For technical consultant Donal Casey, the following scenario is becoming ever more familiar. Two companies, one in insurance and one a legal firm, contact his firm, Diagonal Security, with similar symptoms. Both have noticed strange traffic on their networks, both have reported that home pages of users had changed and could not be changed back. Pop-ups were even more annoying and aggressive than usual.
One company believed that a virus had gotten on to the network and began an investigation and thorough scan of the network and computers to find out what virus was present and try to eradicate it. The team there drew a blank.
The other company knew exactly what the problem was and called in Casey. Spyware had drilled its way into their infrastructure and was making users' lives a misery, with slowed-down computers and erratic behavior. The IT department was naturally worried about what this malware had done, and whether important data had been lost. These problems often become serious because many users often don't know what spyware is or even that it exists, but a lot will know its effects. Spyware costs businesses a lot of money, not just in lost bandwidth, but in lost productivity.
According to figures from anti-spyware company Webroot, the average computer has 25 pieces of spyware installed on the hard drive. Webroot puts the cost of removing spyware from the desktops of a 1,000-user organization at around $160,000 a year.
Computer manufacturer Dell attributes 12 percent of support requests made to it to malware and, in a recent survey by TechRepublic on its news website, nearly eight in ten respondents ranked spyware among the top three IT priorities for this year. This does not begin to include the cost of possible intellectual property loss or rogue dialers making calls to premium-rate numbers through modems.
So why is spyware causing so much trouble, and what can be done about it? Money is at the heart of this growing threat. Research by Webroot in May put a figure of $2 billion on the amount earned by the spyware "industry."
"Unlike virus creators, who focus on gaining personal notoriety, spyware creators are motivated by profit," says Boris Yanovsky, vice-president of security services at SonicWall.
"This is why spyware is more intrusive and pervasive than viruses, harder to detect and harder to remove."
But the situation in spyware is much more complicated than in virus propagation. Virus writers are criminal regardless of the motivation, whether profit or fun. Spyware is different, because some firms involved in what we perceive as nuisance or malicious software regard themselves as legitimate businesses.
"Spyware does not have the simple binary good/bad nature of anti-virus," says Roger Thompson, director of malicious content research at Computer Associates. "There is a spectrum, with criminals at one end and innocent websites at the other. The lines of demarcation are getting fuzzier between ad-herders [so-called legitimate operators] and bot-herders [criminal]." Thompson says it is getting more difficult to tell the legitimate operators from the criminals.
These "legitimate" businesses can have very dubious practices – surfing to a particular website can pop up a window enticing a user to download a free program that is hard to close unless you click on the OK button. Unknown to the user, when they click on the license agreement they agree to let the program spy on their surfing habits, among other things. They can also try to stop the user uninstalling the software. Most people don't read these agreements carefully, and this is what spyware and adware writers take advantage of.
Ken Dunham, director of infosec intelligence analysis company iDefense, cites the example of electronic greeting cards which, once the user agrees to the license agreement, installs a mass mailer that trawls through a user's Outlook address book and then sends itself to everyone in that file. He said these were "technically equivalent to mass-mailing worms." The legal aspect – the fact that people have "agreed" to install adware/spyware – provides a headache for vendors selling anti-spyware products in what to call such software without inviting lawsuits.
"So the difficulty facing some vendors is what to term software like this, which might be legally OK, but is morally questionable," he says. He prefers the term "potentially unwanted software."
Thompson says that whatever the status of adware/spyware legitimacy, what is happening now is intolerable. He also points out that "when things get tough for legitimate operators, it is naive to think they won't step over the line at some point in the future."
So what can the organization under attack from spyware, adware et al do to remove and exclude such software, given there are certain legal issues to bear in mind? One problem is that, unlike most viruses, spyware can sit quietly on a PC without anyone noticing.
"It can be downloaded to a computer without a user having to actually do anything wrong," says Fran Howorth, practice leader at analyst Bloor Research. "So it can sit there watching what they are doing without them realizing it. And it can sit there for six months or so without doing anything, meaning that no one will be looking for the particular exploit it is carrying, because it no longer appears to be active."
Yanovsky says that dealing with the problem at the desktop is complex. "Some client-based solutions are more effective than others, but mostly the cleaner can't do a complete job, or does other damage that results in needing to re-image the affected machine."
He adds that blocking spyware at the gateway is even more important than blocking viruses. Howorth agrees, and says that organizations should consider putting in "intrusion prevention capabilities at the perimeter, as well as sitting inline on the most precious resources."
Security policies must be maintained, communicated and enforced alongside a system for quarantining infected resources on to a secure parallel virtual infrastructure. Howorth urges the use of identity management technologies "to ensure and audit good use of corporate resources." Strong authentication is needed to make sure users are who they say they are, and that their resources have not been hijacked.
Dave Kole, a director at Symantec Security Response, goes even further. He suggests that what is needed here is a different approach: "We need to educate not only end-users, but also administrators as to what constitutes spyware."
Casey, our man from Diagonal Security, says the gateway is the important area of all this. There needs to be URL blocking of spyware sites, and spyware should be in antivirus signature databases.
"Content filtering is important, and outbound traffic needs to be examined for suspicious activity. But this doesn't work unless it is centrally managed," he points out.
There also needs to be an overview of all the desktops, and policies enforced to lock down the desktops and ensure unused ports are closed down.
"This will have a big effect in cutting down spyware," says Casey.
His view is that policy enforcement is central to making a successful defense of the network. "If you don't do that, you are then opening yourself up to a lot of bad things," he concludes.
