McAfee Security Insights

The Expert View: Stopping Spyware

Corporate users’ desktops are littered with potentially unwanted programs ranging from annoying targeted pop-up ads that sap computing resources to keystroke loggers that can whisk away employees’ credit card numbers and other private information. Most enterprise IT managers have vastly underestimated the magnitude of the problem. Just how big is spyware and adware – and more importantly what can enterprises do to stop it from infiltrating their users’ desktops and laptops? We talk with Joe Telafici, Director of Operations at McAfee® AVERT® Labs to understand the state of the problem and the solution.

Security Spotlight: How big is the spyware problem? And why is it getting worse?

Joe Telafici: It’s massive. It’s been bad and has gotten worse in the last year or two. It’s significantly worse than viruses. There are more machines with potentially unwanted programs (PUPs), particularly adware, than anything else. In most months, 10 to 15 of the top 20 virus hits are for adware and spyware. In corporate environments, we’ve seen reports in which you have to go to number 200 to find a virus. The rest are spyware, adware, and other unwanted programs.

There are two reasons for this proliferation. First, this software has a legitimate purpose. Some people want these programs. When you get Kazaa, you get two or three other programs; if you want them, you should have them. If you’re in IT, you might use a sniffer or remote-control program as part of your job. When the software gets where it’s not intended to be, then it’s a problem.

Second, the tools to identify and remove spyware haven’t been widely available, particularly for corporations. Until IT people have tools that are widely deployed and centrally managed, they won’t know about the problem and won’t be able to address it.

The word ‘spyware’ is heavily loaded. A lot of the truly malicious software is Trojans like password stealers, keystroke loggers and remote-control programs, which are intended for identity theft.

A New Motivation: Money

Security Spotlight: Do you see that the motivation for spyware is mostly financial, such as with identity theft and fraud?

Telafici: In 2003 and 2004, there was the shift from malware as a political statement and the digital equivalent of graffiti to financial gain. It’s hard to say whether the malware authors are learning from the adware vendors or vice versa.

Spy-bots and worms are dropping adware, because presumably the author of the worm is getting money from how many adware programs are installed. Some of the less reputable vendors of PUPs are dropping them via exploits and using the same social engineering tricks that the malware authors have traditionally used.

If you look at the bad end of the spectrum, there’s an intermixing of techniques. At the clean end of the spectrum, a number of adware authors have been trying very hard to clean up their acts. Some have venture-capital funding and are trying to please investors.

Security Spotlight: Does the shift in who is writing spyware make it easier or harder to stop them?

Telafici: In some cases it’s better and in some cases it’s worse. The people writing PUPs are more professional and thorough than two years ago. He’s not a college kid. The author has been coding for 10 years. He tests his creation. He’s making money for his work.

On the good side, it’s a little more predictable. Many programs come with uninstallers, although if people don’t know how they got the software in the first place, an uninstaller doesn’t help. The authors are more above board in how they label the software, including having version information and the real company name.

On the other hand, those folks who don’t care about their reputation are doing some very shady stuff and are using stealth techniques to hide their presence on the systems.

A Matter of Policy

Security Spotlight: Do you have any estimates of how many desktops in corporate America are infected with spyware?

Telafici: Spyware hasn’t been on the radar screen, and the lack of tools is part of the reason. A lot of organizations, while getting much better at requiring anti-virus on desktops, don’t lock down desktop configurations.

A lot of people, especially in the United States, do shopping and non-business related activities at work. Some organizations crack down on non-work usage, but most don’t. Policy enforcement is the best way to keep potentially unwanted programs off the desktops.

Security Spotlight: What can companies do to stop potentially unwanted programs from coming into their enterprises?

Telafici: The biggest single step organizations can take is to look at what rights and privileges users have for their computers. In Windows, everyone is an administrator by default, and administrators can do anything to their machines. Anytime you visit a Web page, you have full rights.

Companies should establish a policy that covers the software employees are supposed to have to do their jobs, whether that’s Microsoft Office or a software development environment. IT should lock down applications on users’ desktops, so they can run only approved applications.

Beyond that, you might want to download this other cool and useful software. Rather than having the rights to download it automatically, you should be able to ask to have the rights temporarily and have the opportunity for someone in IT to review it and say yea or nay.

Security Spotlight: What else can corporations do?

Telafici: IT should force a patching policy, so updates are automatically distributed, and quarantine machines that are not up to date.

A lot of organizations still allow IRC traffic on their networks. A huge number of spy-bots use IRC. While it doesn’t have to do with PUPs necessarily, companies shouldn’t allow that type of traffic. They should lock down specific ports. In terms of adware, there are open source lists of domains that may carry objectionable content. Use a firewall to block access to these domains.

Companies can use a combination of McAfee® Secure Content Management, McAfee® Foundstone® vulnerability management software and McAfee® Desktop Firewall to guard against the problem. McAfee® Anti-Spyware Enterprise will protect against spyware, adware, keyloggers, cookies and remote-control programs.

Security Spotlight: What’s the best way to educate users against installing software that could bring spyware and adware into the enterprise?

Telafici: Education is absolutely critical. People think that it’s their right to install software on their corporate machines. They don’t see the connection between installing a browser toolbar and getting spyware. This software is commonly part of online shopping and gambling sites. People have to take some responsibility for downloading it.

The Role of the Law

Security Spotlight: What about state and federal attempts to stop spyware? By most accounts, CAN-SPAM was ineffective for stopping spam. Can we hope for a better result regarding spyware?

Telafici: Utah passed a law aimed at curbing spyware and California is considering one. The law requires software companies and Web sites to inform users if their software or sites will install spyware and disclose what it will do and what information it will collect. There are also two bills being discussed in the U.S. House of Representatives and one in the Senate.

CAN-SPAM legitimized a whole new way to spam. It hasn’t done anything to dent the flow of spam, and it might have made it worse. There is some concern at our level about any federal legislation that says that these things are bad.

The legislative process can’t keep up with technology. A new technique is developed on a daily or weekly basis. Any attempt to say this particular way is bad is going to have a hard time, unless someone is set to generate the list of bad behaviors and keep it up to date in the same way the Food and Drug Administration does with good and bad drugs. There needs to be a regulatory effort so that the law keeps up with technology.

It may change if agencies like the Federal Trade Commission regulate vendors of this software. The FTC recently shut down Sanford Wallace, the spam king, for business practices. They’re starting to show some interest in this area, but it’s a question of how much budget and time they can dedicate to policing.

Security Spotlight: So what’s the solution?

Telafici: We are having a number of conversations with the rest of the antivirus and anti-spyware community. There are a number of regulatory workgroups where multiple security vendors are developing naming conventions and behavior.

The solution will be driven largely by the security community and the more legitimate PUP vendors, which is largely public sentiment-driven. McAfee is doing what our customers are asking us for, while the other corporations are doing things that their investors or advertisers, who determine their worth, are asking them for.

The technology providers and the community need to come together for the solution. The global nature of the Internet is likely to make any regulatory effort ultimately toothless.
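The network-side controls Telafici recommends earlier in the interview (blocking IRC ports and using an open-source domain blocklist on the firewall) can be checked against proxy or firewall logs. The following is an added example, not code from the interview or from McAfee: it parses a blocklist in the common one-domain-per-line format (an assumption about the list format), treats a listed domain as covering its subdomains, blocks the usual IRC port range, and audits a few constructed log lines. Every domain, port set and log line below is made up for illustration, not real threat data.

```python
"""Egress policy audit: flag connections to IRC ports or blocklisted domains.

Added example. The blocklist entries, port set and log lines are constructed
sample data, not real intelligence.
"""
from dataclasses import dataclass

# Constructed blocklist in the "one domain per line, '#' comments" form
# that many open-source blocklists use (assumption about the format).
BLOCKLIST_TEXT = """
# sample adware/tracking domains (constructed, not real)
ads.example-adnet.test
tracker.example-pup.test
"""

# IRC default port is 6667; 6660-6669 is the conventional range, 7000 a common alternate.
BLOCKED_PORTS = set(range(6660, 6670)) | {7000}


def parse_blocklist(text: str) -> set[str]:
    """Return the set of lower-cased domains, ignoring blanks and '#' comments."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line.rstrip("."))
    return domains


def domain_is_blocked(host: str, blocklist: set[str]) -> bool:
    """True if the host or any parent domain is listed.

    Matching is by label suffix, so 'www.ads.example-adnet.test' matches
    'ads.example-adnet.test', but 'tracker.example-pup.test.evil.test' does
    not: a plain substring check would wrongly flag that one.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Decision:
    host: str
    port: int
    allowed: bool
    reason: str


def evaluate(host: str, port: int, blocklist: set[str]) -> Decision:
    """Apply the port rule first, then the domain rule."""
    if port in BLOCKED_PORTS:
        return Decision(host, port, False, f"blocked port {port} (IRC range)")
    if domain_is_blocked(host, blocklist):
        return Decision(host, port, False, "blocklisted domain")
    return Decision(host, port, True, "allowed")


# Constructed log lines: "<timestamp> <user> <host>:<port>"
SAMPLE_LOG = """\
2005-06-01T10:00:01 alice www.example-corp.test:443
2005-06-01T10:00:05 bob www.ads.example-adnet.test:80
2005-06-01T10:00:09 carol irc.example-bot.test:6667
2005-06-01T10:00:12 dave tracker.example-pup.test.evil.test:80
"""


def audit(log_text: str, blocklist: set[str]) -> list[Decision]:
    """Evaluate every connection in the log against the policy."""
    decisions = []
    for line in log_text.splitlines():
        _timestamp, _user, target = line.split(" ", 2)
        host, port = target.rsplit(":", 1)
        decisions.append(evaluate(host, int(port), blocklist))
    return decisions


if __name__ == "__main__":
    policy = parse_blocklist(BLOCKLIST_TEXT)
    for d in audit(SAMPLE_LOG, policy):
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {d.host}:{d.port} - {d.reason}")
```

The suffix-matching rule is the detail worth noting: a blocklist entry should cover its own subdomains but not any hostname that merely contains the string, otherwise legitimate hosts get denied and a lookalike domain slips through.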

Since this article was written, McAfee has introduced new products that offer similar capabilities. Please see our products section for additional information.

Resources

McAfee Anti-spyware White Paper