Spyware - The Ever-Changing Threat

by FreeRider

Over the last decade, spyware has progressed from a simple application that generates pop-up ads and spam email to a full-fledged security threat.  As advertising companies like 180 Solutions and DoubleClick continue to lose money, spyware vendors are rapidly shifting to covert means of deploying their applications onto a system in order to keep the revenue flowing.  To facilitate this, spyware developers are bringing in experts to design applications that slip through network security and then subvert security measures by embedding fail-safe mechanisms in the operating system and changing the application's own properties from one installation to the next, which the security industry labels "mutating" and "hyper-mutating" spyware.  In addition, spyware vendors are using custom-coded attacks that target a specific operating system, browser, and in extreme cases, a specific corporate network.  The current methods of detecting and removing spyware are quickly proving ineffective against custom-coded and mutating spyware because the signature files used by the typical spyware removal tool cannot keep up with the changing applications.  Furthermore, once a threat has compromised a system, the spyware has the opportunity to stop any security applications running on that system.  Network security administrators need to shift their mindset on spyware from a simple nuisance to a full-blown security breach.  Layered security measures provide the best means of stopping spyware at the front end (the gateway) and detecting and removing the threats that penetrate the security perimeter.

Understanding the Threat

If you want to defeat the spyware threat, you need to understand how it works.  The first concept to understand is the deployment methodology.  Most spyware installers bundle a number of applications together, so a single installer ends up deploying adware, spyware, and/or malware.  Spyware installers commonly arrive through the following methods: opt-in installations (the advertising revenue pays for the "free software" the spyware is bundled with), drive-by installations (hidden scripts written into web pages), ActiveX installers, and browser exploits (MHTML, JavaScript, etc.).  Unlike most viruses, spyware is written by a team of engineers with financial backing, which results in spyware companies developing sophisticated applications.  Spyware applications now embed themselves into the OS to prevent uninstallation, retrieve updates from the Internet, and download new components in segments, reassembling them on the host later so that no single download looks like a complete program.  So once the spyware installer successfully deploys its payload, the system is compromised.

Threat Assessment

Rootkits are the latest buzzword in the spyware sector.  While rootkit bundling is becoming more prevalent, the existing malware threats are often overlooked.  A spyware installer can bundle a number of other applications, including keystroke loggers, phone dialers, packet sniffers, and remote control software.  More importantly, spyware is a covert threat: it does not want to be found and is designed to evade detection.

Defeating the Threat

As I stated earlier, layered security is the best method for defeating spyware.  I classify the layers into three categories: network, desktop settings, and desktop applications.

Network:  If you are running a firewall, lock down the ports and block sites known to deploy spyware.  Also, turn up your logging to monitor both inbound and outbound traffic.  The outbound logs in particular let you identify where an application on your network is sending requests on the Internet, and a host that contacts the same outside address on a fixed schedule is worth a closer look.  If you are fortunate enough to have a content filter or intrusion detection system, configure it to look for malicious scripts and executables.  There are a number of appliances on the market for locking down network traffic.
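The following is an added example, not code from the original article, of the kind of review you can run over outbound firewall logs once logging is turned up.  The log format, the addresses, and the allow list are constructed for illustration (you would adapt parse() to your own firewall's format); the two checks are the ones that matter for spyware: which internal hosts are talking to destinations you do not recognize, and which (source, destination) pairs are being contacted on a timer, which is how an application that phones home for updates behaves and a person clicking links does not.

```python
"""Pull outbound-traffic anomalies out of a firewall accept log.

Added example, not code from the original article. The log format, the
addresses and the allow list below are constructed for illustration;
point parse() at your own firewall's format before using it.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: outbound accepts from two desktops over a few minutes.
SAMPLE_LOG = """\
2006-03-01T09:00:00 ACCEPT out 10.0.0.21:1034 -> 192.0.2.10:80
2006-03-01T09:00:05 ACCEPT out 10.0.0.21:1036 -> 192.0.2.10:80
2006-03-01T09:01:12 ACCEPT out 10.0.0.33:2201 -> 203.0.113.7:8080
2006-03-01T09:02:00 ACCEPT out 10.0.0.21:1041 -> 198.51.100.5:80
2006-03-01T09:03:00 ACCEPT out 10.0.0.21:1042 -> 198.51.100.5:80
2006-03-01T09:04:00 ACCEPT out 10.0.0.21:1043 -> 198.51.100.5:80
2006-03-01T09:05:00 ACCEPT out 10.0.0.21:1044 -> 198.51.100.5:80
2006-03-01T09:05:00 ACCEPT out 10.0.0.33:2202 -> 192.0.2.10:443
2006-03-01T09:06:00 ACCEPT out 10.0.0.21:1045 -> 198.51.100.5:80
"""

KNOWN_GOOD = {"192.0.2.10"}      # hypothetical: destinations the site already trusts
EXPECTED_PORTS = {80, 443}       # what a desktop browser is expected to use

LINE_RE = re.compile(
    r"^(\S+) ACCEPT out (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse(log_text):
    """Yield (epoch seconds, src_ip, dst_ip, dst_port) for each accepted outbound line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1)).timestamp()
            yield ts, m.group(2), m.group(3), int(m.group(4))


def unknown_destinations(log_text):
    """Map each internal host to the (dst, port) pairs that are off the allow list
    or on an unexpected port. This answers 'where is it sending requests'."""
    seen = defaultdict(set)
    for _, src, dst, port in parse(log_text):
        if dst not in KNOWN_GOOD or port not in EXPECTED_PORTS:
            seen[src].add((dst, port))
    return {src: sorted(pairs) for src, pairs in seen.items()}


def beacons(log_text, min_hits=4, max_jitter=5.0):
    """Find (src, dst) pairs contacted on a near-fixed interval.

    A pair qualifies when it has at least min_hits connections and the gaps
    between them vary by at most max_jitter seconds (population standard
    deviation). Returns {(src, dst): interval_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        times[(src, dst)].append(ts)
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            found[pair] = round(mean(gaps))
    return found


if __name__ == "__main__":
    for src, pairs in unknown_destinations(SAMPLE_LOG).items():
        print(src, "->", ", ".join(f"{d}:{p}" for d, p in pairs))
    for (src, dst), every in beacons(SAMPLE_LOG).items():
        print(f"{src} contacts {dst} every {every}s")
```

On the constructed sample, 10.0.0.21 shows up twice: it contacts an address that is not on the allow list, and it does so every 60 seconds, which is the pattern to chase down on the desktop.  The jitter threshold is a tuning knob; real update timers drift by a few seconds, so do not set it to zero.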

Desktop Settings:  This is the second line of defense, and the one most people overlook.  Start by locking down the browser settings so that the common options are not left at their default, low security level.  My default IE settings for the Internet zone block Java and ActiveX, block all cookies, and prompt for downloads.  If a site I want to access requires ActiveX, JavaScript, or cookies, I add it to a separate, more permissive zone, and only after I have researched the site.
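Because those settings live in the registry, they can be audited rather than eyeballed in the Internet Options dialog.  The following is an added example, not code from the original article: it compares the current user's Internet zone against a baseline that renders the lockdown described above.  The value names (Internet Explorer's URL action codes) and the meaning of the 0/1/3 and Java values are IE's own; the baseline, the sample zone used when not on Windows, and the helper names are this example's assumptions.

```python
"""Audit Internet Explorer's Internet zone against a locked-down baseline.

Added example, not code from the original article. The registry value names
(URL action codes) and their meanings are IE's own; the baseline below is this
example's rendering of the article's settings, and the helper names are
assumptions. read_internet_zone() needs Windows; audit_zone() runs anywhere.
"""
import sys

ZONES_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = "3"  # 0 = My Computer, 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted

# URL action codes used as registry value names under the zone key.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
    "1803": "File download",
    "1A02": "Allow persistent cookies",
    "1A03": "Allow per-session cookies",
    "1C00": "Java permissions",
}

# Values for most actions: 0 = enable, 1 = prompt, 3 = disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
# 1C00 uses its own scale: 0 = disable Java, 0x10000 high safety,
# 0x20000 medium safety, 0x30000 low safety.
JAVA_DISABLED = 0

# The article's lockdown: ActiveX and Java blocked, all cookies blocked,
# scripting off, downloads prompted.
BASELINE = {
    "1001": DISABLE, "1004": DISABLE, "1200": DISABLE, "1201": DISABLE,
    "1400": DISABLE, "1803": PROMPT, "1A02": DISABLE, "1A03": DISABLE,
    "1C00": JAVA_DISABLED,
}

# Constructed sample resembling a default Internet zone, for running off Windows.
SAMPLE_ZONE = {
    "1001": ENABLE, "1004": DISABLE, "1200": ENABLE, "1201": DISABLE,
    "1400": ENABLE, "1803": ENABLE, "1A02": ENABLE, "1A03": ENABLE,
    "1C00": 0x20000,
}


def permissiveness(action, value):
    """Rank a setting so that a larger number means more permissive."""
    if action == "1C00":
        return value                      # Java: larger value = lower safety
    return {DISABLE: 0, PROMPT: 1, ENABLE: 2}.get(value, 2)  # unknown -> assume open


def audit_zone(current, baseline=BASELINE):
    """Return (action, description, current, wanted) for each setting that is
    missing or looser than the baseline. 'current' maps action code -> DWORD."""
    findings = []
    for action, wanted in baseline.items():
        have = current.get(action)
        if have is None or permissiveness(action, have) > permissiveness(action, wanted):
            findings.append((action, ACTIONS[action], have, wanted))
    return findings


def read_internet_zone():
    """Read the current user's Internet zone settings (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONES_KEY + "\\" + INTERNET_ZONE) as key:
        for action in ACTIONS:
            try:
                values[action], _ = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                pass  # value not set in HKCU; audit_zone reports it as missing
    return values


if __name__ == "__main__":
    zone = read_internet_zone() if sys.platform == "win32" else SAMPLE_ZONE
    for action, desc, have, wanted in audit_zone(zone):
        print(f"{action} {desc}: current={have} wanted={wanted}")
```

A value that is missing from HKCU is reported rather than assumed safe, because the effective setting then comes from the machine-wide defaults and should be checked there.  Sites you decide to trust belong in zone 2 (Trusted sites), not in a loosened Internet zone, which is exactly the separation the paragraph above describes.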

Desktop Applications:  I run a combination of anti-virus and anti-spyware applications.  Most anti-spyware applications are signature based, but a couple enter the realm of host-based intrusion prevention (HIPS).  These provide the best detection and removal of both known and mutating spyware because they analyze the behavior and context of an application rather than matching its bytes against a list.  Context, the manner in which the application operates (what launched it, where it runs from, what it touches), provides additional parameters for deciding whether the application is a potential threat, so you can identify it and take action even when it matches no known spyware signature.  Additionally, turn on the real-time protection options in the anti-spyware application to prevent browser hijacking, block ActiveX, lock the registry, and check memory for running applications.  Packet sniffers, network monitors, and command-line utilities such as netstat provide detailed information on the communications channels the spyware application has opened.
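The last sentence is where a desktop investigation usually starts: netstat tells you which connections are open and which process ID owns them, and tasklist tells you which image that PID is.  The following is an added example, not code from the original article, that joins the two so an unfamiliar program holding outside connections stands out.  The two text blocks are constructed to mimic the output of `netstat -ano` and `tasklist /FO CSV /NH`; the image names, addresses, and the KNOWN_TALKERS allow list are made up for the example.

```python
"""Attribute open connections on a Windows desktop to the processes that own them.

Added example, not code from the original article. The two text blocks are
constructed to mimic `netstat -ano` and `tasklist /FO CSV /NH` output; the image
names and addresses are made up, and KNOWN_TALKERS is a hypothetical allow list.
On a real host, capture the two commands' output and pass it to
remote_connections_by_process().
"""
import csv
import io
from collections import defaultdict

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       972
  TCP    10.0.0.21:1034         192.0.2.10:80          ESTABLISHED     1880
  TCP    10.0.0.21:1045         198.51.100.5:80        ESTABLISHED     2456
  TCP    10.0.0.21:1046         203.0.113.7:8080       ESTABLISHED     2456
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     2456
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
"System","4","Services","0","236 K"
"svchost.exe","972","Services","0","5,120 K"
"iexplore.exe","1880","Console","1","28,544 K"
"wintool32.exe","2456","Console","1","3,212 K"
"""

# Images you expect to talk to the Internet from a desktop (hypothetical list).
KNOWN_TALKERS = {"iexplore.exe", "firefox.exe", "outlook.exe"}

LOCAL_HOSTS = {"0.0.0.0", "127.0.0.1", "*", "[::]", "[::1]"}


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` output.
    UDP rows have no State column, so columns are taken from both ends."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        state = parts[3] if len(parts) == 5 else ""
        yield proto, local, remote, state, int(parts[-1])


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def is_local(endpoint):
    """True for loopback/wildcard endpoints that never leave the machine."""
    return endpoint.rsplit(":", 1)[0] in LOCAL_HOSTS


def remote_connections_by_process(netstat_text, tasklist_text):
    """Return {image name: sorted remote endpoints} for established TCP
    connections that leave the host. Unknown PIDs are reported as 'pid N'."""
    images = parse_tasklist(tasklist_text)
    talking = defaultdict(set)
    for proto, _, remote, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state == "ESTABLISHED" and not is_local(remote):
            talking[images.get(pid, f"pid {pid}")].add(remote)
    return {image: sorted(eps) for image, eps in talking.items()}


def unexpected_talkers(netstat_text, tasklist_text, known=KNOWN_TALKERS):
    """Restrict the above to images not on the expected list; these are the
    connections to pin down with a sniffer or to block at the firewall."""
    return {image: eps for image, eps in
            remote_connections_by_process(netstat_text, tasklist_text).items()
            if image.lower() not in known}


if __name__ == "__main__":
    for image, eps in unexpected_talkers(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(f"{image}: {', '.join(eps)}")
```

A PID that appears in netstat but not in tasklist is kept and reported as "pid N" rather than dropped; a process that hides itself from the task list is more interesting, not less, which is the rootkit case mentioned earlier.  The loopback connection owned by the same process is filtered out here but is itself a lead: spyware components frequently talk to each other over localhost.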

To reiterate, spyware is becoming an evasive threat, making the traditional means of identifying and removing it inadequate.  By following best practices for network security and layering your defenses, you can address spyware before it poses a significant threat to the integrity of your network.