• United States


Jan 26, 20046 mins

How to fight back against insidious attacks from cookies gone bad.

What is spyware? And what harm can it do to my network? Even in its most innocuous form, spyware is an invasion of privacy.

What is spyware? And what harm can it do to my network?

Even in its most innocuous form, spyware is an invasion of privacy.

Spyware programs such as Cydoor, Gator, and Xupiter install without the user’s knowledge by piggybacking on peer-to-peer file-sharing programs, cute executable images or a long list of freeware.

How to filter Port 80 traffic

Help! I’ve been Web-jacked!

Primarily used for target advertising purposes, spyware tracks a user’s Web habits. Some programs log keystrokes and even capture and transmit screen images.

“These programs are hard to avoid because they come bundled with other things, and it’s not always apparent when they’re installing themselves. And once they’re on computers, they can be difficult, time-consuming and costly to remove,” says Michael Steffen, policy analyst with the Center for Democracy and Technology (CDT) in Washington, D.C.

At its worst, spyware becomes a dangerous tool in the hands of the wrong people.

“Today, spyware’s annoying but relatively benign. But Gartner believes spyware will get more malicious in the future and be used for password harvesting, credit card number theft and other forms of identity theft,” says John Pescatore, a Gartner analyst. Mark Maiffret, chief hacking officer for eEye Digital Security, sees even more sinister uses for spyware, such as capturing and transmitting Microsoft Word and Excel documents to steal corporate secrets.

This is not to mention the unprotected tunnels being opened to the desktops by unknown programs that aren’t coded with security in mind, adds Jeff Horne, researcher for Internet Security Systems, which makes RealSecure intrusion-detection software.

How to avoid spyware

Enforcing employee Internet use policy is your first line of defense, Maiffret says. His advice is:

•  Configure desktop browsers and Outlook using Microsoft Domain Security Policies.

•  Block ActiveX and other executables.

•  Manage scripting.

•  Filter Web content through an HTTP proxy.

•  If necessary, segment certain employees from using the Internet if they don’t need it to do their jobs.

Employees also should be taught how to surf the Web safely, says Ian Poynter, chief security officer for Bit9, a security software start-up. Keep user education simple, he says, by sticking to the following points:

•  Don’t download peer-to-peer programs or anything you’re not sure of.

•  Don’t click on fun images like dancing bears.

•  Don’t download freeware without first checking with IT.

The bottom line, is if you don’t need it to do your job, don’t click on it.

How to detect spyware

Even if you implement all those policies, spyware is likely to get through. Until recently, the only way to detect spyware was to wait for a user to call the help desk, says Shane Allen, network engineer for Special Devices, a Moorpark, Calif., maker of pyrotechnic airbag initiators.

How spyware gets onto your network

Jeff Horne, researcher for Internet Security Systems, lists the five sneakiest ways spyware gets distributed.
Masquerading as a legitimate plug-in to run a movie or music file.
Masquerading as a browser helper object such as a Google toolbar (used primarily in home page redirects).
Hiding out in group directories on peer-to-peer networks such as music-sharing, and then spreading itself by infecting the directories of machines searching those directories for their music selections.
Tricking people into installing their programs. Instead of saying, “To install this program, click yes,” the prompt says, “To install this program, please click no.”
Hijacking Outlook e-mail as if it were a browser (primarily for pop-up ads).

“Users would call and say ‘I can’t open this file. It doesn’t print. I can’t go to the Web.’ So we had to go to the user and re-create what they were doing,” Allen says. “You’d start to see all these different errors because something’s processing in the background.”

Allen moved to a more proactive process in March, when his Web-filtering vendor, Websense, added spyware to a menu of behavioral blocking options in its new product called the Client Application Module (CAM). CAM sells for $25 per seat for a 1,000-user installation and plugs into Websense’s central manager, called Websense Enterprise.

With its daily downloads, Websense Enterprise catches most spyware before it gets on his network’s computers, Allen says.

If spyware does get through, CAM prevents it from executing through a kernel-level filter driver that looks for categorized spyware behaviors in the outbound executables.

In this way, Websense locates spyware that has snuck past front-line defenses. Nigel Smithson, data security officer for Boston Private Bank, uses Websense reports to determine what computers need disinfecting.

“Spyware is the bane of my existence,” Smithson says. He used to deal with spyware reactively. But now he’s lowered his incidents of spyware on all but home-use computers through a combination of commercial tools and freeware for a total investment of about $2,000.

“My way isn’t the be-all, end-all,” he says. “Anti-virus goes some way towards stopping spyware. And we use a desktop tool to clean it up when we suspect there’s spyware on a machine. But certainly, Web filtering prevents most of it.”

How to remove spyware

For spyware that makes it past the Web filter, removal is difficult without an automated spyware removal tool. According to the CDT report on spyware, most spyware is designed to resist un-installation.

“Spyware leaves behind stuff you can’t get rid of that’s buried in places all over the registry. To clean it means tearing down the registry and knowing what files to look into,” says Michael Wood, U.S. representative for Lavasoft, which makes freeware and professional spyware removal software called Ad-Aware. The professional version sells for $39.95 per desktop. Allen uses Lavasoft’s freeware version for those times he needs to eradicate spyware from an infected machine. Smithson also uses a freeware product called Spybot.

Smithson says he tried Ad-Aware, but Spy Bot caught more spyware without a lot of the custom configuration that he had to do with Ad-Aware.

“Because of Websense, we don’t need to put spyware mitigation software companywide. We only use it occasionally when someone has a problem,” Smithson says. “But we do recommend that our home users install it on their machines and run it in the background.”

Other products on the market include InterMute’s SpySubtract, Iolo Technologies’ LLC Mechanic, Sygate’s SSE firewalls and Tenebril’s GhostSurf Pro.

How to protect teleworkers

Ah yes, the home-user bugaboo. Current management tools, such as those from Websense, don’t enforce Web use policy on home-use machines. So only home-use spyware mitigation tools such as Spy Bot and Ad-Aware can protect those machines from spyware.

“Our users take their computers home and browse the Web through an uncontrolled connection. So sometimes they have problems,” Allen says. “We had a high-ranking employee call and complain the other day about his browser getting hijacked. He was visiting some Web sites in Thailand, where one of our major suppliers is located. And he got infected.”

Radcliff is a freelancer writer in California. She can be reached at