About a year ago, Ben Stein, VP of IT infrastructure at online trader OptionsXpress, concluded that spyware was more than just a nuisance--it had emerged as a significant security threat.
"There was nothing huge and new; it reached a critical mass," says Stein. "These are potentially installed on machines where customer service people are logging into customer accounts using internal applications."
Spyware is an umbrella term for two primary applications: annoying but legitimate adware programs, and clearly malicious tools like keystroke loggers, backdoors and sophisticated Trojans.
"Basically, it's anything installed without the user's knowledge, anything with no known benefit to the user, just to a third party," Stein says.
The common characteristic among these programs is that they give third parties unauthorized access to a company's PCs and, by extension, its network.
Most home users would be alarmed to find a keystroke-logger like ISpyNow or a malicious Trojan like NetBus on their PC.
But the same users may be indifferent -- or even appreciative -- when adware pops up and is tailored to their interests. On a corporate network, however, no type of spyware is "benign"; they all present security and productivity problems.
That's why spyware--a longstanding issue with privacy advocates and legislators--is drawing increasing attention from security managers. Some, like Stein, are developing programs to protect their data (see "Taking Spyware Seriously").
Antispyware vendor PestPatrol says there are a half-dozen widely distributed bots with DDoS and backdoor components, and the firm has seen thousands of variants this year alone.
"The same programs are used for spam, extortion (threatening to DDoS the victim's site), sometimes to steal credit cards," says Roger Thompson, VP of development at PestPatrol. "It's people making a buck."
Many of those people are organized criminals operating abroad, typically in the former Soviet bloc and the Far East, who glean profit by stealing credit cards and PINs.
Adware, on the other hand, is completely legal and ethical, privacy issues notwithstanding. Users are generally unaware that they've agreed to install a spy on their PC. Consent is often hidden deep in copious end-user license agreements (EULAs) for programs that will supposedly automate shopping, save passwords, etc. Adware often piggybacks installations of file-sharing programs like Napster and Grokster, or with game, utility and music downloads whose providers are paid by adware networks such as DoubleClick and GAIN.
It's hard to fault users who are conditioned to breeze past EULAs for everything from a Microsoft Update to the latest first-person shooter video game.
While the biggest adware concerns are privacy issues--companies tricking users into allowing them to surreptitiously collect buying and browsing information--security managers have to be concerned that unauthorized programs have user privileges on employees' machines.
"Corporate security is based on the principle of least privilege," says Thompson. "If you don't have to disclose information, you shouldn't."
While the data that adware transmits is generally benign from a corporate perspective, there's no reason, in theory, that adware couldn't compromise more sensitive data. If a company is subject to HIPAA, for example, security managers need to know what kind of data adware is leaking.
Further, adware is often badly written code, created purely for its functionality and full of security holes. Security pros already concerned with the vulnerability of commercial and proprietary software don't want this stuff running on their machines.
Spyware isn't always passive. In fact, many of these applications actively communicate with external servers, scan host systems, call for resident resources, redirect users to unwanted Web sites and drive endless pop-up ads. The end result: frustration that leads to decreased PC usability and increased help desk calls.
"Spyware began to be more prevalent while our overall call volume stayed the same," says Nicholas Twentyfive, senior network analyst for CTG, an IT staffing and solutions company. "Over one-third of the calls to the help desk at this point are related to anomalous activity by spyware."
Even if they aren't malicious, spyware programs are often resource hogs, consuming massive amounts of CPU capacity and memory. Affected machines slow to a crawl, impacting productivity. Spyware programs can damage hard drives, destroy data and require replacement or reformatting, and they generate enormous amount of traffic that can clog networks.
"A recent deluge of network traffic caused by spyware forced a network switch to shut down, blocking Internet access through the entire company," says Annemarie Anaya, IT coordinator for PR firm Eastwick Communications.
Like spam, spyware is attracting congressional attention. The proposed SPYACT (Securely Protect Yourself Against Cyber Trespass Act) requires that consumers receive clear notice before downloading tracking software and prohibits things like keystroke logging, computer hijacking and ads that won't close. The bill includes penalties of up to $33,000 for violations affecting a single computer and up to $3 million for violations that affect multiple computers.
Legislation may force adware purveyors to come clean and may scare off casual attackers, but it won't frighten organized crime or offshore hacker groups that use and exploit spyware. If enterprises want to do something about preventing spyware infections, they'll have to do it themselves.
As with all security issues, fighting spyware needs to be a classic combination of technology, policy, process and people. Enterprise-caliber products are new to the market, and corporations are just now paying serious attention to the problem. OptionsXpress' Stein, for example, relies on a combination of user education, IDS (StillSecure's Border Guard) and Lavasoft's Ad-Aware Pro to control spyware.
Consider the available options:
Policy and education: Organizations that promote a strong security culture, with clear acceptable use policies, an aggressive user education program and, when needed, appropriate disciplinary action for noncompliance, are in better shape than most. Acceptable use policies should prohibit browsing Web sites that aren't work-related, installing unauthorized applications and, of course, opening suspicious or unsolicited e-mail attachments.
These restrictions are critical. Spyware frequently doesn't ask permission, not even deep within EULAs or in misleading pop-up downloads. "Drive-by downloads" install merely by visiting a Web site, installing an application or viewing an HTML e-mail message.
The problem is complicated by the growing number of remote users with high-speed Internet connections, wireless capability and easy remote LAN/WAN access. They use company equipment or home computers, which may not have reasonable security precautions in place, such as AV and personal firewalls.
In addition to user policies, security policies should include regular reviews of firewall policies to block unauthorized outbound traffic. Users' browser settings should be configured to restrict access to suspect sites and limit or prohibit ActiveX controls.
Antispyware technology: If you think your enterprise AV product is protecting your desktops against spyware, think again. In an Information Security lab test2, traditional AV products did a dismal job detecting spyware and popular backdoor tools. Several vendors were reluctant to even touch adware because user consent raises liability issues over treating it as malware.
This isn't the case with antispyware vendors, whose products target everything from tracking cookies to keystroke loggers. There are a number of desktop products whose colorful names leave no doubt to their purpose: Spyware Eliminator by Aluria; AntiSpy by OmiQuad; SpySubtract by Intermute; SpyRemover by Infoworks Technology Company; SpyHunter by Enigma Software Group; and BPS Spyware Remover by Bullet Proof Soft. Patrick Kolla's Spybot-Search & Destroy is a popular freeware tool.
But, even these specialized products have only partial success. Some spyware is notoriously difficult to remove. For example, they'll install multiple copies or even reinstall deleted files. Your best strategy is to install multiple security products to create a layered defense.
These solutions are designed for home users or individual corporate desktops. And, like early desktop AV, they lack the enterprise management tools that companies require.
Some companies are filling this gap. PestPatrol Corporate Edition and Webroot's Spy Sweeper Enterprise each feature a management console that controls installation, deployment and administration. Ad-Aware Pro also includes central management features.
McAfee and Symantec, the 800-pound gorillas in the AV market, are giving spyware serious attention. McAfee has released a stand-alone desktop product, McAfee Antispyware, and Symantec is incorporating antispyware technology into its newest release of Norton Internet Security.
In addition, the proliferation of Web-based attacks and remote users has spawned a growing market of endpoint products that check security compliance before letting remote and/or LAN-based computers on the network.
With all that can be done about spyware, it's disheartening to point out that it's yet another security issue that needs attention. Enterprises should add spyware to the list of security threats to be addressed by their endpoint security products.
"We're taking all the prudent steps we are aware of, and we're mostly able to mitigate [spyware threats] without undo impact," says OptionsXpress' Stein. "But it's just another thing to devote time, resources and people."
About the author:
David Geer is a freelance technology writer based in Ohio.