiveUpdate provides an update for antivirus, firewall and intrusion prevention.Updates to the spyware database from Tenebril's Web site. The Automatic Updates page lets admin control how often the updates occur.
Removal Automatically removes and logs all components of spyware.
Detection Includes Auto-Protect detection detects spyware and grayware installed by GAIN and Kazaa
Blocking Generic exploit blocker stops current spyware before definition is created.
Quarantine Quarantines all malicious if system set for it
Personal Firewall Yes
Cookies, Adware, Pop-ups Blocks cookies and pop-ups
Tenebril SpyCatcher Enterprise
Management Centralized
Reports/Alerts Reports and alerts provide executivelevel summaries, detailed reporting, and alerts regarding suspicious applications and files. Administrators view which computers may have been infected in an outbreak.
Scanning Real time
Manage Definitions Definitions updated daily
Removal Safe Remediation automatically removes only spyware programs, keeping legitimate programs.
Detection Real-Time Detection immediately identifies emerging spyware before it can attack.
Blocking The Reinstall Shieldblocks new spyware installations and prevents evasive spyware from automatically reinstalling.
Quarantine Suspicious Application Containment immediately quarantines potential spyware and alerts administrators.
Personal Firewall No
Cookies, Adware, Pop-ups Detects all

Stealth bombers
It's no wonder, then, antispyware has suddenly become big business. Sunbelt Software, Internet Security Systems, Trend Micro, Symantec, McAfee and many other vendors market anti-spyware either as standalone products or as a component of a security suite. Microsoft also has gotten in on the action with a beta version of Windows AntiSpyware. Market researchers such as IDC forecast sales of antispyware will top $300 million by 2008, up from $160 million this year.

Anti-spyware products marketed by the top 10 vendors have similar features. Several of them feature centralized management, scanning and detecting spyware in real time, blocking programs from executing, and quarantining and eradicating it when it is found.

Helping you helps us
A complete solution also requires educated end users, security software makers say. In a recent study, Trend Micro says the majority-83 percent- of corporate computer users are familiar with the risks of spyware, but about half of them think IT should be doing a better job helping them better understand the threat. The study, based on the responses of 1,200 end users in the U.S., Germany and Japan employed in businesses ranging from one-person offices to major multinational companies. Not surprising, the study indicates the problem of spyware is escalating, especially in small and medium-sized businesses.

Spyware is most apparently a problem in the U.S., where 40 percent of respondents say they have encountered spyware at work, as compared to 14 percent in Japan and 23 percent in Germany.

Ironically, TM's study also found that most end users admitted they would be more apt to engage in risky online behavior if they could count on IT to back them up with support.

Battling the spy masters
In April, AMTROL deployed Websense's Web Security Suite, which is designed to block spyware, Web-borne viruses, and Trojans that mask key loggers and other malicious code. "It's really difficult when you're short-staffed, sitting at people's computers, removing spyware manually, when I need to be doing other things," Malloney says.

Enterprises that have deployed anti-spyware also have discovered how spyware is most likely to invade the enterprise, whether through peer-topeer file sharing services or because end users visited sites that commonly drop spyware or adware on visitors' machines.

"Our Internet policy was practically nonexistent," Malloney says. "It was loosely defined: 'Don't go to porn sites; and do your job.'"

After implementing an anti-spyware solution, the IT staff for Greth Homes was able to take a closer look into its infrastructure. The new home construction company installed Sunbelt Software's CounterSpy Enterprise software for its 50 users at the main office. CounterSpy offers a centrally managed console for managing, reporting and cleaning spyware.

"There were a couple of Web sites that consistently caused infections across the board," says Craig Stonaha, the home builder's information coordinator. Greth Homes uses CounterSpy to track sites where users are likely to encounter spyware, "before we feel the pain," Stonaha says. "We can run reports and see in a month which computers [are clean] and which users were killed by spyware."

Spy vs. spy
According to Forrester Research, businesses are shifting from single-purpose antispyware solutions to client security suites from companies such as Symantec and McAfee that consist of anti-virus and anti-spyware tools, personal firewall, intrusion prevention and other features.

Other enterprises choose to layer their protection, using products from more than one vendor. For example, Cornell University's athletic department protects its 300 machines with Computer Associates International's eTrust PestPatrol Anti-Spyware software and a freeware solution, according to Ricky Stewart, the department's computer services manager. PestPatrol offers Stewart a centralized management console to send updates through the network, so Stewart doesn't have to go physically to each workstation to eradicate spyware that manages to evade security barriers. Stewart also uses Spybot-Search & Destroy, freeware from PepiKM Software to hit spyware from another angles. He says the freeware catches some threats that PestPatrol misses.

"Spyware hasn't gone away 100 percent, but there's been a drastic turnaround in trouble calls," Stewart says.

"The bad news is that there's some other bad things coming down the pike, but we don't know it yet. I sometimes wonder who's ahead, but this week it's me," Zoo Atlanta's Vignes says.

Trend Micro Enterprise Anti-Spyware
Management Centralized
Reports/Alerts Enterprise-wide reporting
Scanning Real-time layered scanning
Manage Definitions Automatically or manually deploy threat definitions and software updates
Removal Agent-based clean-up services remove spyware on local or remote clients or servers.
Detection Scans for inbound spyware before it infiltrates desktops, as well as outbound spyware communications
Blocking Deletes tracking cookies automatically. Based on signature files using active protection.
Quarantine Doesn't quarantine files that are in use by an active process quarantines or deletes detected spyware on reboot
Personal Firewall No
Cookies, Adware, Pop-ups Detects adware and cookies
Webroot Software Spy Sweeper
Management Centralized
Reports/Alerts Reporting provides graphical executive summaries, spy reports, status updates, customizable reports and e-mail notification.
Scanning Scheduled and real time
Manage Definitions Provides real-time Internet security updates
Removal Agent-based clean-up services remove spyware on local or remote clients or servers.
Detection The Webroot Comprehensive Removal Technology disables spyware programs detected on a system PC, rendering them ineffective.
Blocking Blocks most common spyware entry points, including changes to system memory, registry entries, host files, startup processes and browser-hijackings.
Quarantine Administrators specify sweep schedules and set policies for automated quarantine.
Personal Firewall No
Cookies, Adware, Pop-ups Detects adware
Websense Websense Web Security Suite
Management Centralized
Reports/Alerts More than 80 predefined report templates. Customize and schedule reports for distribution via e-mail.
Scanning Scans and classifies more than 350 million Web sites per week for malicious activity.
Manage Definitions  
Removal Detects the presence and location of spyware, mobile malicious code, hacking tools and other security risks in the network for removal
Detection Reports on application activity, with detailed forensics to help pinpoint potential problems
Blocking Blocks spyware and keylogger backchannel communications from reaching their host server. Prevents dangerous protocol-based applications from introducing security problems.
Quarantine Real-time desktop quarantines
Personal Firewall No
Cookies, Adware, Pop-ups Detects cookies

Case Study: It's All Happening at the Zoo