Spyware - The Ever Changing Threat
Over the last decade, spyware has progressed from simple applications that generate pop-up ads and spam e-mail into a full-fledged security threat. As advertising companies such as 180 Solutions and DoubleClick lose revenue, spyware vendors are shifting to covert means of deploying their applications onto a system so that the revenue keeps flowing. To that end, spyware developers are bringing in experts to design applications that slip through network defenses and then subvert host security by embedding fail-safe (self-repairing) mechanisms in the operating system and changing their own file names and other identifying properties with each install, behavior the security industry has labeled "mutating" and "hyper-mutating" spyware. Spyware vendors are also using custom-coded attacks designed to target a specific operating system or browser and, in extreme cases, a specific corporate network.

The current methods of detecting and removing spyware are quickly proving ineffective against custom-coded and mutating spyware, because the signature files used by the typical spyware removal tool cannot keep up with applications that change faster than signatures are published. Furthermore, once a threat has compromised a system it runs with the privileges of the user who installed it, which on most desktops means administrator, so it can stop any security applications in use on that system. Network security administrators need to stop treating spyware as a simple nuisance and start treating it as a full-blown security breach. Layered security provides the best means of stopping spyware at the front end (the gateway) and of detecting and removing the threats that penetrate the perimeter.
Understanding the Threat
Rootkits are the latest buzzword in the spyware sector. While bundling a rootkit with spyware to hide its files and processes from the operating system, and therefore from the security tools running on it, is becoming more prevalent, the existing malware payloads are often overlooked. A spyware package can bundle any number of components, including keystroke loggers, phone dialers, packet sniffers, and remote control software. More importantly, spyware is a covert threat: it does not want to be found, so it is designed to evade detection, and a removal tool that relies on the operating system's own file and process listings cannot see what a rootkit hides.
Defeating the Threat
As I stated earlier, layered security is the best method for defeating spyware, which I classify into the following categories: network, desktop settings, and desktop applications.
Network: If you are running a firewall, lock down the ports (allow outbound only the services your users actually need) and block sites known to deploy spyware. Also turn up your logging to monitor both inbound and outbound traffic; outbound is the side that matters for spyware, because it shows which internal host an application is sending requests from and where on the Internet it is sending them. Bear in mind that most spyware reports home over port 80 or 443 so that it looks like ordinary web browsing, so the destination address and the regularity of the connections tell you more than the port does. If you are fortunate enough to use a content filter or intrusion detection application, set it to search for malicious scripts and applications. There are a number of appliances on the market to lock down network traffic.
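The outbound-log review described above, as an added example that is not part of the original article: a small Python script that parses firewall egress records, flags connections to a blocklist or to ports a workstation has no business using, and, because spyware often hides on port 80, also looks for hosts that contact the same destination at fixed intervals (beaconing). The log format, the addresses and the blocklist are constructed for illustration; adapt the regular expression to your firewall's actual export format.

```python
"""Flag suspicious outbound connections in firewall egress logs.

Added example, not code from the original article. The log format,
addresses and blocklist below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: timestamp action src dst dport proto
SAMPLE_LOG = """\
2006-03-01T09:00:00 ALLOW 10.1.1.25 198.51.100.7 80 TCP
2006-03-01T09:05:00 ALLOW 10.1.1.25 198.51.100.7 80 TCP
2006-03-01T09:10:00 ALLOW 10.1.1.25 198.51.100.7 80 TCP
2006-03-01T09:15:00 ALLOW 10.1.1.25 198.51.100.7 80 TCP
2006-03-01T09:03:12 ALLOW 10.1.1.40 203.0.113.9 443 TCP
2006-03-01T09:07:44 ALLOW 10.1.1.40 192.0.2.200 6667 TCP
2006-03-01T09:12:01 DENY 10.1.1.12 203.0.113.55 31337 UDP
"""

# Constructed blocklist of destinations "known to deploy spyware".
BLOCKLIST = {"192.0.2.200", "203.0.113.55"}
# Ports an ordinary workstation is expected to use; anything else gets a look.
EXPECTED_PORTS = {53, 80, 443}

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<proto>TCP|UDP)"
)


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_beacons(events, min_hits=4, jitter_seconds=30):
    """Return (src, dst, period) for host pairs that connect at regular intervals.

    A periodic connection on an allowed port (80/443) is the classic
    phone-home pattern that port filtering alone never catches.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "ALLOW":
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append((src, dst, sum(gaps) / len(gaps)))
    return beacons


def find_anomalies(events, blocklist=BLOCKLIST, expected_ports=EXPECTED_PORTS):
    """Return (reason, src, dst, dport) findings for the analyst to review."""
    findings = []
    for e in events:
        if e["dst"] in blocklist:
            # Report DENY hits too: the host tried, so it is probably infected.
            findings.append(("blocklisted destination", e["src"], e["dst"], e["dport"]))
        elif e["action"] == "ALLOW" and e["dport"] not in expected_ports:
            findings.append(("unexpected port", e["src"], e["dst"], e["dport"]))
    for src, dst, period in find_beacons(events):
        findings.append(("beacon every %ds" % period, src, dst, None))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the script reports the two hosts talking to blocklisted addresses and, separately, 10.1.1.25 contacting 198.51.100.7 every five minutes over port 80, which no port rule would have stopped. In practice, tune `EXPECTED_PORTS` to your environment and feed the beacon detector a full day of logs so that short-lived legitimate sessions do not trip it.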
Desktop Applications: I run a combination of anti-virus and anti-spyware applications. Most anti-spyware applications are signature based. However, a few of them enter the realm of host-based intrusion prevention systems (HIPS). These provide the best detection and removal of both known and mutating spyware by analyzing the behavior and context of an application. Context, the manner in which the application operates (where its executable lives, what it writes to the registry, which processes or services it touches, where it connects), supplies additional parameters for deciding whether the application is a potential threat. This lets you identify such threats and take action against them even when they do not match a known spyware signature. Additionally, turn on the real-time protection options in the anti-spyware application to prevent browser hijacking, block ActiveX, lock the autorun registry keys, and check memory for running applications. Packet sniffers, network monitors, and command-line utilities such as netstat provide detailed information on the communications channels opened by a spyware application, including which process owns each connection.
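The behavior-and-context scoring described above, as an added example that is not code from the original article or from any HIPS product: a small Python rule engine that judges a process by the combination of what it does rather than by its hash. A signature check catches the first spyware sample but misses a "mutated" copy with a new name and hash; the behavior rules catch both and leave the legitimate installer alone. The process profiles, paths, service names, hashes and rule weights are all constructed for illustration; a real HIPS observes these actions through kernel or API hooks as they happen.

```python
"""HIPS-style behaviour/context scoring versus signature matching.

Added example, not code from the original article or any product. All
profiles, paths, service names, hashes and weights are constructed.
"""
from dataclasses import dataclass

# Constructed "signature database" as a signature-only tool would hold it.
KNOWN_BAD_HASHES = {"a1b2c3d4e5f6"}
# Constructed names of security components a dropper typically kills.
SECURITY_SERVICES = {"avguard", "wscsvc", "antispy"}
# Locations an ordinary user can write to; code running from here is suspect.
USER_WRITABLE = ("c:\\temp\\", "c:\\documents and settings\\", "c:\\windows\\temp\\")
WEB_PORTS = {80, 443}
BLOCK_THRESHOLD = 6


@dataclass
class ProcessProfile:
    name: str
    image: str      # full path of the executable
    sha1: str       # constructed, only used by the signature check
    signed: bool
    actions: list   # (action, detail) tuples observed at run time


# Each rule looks at the whole profile (context), not one action in isolation.
def rule_persistence(p):
    autorun = any(a == "reg_write" and "\\run\\" in d.lower() for a, d in p.actions)
    if not autorun:
        return 0, None
    # An installer under Program Files adding a Run key is routine; a binary
    # in a temp or profile directory doing the same is not.
    if p.image.lower().startswith(USER_WRITABLE):
        return 3, "autorun key written by binary in user-writable path"
    return 1, "autorun key written"


def rule_security_tamper(p):
    for a, d in p.actions:
        if a in ("service_stop", "process_kill") and d.lower() in SECURITY_SERVICES:
            return 4, "stopped security component " + d
        if a == "file_write" and d.lower().endswith("\\drivers\\etc\\hosts"):
            return 3, "modified hosts file"
    return 0, None


def rule_browser_hook(p):
    for a, d in p.actions:
        if a == "reg_write" and "browser helper objects" in d.lower():
            return 3, "registered a Browser Helper Object"
        if a == "inject" and d.lower() in ("iexplore.exe", "firefox.exe"):
            return 3, "injected code into " + d
    return 0, None


def rule_network(p):
    for a, d in p.actions:
        if a == "connect":
            host, port = d.rsplit(":", 1)
            if int(port) not in WEB_PORTS:
                return 2, "outbound connection to " + d
            if not p.signed and p.image.lower().startswith(USER_WRITABLE):
                return 2, "unsigned temp-path binary phoning home to " + host
    return 0, None


RULES = [rule_persistence, rule_security_tamper, rule_browser_hook, rule_network]


def signature_verdict(p):
    return "block" if p.sha1 in KNOWN_BAD_HASHES else "allow"


def behaviour_verdict(p):
    """Return (verdict, score, reasons) from the combined behaviour rules."""
    score, reasons = 0, []
    for rule in RULES:
        pts, why = rule(p)
        if pts:
            score += pts
            reasons.append(why)
    return ("block" if score >= BLOCK_THRESHOLD else "allow"), score, reasons


# Constructed profiles: a legitimate installer and two copies of one spyware
# dropper that differ only in name, path and hash (a "mutated" sample).
INSTALLER = ProcessProfile(
    "setup.exe", r"C:\Program Files\Acme\setup.exe", "0123456789ab", True,
    [("reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Acme"),
     ("connect", "update.example.com:443")])
SPYWARE_ACTIONS = [
    ("reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sys"),
    ("service_stop", "avguard"),
    ("reg_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0000}"),
    ("connect", "192.0.2.200:6667"),
]
SPYWARE_A = ProcessProfile("svchosts.exe", r"C:\Temp\svchosts.exe", "a1b2c3d4e5f6", False, SPYWARE_ACTIONS)
SPYWARE_B = ProcessProfile("wmiprv.exe", r"C:\Windows\Temp\wmiprv.exe", "f6e5d4c3b2a1", False, SPYWARE_ACTIONS)

if __name__ == "__main__":
    for p in (INSTALLER, SPYWARE_A, SPYWARE_B):
        print(p.name, "signature:", signature_verdict(p), "behaviour:", behaviour_verdict(p))
```

The point of the two spyware profiles is that the signature check blocks only the copy whose hash is on file, while the behavior score is identical for both because the actions are what matter. The weights are deliberately crude; what a practitioner should take from the structure is that a single Run-key write scores low and becomes damning only in combination with a user-writable image path, a killed security service and an unexpected outbound port.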
To reiterate, spyware is becoming an evasive threat, thereby making traditional means of identifying and removing it inadequate. By utilizing best practices for your network security and incorporating layered security measures, you will be able to address the spyware issue before it poses a significant threat to your network integrity.