Is Any Anti-Spyware Enough?

By Drew Bird | Mar 8, 2005
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3488491/Is-Any-AntiSpyware-Enough.htm

Network administrators are a generally conscientious and careful bunch. Their home PCs, for example, are likely to be well protected against almost every type of threat conceivable, from hackers to viruses to adware to spyware. They most likely avoid infection by these threats through prudent downloading, frequent definition updates, and scheduled scans. But are the systems on the networks they administer as well protected? Current opinion would suggest not.

Although "spyware" is often used as a single term to describe both adware and spyware, it is worth knowing the difference between the two. Adware refers to applications that facilitate the display of advertising on your system, ranging from the obvious, like pop-up ads, to the less obvious, such as browser search bar hijacking. Adware watches your browsing preferences and activities and points you in the direction of sites that match. Likewise, it shows you ads that it believes will appeal to your interests.

Spyware, or more accurately system monitoring software, presents a very different set of threats and associated risks. Spyware is software that is capable of recording and transmitting information captured from keystrokes, such as passwords and user IDs. In addition, some spyware can make it possible for a remote user to access your system across the Internet. Either of these scenarios is enough to give even the most seasoned network administrator nightmares.

If you think your network is safe from either spyware or adware, the chances are you are wrong, says Richard Stiennon, VP of Threat Research at Webroot, one of a growing legion of companies producing anti-spyware software. "We estimate that somewhere between 20 percent and 50 percent of Internet-borne network traffic is created by spyware or adware." Research by Webroot also reveals that 80 percent of systems on corporate networks have adware installed on them and, more alarmingly, 15 percent have system monitoring software running in the background. "Adware is a headache as it leads to poor performance or system crashes," says Stiennon, "but system monitors represent a very real security issue as they record user interactions such as keystrokes and web cam traffic."

Stiennon is not alone in his estimates of the depth of adware and spyware penetration. A spokesperson for Microsoft told us the company believes spyware to be directly responsible for more than a third of application crashes reported to its support staff, and that spyware and adware may be linked to as many as half the crashes its customers experience.

Unlike viruses, which try to trick you into opening a file or installing an application in order to infect your system, a great deal of spyware and adware takes a more straightforward approach: it simply asks for your permission. Each time you install an application, or allow an ActiveX object to run from a Web page, you open the door for spyware or adware to be installed. Of course, installing applications or viewing Web pages from known safe sources represents a very low level of risk. But other downloads, like small utilities from largely unknown software companies, or active content from a Web site, can be another matter entirely.

Once installed, there is little you can do to prevent one piece of spyware or adware from inviting other pieces of spyware to install themselves as well, and so on, in an ever-increasing cycle.

Like a virus, spyware or adware is an unwanted visitor that can realistically be of no good use. Unlike viruses, however, which often seek to destroy, disable or decommission your PC, spyware or adware is more than happy to let your PC continue to run as well as it possibly can. A PC that is running allows ads to be displayed, or information to be collected. A system that is not running is of no use to spyware or adware pushers.

The problems created by spyware and adware are many and varied. Both threats use valuable processing power and hog bandwidth on your network connection, or cause your PC to crash. On a home system, apart from the very obvious and frightening personal privacy considerations, these problems are at best extremely annoying. On a corporate network, where the problem is magnified in direct proportion to the number of PCs, and the privacy considerations are arguably even more sensitive, spyware and adware present perhaps the single most significant threat to productivity and security since the advent of hacking or viruses.

Another problem with spyware and adware is that the processes developed to combat them are still in their relative infancy. Although companies like Webroot, Tenebril, Microsoft, and a host of others are working to produce more effective spyware and adware screening systems with an increasing level of success, the nature of spyware and the companies that make money from it are proving tough nuts to crack.

Unlike viruses, which are nearly always the malicious prank of an individual with little more to gain than disrupting the status quo, spyware and adware are the tools of business operations worth tens of millions of dollars. This financial incentive leads spyware and adware writers to be extremely resourceful when it comes to finding ways to circumvent commonly deployed protective measures.

As for the traditional mainstay of network security, the firewall, it is of little use when combating spyware or adware, says Chris Carillo, Founder and Head of Development at Tenebril Inc. "A great deal of spyware uses TCP/IP port 80 to send and receive information from the Internet. This means that to block the traffic generated by the spyware or adware, you would have to prevent Internet browsing from within your organization." As you can imagine, this is a step that few organizations are willing to take.
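Carillo's point is that port 80 cannot be closed, so the practical response is to look inside the traffic you must allow rather than block it. The following is an added example for this page, not code from Tenebril, Webroot or the article's author: it runs over a few constructed, simplified proxy log lines (epoch seconds, client IP, method, destination host, request bytes; the log format, the host names and the thresholds are all assumptions made for the example) and flags client/host pairs whose requests recur at near-constant intervals, the call-home pattern that spyware produces and human browsing does not.

```python
"""Spot spyware-style call-home traffic in web-proxy logs without blocking port 80.

Added example for this article; not code from Tenebril, Webroot or the author.
The log format is a constructed, simplified proxy log (epoch seconds, client IP,
method, destination host, request bytes). Sample lines, host names and
thresholds are illustrative assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample: ordinary browsing from 10.0.0.5, plus a process on
# 10.0.0.7 that POSTs to the same host every 300 seconds over port 80.
SAMPLE_LOG = """\
1110200000 10.0.0.5 GET  www.example.com    412
1110200017 10.0.0.5 GET  cdn.example.com    398
1110200121 10.0.0.5 GET  news.example.net   455
1110200000 10.0.0.7 POST stats.tracker.test 1980
1110200300 10.0.0.7 POST stats.tracker.test 2011
1110200600 10.0.0.7 POST stats.tracker.test 1975
1110200900 10.0.0.7 POST stats.tracker.test 2004
1110201200 10.0.0.7 POST stats.tracker.test 1990
1110200902 10.0.0.5 GET  www.example.com    420
1110201250 10.0.0.5 POST www.example.com    640
"""


def parse_log(text):
    """Yield (timestamp, client, method, host, bytes) tuples from the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, size = line.split()
        yield int(ts), client, method, host, int(size)


def find_beacons(records, min_hits=4, max_jitter=0.2):
    """Return {(client, host): summary} for pairs whose requests arrive at
    near-constant intervals.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between consecutive requests. A scheduled callback has a small one;
    a person clicking around a site does not.
    """
    by_pair = defaultdict(list)
    for ts, client, method, host, size in records:
        by_pair[(client, host)].append((ts, method, size))

    suspects = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:          # too few requests to judge regularity
            continue
        times = sorted(t for t, _, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:                 # duplicate timestamps, not a beacon
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            suspects[pair] = {
                "hits": len(hits),
                "period_s": round(mean_gap),
                "jitter": round(jitter, 3),
                # bytes sent upstream: large, regular uploads suggest collected data
                "upload_bytes": sum(s for _, m, s in hits if m == "POST"),
            }
    return suspects


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

Run stand-alone it reports only the 10.0.0.7 to stats.tracker.test pair (five hits, 300-second period, zero jitter). A real proxy's access log (Squid's, for example) has a different layout, so `parse_log` is the part to adapt; pages that auto-refresh also produce regular requests, so a hit is a lead for the administrator to look at the client, not a verdict.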

The big money incentive behind adware and spyware has the companies that create the software employing some very creative measures to ensure that their territories, once established, are safe for as long as possible. This leads to some significant challenges for vendors who make and market spyware detection systems. Unlike a conventional virus, which carries a fixed 'signature' that makes the malicious code identifiable within a file before it is downloaded and installed, spyware or adware presents more of a challenge.

"Many spyware applications rely on a mutation process that changes the contents of the file, and so makes the common signature matching processes used by anti-virus applications meaningless. A signature that matches now may not match in, say, six hours," says Carillo.

This ability to mutate occurs primarily in one of two ways. Either the application connects to a site on the Internet from which new executable code is downloaded, or the application is simply written to mutate at a given point, such as when the system is restarted.

Although the latest anti-spyware offerings are becoming increasingly effective at identifying and removing spyware or adware, anti-spyware authors face an uphill battle when it comes to completely banishing spyware from a system. The problem, says Carillo, is that anything short of a complete cleansing of spyware from a PC is ineffective.

"One piece of spyware inevitably leads to another, and within as short a period as 24 hours, your PC will have as many infections on it as when you started. If you don't remove it all, you may as well not remove any."