There's a massive battle for browsers going on right now. No, I'm not referring to the epic struggle for market dominance between Netscape and Microsoft way back in the mid-1990s. Today's browser battle is being fought between forces that want to have control over users' browsers: users and administrators versus spyware. If a user merely surfs to the wrong Web site, aggressive malware can install itself on the users' box, steal information and possibly give an attacker remote control of the system.
To defend against such aggressive malware, antivirus tools remain a solid solution. However, some popular antivirus tools don't look for spyware programs installed on browsers. Check your antivirus vendor's feature list to make sure it is explicitly looking for spyware. If your antivirus tool doesn't look for spyware, consider moving to another product that does. If such a change isn't possible in your organization, you should definitely consider augmenting your antivirus deployment with specific tools to defend against spyware.
Several high-quality anti-spyware programs are available on a free basis. The free SpywareBlaster program from Javacool Software provides solid proactive protection and gives good technical details on its activities. Ad-aware, freely available for non-commercial use from Lavasoft, is one of the most comprehensive and easiest to use. Be extremely careful when downloading Ad-aware; numerous other tools pretend to be Ad-aware with similar names such as Ada-Ware, Add-Aware and Adaware. Some of these posers are in fact spyware themselves, masquerading as an anti-spyware program. Get Ad-aware only from the download sites listed at www.lavasoftusa.com and nowhere else.
Beyond antivirus and anti-spyware tools, make sure you educate users in the habits of safe browsing. In your organization's awareness program include specific lessons on not altering browser security configurations and leaving its security setting to at least "Medium" and perhaps even "High". Also, tell users to always click "No" when their browser asks them "Do you want to install and run…" regardless of who the claimed author of the program is. If the dialog box lacks a "No" button, tell them to click on the X in the upper right-hand corner to get rid of it.
Finally, where possible, use an enterprise-wide approach to browser hardening. If your organization is using Internet Explorer, and you've gone through the considerable expense of deploying Active Directory, use Group Policy to tighten browser configurations throughout your organization. If you aren't using AD, you can use the Internet Explorer Administration Kit (IEAK), available from Microsoft at no extra charge, for wide-scale browser management.
About the author
Ed Skoudis is a security consultant with International Network Services, and the author of the books Malware: Fighting Malicious Code and Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses.