Clean up that infection


Spyware and adware seem to be plaguing our organization more every day. And as the CTO of a medium-sized financial institution, I know very well that these programs increase risk for the organization.

We have a wide variety of skillsets within the organization, and divergent levels of technical understanding. As a result, we are facing a growing trend of users who click on pop-ups offering free caramel corn or other enticing claims. We also seem to have a fair number of users who uncontrollably follow links and type in websites with little or no recognition of the pain they might be causing themselves, the IT department or the company.

Not only do these pop-ups cause huge frustration, they often cause several network problems. These include flooding the network with traffic, causing more pop-ups, and allowing for the installation of spyware and adware.

So why not simply install a pop-up blocker? Well, pop-ups are not the only culprit – spam, websites, and malicious links can all install spyware and adware without the user knowing. A pop-up blocker may help a little but, again, the problem can emerge by simply clicking on a pop-up that installs the spyware and adware. And these can include key-stroke loggers, backdoors creators, and spam propagators that steal email addresses, redirect web traffic to malicious sites and, the real kicker, download even more spyware and adware.

A well-defined process and tool set is the only way to get widespread detection and resolution in an organization. We recently evaluated and deployed a spyware and adware detection tool from PestPatrol. The tool has been very helpful in identifying infected machines and cleaning up the problem.

Now we can often detect, and sometimes prevent, the problem at inception. Some have argued that the tools are not ready for major deployment, but we believe an organization cannot afford to delay deploying, training, detecting and reducing the threat.

Starting with detection, the spyware and adware tools that we tested were deployed in a networked environment with central logging. This gave us good information as to which PCs and users were the worst offenders. Armed with this information, we began a multi-layered approach to prevent and rid the organization of the problems. This approach has included: enhancing our spam filters so that fewer offers for free caramel corn get through; enabling web filters on the firewall; and proactively blocking detected problem sites.

It also helped immensely to research and block known adware, spyware and virus sites. And, if you haven't already done so, it is crucial to demote users from the administrator role. This can keep the software from installing in the first place.

Even with our diligent clean-up effort, we are still finding some users are being re-infected. We might find ourselves working on it again two or three days later. There are several different options at this point. It is important to note that we have not yet settled on one specific approach.

One option is simply to pick a known good PC image and re-image it. While this fixes the problem, doing this will destroy any audit trail or evidence of the infection. So if you're looking to maintain evidence for future use, this might not be a good option.

Another methodology is to go through the original clean-up process a second time. This time, use a second or third tool. Sometimes, it could take several tools to find the problem and several strategies to remove it.

The next strategy we use is to take the repeat offenders and change their internet connectivity rules. While we block a large number of non-acceptable sites, the internet is still very open. For those users who keep getting into trouble, we change their access to a small restricted set of sites – mainly business-related – and any other sites desired by the user must be pre-approved. This will at least keep the PC from being re-infected while you can deal with the human and policy elements of the problem. It will also keep the PC from either stealing or re-directing traffic while the problem is researched.

Adware and spyware problems are a growing trend that will get worse according to most industry predictions. Given the risks associated with spyware and adware, it is important to have a strategy to keep your network safe.

Embracing and deploying tools that help combat the problem sooner rather than later will help minimize the risk. Such deployments will also help you begin to revisit the policy and human element questions so that you have a well-defined, documented process.

Kirk Drake is CIO at the National Institute of Health's Federal Credit Union

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.