Spyware infiltrates the enterprise

Spyware and adware are pouring into enterprise desktops. How severe is the threat? And what can be done about it?

This article has been modified from its original version. Certain quoted material has been removed because its veracity could not be confirmed.

Desktops littered with pop-up ads, computers grinding to a halt under the weight of snoopy software, private data snatched off networks and sent to a server somewhere in Siberia or San Francisco … all these unfortunate occurrences can be attributed to spyware, a generic term for software that regularly collects demographic and usage information from a computer and transmits it to a marketing company or other interested parties without the user’s explicit permission.

Spyware is far more intrusive than spam and can cause more real problems than many computer viruses. The more benign versions -- sometimes called adware -- confine themselves to downloading and displaying “targeted” ads and may only be resource hogs. But many spyware applications go farther. They auto-update themselves, alter system configurations, download and install additional software, and access and disclose data stored on computers they infect -- or on any shared network resources that the affected computer can access.

ISP EarthLink offers subscribers a free spyware scanning service. Of the more than 2 million computers scanned since January, one in three harbor spyware, with an average of 28 spyware programs per infected machine. Hardware vendor Dell says 12 percent of the support requests it receives concern spyware. Dell and EarthLink believe their respective support calls and scan requests come mainly from home or small-business users. Are enterprise networks spyware-free?

According to the results of a recent survey conducted on behalf of enterprise security vendor Secure Computing by independent research company TheInfoPro, only 25 percent of polled enterprise IT managers thought spyware was a major problem. That was not the response Tim McGurran, president and COO of Secure Computing, was expecting.

“Frankly, we were surprised that so few enterprises appear to be worried about spyware,” McGurran says. “Statistics definitely show that spyware is a serious problem in the enterprise. Equally disturbing was that the majority of the respondents also said that they have spyware policies in place in their organizations but that the policies aren’t really enforced.”

Secure Computing’s survey didn’t ask IT managers whether spyware was or had been present on their systems. A recent poll by Harris Survey did ask, and 92 percent of polled IT managers said their organizations had been infected with spyware -- with an average of 29 percent of their corporate PCs infected.

Because both surveys were conducted according to accepted rules of research, we’re left with a conundrum: IT administrators admit a large percentage of enterprise computers have been infected and yet insist spyware isn’t a real problem. Enterprise security vendors themselves have only recently begun to take spyware seriously, meaning that the best software for detecting and removing spyware still originates from a handful of small, relatively obscure software vendors.


“When a company loses a significant amount of money -- or is the victim of a demonstrable case of corporate espionage -- and it makes a major impact in the newspaper, then corporations will take notice,” says Bruce Schneier, founder and CTO of Counterpane Internet Security. “My guess is that this kind of thing is already happening and will happen with a greater frequency in the future. Criminals, from lone criminals to organized crime, have discovered spyware.”

Spyware or adware?

Businesses aren’t ignoring the spyware issue, but it’s not high on the agenda, says Kevin Harvey, senior technical consultant at technology consultancy Forsythe. “Part of the problem is that spyware isn’t as well understood as other security risks,” he says.

The confusion over what spyware is -- a plague from the darkest corners of the Internet or a nice software present with a small catch from the marketing world -- and the slight but legally actionable difference between it and its less malicious sibling adware make it difficult to develop solutions and strategies to deal with the problem.

Claria, which distributes the Gator software that some refer to as spyware, last year filed a libel suit against an anti-spyware program vendor. The suit was settled out of court when PC Pitstop removed information critical of the company and its software from the PC Pitstop Web site. Claria insists that Gator is not spyware because the software’s behavior is clearly explained in end-user licensing agreements and the people who use Gator software know they are providing their personal information in exchange for free software. Claria claims it currently “serves” more than 43 million consumers who have agreed to receive advertising.

Claria’s argument was borne out during a recent security scan of an enterprise network by Blue Coat Systems, a company that manufactures proxy appliances that control how employees use the Internet. Blue Coat offers companies a free service called a Web Traffic Assessment. During an assessment, Blue Coat installs a proxy appliance onto the network without any policy controls, allowing the appliance to simply log all Web activity taking place on the network. Steve Mullaney, vice president of marketing at Blue Coat, says this has been very effective in helping some large companies identify spyware on their networks.

“Blue Coat recently ran a Web Traffic Assessment for a large Fortune 500 enterprise manufacturing company and found out that the No. 1 visited Web site in the corporation was Gator.com,” Mullaney says. “Management did not know what Gator was, and when we told them it was adware/spyware, they were shocked, to say the least.”

How did Gator get on those machines and drive that traffic? Because Blue Coat can pinpoint individual users, management asked some users whether they knew they had spyware/adware on their machines. Surprisingly, the users said yes, they did know. In fact, they had installed Gator and explicitly agreed to receive aggressively served ads in exchange for Gator’s e-wallet application.
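To make the assessment described above concrete, here is an added example that is not Blue Coat’s code and uses a constructed log format rather than any vendor’s: it tallies destination hosts in a proxy access log and lists which users contacted each, which is how an unrecognized top-talker such as Gator.com stands out and can be traced back to individual desktops.

```python
"""Rank outbound Web destinations from proxy access logs (added example).

Constructed log format (hypothetical, not Blue Coat's own): one request
per line, "<timestamp> <user> <method> <url> <status>". Hosts are ranked
by request count and attributed to the users who contacted them.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: a few requests from three hypothetical users,
# plus one truncated line to show that malformed records are skipped.
SAMPLE_LOG = """\
2004-06-01T09:00:01 jdoe GET http://www.gator.com/update/check 200
2004-06-01T09:00:02 jdoe GET http://intranet.example.internal/home 200
2004-06-01T09:00:05 asmith GET http://www.gator.com/ads/serve?id=1 200
2004-06-01T09:00:07 asmith GET http://news.example.com/ 200
2004-06-01T09:00:09 bkim GET http://www.gator.com/ads/serve?id=2 200
2004-06-01T09:00:11 jdoe GET http://www.gator.com/ads/serve?id=3 200
2004-06-01T09:00:13 bkim GET http://intranet.example.internal/mail 200
2004-06-01T09:00:15 corrupt
"""


def parse_log(text):
    """Yield (user, host) pairs; skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        host = urlsplit(parts[3]).hostname
        if host:
            yield parts[1], host.lower()


def rank_hosts(text):
    """Return (host, request_count) pairs, most-visited first."""
    counts = Counter(host for _, host in parse_log(text))
    return counts.most_common()


def users_by_host(text):
    """Map each host to the sorted list of users who requested it."""
    seen = defaultdict(set)
    for user, host in parse_log(text):
        seen[host].add(user)
    return {host: sorted(users) for host, users in seen.items()}


if __name__ == "__main__":
    attribution = users_by_host(SAMPLE_LOG)
    for host, n in rank_hosts(SAMPLE_LOG):
        print(f"{n:4d}  {host:32s} users={','.join(attribution[host])}")
```

In a real assessment the same two tables, run over a day of proxy logs, are what let IT ask the right users what they installed.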

“After further probing by IT staff, one user says, ‘Well, I wouldn’t install adware on my computer at home,’ ” Mullaney says. “The IT staff then learned that some of the users didn’t want to slow down their home PC or home Internet connection with adware. The CIO was not amused.”

So Claria may be right -- some users know what they’re getting, and there may be some difference between adware and spyware. But does this matter to anyone but Claria and the people contacted by the company’s lawyers? Some security experts say it does.

“It’s necessary to understand the difference between adware and spyware when addressing how these programs are getting onto corporate networks,” says Gregg Mastoras, senior security analyst at Sophos, a security application vendor. “Adware is usually deliberately installed by a user. It is a noisy application, clearly announcing its presence on a computer through advertisements. You prevent it through policies and user education.”

But spyware, Mastoras says, is stealthier. “Spyware usually installs itself without permission via holes in software or doesn’t come with a clear explanation of its purposes. Spyware is a subtle, under-the-radar application that wishes to remain unnoticed so that it can collect data without interference,” he says.

Aggressive spyware variants pose a severe threat, particularly for companies that subsist on sensitive data. “I know of one major HMO that has a 10-person staff dedicated solely to the eradication of spyware because they feel it is such a risk to their HIPAA compliance,” says John Bedrick, group product marketing manager of system security at McAfee. “We also worked with a major financial institute that was hacked. User IDs and passwords were gathered by spyware and transmitted to a third-world country, and the company’s network was then hacked with remote administrative tools.”

Begone, scum

So what strategies should enterprises use to fend off spyware and adware? As with any vexing problem that has security implications, the solution derives from a combination of policy and technology.

One approach is simply to jettison Internet Explorer. The majority of adware and spyware works only on computers running Microsoft’s operating system and Web browser. Some experts advise switching to Mozilla’s Firefox Web browser to cut down on “drive-by installs” -- that is, spyware that installs itself without users’ knowledge or explicit permission.

Security experts agree, however, that spyware is sneaking onto corporate desktops largely as a result of user behavior. “Spyware has many vectors, but the critical issue is that the door is opened by user actions. If end-users are allowed to install software and to freely browse the Web, the enterprise is exposed,” says Richard Stiennon, who until recently was a lead security analyst at Gartner and is now vice president of threat research at Webroot Software, a security software vendor.

Policy enforcement should ensure that good users don’t do bad things such as installing silly programs on their desktops or running file-sharing applications that typically harbor a slew of spyware. And good patch management policies should prevent sneaky programs from installing themselves on a computer without the user’s knowledge via security holes in operating systems and Web browsers.

Yet as Sophos’ Mastoras notes, “End-user behavior generally triumphs over protection, patching, and policies. Few organizations are able to actually enforce the policies they create.”

Factor in human behavior, and conventional security technologies alone aren’t up to the task. “Typical large enterprises have firewalls and anti-virus but lack protection at the application layer. More specifically, they lack HTTP protection, which most spyware uses as its primary mode of communication,” Blue Coat’s Mullaney says. “Firewalls have traditionally focused on ports and, to some extent, protocols but have no visibility into content. Furthermore, attempts to extend anti-virus scanning to HTTP historically have failed due to poor performance and false positives that resulted in poor Web experiences for the end-user.”

Enterprise anti-virus vendors such as McAfee, Sophos, and Symantec say they are bolstering their applications’ capabilities of blocking and/or removing spyware and adware. But vendors that offer targeted enterprise anti-spyware apps point out that their products provide a good complement to anti-virus applications, offering focused, comprehensive protection against a specific threat.

Unlike anti-spyware products designed for home users, enterprise editions are fully automated, sweeping the network for infestation however often IT chooses to set the program to scan (most vendors recommend a daily sweep). Spyware can be automatically removed or remotely quarantined, as an administrator chooses.

Enterprise anti-spyware applications such as Webroot Spy Sweeper Enterprise and PestPatrol Corporate also allow system administrators to fine-tune spyware protection by defining safe lists of applications that users can install or run, a feature not yet offered by anti-virus applications. Certain or all types of cookies can be permitted. The applications can also inoculate networks, automatically blocking the installation of known spyware. Because one person’s spyware is another’s useful application, each company can configure auto-blocking to suit its enterprise.

“Good security requires defense in depth,” Counterpane’s Schneier says. “There’s no ‘benefits of inoculation vs. scanning’ argument with spyware; a smart company does both. Security is always a trade-off, and companies always have to weigh the costs of loss vs. the costs of risk mitigation. In this case, it’s a no-brainer. There are easy -- and cheap -- tools that drastically reduce the risk of spyware.”

Counting on countermeasures

Enterprises may find these tools preferable to draconian measures such as preventing users from installing any applications on their computers. Paul Bryan, director at Microsoft’s security business unit, says that the company is addressing the core issues of deceptive software with the goal of ensuring that what’s happening on an individual machine is recognized and controllable.

“Microsoft’s new IE pop-up blocker is turned on by default and cuts down on a key way consumers are enticed and tricked into downloading deceptive software. And unsolicited downloads are now blocked by default,” Bryan says. “We also added additional group policy controls that allow administrators to block downloads in the intranet zone.”

Bryan acknowledges, however, that “XP [Service Pack 2] is not the complete solution by any means. As with most security challenges, there is no silver bullet, but it represents the kind of technology solution that we believe will help all of our customers deal with the spyware problem.”

Most security experts agree that Windows XP Service Pack 2 does a good job hardening its OS against spyware that installs without explicit user permission. And just in time, too. Security experts believe that spyware is quickly getting creepier and more capable.

“We are in the very early stages of spyware,” Forsythe’s Harvey says. “Spyware is likely to become even more stealthy and capture more information as current code is refined. I believe we will hear many horror stories in the coming months about confidential corporate information being divulged through spyware.”

Copyright © 2004 IDG Communications, Inc.
