
Spyware war may be a losing battle, experts say

By Dennis Fisher, News Director
07 Aug 2006 | SearchSecurity.com

Security Wire Daily News

LAS VEGAS -- The spyware problem has gotten so bad, experts say, that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies.

"It's not technically feasible to stop spyware. You will not be able to stop this technically. This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code, where you throw people in jail."

Sidebar: Kaminsky on Net neutrality

LAS VEGAS -- Dan Kaminsky's annual "black ops" session at Black Hat usually serves as a pulpit for new research on standard protocols, but this year Kaminsky took on the bigger topic of Net neutrality and unveiled details of an open source tool he has developed to test whether certain packets are treated differently by carriers and ISPs.

Net neutrality refers to the presumed neutrality of IP networks, which are designed to carry data from point to point regardless of what it contains. Protocols higher up the stack may inspect packets for content, but the IP layer does not.

Some carriers and ISPs, Comcast Corp. for one according to Kaminsky, may treat some traffic, such as encrypted VPN data, differently from the rest. Net neutrality would keep this from happening.

"Telcos selectively censor traffic so as to maximize revenue from those who'll pay most," Kaminsky said.  

Kaminsky's tool estimates the amount of TCP bandwidth used by a pair of nodes on the same network. It monitors dropped packets, which are a source of intelligence about how other traffic is being handled on the network, to learn what the carrier treats as interference or second-class traffic.
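The article does not describe the internals of Kaminsky's tool, so the following is an added illustration of the measurement idea rather than his code: two TCP flows between the same pair of hosts, one plain and one VPN-like, are logged segment by segment, and their loss rates are compared with a two-proportion z-test so that ordinary background loss is not reported as discrimination. The flow names, segment sizes and loss pattern are constructed for the demo; a real run would fill the log from the sender's socket statistics or a packet capture.

```python
"""Added example: differential-treatment check for two TCP flows.

Not Kaminsky's tool. The log is constructed; the z-test on loss rates is
the part a practitioner most often forgets, because a few extra drops
on one flow prove nothing on their own.
"""
import math
from collections import defaultdict


def make_sample_log():
    """Constructed log of (time_s, flow, payload_bytes, acked).

    Both flows send 40 segments of 1400 bytes at the same rate. The
    'plain' flow loses 2 segments; the 'vpn' flow loses every third one.
    """
    log = []
    for i in range(40):
        log.append((i * 0.05, "plain", 1400, i not in (7, 23)))
    for i in range(40):
        log.append((i * 0.05, "vpn", 1400, i % 3 != 0))
    return log


def flow_stats(log):
    """Per-flow segments sent, segments lost, loss rate and goodput (B/s)."""
    sent = defaultdict(int)
    lost = defaultdict(int)
    acked_bytes = defaultdict(int)
    first, last = {}, {}
    for t, flow, size, acked in log:
        sent[flow] += 1
        if acked:
            acked_bytes[flow] += size
        else:
            lost[flow] += 1
        first[flow] = min(first.get(flow, t), t)
        last[flow] = max(last.get(flow, t), t)
    stats = {}
    for flow in sent:
        duration = last[flow] - first[flow]
        goodput = acked_bytes[flow] / duration if duration > 0 else float("inf")
        stats[flow] = {"sent": sent[flow], "lost": lost[flow],
                       "loss_rate": lost[flow] / sent[flow], "goodput": goodput}
    return stats


def compare_flows(log, baseline="plain", suspect="vpn", z_threshold=2.576):
    """z-statistic for (suspect loss rate - baseline loss rate) and a verdict.

    A z_threshold of 2.576 corresponds to a two-sided p of about 0.01,
    so the verdict is only 'discriminated' when the gap is unlikely to be
    random loss. With no losses at all on either flow the z is 0.
    """
    stats = flow_stats(log)
    n1, l1 = stats[baseline]["sent"], stats[baseline]["lost"]
    n2, l2 = stats[suspect]["sent"], stats[suspect]["lost"]
    pooled = (l1 + l2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (l2 / n2 - l1 / n1) / se if se > 0 else 0.0
    return {"stats": stats, "z": z, "discriminated": z > z_threshold}


if __name__ == "__main__":
    result = compare_flows(make_sample_log())
    for flow, s in result["stats"].items():
        print(f"{flow}: lost {s['lost']}/{s['sent']}, goodput {s['goodput']:.0f} B/s")
    print(f"z = {result['z']:.2f}, second-class treatment: {result['discriminated']}")
```

The two flows must share source, destination and timing for the comparison to mean anything; any difference in path or congestion window is a confounder, which is why the constructed log sends both at the same rate.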

Net neutrality is currently being debated in Congress. Some Democrats are backing an amendment to a proposed telecommunications bill that would guarantee equal treatment of Internet traffic regardless of source or destination.  

AT&T and Verizon oppose the neutrality provisions, saying they would restrict the carriers' ability to offer services. Comcast, for example, offers a premium $95-a-month service that allows video and encrypted traffic to pass.

"This has absolutely nothing to do with video," Kaminsky said. "Your VPNs are being threatened. Tell your bosses."

--Michael S. Mimoso, Information Security magazine

In a number of recent surveys involving spyware, administrators have listed it as their top security concern. Trojans, keyloggers and other stealthy malicious programs have replaced mail-borne viruses and worms as the weapons of choice for attackers looking to plant their wares on thousands or millions of machines.

Boulder, Colo.-based antispyware vendor Webroot Software Inc. compiles quarterly statistics on the spread of spyware, and its latest figures, which are due to be published later this month, show that about 31% of PCs unknowingly harbor at least one Trojan.

The U.S. Department of Justice, Federal Trade Commission and a host of industry coalitions have made stopping spyware a top priority, but their efforts have met with limited success.

Eileen Harrington, a deputy director in the FTC's Consumer Protection Bureau, said her commission is hamstrung by statutory limitations in its efforts to stop spyware distribution. She said the FTC is working to get broader authority, especially in regard to investigations that cross international boundaries.

"It sounds lame to sit up here and say there's only so much we can do, but it's true," Harrington said. "We all know saying, 'Don't do that anymore' in a civil action isn't that effective. It's very tough under the law to get financial remedies. We're pushing for new statutory authority to help us do our job internationally."

Harrington also said a recent appeals court decision that set forth strict guidelines on how and when the FTC can force organizations to surrender ill-gotten money could seriously harm the commission's ability to win judgments against spyware distributors.

"The effect of the decision has been troubling to us because we'd have to name every single affiliate [in a spyware distribution network] and trace every dime," she said. "Needless to say, we don't necessarily agree with the court's decision."

She added, however, that the FTC does have a large settlement with a spyware distributor in the works that will require the company to pay back all of the money it made through spyware.

In the meantime, spyware distributors are becoming more creative and devious. Stealthy malware that hides its presence on machines and collects confidential data is now the norm, the panelists said.

"We're seeing a huge increase in the usage of rootkits and custom packing and encryption algorithms," said Gerhard Eschelbeck, CTO and senior vice president of engineering at Webroot.

Kaminsky suggested that a modified form of whitelisting could hold some promise for preventing spyware infections.

Implementing such an approach is a tough task, however. Defining good and bad programs through their behavior is extremely difficult, given that some legitimate applications can exhibit rootkit-like behavior on occasion, and vice versa, the panelists said.

"The challenge is how you manage your whitelist," Eschelbeck said.

Meanwhile, University of Maryland professor William Arbaugh warned attendees that "rootware," spyware that uses rootkit techniques to hide itself, is being found with increasing frequency. Spyware's evolution has been hard on security managers, who have watched it move beyond collecting surfing data for marketing purposes to dropping Trojans bearing keyloggers. These attack vectors have put sensitive personal and corporate information at risk, and the addition of stealth technology further reduces what a security manager can see.

Two prevalent examples, MiniKeylogger and Powered Keylogger, not only log keystrokes but also monitor file operations along with browser and email activity, all the while hiding their processes, directories and registry entries through the use of a driver. Two others, the MyFip and Fanbot worms, hook themselves into physical memory rather than the kernel.

"These two are nasty because they're worms; once they get in your system, they start looking for other targets," Arbaugh said. "You could end up spending a few late nights and weekends re-imaging your systems, provided of course that you have a good image to use."

Rootkit detection is not impossible, however. Integrity checking calculates a hash value for files, or for operating system components in memory, while the system is known to be clean. That database of hashes is then used as a baseline for comparison with the current state of the files or the OS; deviations could indicate tampering. The baseline is only as trustworthy as the state it was taken from and the place it is stored, since a rootkit that already controls the kernel can answer the checker's reads with clean data.

Signature-based detection searches files or memory for known rootkit code. The drawback here, as with antivirus, is that signatures must be updated frequently or the user is vulnerable to attack, and the custom packing and encryption Eschelbeck described leaves newly repacked code with no signature to match.
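To make the integrity-baseline and signature approaches of the two paragraphs above concrete, here is an added example that is not code from the panel, from Webroot or from any product. It baselines a small file tree with SHA-256, tampers with it, and then runs both a hash comparison and a byte-pattern scan over the same files. The directory layout, the file contents and the two "rootkit" signatures are all constructed for the demo and match no real malware. The caveat from the integrity paragraph applies: on a host whose kernel is already compromised, os.walk can be made to skip hidden files and open() can be made to return clean bytes, so a check like this is most trustworthy when run from outside the suspect OS against a baseline stored off-host.

```python
"""Added example: file-integrity baseline plus signature scan.

Everything below (tree, contents, signatures) is constructed for the
demo. Hashes are SHA-256; the baseline is a plain dict standing in for
a signed, off-host database.
"""
import hashlib
import os
import shutil
import tempfile

# Hypothetical byte patterns standing in for known rootkit code.
SIGNATURES = {
    "demo-rootkit-a": b"\x90\x90HIDE_PROC",
    "demo-rootkit-b": b"hook_sys_call_table",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_baseline(root):
    """Map of relative path -> SHA-256, taken while the system is known clean."""
    return {rel: sha256_file(path) for rel, path in walk_files(root)}


def check_integrity(root, baseline):
    """Compare the current tree to the baseline; every difference is a lead."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def scan_signatures(root, signatures=SIGNATURES):
    """Find known byte patterns; returns (relative path, signature name, offset)."""
    hits = []
    for rel, path in walk_files(root):
        with open(path, "rb") as f:
            data = f.read()
        for sig_name, pattern in signatures.items():
            offset = data.find(pattern)
            if offset != -1:
                hits.append((rel, sig_name, offset))
    return sorted(hits)


def demo():
    """Baseline a constructed tree, tamper with it, then run both checks."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        clean = {
            "bin/ls": b"\x7fELF clean ls",
            "bin/ps": b"\x7fELF clean ps",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Tampering: a trojaned ps, a dropped kernel module, a deleted file.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"\x7fELF" + SIGNATURES["demo-rootkit-a"] + b" ps")
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "evil.ko"), "wb") as f:
            f.write(SIGNATURES["demo-rootkit-b"] + b"\x00")
        os.remove(os.path.join(root, "etc", "hosts"))

        return check_integrity(root, baseline), scan_signatures(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report, hits = demo()
    print("integrity:", report)
    print("signatures:", hits)
```

The hash comparison catches the trojaned binary and the new module without knowing anything about the code; the signature scan names the family but only for the two patterns it has been given, which is the update problem the signature paragraph describes.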

Behavioral detection is possible, but it is not as effective because of a high rate of false positives. This method builds a state machine of the system calls a program normally makes and looks for deviations from it. Unless the system is tightly constrained, it is close to impossible to determine whether a rootkit is responsible for a deviation or whether it is due to normal system operation.
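As an added example of the behavioral method just described, and of the false-positive problem it carries, the following code is not from the panel or any vendor: it builds a model of a small daemon's normal system-call sequences as a set of allowed call trigrams (a compact form of the state machine of transitions), then scores new traces by the fraction of trigrams the model has never seen. The training traces, the rootkit-like trace and the log-rotation trace are all constructed; the call names are illustrative rather than captured from a host.

```python
"""Added example: system-call sequence anomaly detector.

The model is the set of n-grams seen in normal traces, i.e. the allowed
transitions of a state machine over system calls. Traces are constructed.
"""

N = 3  # trigrams: each entry is (previous, current, next) call


def ngrams(trace, n=N):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train(traces, n=N):
    """All n-grams observed in normal traces: the allowed transitions."""
    model = set()
    for trace in traces:
        model.update(ngrams(trace, n))
    return model


def score(model, trace, n=N):
    """Fraction of the trace's n-grams absent from the model (0.0 = normal)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in model)
    return unseen / len(grams)


def classify(anomaly_score, threshold=0.3):
    return "alert" if anomaly_score > threshold else "ok"


# Constructed training traces for a small network daemon.
NORMAL = [
    ["socket", "bind", "listen", "accept", "read", "write", "close",
     "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
    ["accept", "read", "write", "write", "close", "accept", "read", "close"],
]

# Constructed test traces.
NORMAL_TEST = ["socket", "bind", "listen", "accept", "read", "write", "close"]
# Rootkit-like: loading a module and patching memory never appear in training.
ROOTKIT = ["accept", "read", "init_module", "mmap", "mprotect", "write", "close"]
# Legitimate but unusual: the daemon rotates its log file. No rootkit, yet the
# calls are new to the model, which is exactly the false positive the text warns about.
LOG_ROTATE = ["accept", "read", "write", "rename", "open", "fchmod", "close"]


def evaluate():
    """Score the three test traces against a model trained on NORMAL."""
    model = train(NORMAL)
    tests = {"normal": NORMAL_TEST, "rootkit": ROOTKIT, "log_rotate": LOG_ROTATE}
    return {name: score(model, trace) for name, trace in tests.items()}


if __name__ == "__main__":
    for name, s in evaluate().items():
        print(f"{name:10s} anomaly={s:.2f} -> {classify(s)}")
```

Both the rootkit trace and the log-rotation trace trip the alert, which is the point: without a training set that covers every legitimate path (the "constrained system" of the paragraph above), the detector cannot tell a rootkit from a rarely exercised but normal code path, and raising the threshold to silence the rotation case also lets a short rootkit sequence through.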




Copyright 2003 - 2009, TechTarget. All Rights Reserved.