Combating The Hidden Dangers Of Adware

The Web, not email, poses the biggest security threat to systems

To most companies, the perception is that the biggest threat to their users’ security continues to come from email and Spam.

In today’s world, corporate communications systems are totally reliant on giving their employees Web access and email to conduct their business. Take away access to email and the Web for most employees, and they’d claim their productivity would fall. So the focus today of most IT security vendors and corporate security budgets is still on protecting email traffic.

But is e-mail really the biggest threat?

If you were a burglar looking to attack a domestic property, you’d surely choose the weakest, least protected point to gain access to property. The same applies to anyone who would attack your company’s infrastructure searching for the weakest link. It’s not the already well-protected email system they’ll attack; it’s the comparatively less well-protected, and so vulnerable, Web traffic.

The Web is undoubtedly a prime channel for attack, because the defence mechanisms are less clear-cut. It is a couple of years since the Code Red worm exploited a known vulnerability in Microsoft IIS server to attack end user desktops. And in those two years, little has changed. Although there is standards work on security in train, there is no accepted security standard for Web sites to provide any guarantee of data safety for a website you are surfing to, and so nothing to prevent the risks to your business from Web traffic.

At the heart of the problem is Adware, which is bandwidth consuming, presents privacy and security concerns, can cause stability and performance problems where it is installed and is distracting to employees. In fact, most employees who are allowed to surf the Web at work probably have some form of Adware on their workstation. The bandwidth consumption alone is enormous as Adware can account for up to 50% or more of a company’s network traffic.

Adware is a form of Spyware. Often installed without the user’s consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window, Adware may be bundled with other software or downloaded in peer-to-peer (P2P) networks such as music-swapping sites. Once installed, the software follows a user’s Internet surfing habits, and delivers advertisements based on these habits. Such Spyware also engages in more deceitful practices such as monitoring keystrokes to gather confidential information, such as a user’s e-mail address, location, or even credit card information.

And the problem is only getting worse. One antivirus alert group recently predicted that exploits and Adware account for over 60 per cent of security problems for home users. The group suggested Adware and unwanted content transmitted via email and the Web will continue to increase in 2005, with programs becoming increasingly complex, combined with content such as Spam and Phishing as the year progresses.

On average, at least 13 Adware components can be found on every user’s machine. Its prevalence is becoming more of a threat than email-borne worries because most consumers use Internet Service Providers that proactively scan and clean email viruses before being delivered to the consumer. But they cannot do the same for Web traffic.

How do you prevent this insidious Adware taking hold of your machine?

Content filtering is the best way forward. But the market penetration of Content Security products is about 30%. So, 70% of users don’t have protection in place, despite needing it now. Ironically, the market penetration of firewalls is far over 90% – but firewalls don’t help prevent Web Ad attacks. Firewalls check authentication but not transmitted content. Antivirus scanners have no signature file in the AV database for most Adware and do not analyse content or provide any customisable filters to stop it.

There is really no other way of protecting against Adware than adopting proper perimeter and desktop protection, putting proactive filtering defence in place. To take an analogy, proactive filtering is the moat that guards a mediaeval castle. The castle also has high walls and a drawbridge to protect it, but it is the moat that is the first line of defence, the deterrent for any would-be attacker.

The risk posed by Web traffic means that all traffic can be considered to be potentially harmful. No company can afford to allow these threats to get access to its network, and even SSL encrypted Web traffic must be considered.

By using proactive filtering, you prevent Adware by effectively deploying a shield, proactively stripping the content and code that enables Adware to be downloaded, installed and executed from Web based traffic at the gateway – i.e. before it can cross your moat and mount an attack.

Proactive filtering does not replace conventional anti-virus technology, but complements it to maximise protection and performance. A classic virus pattern can only protect against one particular attack after it has been found, perhaps already spreading via the Web.The proactive scanner does not look for a known virus that can be caught faster by a pattern-based scanner. Instead, proactive filtering offers a three way approach that verifies digital signatures and in so doing, blocks any untrusted program code; screens and blocks any suspicious code based on its potential behaviour; and finally, filters out any potentially harmful code that tries to exploit any vulnerabilities on the client.

Even with a new incident, proactive filtering can either block the attack, or even when it needs to be updated, can block the whole class of potential attacks using the same mechanics or scheme of attack. A Content Security Management (CSM) suite is perhaps the best example of how proactive filtering can protect a business from Adware by encompassing reactive and proactive protection across all forms of web, FTP and SMTP based traffic

Other solutions to Adware include ensuring that your system does not have a vulnerability that can be exploited. Keeping your Windows operating system fully patched is an obvious thing you can do to ensure security, as well as disabling the Windows Messenger Service, which can dish up unwelcome advertising on unsuspecting users. Disabling the service will prevent both the pop-ups and the exploit.

Adware may remain a threat to your Web users, but by adopting proactive filtering, you can ensure that the only unwanted advertisements they see are on TV.

Don't miss