Anti-Virus Information Exchange Network Statement on Spyware

Have you read the latest issue of our digital (IN)SECURE Magazine? If not, do it now.

Over the past several years, software termed SpyWare has invaded personal computers world-wide and caused increasing problems for users and organizations alike. Members of AVIEN (Anti-Virus Information Exchange Network) take this threat seriously and call upon all parties involved, including vendors of security software, leaders in organizations, and government officials alike to increase their dedication to fighting this problem.

Spyware acts in a variety of ways, including leaving backdoors into computer systems for data theft, system exploitation and malicious utilization, installing software bots and zombies that can be remote controlled and often used for Spamming activities. In all cases, the principle at stake is that users need to be able to manage the software on their systems in the way most suitable for them.

While the software companies that produce spyware may make claims about the legitimacy of their products, and point to the End User License Agreements as evidence that the user accepted the installation of the software, the fact remains that it is a rare case that this software will display a clear and unmistakable indication of the intended actions of the software. Burying intentions in the middle of long legalese is not the same as having a screen pop up and ask the user to agree with the software sending his personal information to someone else, to installing software that will give control of his machine to others, etc etc.

Furthermore, if a user changes his mind about any software that has been installed on his system, regardless of the category it might fall into, tools should be available to allow the total removal of that software and any components it installed. Spyware, by its very nature, often consists of parts which are not only hard to detect for the average user, but also can be installed in a manner which makes its removal more difficult than normal.

Legislators can also take an active role, defining what sorts of actions by software need to be openly declared and explicitly agreed to by users.

According to a recent presentation at a security conference, in 2000 approximately 70% of signatures for malware added to a vendor’s database was for detecting self-replicating threats (typically viruses). By 2004, this ratio had changed dramatically, with self-replicating threats only representing slightly less than 20% of the new threats with the rest comprised of malicious software that included spyware.

AVIEN member Robert Kinsey comments on security software vendor’s response to the problem “I would say the vendors are sorely lagging in their responsiveness to this threat and are only now beginning to incorporate spyware/adware detections in their main desktop Anti-Virus tools. Spyware is poised to match other malware in its pervasive choke-hold on computer users because spyware uses the computer user as its vector. Clearly the biggest problem with many spyware is not just that it gets on a system simply by visiting an unscrupulous web site but the seeming lack of self- control on the part of the companies employing spyware to dig as much data about a user or their system to include account info and passwords.

These web sites are making it so that simply browsing what should be a free resource of information is becoming just as much a threat as any other malware attachment or internet-aware attack.

Henk K. Diemer, CISSP and AVIEN member working in the Infrastructure Security Management department of a major global Bank, has been part of a small inter-banking task force studying this problem for banks. He says: “Banks face a growing risk due to Spyware, as ‘banking’ is such a nice target. The old strategy ‘strengthen the weakest link’ is failing here because we seem unable to identify what is the weakest link quickly enough today. We don’t see the ordinary home user deal with Spyware prevention soon, just like s(he) never did so with viruses, worms prevention. And bank internal systems are still rather well protected for Spyware (provided of course the malware defense is sound and kept up to date 7×24). So banks today pick other priorities to invest in. But we -malware fighter in banks – see a fast growing global problem not to be left to the whims of vendors of solutions in ‘the market’.

We recommend looking at the trends and past current contractual obligations and procedures, and to begin to exchange more incident data from large firms, banks, and ISPs with governmental bodies (CERTs, NHTCUs, etc.) and also to push a little more money to the large service providers. This would help prevent Banking Spyware reaching banking users. This data sharing is just beginning, and explains the current stand-still situation and why most financial organizations seem to always wait for a wake-up call from their Anti Malware fighters, and for shares to drop due to Spyware for online banking.

We also found that the banking spyware situation is comprised of 7 interconnected, global challenges that need more attention:

1: On-line banking is today a major Spyware target – Spyware affects and targets at least 3 different environments for banking, nowadays:
– the home or customer environment (important issue)
– the banking or corporate environment (not too much of an issue)
– the public environment/ Internet use and control which includes e-mail use, IRC, P2P sub networks, data storage: the big issue)

2: CISO’s /IT management awareness of the potential problem and current weaknesses is weak: banks start(ed) to outsource AV management security services but then struggle to implement a ‘working’ communication structure/procedures for handling and controlling Spyware /Banking Trojans incidents with all involved providers. At best, there is the old procedure to deal with the common, known viruses and bugs with Microsoft software patches. Banks often fail to arrange for timely countermeasures to deal with the complex patching of many more security ‘holes’: those the banking Trojans rely on (e.g. browser and application / protocol exploits, weak self defence of common security applications and the actual time-lines for a full company-wide patch to be completed.

3: Sound data about the size of and risks inherent in the (potential) Spyware problem is absent: banks do not like to share data as either they don’t have it or ‘internal politics forbid sharing’. Next, we see a lot of hype, hoax and hysteria, also from the Anti Spyware industry which largely treats banks the same as home users or small businesses.

4: Risk assessment for Spyware needs much improvement: highly targeted, low probability local, high risks, hype factor etc is so unlike viruses. Few methods deal well with external risks or confidentiality issues, ‘loss of trust’ that comes with Spyware incidents.

5: Detection, scan and removal of Spyware: Anti Spyware tools that really do what is needed (real time detection and prevention) are not widely available yet and I think banks etc. hope they still can wait.

6: Signature based scanning is no longer working “at all times”: some Anti Spyware vendors must now deal with 100 new variants per day and customers and banks cannot update so frequently.

7: Liability issues: some spying code may be legal depending on where an organization is located, ULA and what local laws consider. And most IT managers as well as governments transfer parts of this risky area to many other parties up to the point nobody is accountable or responsible any more.

So the question is: who should care about Spyware and has no commercial interest? What if Europe needs a different approach from regions like USA, Brazil, East Europe or China? Banks face today a communication problem, due to the complex banking regulations, privacy laws and the volume of the information and local policies to wade through. It is very good to see that new bodies step forward (APWG, APACS-UK, FIS_ISAC, Honeynet to name a few) to do more research in this area as banks are – well – banks.”

Scott Paladino, CISSP, System Engineer/Architect with a major computer systems outsourcer, which has an active presence in AVIEN, also expresses concern about the spyware issue: “I am concerned about the spyware phenomenon in regard to public and media response. Significant technology “solutions” exist that purport to alleviate or block “spyware” and “adware” long before other technologies (frequently the comparison is against antivirus technologies). The result has been a mini-bubble of industry growth around spyware. It has inflated costs and resulted in deployment of tools that, while beneficial in some cases, typically result in minimal benefit. Additionally, true hucksters are in the market selling “technologies” that themselves propagate spyware, adware, and other intrusive applications.

It is, in fact, the research that occurs around spyware that is generating the greatest benefit “it’s origins, purpose, and motive are all becoming well understood.

My focus is on reducing the mystique and hysteria around viruses and spyware to the basic information security fundamentals. The issue is still, at its heart, one of information security. Availability, confidentiality, integrity, and assurance. Only the delivery mechanisms, over time, have changed. The motives behind spyware remain the same.

The technical and business challenges around spyware revolve around several of the goals of information security. Unfortunately for all involved, spyware (in all its forms) has enabled a business model shift for organized crime. We are not talking about syndicates, or “the mob”, of course, but more around planned behaviors that facilitate sophisticated criminal activity. There is no clear means to directly combat this shift at this time, other than detecting already existing technologies, detecting abnormal or unauthorized behaviors, or by education.

Corporations continue to be engaged in general “feel good” practices of open internet use for their employees, rather than white-listing web resources based on content, purpose, reliability, and reputation. For an individual, on her own PC at home or elsewhere, that is acceptable. For any corporation, without regard to its industry, that practice is to be engaged in at the peril of the business and its leadership.

From the perspective of operations and management, policy and standard, a business MUST be treated with the greatest/highest levels of security. Everyone must endeavour to achieve the highest standards and promote them in our networks. This includes scanning of inbound and (especially) outbound traffic, correlating and analyzing security events, centrally management anti-malicious code systems including combined IDS/IPS solutions, and identifying all devices connected to a client network.

These are the basic of good security practice.

However, more should be done in a proactive manner. Least privilege on client workstations must at least be considered, then attempted. White- listing of allowable web resources(through cooperation with the active antispyware community). And, of course, alerting on outbound traffic originating from workstations at the firewall.

Adding these last points to our interaction with government law enforcement means all security professionals should be able to at least help with the problem. We should have a pragmatic view that most purveyors of spyware act in relatively lawless areas, but once we identify one area of issue, mitigation can be applied appropriately for a network. An example might be generally blocking access to .ru domains, but allowing white-listed .ru access.

My goal in dealing with any malicious network activity, whether it’s spyware or viruses of various sorts, is maintaining the integrity and reliability of the client network.”

In summary, the concerned professionals represented by AVIEN take this opportunity to issue an urgent request to all businesses to increase their focus on the spyware threat before it becomes unmanageable. Appropriate internet usage policies and enforcement, real time detection and prevention of spyware in memory, and increased sharing of data on the threat posed by spyware are all necessary tools that need to be implemented in any organization dedicated to protecting their own data and intellectual property as well as that of their customers. The risk to these business assets cannot be overstated.