Taking Aim at Spyware

By Tom Schmidt

As if today's enterprises didn't already face the complex and daily challenge of addressing spyware and adware, these programs are growing increasingly sophisticated, with some programs exhibiting traditional virus behaviors to avoid detection.
Case in point: earlier this month, a computer programmer named Mark Russinovich discovered that copy-protection software on CDs produced by Sony BMG was cloaked by a technique that involves a "rootkit," which is designed to hide and protect the software on the user's computer. The discovery prompted some security observers to label the software spyware because it also sends Sony BMG some information about what CDs are being played.
But the story doesn't end there. While the rootkit technology hid the copy protection from view, it also left a hole open that could hide other software. It didn't take long for virus writers to exploit that hole, modifying an old Trojan horse to take advantage of the powerful cloaking provided by the Sony software.
Confronted with the mounting challenges posed by spyware and adware -- including decreased productivity, increased calls to the help desk, loss of privacy, and potential legal liability -- what can enterprises do to regain control of their environment and their systems?

Espionage on a global scale
The extent of today's spyware problem can be gauged by the results of a survey conducted recently by Webroot Software. Earlier this quarter, Webroot polled professionals managing the information security compliance initiatives in various corporate organizations. Nearly all (98 percent) thought spyware was a threat to their organizations; more than two-thirds thought it was a serious threat. More than 80 percent said the worst kinds of spyware (such as keyloggers, system monitors, and Trojan horses) that can access confidential records represent an immediate threat. And the vast majority of respondents (97 percent) worry that spyware could access employee data, steal intellectual property, or access company or customer information. Despite these figures, many corporations surveyed have yet to protect their information with suitable antispyware software.
Concerns about spyware have also been heightened lately by emerging reports about a U.S. government investigation into a massive cyber espionage ring, code-named Titan Rain. It appears that, since 2003, a group of hackers in southern China has been conducting wide-ranging assaults on U.S. and other government targets to steal sensitive information. In each of the attacks, the method of stealing the confidential information was the same -- keystroke logging, which is a form of spyware.
Said a U.K. spokesman for the National Infrastructure Security Coordination Center: "We know this is affecting 50 countries -- it could be seen as an attack on the Western World."
Call it espionage on a global scale.

The importance of a common definition
To keep pace with the considerable changes in the security environment, the best antispyware approach needs to focus on clear definitions, on hands-on risk analysis of spyware and adware programs, and on helping customers understand and control what is on their systems through guidance and customizable tools.
CIOs need to make a distinction between threats such as viruses and possibly undesirable applications such as spyware and adware, which are categorized as security risks. Beyond spyware and adware, security risks also include dialer programs, remote access utilities, hacking tools, and other types of applications that may or may not be wanted on a system.
Recently, the Anti-Spyware Coalition proposed a formal definition of spyware that reads as follows:
"Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

  • Material changes that affect their user experience, privacy, or system security;
  • Use of their system resources, including what programs are installed on their computers; and/or
  • Collection, use, and distribution of their personal or other sensitive information."

The advantage of this definition is that it describes functionality, which in turn allows a particular application to be classified according to its risk profile.

Risk assessment and classification
A risk classification system enables users to make better-informed decisions about what to keep and what to remove from their computers. Using a risk calculator, this system classifies the overall impact of applications in four different categories, providing a final designation of the application as a "high," "medium," or "low" risk along with a recommendation as to how to proceed. The four categories are: performance impact, privacy impact, ease of removal, and stealth.

Performance impact
One of the more troubling aspects of spyware for IT administrators has to do with its unexpected impact on network performance. System crashes, bogged-down Internet connections, and unusual Web browser behavior all fall into the category of performance impact. Programs that score higher in this category can produce wasted hours of troubleshooting, increased calls to the IT help desk, and disruptions. A sample of application behavior considered for performance impact includes the following:

  • Does the program slow down the system or network connection?
  • Does the program impact system stability?
  • Does the program launch pop-up advertisements? If yes, how frequently?
  • Does the program serve as a means of downloading and installing other security risks (e.g., additional spyware and/or adware)?
  • Does the program replace the browser home page or alter search options/behavior?

High risk = Significant impact on system stability and/or performance

Medium risk = Frequent pop-up windows, home page replacement, redirection of Web pages and search results

Low risk = Minimal impact on system performance

Privacy impact
The privacy impact of a security risk application indicates the extent to which it captures information about users for use by a third party (i.e., the spyware or adware company). The information captured by the program ranges from basic Web browsing behavior to sensitive data such as user names and passwords. A sample of application behavior considered for privacy impact includes the following:

  • Does the program share confidential, sensitive information such as financial institution account numbers and passwords, other account numbers and passwords, credit card and Social Security identifiers, or other international equivalents?
  • Does the program share less sensitive data such as tracking of Web surfing habits?
  • Does the program present a privacy policy that is consistent with the program's behavior?

High risk = Release of confidential, sensitive information such as financial institution account numbers and passwords, other account numbers and passwords, credit card and Social Security identifiers, or other international equivalents

Medium risk = Tracking Web browsing and other similar user behavior, absence of a privacy policy (e.g., in an End User License Agreement), privacy policy inconsistent with observed behaviors

Low risk = No or minimal privacy impact

Ease of removal
Behavior for this category ranges from applications that can be easily removed using a vendor-provided uninstall program, to spyware and adware applications that embed themselves deep within the machine and are almost impossible to remove. A sample of application behavior considered for ease of removal includes the following:

  • Does the program avoid uninstall by a user, including through unsolicited re-installation and techniques to restart user-terminated processes?
  • Does the program offer a non-functional or incomplete uninstall program so that a security risk application continues to operate in spite of the user's wishes?
  • Does the program lack an uninstall feature or fail to register in the Microsoft Windows Add/Remove Programs area?

High risk = Avoidance of uninstall, non-functional or incomplete uninstall

Medium risk = Lack of uninstall or self-guided uninstall instructions

Low risk = The security risk program can be effectively removed using a standard uninstall feature so that it no longer runs on the computer and minimal or no traces remain.

Stealth
Some programs attempt to install themselves without the user noticing, and then remain hidden in order to prevent detection and removal. Stealth behavior can include a completely "silent" or unnoticeable installation or concealed operations. At the other end of the range are programs that inform a user of installation and are easily visible on the machine. A sample of application behavior considered for stealth includes the following:

  • Does the program install itself silently, with little or no indication to the user?
  • Does the program lack a user interface?
  • Does the program conceal its processes?
  • Do the program's processes hide themselves from the user using an obscure name (e.g., ~tmp001)?
  • Do the program's processes hide themselves from the user using a common name that would normally be overlooked (e.g., explorer.exe, svchost.exe)?
  • Is the user notified of the presence of the program only through a EULA? Does the EULA appear to relate to a different program?

High risk = Exhibits most or all stealth behaviors such as silent install, no user interface, and concealment of application processes

Medium risk = Exhibits some but not all stealth behaviors such as silent install, no user interface, or concealment of application processes

Low risk = Normal installation and application behaviors
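The four category ratings above can be combined into a simple risk calculator. The following is an added example, not the risk calculator described in the article; it encodes each category's questions as behaviour tags and maps them to the high/medium/low criteria listed above. Two details the article leaves open are assumptions here: "most or all" stealth behaviors is read as 4 of the 5 listed, and the overall designation is taken to be the worst of the four category ratings.

```python
RANK = {"low": 0, "medium": 1, "high": 2}

# Each tag records a "yes" answer to one of the per-category questions above;
# all behaviour lists fed to classify() in this example are constructed.
def performance_risk(b):
    if b & {"slows_system", "destabilizes_system"}:        # stability/performance hit
        return "high"
    if b & {"frequent_popups", "hijacks_browser"}:         # pop-ups, home page, search
        return "medium"
    return "low"

def privacy_risk(b):
    if "leaks_credentials" in b:                           # account numbers, passwords
        return "high"
    if b & {"tracks_browsing", "no_or_inconsistent_policy"}:
        return "medium"
    return "low"

def removal_risk(b):
    if b & {"resists_uninstall", "uninstall_incomplete"}:  # re-installs, restarts processes
        return "high"
    if "not_in_add_remove_programs" in b:
        return "medium"
    return "low"

STEALTH = {"silent_install", "no_user_interface", "hides_processes",
           "misleading_process_name", "eula_only_notice"}

def stealth_risk(b):
    hits = len(b & STEALTH)
    # Assumed threshold: "most or all" means at least 4 of the 5 behaviours
    return "high" if hits >= 4 else "medium" if hits else "low"

def classify(behaviours):
    b = set(behaviours)
    scores = {"performance": performance_risk(b), "privacy": privacy_risk(b),
              "removal": removal_risk(b), "stealth": stealth_risk(b)}
    # Assumed combination rule: the worst category sets the overall designation
    scores["overall"] = max(scores.values(), key=RANK.__getitem__)
    return scores

# Constructed samples: a noisy but removable adware bundle, and a keylogger
# that hides its process and resists removal
ADWARE = ["frequent_popups", "hijacks_browser", "tracks_browsing"]
KEYLOGGER = ["leaks_credentials", "silent_install", "no_user_interface",
             "hides_processes", "misleading_process_name", "resists_uninstall"]

if __name__ == "__main__":
    for name, tags in (("adware", ADWARE), ("keylogger", KEYLOGGER)):
        print(name, classify(tags))
```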

Conclusion
More than ever before, today's enterprises require defense in depth to tackle the problems created by unwanted spyware and adware. Also, the solutions they deploy at the client and network levels must provide real-time scanning, automatic detection and removal, and integrated tools for remediating the side effects of spyware.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
