New Era of Deadly Spyware Approaches

Spyware is so prevalent that it is becoming nearly impossible to find computers that do not contain at least some intrusive code lurking on the hard drive or buried deep within the Windows Registry.

Spyware is any technology that aids in gathering information about a person or organization without that person's or organization's knowledge. On the Internet, spyware is code that runs on someone's computer to secretly gather information about the user and relay it to interested parties at a designated Web site or e-mail address.

A recent report from Earthlink and Webroot found that one out of three computers could contain spyware that secretly records and captures personal information. The same survey found more than 500,000 copies of Trojan horses and surveillance software on users’ hard drives.

Once just an annoyance, spyware now has become a major security problem for small business users and corporate IT departments. The cost of stolen personal and corporate data may soon be dwarfed by the added costs of finding malicious code, eradicating it and preventing its reintroduction.

Security experts warn that spyware is becoming so sophisticated that new strategies are needed to combat a new age of malicious lurking. One solution, say software makers, is a shift to security programs that use proactive scanning. That approach, they say, is more effective in blocking spyware than traditional reactive programs.

Spreading the News

Finjan Software has pioneered the proactive secure content management approach since the company’s founding in 1996. This method uses underlying behavior-blocking technology to defend against new, previously unknown threats rather than relying on traditional signature-based updates.

Finjan Software last month began using the Internet to combine its marketing message with a consumer-education seminar on what it calls the new era of Internet security threats. The Web broadcasts are hosted by Finjan CEO and founder Shlomo Touboul and Vice President for Product Management Itzy Sabo.

Their presentations are made to preregistered attendees who log into an audio conference room on Finjan’s Web site. The presentations provide live voice broadcast supplemented with visual displays. Audience members can ask questions using a headset or via the message screen.

A recent Web seminar addressed the newest spyware threats and how to defend against them. The seminar gave Finjan a forum to explain the severity of the spyware problem and to show how its Vital Security Suite helps address it.

New Propagation Channels

Sabo told the seminar audience recently that the newest spyware threats are spreading through three methods. The first is the most traditional and relies on the computer user taking some action that unknowingly unleashes the spyware code.

Traditional delivery methods resemble those used by viruses, he said. Spyware is delivered via Web mail and e-mail attachments, shared network folders, misconfigured firewalls and instant-messaging and peer-to-peer applications.

A second delivery method is more sophisticated and relies on social engineering tactics. These are designed to get the computer user to click on a provided link, open an attachment or install a free program.

The newest delivery method requires no interaction by the computer user except normal Web surfing. Dubbed “drive-by downloading,” spyware code is delivered to computer users’ machines when they visit an infected Web site or view pop-up ads that contain special active content coding.

According to Sabo, because so many computer programs and Web site processes rely on active content, the traditional defense of blocking all active code is no longer workable: it breaks the sites users need. Active content includes JavaScript, VBScript, ActiveX controls and Java applets.

New Era Attacks

Both Touboul and Sabo told TechNewsWorld and seminar audiences that two new threats are erasing the line between what used to be the separate activities of virus and spyware infections. Over the last two months, a new infection mechanism has appeared that combines the two into a multistage, or blended, threat.

Two specific new era threats are the Scob Trojan and the WebMoney Trojan. What makes them especially scary, said Sabo, is that their payload can be programmed to carry out any instructions. So far, the payload is delivering a keylogger program to steal bank logon information.

These two infections mark the start of a new era of spyware, Sabo said. With "drive-by" downloads and blended threats, the intensity of spyware infections is increasing rapidly.

Scob Infection

Unlike other spyware threats, Scob is a Trojan that activates before any encryption takes place, so it sees the user's data in the clear. That cripples the ability of traditional virus and spyware scanners to block it.

Scob is delivered inside active content and then downloads a keylogger, which makes it a multistage, blended attack. Once the malicious code reaches the computer through the browser (in an infected ActiveX control, according to Sabo), it contacts a second Web site to download the spyware executable.

So far, the payload is a keylogger program. But security experts are worried that the same Scob mechanism can just as easily contain even more dangerous payloads.

"The Scob payload deliverer can deliver any code to do anything without the computer user ever knowing what is happening," Sabo said.
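The delivery pattern described in the two sections above (a drive-by page carrying active content, followed by a fetch of the real payload from a different host) can be spotted in Web proxy logs without a signature for the payload. The following is an added example written for this article, not Finjan's code or a Scob sample. It assumes a constructed log format (timestamp, client address, URL, content type) in which the inspecting proxy appends an ";active=" annotation to HTML responses that contain script, object or applet tags; the sample lines are constructed as well.

```python
"""Two-stage ("drive-by page, then fetch the payload") detector over proxy logs.

Added example, not Finjan's code. Flags a client that receives a Web page
carrying active content and then, within a short window, downloads an
executable from a different host. The log format and the ";active=" annotation
are assumptions made for this example; the sample lines are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(seconds=30)
EXE_SUFFIXES = (".exe", ".dll", ".scr", ".pif")
EXE_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed sample log. 10.0.0.5 shows the multistage pattern; 10.0.0.7 is a
# plain executable download; 10.0.0.9 sees active content but fetches no payload.
SAMPLE_LOG = """\
2004-07-01T09:00:01 10.0.0.5 http://news.example.com/index.html text/html
2004-07-01T09:00:02 10.0.0.5 http://news.example.com/banner.gif image/gif
2004-07-01T09:00:03 10.0.0.5 http://ads.example.net/pop.html text/html;active=object
2004-07-01T09:00:05 10.0.0.5 http://dl.example.org/update.exe application/octet-stream
2004-07-01T09:10:00 10.0.0.7 http://intranet.example.com/tool.exe application/octet-stream
2004-07-01T09:20:00 10.0.0.9 http://shop.example.com/cart.html text/html;active=script
2004-07-01T09:20:04 10.0.0.9 http://shop.example.com/cart.html text/html
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, url, ctype = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "ctype": ctype.strip()}


def is_active_page(rec):
    """HTML response that the (assumed) inspecting proxy marked as carrying active content."""
    return rec["ctype"].startswith("text/html") and ";active=" in rec["ctype"]


def is_executable(rec):
    """Executable by declared content type or by path suffix; either is enough."""
    path = urlsplit(rec["url"]).path.lower()
    base_type = rec["ctype"].split(";", 1)[0].strip()
    return base_type in EXE_TYPES or path.endswith(EXE_SUFFIXES)


def find_two_stage(log_text, window=WINDOW):
    """Return (client, active_page_url, executable_url) triples, in log order."""
    records = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                     key=lambda r: r["ts"])
    recent_active = {}   # client -> active-page records still inside the window
    hits = []
    for rec in records:
        client = rec["client"]
        # Drop stage-1 candidates that have aged out of the window.
        recent_active[client] = [a for a in recent_active.get(client, [])
                                 if rec["ts"] - a["ts"] <= window]
        if is_active_page(rec):
            recent_active[client].append(rec)
        elif is_executable(rec):
            exe_host = urlsplit(rec["url"]).hostname
            for stage1 in recent_active[client]:
                # The pattern in the text is cross-host: the page that carried the
                # active content is not the host that serves the payload.
                if urlsplit(stage1["url"]).hostname != exe_host:
                    hits.append((client, stage1["url"], rec["url"]))
    return hits


if __name__ == "__main__":
    for client, page, exe in find_two_stage(SAMPLE_LOG):
        print(f"{client}: active content from {page} followed by {exe}")
```

The detector deliberately ignores an executable download that has no recent active-content page in front of it (the 10.0.0.7 line), since ordinary software downloads look exactly like that; the window length and the cross-host rule are the two knobs to tune against a real proxy's traffic.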

WebMoney Infection

The WebMoney Trojan hides undetected in a Windows Help (CHM) file. Like Scob, it is a multistage blended attack.

The CHM file is used to unpack the compressed spyware code, Sabo said. Once unpacked, WebMoney installs a file with a .gif extension, which is activated through a pop-up ad displayed in a browser window.

That .gif file, which carries executable content rather than an image, then runs a program whose instructions are to wait for a signal before starting the keylogging component.
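Both pieces of the WebMoney description above, a Windows Help file carrying compressed code and a ".gif" that runs as a program, defeat any gateway that decides what a file is from its extension. The following is an added example written for this article, not Finjan's code or a WebMoney sample: it identifies a file from its leading bytes (GIF, CHM and MZ/PE headers), reports extension mismatches, and applies a gateway policy. The byte strings are constructed minimal headers, and the rule that CHM files are blocked outright is a policy choice made for this example.

```python
"""Identify files by content, not by extension.

Added example, not Finjan's code. Sniffs GIF, CHM (ITSF) and MZ/PE headers,
reports when the extension disagrees with the content, and applies a simple
gateway policy. All sample byte strings are constructed minimal headers.
"""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
CHM_MAGIC = b"ITSF"            # Microsoft InfoTech Storage header used by CHM files
PE_SIGNATURE = b"PE\x00\x00"

# Extension -> content kind it is expected to carry.
EXPECTED_KIND = {"gif": "gif", "chm": "chm", "exe": "pe", "dll": "pe", "scr": "pe"}
# Policy choice for this example: CHM can carry scripts and executables, so it
# is treated as executable content whatever its name.
EXECUTABLE_KINDS = {"pe", "chm"}


def sniff(data: bytes) -> str:
    """Return 'gif', 'chm', 'pe', 'mz-only' or 'unknown' from the leading bytes."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(b"MZ"):
        # A PE image has e_lfanew at offset 0x3C pointing at the "PE\0\0" signature.
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
                return "pe"
        return "mz-only"   # DOS stub or coincidental "MZ"; reported, not acted on here
    return "unknown"


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify(filename: str, data: bytes):
    """Return (sniffed kind, verdict); verdict is 'ok', 'extension-mismatch' or 'unknown-type'."""
    kind = sniff(data)
    if kind not in EXPECTED_KIND.values():
        return kind, "unknown-type"
    if EXPECTED_KIND.get(extension(filename)) == kind:
        return kind, "ok"
    return kind, "extension-mismatch"


def policy(filename: str, data: bytes) -> str:
    """Gateway decision: block executable content and disguised files, allow the rest."""
    kind, verdict = classify(filename, data)
    if kind in EXECUTABLE_KINDS or verdict == "extension-mismatch":
        return "block"
    return "allow"


# Constructed samples: a tiny GIF, a CHM header, and a minimal MZ/PE header whose
# e_lfanew (0x40) points at the PE signature.
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;"
CHM_SAMPLE = b"ITSF" + struct.pack("<II", 3, 0x60) + b"\x00" * 24
PE_SAMPLE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in (("logo.gif", GIF_SAMPLE), ("banner.gif", PE_SAMPLE),
                       ("help.chm", CHM_SAMPLE), ("notes.txt", b"MZ is just text")):
        print(name, classify(name, blob), policy(name, blob))
```

The PE check reads e_lfanew rather than stopping at "MZ", so a text file that happens to begin with those two letters is reported as "mz-only" and left alone, while a renamed executable is blocked regardless of what the pop-up or the attachment calls it.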

That signal comes when the user visits a financial Web site that already carries infected code. Because the keylogger captures keystrokes on the user's own machine, before the browser encrypts anything for transmission, the bank's server-side security never sees the theft; the Web site's URL might also be spoofed, so the user is not actually at the Bank of America Web site, for instance.

SSL Web sites are just as vulnerable to this infection as are unsecured Web sites, Sabo said.

Proactive Versus Reactive Protection

“Traditional protection methods are reactive. What’s needed is a proactive approach,” Sabo said.

Only programs that provide adjusted policies for different corporate needs will successfully control these new, highly sophisticated spyware attacks, he said.

Finjan's suite of Vital Security solutions offers spyware controls for a variety of environments. It is a proactive, behavior-based security package that combines several controls, such as URL filtering, spam control, content filtering and SSL scanning.

It integrates all of this onto a single security platform that provides multiple lines of defense through one single management console for centralized policy setting, management and reporting.

By Jack M. Germain, TechNewsWorld