Case study: Hardcore spyware among the 'missing'

By Anne Saita, News Director 15 Jul 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

SAN DIEGO -- Steven Gelfound had unintentionally helped create quite the quagmire. The 35 desktops within one unit of his organization were being inundated with an unmanageable number of pop-up ads. Then employees noticed their homepages redirected to unsavory sites, indicating the browser had been hijacked. Next, the machines' host files and registries were involuntarily edited; no sooner was one version of spyware removed, then another hidden within systems emerged during a reboot.

Systems suddenly running tons of applications in the background slowed to a crawl. Then PCs began to crash. Within three months, each PC within the enterprise was loaded down with 200 new spyware programs -- daily.

The cause of the escalation was already well known at the office. In fact, it was core to the business. Employees devoted most of their work days to checking out child porn.

Gelfound is IT director for the National Center for Missing & Exploited Children, the organization founded by "America's Most Wanted" host John Walsh to hunt down missing and abused children. As the nation's premiere resource center for child protection, the 21-year-old agency has handled more than 313,000 tips to help recover some 92,000 missing children. The 35-employee Exploited Child Unit in particular is charged with finding and helping prosecute child predators. Much of that research involves surfing Web sites and chat rooms focused on child pornography -- an industry well known for seeding extremely aggressive, malicious spyware that's rarely, if ever, reported to authorities by its customers.

"As you can imagine, going to these Web sites and porn chat rooms created for us a huge problem," Gelfound told an audience Thursday at the Burton Catalyst conference in San Diego. Complicating the non-profit organization's dependency on Internet research, and subsequent spyware infestations, was its close network ties to law enforcement. The center's Exploited Child Unit analysts provide information to international, federal, state and local authorities investigating child abuse, often through online channels. Some of the spyware carried Trojan-like keyloggers.

Recent spyware coverage Is Firefox spyware's next target? SearchSecurity's Security School spyware removal checklist Series: Spyware Black & White

"We were really astonished to find keystroke loggers coming in through spyware, and not worms and viruses as we'd always thought," said Gelfound. Such spyware, he added, was "in images and everyday downloads and instant messaging sessions. You could not get on the Internet without running into instances of spyware."

The economic toll of spyware
At the height of its massive infestation, The National Center for Missing & Exploited Children was running Windows 2003 servers and Windows XP on desktops. Antivirus software scanned e-mail servers and desktops, while multiple firewalls and an intrusion detection system monitored traffic coming into the network from various ports. However, the conventional security tools were no match for the porn industry.

So Gelfound's IT team installed pop-up blockers and antispyware freeware to help detect and delete malicious programs. But the rate of infestation remained the same.

Meantime, the lost hours from downtime or diversions were adding up. Technicians on the help desk did little but

Security Seven Awards TechTarget's Information Security magazine, SearchSecurity.com and Information Security Decisions have created the Security Seven Awards to recognize the achievements of leading information security practitioners in seven vertical industries. Winners will be chosen from the financial services, telecommunications, manufacturing, energy, government, education and health care industries. To nominate an individual for the Security Seven Awards, please complete the form and return it to securityseven@infosecuritymag.com by Aug. 1, 2005.

field calls from exasperated Exploited Child Unit employees, devoting up to five hours daily solely on spyware remediation, which essentially meant cleaning out registries and then rebuilding machines. This left little time to resolve help desk tickets from other employees, further paralyzing productivity. Business-critical issues were being pushed aside. At the same time, Exploited Child Unit analysts were unable to do their work as well, frustrating a workforce with a passion for helping exploited children and hunting down their captors.

Gelfound's IT department considered their options, particularly in light of the limited resources available to the private, non-profit organization. The center researched and tested several products, including new hardware, such as Sun Rays or Macintosh computers known to be less attractive to spyware authors. "We just couldn't afford it," the director deduced. So members investigated software that would work with the existing platform, such as Norton GoBack, the Firefox Web browser, and various antispyware and data security softwares.

The process of pest removal
In the end, the center decided on Computer Associates' eTrust PestPatrol to control the infestations. Gelfound said PestPatrol's centralized management and proactive approach were key in the decision. It also was easy to install, allowing for quick implementation and immediate results. "The first day we ran it, it found a thousand pieces of spyware across the network," he said. "The next day, hardly any spyware was found."

Gelfound had read favorable reviews of The Mozilla Foundation's Firefox, freeware built upon the Netscape browser but with enhanced security features. The team believed those tools would stop unauthorized downloads better than Internet Explorer, which had suffered from a spate of widely publicized, exploitable vulnerabilities. It installed the free browser along with Norton GoBack, software that as its name suggests is used to restore systems via incremental backups.

The results after deploying the software were phenomenal, Gelfound said. Spyware infestations dropped dramatically: from 200 incidents a day to, at most, three a week. Spyware-related help desk calls shrunk from six daily to about one a month. To date, the National Center of Missing & Exploited Children's PCs remain spyware-free.

"It enabled us to focus on what we're supposed to," Gelfound said, "which is protecting children."

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary