SAN DIEGO -- Steven Gelfound had unintentionally helped create quite the quagmire. The 35 desktops within one unit of his organization were being inundated with an unmanageable number of pop-up ads. Then employees noticed their homepages redirected to unsavory sites, indicating the browser had been hijacked. Next, the machines' host files and registries were involuntarily edited; no sooner was one version of spyware removed, then another...
hidden within systems emerged during a reboot.
Systems suddenly running tons of applications in the background slowed to a crawl. Then PCs began to crash. Within three months, each PC within the enterprise was loaded down with 200 new spyware programs -- daily.
Gelfound is IT director for the National Center for Missing & Exploited Children, the organization founded by "America's Most Wanted" host John Walsh to hunt down missing and abused children. As the nation's premiere resource center for child protection, the 21-year-old agency has handled more than 313,000 tips to help recover some 92,000 missing children. The 35-employee Exploited Child Unit in particular is charged with finding and helping prosecute child predators. Much of that research involves surfing Web sites and chat rooms focused on child pornography -- an industry well known for seeding extremely aggressive, malicious spyware that's rarely, if ever, reported to authorities by its customers.
"As you can imagine, going to these Web sites and porn chat rooms created for us a huge problem," Gelfound told an audience Thursday at the Burton Catalyst conference in San Diego. Complicating the non-profit organization's dependency on Internet research, and subsequent spyware infestations, was its close network ties to law enforcement. The center's Exploited Child Unit analysts provide information to international, federal, state and local authorities investigating child abuse, often through online channels. Some of the spyware carried Trojan-like keyloggers.
The economic toll of spyware
At the height of its massive infestation, The National Center for Missing & Exploited Children was running Windows 2003 servers and Windows XP on desktops. Antivirus software scanned e-mail servers and desktops, while multiple firewalls and an intrusion detection system monitored traffic coming into the network from various ports. However, the conventional security tools were no match for the porn industry.
So Gelfound's IT team installed pop-up blockers and antispyware freeware to help detect and delete malicious programs. But the rate of infestation remained the same.
Meantime, the lost hours from downtime or diversions were adding up. Technicians on the help desk did little but
Gelfound's IT department considered their options, particularly in light of the limited resources available to the private, non-profit organization. The center researched and tested several products, including new hardware, such as Sun Rays or Macintosh computers known to be less attractive to spyware authors. "We just couldn't afford it," the director deduced. So members investigated software that would work with the existing platform, such as Norton GoBack, the Firefox Web browser, and various antispyware and data security softwares.
The process of pest removal
In the end, the center decided on Computer Associates' eTrust PestPatrol to control the infestations. Gelfound said PestPatrol's centralized management and proactive approach were key in the decision. It also was easy to install, allowing for quick implementation and immediate results. "The first day we ran it, it found a thousand pieces of spyware across the network," he said. "The next day, hardly any spyware was found."
Gelfound had read favorable reviews of The Mozilla Foundation's Firefox, freeware built upon the Netscape browser but with enhanced security features. The team believed those tools would stop unauthorized downloads better than Internet Explorer, which had suffered from a spate of widely publicized, exploitable vulnerabilities. It installed the free browser along with Norton GoBack, software that as its name suggests is used to restore systems via incremental backups.
The results after deploying the software were phenomenal, Gelfound said. Spyware infestations dropped dramatically: from 200 incidents a day to, at most, three a week. Spyware-related help desk calls shrunk from six daily to about one a month. To date, the National Center of Missing & Exploited Children's PCs remain spyware-free.
"It enabled us to focus on what we're supposed to," Gelfound said, "which is protecting children."