In-Depth

New Enterprise Tools Attack Spyware

Spyware is a moving target. Pushing out one level of filters just doesn’t cut it any more.

• By Mathew Schwartz
• 12/08/2004

Think your PC is watching you? You might be right. According to the fourth SpyAudit Report, released by Earthlink and Webroot Software, the average computer harbors 26 pieces of spyware.

As part of ongoing research, begun in January 2004, the companies scanned 1.4 million PCs in the third quarter of 2004 and found 28.6 million pieces of spyware—adware, adware cookies, system monitors, and Trojan code. Overall there was a slight decline from the second quarter in each type of code found.

Spyware, of course, can intercept personal and corporate information, including passwords, bank account numbers, and even keystrokes, and based on the SpyAudit results, “spyware remains a serious problem for consumers,” says David Moll, Webroot’s CEO, in a statement. “The upside is that consumer awareness of the threats posed by spyware is rising.”

As spyware awareness increases, so do realizations of its bottom-line impact. According to Forrester Research, Dell “estimates that spyware now triggers more than 20 percent of their support calls.” A Web@Work study from earlier this year says nine out of 10 IT managers at companies with over 100 employees have had spyware infect their organization’s computers; of those infected, 40 percent say spyware infestations are increasing.

Tips for Spyware Eradication

To stop spyware, Forrester Research recommends organizations take a number of approaches, including deploying anti-spyware software and hardware, and install intrusion prevention products. Forrester Research analyst David Friedlander also recommends organizations “educate their users … and enforce sensible browser security settings to help keep their PCs spyware-free.” That sensible Internet Explorer security setting is either medium or high, says the firm, since that will block automatic ActiveX installation—a favorite drive-by installation tactic of spyware sites.

When it comes to anti-spyware software, organizations have a growing number of choices. On the PC front, both Webroot Software’s Spy Sweeper Enterprise and Computer Associates’ eTrust PestPatrol Anti-Spyware offer enterprise-grade anti-spyware software for both detecting and eliminating spyware. Enterprise-grade software features a centralized management console for distributed installation and ongoing management. Giant Company Software’s AntiSpyware Enterprise Edition, due out soon, should offer similar functionality.

Other software, including Websense Enterprise, will block spyware sites, spyware installations, and the spread of malware inside an enterprise. Finally, well-regarded free software, such as PepiMK Software’s SpyBot Search and Destroy and Lavasoft’s Ad-aware will detect and remove spyware, though both lack centralized management capabilities and thus don’t allow one IT administrator to manage multiple installations.

A number of vendors offer intrusion prevention system (IPS) software that combine firewall and behavior blocking; the latter can prevent spyware. Forrester singles out Cisco Security Agent, McAfee Entercept, WholeSecurity Confidence Online, and Finjan’s SurfinShield as leaders. In addition, it notes two other interesting approaches: Sana Security (with a kernel-level defense) and Determina (with an in-memory firewall). Both seek to enforce correct application or operating system behavior, in the process isolating and disabling spyware code until security managers can eradicate it.

Appliances Combat Spyware

On the appliance front, TippingPoint Technologies announced its UnityOne Intrusion Prevention Systems now have anti-spyware filters to block installation and propagation of many types of spyware. “By blocking spyware at the network level, organizations gain the efficiency of one centralized solution that can protect desktops, increase uptime, optimize bandwidth and productivity, and proactively block spyware threats,” says TippingPoint’s chief technology officer, Marc Willebeek-LeMair, in a statement.

TippingPoint says it’s currently blocking the top eight pieces of spyware, per Webroot’s research. In order of most prevalent threats, here’s Webroot’s top-eight list: Gator (a.k.a. GAIN, Claria), Hotbar, Ezula, Cydoor, SaveNow, CoolWebSearch, Altnet, and BargainBuddy.

Webroot classes all of the current top threats as adware, reflecting the often-varied functionality of so-called spyware. “Some of these applications, like Gator or Cydoor, have the ability to not only upload information but also download information as well—updates, ads, it really depends upon the application itself,” says David Endler, TippingPoint’s director of Digital Vaccine. To learn how to block that behavior, “we actually put it on a PC and monitor what it does, and write filters for as many of them as possible.”

The UnityOne anti-spyware functionality appears following customer requests for a way to slow the spread of spyware. “Our customers have been feeling the pain. It’s really transitioned from a nuisance to something they have to throw money at, because it takes away time from the IT staff’s day to have to respond to all the spyware their user base calls in with,” says Endler. A special difficulty with spyware, he notes, is tracing apparent PC problems back to it. End users might see “sluggish or slow-responding systems,” or “when they open their browser it could be five or six pop up ads,” which doesn’t automatically present as a spyware problem. In short, tracing the source of the problem adds to the IT and help desk workload.

The UnityOne anti-spyware update is free and will automatically install as part of the Digital Vaccine service. Expect frequent updates. “Spyware is definitely a moving target. Just pushing out one level of filters just doesn’t cut it. You have to maintain and actually research many of these spyware applications and their variants, because they change,” says Endler.

While the UnityOne filters automatically install, IT managers can also disable them—say, if their security policy doesn’t allow for blocking certain types of traffic. “In general most people would probably not want to add any exemptions, but they’re absolutely configurable per filter, per application, and you can create exceptions per IP address,” he says.

Related Articles

CA Jumps into Anti-Spyware Market
http://www.esj.com/security/article.aspx?EditorialsID=1094

Q&A: Eradicating Spyware in the Enterprise
http://www.esj.com/security/article.asp?EditorialsID=1050

Earthlink Sees Spyware Infestations Increase
http://info.101com.com/default.asp?id=8139