This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
Download it now to read this article plus other related content.
5. Take Advantage of Network-based IPS
Many of the network-based IPSes now have signatures that can detect and block spyware.
Antispyware signatures in tools like TippingPoint's (3Com) UnityOne and McAfee's IntruShield are effective in quashing spyware. They attempt to match specific signatures associated with the spyware installation process or communication with the spyware's controller. Because of the risk of accidentally blocking network traffic with a false positive, these network-based signatures tend to be less sensitive than the detection capabilities of host-based scanners. Still, they provide network-based signatures that augment host-based scanners.
Bleeding Snort offers Snort-based malware rules for IDS/IPS tools. This list contains signatures for almost 1,000 common spyware and other malware samples. With a Snort sensor on outbound HTTP traffic, you can use Snort to identify where spyware is installed in your network.
6. Enlist Outbound Web Proxies
Many large enterprises use a proxy for their outbound Web traffic, giving them a central point for controlling, logging, analyzing and filtering employees' surfing habits. But few organizations take advantage of these capabilities.
Some organizations are using Web proxies to block or detect spyware by running a commercial AV and antispyware scanning tool against the proxy's HTTP cache. Whenever the tool discovers
Also, many spyware programs alter the browser's user-agent string, a behavior you can use to detect installations. Every Web site the infected machine visits will receive the spyware's special user-agent string instead of the browser's default value. Some spyware/adware companies do this so that any participating Web sites associated with the spyware can easily recognize infected systems, allowing the companies to get paid for driving traffic to particular sites.
Another Bleeding Snort project turns this custom user-agent field against the spyware companies by offering a list of the most common user-agent types associated with spyware and aggressive advertisers. Some organizations are using custom filters at their outbound Web proxies or custom signatures in a network-based IPS/IDS based on the Bleeding Snort Spyware User-Agents list. When malicious user-agent types are discovered, users are directed to an internal Web site with instructions on how to proceed.
A handful of organizations are taking this user-agent idea further. For outbound proxy, network-based IPSes/ IDSes can log the user-agent string. You can then use a script to maintain a list of each unique internal IP address accessing the Internet, associate them with user-agent type and monitor for changes. If a given IP changes to another user-agent type in a predefined 24-hour span, there's a significant likelihood that it has been infected. Because it doesn't rely on a prepopulated spyware list, this approach can detect unknown spyware. Spyware User-Agent Detection (SUAD), a free script released by Intelguardians, can analyze Squid proxy logs for this suspicious behavior.
7. Leverage Startup Scripts
A final spyware detection tactic involves using Windows domains to deploy a client script that scans for common spyware files, processes and registry keys during system startup and user logon.
Data, rules and signatures for such scripts are available, including the Spyware Data Website, the Spybot S&D package and the Bleeding Snort malware rule list. When the startup script locates a spyware specimen, it either alerts the user with a dialog box or notifies a security manager.
Organizations have deployed in-house scripts, essentially creating their own customized antispyware scanning capability. Such scripts are typically configured to delete the spyware automatically; some organizations prefer to notify an admin for manual inspection and removal.
No Easy Replacements
Obviously, not every organization will employ each of these tactics, but you should consider the approaches that best suit your needs and infrastructure.
These strategies work in conjunction with enterprise antispyware products. Together, they create synergistic layers of antispyware defense that will help reduce your exposures.
This was first published in June 2005