This article can also be found in the Premium Editorial Download "Information Security magazine: 12 security lessons for CISOs they don't teach you in security school."
I'm embarrassed to admit it, but I recently got whacked by spyware. I have no idea how it happened, but the little parasites dug deep into my Registry and eventually overran my system with pop-ups, browser redirects and God-only-knows how many bots and backdoors. It was so bad that I could barely get any work done.
It's really hard to clean your system of this junk, but now that my long spyware nightmare is over, I'm glad it happened. Well, not glad exactly, but the experience was a real eye-opener.
Being infected by spyware reinforces the merits of defense-in-depth security at a system level. Getting rid of it, and preventing it from coming back, requires multiple tools and techniques at different layers. In the end, I discovered that maintaining a spyware-free box requires a combination of rigorous OS updating, strict browser policies over active code, automated scanning and good ol' fashioned elbow grease.
The first thing I did was perform a basic system checkup: I installed missing Windows Updates, emptied my TMP folder in Safe Mode, cleaned out my cookie cache, uninstalled rogue applications in Add/Remove Programs, checked my IE settings and ran a full AV scan of my hard disk. This process itself didn't get rid of much spyware, but it ensured I was starting from a solid baseline.
Next, I ran some specialized spyware-removal tools. Unfortunately, none of these completely cleansed my system. I
Ultimately, ridding your system of spyware requires you to roll up your sleeves and dig into the Registry itself, which is like playing with fire if you don't know what you're looking for. First, I backed up the Registry by exporting the file to another directory--that way, if I inadvertently deleted an essential application or system file, I could revert to the backup.
The most important tool in my antispyware arsenal turned out to be HijackThis, a powerful little program that shows you a list of suspect system settings. The danger with HijackThis is that it doesn't discriminate "good" from "bad." Most of these settings are easy to identify as "good" by the path name; Googling those that aren't recognizable quickly tells you if it's spyware. Alternately, several Web sites (e.g., www.spywarewarrior.com) host forums where you can post your HijackThis log. Volunteers will look it over and help you identify which keys and settings to remove, and which to leave alone.
My battle with spyware taught me that, as an industry, we've got a long way to go. Conventional AV is powerless against it, and dedicated spyware-removal tools are incomplete. In a broader sense, it's a fair bet that if your Windows-based client machines are running anything earlier than XP SP2, they're bound to be infected unless you rigorously enforce basic system security policies and processes. (For a good overview within a spyware context, see www.io.com/~cwagner/spyware.)
Never again will I be so blasé about spyware. Believe me when I say this: An ounce of prevention is worth a ton of cure, so get to work now before this becomes an epidemic in your shop.
This was first published in February 2005