Spyware Defense Guide

Definition:

Spyware is a program that gathers information about a user's behavior without the user's knowledge. Programs that can scan a system or monitor activity and relay what they find to other computers or locations on the Internet are classified as spyware. Information that spyware may actively or passively gather and pass on includes passwords, log-in details, account numbers, personal information, and individual files or other personal documents. Spyware may also gather and distribute information about the computer itself, the applications running on it, Internet browser usage, or other computing habits. Spyware frequently tries to remain unnoticed, either by actively hiding or simply by not making its presence on the system known to the user. Spyware can be downloaded from web sites (typically bundled with shareware or freeware), email messages, and instant messengers. A user may also unknowingly receive or trigger spyware by accepting the End User License Agreement of a program the spyware is bundled with, or by visiting a web site that downloads the spyware with or without presenting a License Agreement.

Spyware has become an umbrella term for what are better characterized as potentially unwanted programs (PUPs) - software that can allow a hacker to gain control of a computer and access proprietary data.

Defense Tip! Closing Popup Windows:

The safest way to get rid of a pop-up window, especially one that mentions installing software, is to close it with the keyboard (ALT+F4) rather than clicking its "Cancel" button or its "X". In an attempt to dupe users, some spyware swaps the "Cancel" and "OK" buttons, overwrites the "Cancel" button with an "OK" message, or makes the "X" itself trigger the install. ALT+F4 closes whichever window is currently active, so make sure the pop-up is the active window (for example by selecting it on the taskbar) before pressing it.

Other Definition:

Adware: Delivers advertising as pop-ups, pop-unders, or banner ads, and sometimes tracks web surfing habits. Programs that facilitate delivery of advertising content to the user through their own window, or by utilizing another program's interface are classified as adware. In some cases, these programs may gather information from the user's computer, including information related to Internet browser usage or other computing habits, and relay this information back to a remote computer or other location in cyber-space. Adware can be downloaded from Web sites (typically in shareware or freeware), email messages, and instant messengers. Additionally, a user may unknowingly receive and/or trigger adware by accepting an End User License Agreement from a software program linked to the adware or from visiting a web site that downloads the adware with or without an End User License Agreement.

Bot Networks: Hackers deposit remote control programs onto the computer to try to gain control so they can send out spam and viruses through that computer in an effort to hide their tracks.

Keyloggers: Record every keystroke on a user's computer, letting would-be bank robbers and others gain access to account information, credit card numbers, and other sensitive data.

Home page hijackers: Modify browser settings to redirect users to a new home page, often a search page or those containing questionable content.

Password Stealers: Record user's passwords and the sites they are used to access.

Pharming: redirecting a web site's traffic to an attacker's site by corrupting name resolution rather than by tricking the user into clicking a link. DNS servers are the machines responsible for resolving Internet names into their real addresses - the "signposts" of the Internet. An attacker who exploits a vulnerability in DNS server software can poison the answers that server gives out, so that the legitimate domain name resolves to the attacker's address; the same effect can be produced on a single computer by editing its local hosts file. Unlike phishing, the user types the correct address and still lands on the wrong site.
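The DNS-server side of pharming can only be fixed by whoever runs the server, but the local form (a tampered hosts file, which Windows consults before asking any DNS server) can be checked on the workstation itself. The following is an added example, not part of the original help article: it parses a constructed hosts file and flags every entry that does not belong on a normal workstation. The sample file contents, the .example host names and the 203.0.113.x address are constructed for the example.

```python
import ipaddress

# Constructed sample: a Windows hosts file after a pharming trojan has edited it.
# Real bank and vendor names are replaced by .example names; 203.0.113.0/24 is a
# documentation range, so the "attacker" address is not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example              # ad-blocking style entry, harmless
203.0.113.45    www.southtrust.example  southtrust.example
203.0.113.45    www.paypal.example
127.0.0.1       www.mcafee.example       # blocks the antivirus vendor's site
"""

# Names a clean hosts file legitimately maps to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments, blank and malformed lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:                        # not an address: ignore the line
            continue
        for name in fields[1:]:                   # one address may carry several names
            yield addr, name.lower()


def suspicious_hosts_entries(text):
    """Return (hostname, address, reason) for every entry that does not belong on a workstation.

    Entries pointing a public name at a remote address are the pharming case.
    Entries pointing a public name at the local machine are sinkholes: harmless for
    ad domains, hostile when the name is a security vendor's site.
    """
    findings = []
    for addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to the local machine"
        else:
            reason = "redirected to a remote address"
        findings.append((name, str(addr), reason))
    return findings


if __name__ == "__main__":
    for name, addr, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{name:28} {addr:16} {reason}")
```

On a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) instead of the constructed sample. Every "redirected" finding is a pharming entry; "sinkholed" findings need a look, since blocking the antivirus vendor's site is exactly the trick behind the "can't surf to major AV vendor web sites" symptom described later on this page.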

Phishing: a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords.

Example of a phishing email targeted at PayPal users (image not reproduced here). Two clues mark it as a phishing attempt: spelling mistakes in the email ("no choise but to temporaly suspend your account"), and the fact that hovering over the "Click here to verify your account" link reveals a link target that is a bare IP address rather than a paypal.com address.

SouthTrust Bank example: In this second example, targeted at SouthTrust Bank users, the phisher has used an image to make it harder for anti-phishing scanners to detect by scanning for text commonly used in phishing emails.

From: SouthTrust
To: xxxxxx@yyyyy.com.br
Subject: SouthTrust Bank: Important Notification
Date: Thu, 16 Jun 2005 23:56:30 -0200 (22:56 BRT)

Many times, hovering the mouse pointer over a link in the message shows that the real address does not match the address printed in the message text.
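The two clues above (a bare IP address as the link target, and a visible address that does not match the real one) can be checked mechanically before anyone clicks. The following is an added example, not part of the original help article or of any product it mentions: it pulls every link out of a constructed HTML email body and reports the ones that show those signs, plus the related user@host trick. The sample message, the 203.0.113.x / 198.51.100.x addresses and the example.net host are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing email body. Only the last link is genuine.
SAMPLE_EMAIL_HTML = """
<p>We have no choise but to temporaly suspend your account.</p>
<p><a href="http://203.0.113.45/paypal/verify.php">Click here to verify your account</a></p>
<p><a href="http://www.paypal.com.example.net/login">https://www.paypal.com/</a></p>
<p><a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p><a href="http://www.paypal.com@198.51.100.7/">Update your billing information</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a ...> counts
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    # Last two labels only. Good enough here; a real tool uses the public suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_link(href, text):
    """Return the reasons this link looks like a phishing lure (empty list if none)."""
    reasons = []
    url = urlsplit(href)
    host = url.hostname or ""
    if _is_ip_literal(host):
        reasons.append("target host is a bare IP address")
    if url.username is not None:
        reasons.append("URL carries user@ before the real host")
    # If the visible text itself looks like a URL or domain, it must match the real target.
    m = re.match(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text.strip())
    if m and _registrable(m.group(1)) != _registrable(host):
        reasons.append(f"visible text names {m.group(1)} but link goes to {host}")
    return reasons


def find_suspicious_links(html):
    """Return [(href, reasons)] for every link in the fragment that trips a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = inspect_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

The checks are deliberately simple: they do not catch IP addresses written in decimal or hex, look-alike characters, or a lure whose visible text is plain English pointing at a registered look-alike domain. Those are the cases where the advice in this article still applies: hover first, and when in doubt type the bank's address yourself.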

Dialers: Programs that use a computer or modem to dial out to a toll number or Internet site, typically to accrue charges. Dialers can be installed with or without a user's explicit knowledge, and may perform their dialing activity without a user's specific consent prior to dialing.

Hack Tools: Tools that can be used by a hacker or unauthorized user to attack, gain unwelcome access to, or identify or fingerprint your computer. While some hack tools are also valid for legitimate purposes, their ability to facilitate unwanted access makes them a risk. Hack tools generally:
· Attempt to gain information on or access to hosts surreptitiously, using methods that circumvent or bypass the obvious security mechanisms of the system they are installed on, and/or
· Facilitate an attempt at disabling a target computer, preventing its normal use.
One example of a hack tool is a keystroke logger, a program that tracks and records individual keystrokes and can send this information back to the hacker. The category also covers programs that facilitate attacks on third-party computers as part of a direct or distributed denial-of-service attempt.

Remote Access: Programs that allow one computer to access another computer (or facilitate such access) without explicit authorization at the time an access attempt is made. Once access is gained, usually over the Internet or by direct dial access, the remote access program can attack or alter the other computer. It may also be able to gather personal information, or infect or delete files. Such programs may also create the risk that third-party programs exploit their presence to obtain access. Remote access programs generally:
· Attempt to remain unnoticed, either by actively hiding or simply by not making their presence on a system known to the user, and/or
· Attempt to hide any evidence of their being accessed remotely over a network or the Internet.
Means by which these programs provide access may include notifying a remote host of the machine by sending its address or location, or employing functionality that wholly or partially automates access to the computer on which the program is installed.

Trackware: Programs that track system activity, gather system information, or track user habits and relay this information to third-party organizations. The information gathered by such programs is neither personally identifiable nor confidential. Trackware programs are installed with the user's consent and may also be packaged as part of other software installed by the user.

TypoSquatting: Web sites with addresses that are similar to the actual site you're trying to go to. When people make a typing mistake and land on one of these sites there may be an attempt to infect the computer or to take over control.
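The "similar address" in the definition above is not random: typosquatters register the handful of spellings a finger is likely to produce (a dropped letter, two letters swapped, a doubled letter, a neighbouring key). The following is an added example, not part of the original help article: it generates those variants for a domain so they can be registered defensively or matched against proxy logs, and checks whether a typed host name is one of them. The partial QWERTY adjacency table and the paypal.example domain are assumptions made for the example.

```python
# Partial QWERTY adjacency map (letters only). A production tool would carry the
# full keyboard and other layouts; this is enough to show the technique.
QWERTY_NEIGHBORS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "erfcxs", "e": "wsdr", "f": "rtgvcd",
    "g": "tyhbvf", "h": "yujnbg", "i": "uojk", "j": "uikmnh", "k": "iolmj", "l": "opk",
    "m": "njk", "n": "bhjm", "o": "iplk", "p": "ol", "q": "wa", "r": "edft", "s": "wedxza",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}


def typo_variants(domain):
    """Return the set of single-typo variants of a domain's first label.

    Pass the registrable name (paypal.example, not www.paypal.example). Covers the
    four common slips: omission, transposition, duplication and an adjacent key.
    """
    name, _, rest = domain.lower().partition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                  # omission:     paypl
        variants.add(name[:i] + name[i] + name[i:])            # duplication:  paypaal
        for key in QWERTY_NEIGHBORS.get(name[i], ""):
            variants.add(name[:i] + key + name[i + 1:])        # adjacent key: paypsl
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: payapl
    variants.discard(name)
    variants.discard("")
    return {v + "." + rest for v in variants}


def matches_protected(hostname, protected):
    """Return the protected domain that `hostname` is a typo of, or None if it is not one."""
    for domain in protected:
        if hostname.lower() in typo_variants(domain):
            return domain
    return None


if __name__ == "__main__":
    # Constructed input: the site we want to protect and a few host names seen in a proxy log.
    protected = ["paypal.example"]
    for seen in ["paypl.example", "payapl.example", "paypal.example", "unrelated.example"]:
        print(seen, "->", matches_protected(seen, protected))
```

Registering every variant is rarely affordable, so the practical use is the second function: feed it the host names users actually visit (from a proxy or DNS log) and alert when one is a single typo away from a protected domain.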

Viruses, Worms and Trojan Horses: A virus is a program or code that replicates itself onto other files with which it comes in contact; that is, a virus can infect another program, boot sector, partition sector, or a document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many can do damage to a computer system or a user's data as well. A worm is a program that makes and facilitates the distribution of copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism. The worm may do damage and compromise the security of the computer. It may arrive via exploitation of a system vulnerability or by clicking on an infected e-mail. A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

Wi-Phishing: Monitoring the use of unsecured wireless networks in an effort to steal passwords and other identity information.

Spyware Issues:

Spyware usually runs surreptitiously - users may not realize that the web site they visited, the email link they clicked on, or the seemingly innocuous software they downloaded has infected their system with spyware. Yet several telltale signs often lift spyware's veil of secrecy: sluggish system performance, a flood of pop-up ads, or browser hijacking.

Spyware has gotten the attention of more than a few CIOs simply because it's draining productivity. Spyware poses a bigger threat than temporarily shelving some systems: It also places sensitive corporate information at risk. Spyware can carry keystroke loggers used to swipe your users' identities or can install Trojans designed to transfer files off their computers. Your business' most valuable assets are in jeopardy-including financial reports, customer data and product development plans.

According to Kim Jones, director of global security services for eFunds, "If you get hit with a virus or spyware crashes a system, you take a productivity hit. That's a problem, but it's not near the same concern as data leakage."

Spyware would be easier to combat if its purveyors weren't so savvy. Some spyware apps are now written to monitor the spyware's core processes and reinstall the program if you try to remove it. The craftiest attackers can even alter the spyware's code each time it runs, or change the code so that it no longer matches a signature in an antispyware vendor's arsenal.

Knowledge is the best defense: Spyware is a big problem, "significantly worse than viruses," according to Joe Telafici, Director of Operations, McAfee Anti-Virus and Vulnerability Emergency Response Team (AVERT) Labs. "Over the second quarter of 2005, AVERT saw a 12 percent increase in the number of potentially unwanted programs (PUPs) created from the first quarter of 2005, and a 60 percent increase over Q1 2004." Since spyware catches so many users unaware, education may be the best defense. Another tricky thing about spyware is that it's hard to define. Lots of legitimate web sites use cookies or adware to track visitors' activities - but is that spyware? Because of the gray areas, we can't rely on the government or law enforcement to intervene on our behalf. That means the spyware ball is in our court-and now's the time to act.

It's all about the money: Today's spyware authors are highly skilled and motivated. Every day, they create new spyware code - such as hyper-mutating and custom-coded attacks - that is far more difficult to detect and remove than earlier spyware. The big difference between viruses and spyware is money: most early viruses were digital graffiti designed to gain notoriety and attention, but criminals are leveraging spyware to gain competitive intelligence, commit identity theft and launch phishing attacks. "There's a lot of money to be made here, and these [spyware purveyors] have teams as large or larger than the antivirus and antispyware vendors," explains Soiux Fleming, eTrust director of product management at Computer Associates. "Usually it's a question of whether the program is more of an annoyance or risk than an asset to the user, especially for the grayware programs that have a legitimate purpose and usage," he says. "They are applying techniques from different realms to ensure their presence in the machine," he says. "They are using a combination of security and hacking techniques to evade detection and remediation by spyware vendors." Spyware creators are now employing techniques such as shadow processes to monitor the spyware's core processes, and trickling techniques to reinstall the program if a user attempts to uninstall it. Even more frightening is the rate at which spyware is changing.

Anti-spyware software is very useful and effective but cannot pick up 100% of all threats. The system user must be on-guard for suspicious activity. Hyper-mutating spyware updates itself via the web or it is automatically rewritten faster than a signature can be created and distributed. The delayed response provides a window of vulnerability for widespread infection. Meanwhile, custom-coded spyware is maliciously aimed at a particular target rather than the mainstream user community, so no signature is created or distributed. The result: Signature-based solutions are powerless against these new spyware methods. Behavior-based spyware detection also has its limitations. It has difficulty differentiating between destructive and constructive behaviors. Also, it's extremely challenging for IT administrators to create standard behavior-based security policies capable of accurately identifying spyware throughout an enterprise. That's why security policies created with behavior-based solutions tend to be too lenient or restrictive.

"It used to be enough if you didn't open an attachment from an unknown sender." Thanks to the rapidly changing nature of spyware-ranging from troublesome adware to keystroke loggers-those days are gone and aren't likely to come back. It's even possible that once a system is cleaned, [spyware] could just return in the next week or so. Traditional security measures do not address the spyware threat as spyware is often acquired when users download an application or file, visit certain web sites, or click on a pop-up window. Spyware collects potentially sensitive information such as keystrokes, web surfing habits, passwords, email addresses, and instant messaging conversations and transmits it to a spyware host.

System crashes: Microsoft claims half of all computer crashes reported by its customers are caused by spyware and its equivalents. The related support calls are costing the company "millions". And Microsoft is not alone. Information attacks are on the rise-the weapon of choice is spyware.

On-going battle: After two years of fending off browser hijackings and excessive pop-ups, the digitally connected world has finally realized it's fighting a full-scale war against spyware. This constantly evolving threat, whose payloads can include keyloggers and backdoors, has antispyware vendors rushing to stem the tide. Previously, spyware writers could alter their code on a daily, weekly, or monthly basis to make it difficult for antispyware tools to locate and remove their programs. The latest tactic, what Felman tags "hyper-mutations", modifies the code each time the program runs, using the same automatic-update techniques legitimate application software uses, so the program never matches a fingerprint in the antispyware vendors' signature databases.

Spyware writers are also heading toward an insidious vector: spyware programs that insert themselves directly into the operating system. Roger Thompson, director of malicious content research at CA, says that the most difficult technical challenges are posed by rootkits and kernel modification. Thompson is issuing an early warning against code injection, the use of alternate data streams, security token manipulation, pharming and exploitive web sites. Geoff Webb, director of marketing at Futuresoft, believes there will be great changes in the antispyware market over the next few years. Antispyware technology currently in development will focus on monitoring the entire system, including the registry, processes and files, on every level. But, Webb says, the downside to this degree of monitoring is the impact on performance.

Security and network managers can block sites that are common vectors for spyware, such as gaming and pornography sites; spyware blacklists are available online and can usually be integrated into a web-filtering product. Antivirus can also be particularly helpful at keeping spyware at bay: CA's Fleming, for example, reports increasing evidence that worms are being used to set up botnets with spyware payloads. It's also easier and less expensive to use an alternative browser, such as Mozilla's Firefox, rather than Internet Explorer as a machine's default browser. Sneakier spyware vectors, such as drive-by downloads, .gif overlays and the use of the scroll bar as the button to accept downloads, are all based on IE vulnerabilities.

User account privileges: Limiting administrative rights on computers can also head off spyware installations. By granting such rights only to people who need them, businesses ensure that the majority of users can't download and run ActiveX controls or install software. Desktop users also have much to gain by being cautious about spyware: explain that it is a threat to the organization, highlighting recent cases of spyware used to steal sensitive information, and underscore the risk it poses to them personally, particularly identity theft.

Use caution: Browse very carefully. Because a lot of spyware is distributed through browser-based vulnerabilities, make sure your users understand the importance of keeping their browsers patched and exercising safe surfing habits. Close pop-up windows, especially ones that mention installing software, with the ALT+F4 keys rather than the "Cancel" button, as described in the Defense Tip above; some spyware swaps the "Cancel" and "OK" buttons or overwrites the "Cancel" button with an "OK" message. Read e-mail very carefully. Sadly, email attachments remain another major vector of spyware propagation. Users should never run an executable attachment, even if it appears to come from a trusted individual inside your organization, including the CEO or their own manager. Let them know that e-mail carrying an encrypted zip file together with text giving the decryption password is another common spyware trick to dodge mail filters. When in doubt, run an on-demand scan. Users can run an on-demand scan using the Trend Micro OfficeScan application: the entire computer can be scanned for viruses and spyware threats, or any file or folder can be selected to be scanned.

System performance: Never disable AV or antispyware tools. Continuous antivirus/antispyware protection can sometimes slow a system down, but the small performance gain from turning it off is not worth the risk of leaving the door open to spyware and viruses.

Suspicious behavior: Be on guard for suspicious behavior. Users should call the help desk if they spot a large number of pop-up messages, can't surf to major AV vendor web sites, notice new browser toolbars and search boxes, or suddenly experience very sluggish system performance.

Signs of spyware infection

There are things to watch out for if you think your computer may have spyware on it. The symptoms described above - sluggish system performance, a flood of pop-up ads, a changed home page or search page, new browser toolbars or search boxes you did not install, and being unable to reach antivirus vendor web sites - usually mean you have some sort of spyware on your computer, possibly more than one.

Check out the other spyware related help tutorials for additional information and to view an informative spyware video presentation.

Microsoft also publishes additional information on signs of spyware infection.

Acknowledgements:
This help article was compiled from several published security articles: A Supplement to Information Security - The Ultimate Spyware Defense Guide, Security Insider - Tenebril, Eliminate the Spyware Threat - WEBSENSE,