If you use the latest antivirus packages and run a firewall, you don’t have to worry about spyware intrusion, right? Wrong, say leading security experts.
It is just this type of thinking that is allowing spyware intrusions to overtake computers in both the home and the workplace. Spyware is quickly becoming the second most troublesome computer malady after virus infections.
Spyware can track Web surfing habits and send the results to purveyors of junk mail. It can scan hard drives for sensitive files and send them to a central location run by hackers. Spyware can slow down a computer so much that it renders the machine next to useless.
Separate spyware software offers protections antivirus programs typically don’t handle. Antivirus software and Internet firewalls cannot see spyware. So unless individual computer users and IT departments follow regular search and destroy procedures, their computers will be little more than zombie machines that readily expose sensitive information and make ID theft very easy.
Office Computers No Exception
IT security experts warn that employee Web surfing is a leading cause of the proliferation of spyware on corporate networks. The National Cyber Security Alliance says that nearly nine out of every 10 personal computers at home contains spyware. Those same surfing practices by workers on the job are now starting to give IT managers security headaches.
Spyware is quickly becoming a top security problem for IT network managers. Employees can unwittingly download malicious spyware by surfing the Web. Security experts call it fly-by spyware.
Surfers — whether at home or at work — visit a Web site, stay long enough to read the contents of a page or click on a graphic to view an enlarged image, while unrequested code stealthily slithers onto the hard drive. Spyware is often hidden in image files or piggy backed while downloading free screensavers or other small programs.
With this problem of spyware continuing with alarming growth, companies both big and small are starting to reduce their spyware risk by turning to solutions that help them to monitor employees’ web activities. These solutions provide access control tools that block hackers and prevent the loss of corporate data.
Wavecrest Computing offers one such innovative approach. Wavecrest’s Cyfin Internet monitoring and CyBlock filtering products can help control spyware in two important ways. First, an outbound filtering product allows organizations to prevent employees from accessing high-risk Web sites like those with free games, screensavers, etc. Second, a reporting tool allows managers to spot spyware activity on their networks.
For example, the product recognizes a high volume of outbound Web traffic from a worker’s computer to a single IP address. This is usually an indicator of spyware. Monitoring software is the only way to detect that kind of spike in outbound traffic and identify the source so the problem can be resolved quickly, WaveCrest Computing’s Vice President of business development Dennis W. McCabe said.
New Spyware Trends
Joshua Blanchfield sees several alarming trends developing with new spyware threats. Blanchfield, CEO of Tenebril.com and maker of the revamped SpyChaser 3.0, said finding and ridding spyware from computers now requires highly specialized solutions. Thus, his company has rebuilt the latest version of SpyChaser to meet these new threats head on.
One of the trends his product targets is the ability of the malicious code to keep reinstalling itself. That characteristic of spyware is what makes it so difficult to excise once it infects a machine. Antispyware applications can find instances of the intrusion and remove it. But these existing antispyware products can’t prevent Windows registry entries from reactivating hidden spyware code on subsequent reboots.
“Spyware writers are getting more sophisticated. The writers are working as part of coding groups in cooperation with Trojan writers,” Blanchfield told the E-Commerce Times “These spyware creations can now achieve piggy-back loading of other programs and open back door ports for hackers,” he said.
Blanchfield said another alarming trend is that the spyware applications won’t let antispyware programs uninstall the infecting malicious code. The spyware is able to load into memory early in the boot process so it is already resident before the Windows operating system gains control of it. When antispyware solutions attempt to remove the program, Windows blocks it to protect the integrity of a running program it doesn’t control.
Detection, Removal Different
While spyware may seem similar to viruses and worms, it is much different. Spyware tends to propagate differently and is generally more resistant to quick and easy removal than most viruses. That is why the best solutions aren’t found, at least not yet, in antivirus packages, even if they include basic spyware-blocking features.
“Antivirus programs are quite different from antispyware programs,” Wavecrest Computing’s McCabe told the E-Commerce Times. “Antivirus programs are designed to monitor and prevent potentially harmful files from entering a network from the outside, typically via an e-mail attachment,” he said.
The challenge with spyware, he said, is that it appears to be standard Web traffic, making it very difficult to detect. He offered as an example the fact that malicious spyware code can be hidden in an image on a Web site or in a pop-up ad that an employee clicks while surfing the Web.
The computer security industry is still playing catch up. Antivirus, firewall and browser technology all pre-date the “spyware era” by a number of years. Consequently, they were not designed with the spyware protection as a requirement, McCabe said.
It is the difference in their design structures that create the need for two separate products rather than a bundled software protection solution. Firewalls are configured to allow all Internet traffic to flow in and out of an organization’s network through a particular port. Antivirus software, on the other hand, is designed to scan and block files that might contain viruses but do not directly run in the browser.
“Spyware is taking advantage of security holes in the browser and browser plug-ins like Active X,” McCabe said.
Firewalls are ineffective in blocking spyware. Most spyware programs piggyback on legitimate applications, David Moll, CEO of Webroot, which makes privacy, protection and performance solutions for Internet users, said. Thus, they are able to easily evade standard firewall detection methods. This method allows them to access the Internet freely (typically using port 80) and appear as though they are just typical Internet traffic.
Freebies No Sure Thing
Why buy a program when several free spyware detection and removal products are topping the market in user popularity? The old adage of getting what you pay for may speak volumes in answering such a question, Webroot’s Moll suggested. “How long does free work? We are pretty cheap insurance,” he said.
“Why not just drink tap water instead of cola? It’s free, too,” quipped Edward English, CEO of InterMute, which develops leading Internet protection and content filtering solutions such as SpySubtract and AdSubtract. “Users that want a reliable, robust defense against spyware will choose a commercial, supported software defense. The ‘Free’ card gets users to download software, but with spyware removal, it’s a tricky business,” he said.
English said he has seen freeware programs flag Microsoft programs as spyware and delete them from a PC, rendering the computer or browser useless. He said many InterMute customers had bad experiences from other overly aggressive spyware removal programs.
“Companies that depend on their mission-critical PCs will not want to risk the integrity of their PC security to freeware,” he said.