Spyware used to be thought of as a consumer problem. Now it has IT’s full attention, and it’s no wonder.
In a survey of US Computerworld subscribers with IT security responsibilities conducted for this story, 79% of the 577 respondents say they’ve had problems with spyware in the past 12 months, and 71% say they see it as a threat to their organisations. While spyware’s major impact has been on the help desk because of spyware-related system reliability and performance issues, the unwanted programs are also viewed as a growing security threat — one that 84% of respondents say is increasing.
The good news is that IT organisations are finally starting to get the kinds of tools that are needed to bring the problem under control. The evolution of centrally-managed, enterprise-class antispyware tools for the desktop, and the emergence of spyware-savvy gateways for the network perimeter, are helping IT organisations identify and eliminate spyware programs and block new ones from infecting business PCs. Although the tools are new and still maturing, 41% of our survey respondents say they are already using enterprise-ready antispyware software.
At TelCove, the use of enterprise antispyware software has cut help desk call volumes by about 30%, says Windows server administrator Anthony Waters. The help desk at the Pitsburg telecommunications company fields calls from 1,500 users in 72 offices. As spyware-related calls to the help desk skyrocketed late last year, the task of cleaning PCs with stand-alone antispyware tools and re-imaging badly infected machines became overwhelming. “It was just crazy,” Waters says.
Last December, Waters added McAfee’s AntiSpyware Enterprise to his antivirus software and deployed it on the desktops using McAfee’s Policy Orchestrator software. Early on, the software didn’t catch all spyware programs and, in some cases, programs it had supposedly removed came back. “But, as we got different [updates], that part has improved,” Waters says. This spring, he also upgraded all PCs to Windows XP with Service Pack 2, a move that helped eliminate several Windows and Internet Explorer vulnerabilities that spyware programs are known to exploit. Now, Waters says, spyware-related help desk calls have almost been eliminated.
A year ago, few enterprise-ready antispyware tools were available. Today, every major antivirus software vendor has an offering for the problem that Microsoft says was responsible for one out of every three Windows system crashes last year. Although the tools are still maturing, IT is going ahead with deployments, according to IDC analyst Brian Burke. “It’s now the third-most-implemented security software, after antivirus and firewalls,” he says.
While IT organisations worry that spyware can potentially be used to steal sensitive data, just 6% of the Computerworld survey respondents who reported spyware problems cited a resulting loss of organisational data or intellectual property. But more than half reported increased help desk activity resulting from spyware infections.
Commercial adware continues to cause reliability and performance issues for business users. Twenty-two percent of respondents reported that the more insidious programs — Trojans, keyloggers, diallers and remote-control programs — resulted in break-ins, while 14% experienced destruction of data or programs. The reason those numbers aren’t higher is probably because such exploits are increasingly being picked up by other security layers.
At TelCove, for example, desktop antivirus software has caught diallers and Trojans. But information security professionals also worry about data loss through malicious use of the mechanisms and communication channels that adware uses.
“The main issue is the kinds of things that come through Ports 80 and 443, which are the general business ports. It’s hard to block those,” says Randy Sanovic, general director of information security at General Motors. Antispyware tools address those concerns.
Help desk calls tend to underreport the scope of the spyware problem because users don’t complain until their systems have become almost totally unstable. They wait until “they can’t tolerate it any more or you have a complete breakdown of the computer,” says Paul Bryan, director of product management for client security at Microsoft.
Peter Wallace knew from help desk call volumes that he had a spyware problem at AAA Reading-Berks, a car club. But the extent of the infection surprised even him. When he ran eTrust PestPatrol across the organisation’s 90 machines, he found that 70% had problems. Deployment of the antispyware software cut the time he spent addressing spyware issues from 20 hours a week to a few minutes a day reviewing reports, he says.
Sam Curry, vice president of eTrust security management at Computer Associates International, says the company’s PestPatrol customers typically find 25 to 90 instances of spyware per PC. Statistics like that are what worry GM’s Sanovic and other IT executives who haven’t yet deployed antivirus tools enterprisewide. “What you don’t know is the problem with spyware. If you don’t look, you don’t know when you are exposed,” Sanovic says.
Gateway appliances on the network are also getting better at blocking spyware activity. At Exchange Bank, an intrusion-prevention appliance from Internet Security Systems blocks spyware activity, says Bob Gligorea, information security officer at the Californian bank. “The ones it doesn’t catch [during download], it catches when they try to go to the internet,” he says. His staff then issues a trouble ticket to remove the spyware. Gligorea also plans to add web filtering software and ISS’s Proventia Desktop to detect and block spyware activity.
At the Philadelphia Stock Exchange, Gene Peters has been holding off buying desktop antispyware tools, but he’s being proactive at the network perimeter. His web filtering software, from SurfControl, recently blocked a potentially dangerous spyware download. “We think it would have downloaded a Trojan,” says Peters, director of information services at the exchange.
Fortunately, the spyware never got out of the internet cache, but Peters is far from complacent. “We got lucky that [the website disseminating the spyware] was not a legitimate site in our URL list,” he says. This year he plans to evaluate desktop tools as a complement to his network defences.
Some 55% of survey respondents say they haven’t yet purchased enterprise-class antispyware tools. GM’s Sanovic is waiting for enterprise antispyware offerings from the bigger security software vendors to mature before jumping in. “It’s difficult at first look to determine if a lot of the products are ready for corporate environments,” he says.
Peters says the add-on products he’s tested from the antivirus vendors do offer centralised management and reporting, but haven’t been as effective as the single-user versions from smaller vendors.
More than half of the readers surveyed ranked currently available tools as only “somewhat effective” at detecting, removing and preventing the installation of spyware. The tools received their highest marks for detection but were seen as less effective at removal and prevention. “Some [products] do a great job at detecting spyware but a horrible job at removing it. How good is that to me?” Peters says. As a result, some organisations are using multiple tools to help address the problem.
Ricky Stewart uses Spybot Search & Destroy and other stand-alone utilities in addition to eTrust PestPatrol. “Spybot finds things that PestPatrol doesn’t,” says Stewart, who supports 350 users at Cornell University’s athletic department. “That’s why I’ve always gone with multiple programs.”
At this point, says Sanovic, “everyone is treading water, looking for the best they can get.” Fortunately, the products are improving rapidly.
Most IT organisations aren’t excited about loading yet another security agent onto the desktop but see no alternative. “You can’t have your help desk involved in trying to resolve hundreds of thousands of user problems,” says Sanovic. Antispyware and antivirus software are also beginning to merge into a single client, says Gartner analyst John Pescatore.
Meanwhile, the same signature-based detection technology is being integrated into gateway products such as Blue Coat Systems’ Spyware Interceptor and McAfee’s Secure Web Gateway. While gateways can help prevent the installation of spyware in the office, they can’t prevent users who travel from bringing back spyware, nor can they remove it. Most organisations will require a combination of desktop and gateway tools to get the job done. But gateways won’t work in all cases. For Waters, the cost of procuring them for 72 offices is just too high.
Initial enterprise antispyware tools were also budget busters, but that’s changing rapidly. “We’ve seen the pricing of enterprise spyware deals drop very dramatically, from as much as US$40 (NZ$57) per seat to as little as US$2 per seat,” says Pescatore.
Waters says his deal worked out to a little under US$8 per seat to cover 1,500 users. In the long run, as antispyware becomes just another feature in security software suites, the add-on pricing model could disappear entirely, he says.
Software suites should also offer better integration over time. Peters says he’d like to see web antispyware tools communicate with his web content filters, so when spyware is detected on the desktop, the source web site is automatically added to the list of blocked URLs. “That way, you won’t have the same process recurring,” he says.
Ultimately, even the best antispyware tools can’t treat the root cause of the problem. As with antivirus software, vendors must continually update signatures to keep up with professional programmers hired by the adware developers.
“The financial incentives in spyware are much greater than anything else except direct hacking,” says Sanovic.
Wallace is disgusted by the problem. “I would like to see the people responsible for the spyware in a public execution,” he says. But he’s resigned to the need for antispyware tools for the foreseeable future. “I’m not happy that I have to spend money for licensing to keep my machines clean,” he says. “But I have to protect my systems and my users from this stuff.”
Plugging the Windows hole
Corporate IT organisations aren’t the only ones worried about spyware.
With most attacks aimed directly at Windows, Microsoft has responded in the past year with the release of Windows XP service pack 2 and other patches designed to close some of the more glaring security holes through which spyware insert their applications on users’ machines.
Pop-ups are now blocked. So-called drive-by downloads, where users could pick up spyware simply by viewing a web page in Internet Explorer, are also much more difficult to pull off. And other exploits, such as dialog boxes that won’t take no for an answer, are gone, too.
Earlier this year, Microsoft acquired antispyware software maker Giant Company Software. Its product, rechristened Microsoft Windows AntiSpyware, was released as a free beta on January 16, and it already has about 20 million users, says Paul Bryan, director of product management for client security. An enterprise version is planned.
Although Microsoft was criticised last summer for downgrading its suggested action against some adware programs it detects from “quarantine” to “ignore”, Windows AntiSpyware has “pretty good preventive capabilities,” says Gartner analyst John Pescatore.
So, is Windows a harder target? Not really. Most of Windows SP2’s security improvements have been “circumvented” by adware developers, claims Thor Larholm, senior security researcher at PivX Solutions in Newport Beach, California.
Pescatore agrees. “It’s still possible to go to a website, click on something and get a browser help object installed,” he says. Adware developers are not only moving forward with new techniques, they’re also exploiting newly discovered vulnerabilities.
Larholm has already run into one new technique. “In the last couple of months, we’ve seen a surge in the amount of spyware that uses rootkit technology to hide its presence from antispyware products,” he says.
Bryan concedes that there’s only so much Microsoft can do. Windows Vista, which is due next year, will bring other improvements, such as the disabling of ActiveX controls by default, and user account protection that requires standard users to get admin credentials before they can install an application.
But spyware is a moving target. “What you see is a morphing of spyware over time,” Bryan says.
“It’s getting trickier and more challenging to deal with.”