Security
Archive Article:
The spying game: How spy ware threatens corporate security
A Sophos white paper
May 2005
SUMMARY
This paper defines spy ware, investigating what it can do and why it
threatens the network security of businesses. The prevalence of spy ware is
highlighted and the ways in which it can install itself are described.
Methods for protecting computers and networks are also discussed.
Spy ware defined
Opinion is divided on the definition of spy ware, since it is often used as
an umbrella term for a whole range of malicious and non-malicious software.
Examples include joke programs, ad ware, Trojans, internet cookies, homepage
re-set programs and dialers (software that connects computers to premium
rate phone lines). Some malicious spy ware presents a security threat
because of its ability to secretly record and steal confidential
information, or maliciously alter an affected computer . by opening a
backdoor to allow access to hackers, for example. Other kinds of spy ware
are more of a threat to productivity than security. One example of this is
ad ware software that can collect information on users surfing habits and
displays advertisements while another program is running. Ad ware usually
informs users of its intended function before it is installed, but since
this
information is often hidden amongst hundreds of lines of dense legal text,
some ad ware sits on the border of being legitimate.
However, it is malicious spy ware that threatens corporate security, mainly
through data theft, hacking and network damage. Examples of malicious spy
ware include Trojans and system monitors such as keystroke loggers, which
can steal data such as passwords typed into a keyboard. Other
programs can turn on webcams and microphones, allowing hackers to spy on
computer users. In the context of this paper, all discussion of spy ware
relates to malicious spy ware, i.e. that which is installed secretly,
without consent, and threatens the security of networks.
A widespread problem
Although spy ware has been around for some time, the actual number of
affected computers is not known. However, evidence suggests that the problem
has become widespread. A SpyAudit report conducted by ISP Earthlink and
Webroot Software performed 2.07 million scans in the first six months
of 2004, finding 332,809 system monitors and 366,961Trojan horses1.
Spy ware is certainly recognized as an increasing security threat. In a
survey of 600 North American businesses by IDC, spy ware was ranked as the
fourth greatest threat, ahead of spam, hackers and cyber terrorism. The only
areas viewed as bigger threats than spy ware were viruses, internet worms
and damage through employee errors2.
The threat to business
The fact that spy ware can become installed and active on a computer or
network without the user's permission or knowledge makes it a particular
threat to businesses, since it can cause harm in a variety of ways if left
undetected.
Data theft
One of the main security threats is the ability of spy ware to steal
important or confidential information. A type of spy ware known as a "system
monitor" does this by running in the background, recording what is typed
into a keyboard and sending the information to another location. Once
installed, the software starts reporting the next time the computer is
unlike spy ware, some ad ware informs the user of its intended function
before installation, but this information is often hidden amongst hundreds
of lines of text. Spy ware can steal confidential business information,
leaving companies vulnerable in several ways.
2 Sophos white paper online. This kind of spy ware can steal financial data,
spreadsheets, personnel records, bank account numbers, passwords or any
other information typed into the affected computer. A damaged reputation,
the loss of money or competitive advantage and an increased risk of
litigation can all result from this data theft.
Hacking
As well as capturing data, spy ware can download other malicious programs or
leave computers vulnerable to hackers. Backdoor Trojans can allow hackers
unrestricted access to a computer system when it is online, and are a
particular risk for computers with broadband internet access. These Trojans
can enable hackers to take control of a computer in a variety of ways, such
as deleting project plans, altering stock records, downloading porn or
controlling the user's mouse and keyboard. Some other Trojans can capture
screenshots or turn on webcams, allowing hackers to spy on computer users.
For the IT administrator this kind of attack is potentially worse than a
virus, since viruses are at least limited by the set commands in their code
and will behave predictably. Humans,
who have assumed control of a computer system, can react to the information
they find and change tactics accordingly, making the threat unpredictable.
Zombie attack
Spy ware can also be a very effective tool for spammers, who can use it to
gather email addresses or take information and customize spam emails (for
example, by using the names of colleagues found on a user's hard disk)
thereby increasing response rates. Using a backdoor Trojan as described
above,
spammers can also take over a vulnerable computer or web server and force it
to send out their emails for them, thus making the email appear to be from a
legitimate source.
Computers that have been hijacked in this way are known as "zombies". Sophos
estimates that as much as 40% of spam is being sent from zombie computers
without the user's knowledge.
Network damage
Network performance can also suffer as a result of a spy ware attack, as the
software places extra demands on the system. For a business, this can mean
disruption and decreased productivity while the software remains undetected,
and extra resources spent on finding and clearing up the problem.
How spy ware becomes installed
There are several ways in which spy ware can become installed on a computer.
It can be installed by a virus, or when a user clicks on a weblink or opens
an attachment in an email.
Most spy ware requires some user action to install it on a computer, such as
downloading an ostensibly useful or desirable piece of software (a
peer-to-peer file sharing program, for example) which may carry the spy ware
hidden within it. Users may also be duped into downloading spy ware
in other ways, for example a pop-up message might appear which prompts them
to download a software utility they "need". Once the user agrees, usually by
clicking "OK" on an agreement box, the spy ware is installed.
In some cases spy ware can become secretly installed by exploiting security
vulnerabilities in a web browser such as Internet Explorer. In this case a
user only has to visit a certain website or view an HTML email message for
spy ware to install itself onto their computer. This kind of secret
installation is known as a "drive-by download". It can happen if the
security settings on a computer are set too low or if an unpatched version
of a web browser is being used. Finally, if security regarding passwords or
physical access to desktop computers is lax, spy ware can be loaded onto a
computer by a person using a CD or USB drive.
How to protect against spy ware
There are some basic measures that can be taken to protect a network, such
as educating users to be cautious when opening attachments and downloading
and installing software. Enforcing a sensible company-wide internet policy
will help prevent accidental downloads, and making sure passwords are kept
secret will help prevent unauthorized access to desktop computers. It is
useful to deploy technology such as personal firewalls to control unwanted
communication with the internet Ensuring that the security settings on web
browsers are turned on and kept to a high setting will also provide a
measure of protection. Spy ware and other kinds of malicious code are often
designed to exploit security vulnerabilities. Whenever these are discovered
in software, the manufacturers issue security patches for users to download.
It is important to keep up to date with the latest patches for whichever
browser is being used. However, the most effective way to protect against
spy ware is
to use an integrated security solution to stop malicious spy ware both at
the email gateway and on individual computers. Sophos Anti-Virus, provides
protection from all malicious spy ware. It does not currently block
non-malicious software such as "ad ware" that seeks permission for
installation and discloses if it is going to pass information. By exploiting
security vulnerabilities, spy ware can
secretly install itself when a user visits a certain website or views an
email message.
THE SPYING GAME: HOW SPY WARE THREATENS CORPORATE SECURITY 3
© Copyright 2005. Sophos Plc.
All registered trademarks and copyrights are understood and recognized by
Sophos.
No part of this publication may be reproduced, stored in a retrieval system,
or transmitted by any form or by any means without the prior written
permission of the publishers.
Boston, USA . Mainz, Germany . Milan, Italy . Oxford, UK . Paris,
France.Singapore .
Sydney, Australia . Vancouver, Canada . Yokohama, Japan (albeit usually not
very openly) in case users do actually want to allow this communication.
This policy of blocking all malicious software while allowing users to judge
whether they want the non-malicious applications, enables Sophos to
provide 100% protection against real harm, while minimizing the impact on
legitimate business use of software. Sophos Anti-Virus provides
award-winning protection against malicious software of all kinds on
desktops, remote laptops and fileservers in companies of any size, while "Sophos
PureMessage" guards the email gateway, giving combined protection from
malicious spy ware, viruses and spam.
PureMessage and Sophos Anti-Virus employ Genotype, spam and virus detection
technology respectively, giving proactive protection against variants of
spam campaigns, spy ware threats and other malware. With policy enforcement
from PureMessage, organizations also gain liability protection, meet
regulatory compliance, and increase productivity. A suite of management
tools enables both Sophos Anti-Virus and PureMessage to be easily installed
and updated, and both come with 24-hour technical support. In addition
SophosLabs., a global network of threat analysis centers,
ensures a rapid response to any new virus or spam threat anywhere in the
world, 24 hours a day.
Incorporated in 1985, Sophos protects 35 million business users from
organizations of all sizes in more than 150 countries. For more information
on how Sophos can protect your business, visit www.sophos.com, email nasales@sophos.com,
or call toll-free 1-866-866-2802.
Sources
1 http://publications.mediapost.com[.Spy ware Report Raises
Broader Questions.. By Larry Dobrow, 5 August 2004.]
2 Brian E Burke, .Worldwide Secure Content Management
2004-2008 Forecast Update and 2003 Vendor Shares: a
Holistic View of Antivirus, Web Filtering, and Messaging
Security. IDC, 2004.
There are several ways to stop spy ware, but the most effective is to
protect both the email gateway and desktop with an integrated software
solution.