TechWeb

Security Heavyweights Join Spyware Fight

Apr 27, 2005 (02:04 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=162600097


You already know that spyware is getting worse. A lot worse. Spyware writers, spurred on by financial gain, are working in a frenzy to make your life miserable.

And while there have been many antispyware improvements lately, the old approach of scan-and-pray just isn't enough any more. Instead, you need new capabilities, new strategies, and most of all, you need more help.

Now that a few really heavy hitters are entering the anti-spyware field, you might actually get it.


Previously By Wayne Rash
VoIP 911 Problems Could Kill You

Stupid Security Tricks

Securing Your Starbucks Experience

Recommended PC Anti-Spyware Products

Some Simple Things You Can Do To Protect Against Disasters

Choosing The Right Personal Firewall


Both Symantec and Microsoft now have free betas of their antispyware applications. Symantec released beta of its first antispyware product last week. Microsoft introduced its Antispyware software in January and updated Microsoft Antispyware in February. McAfee brought out the enterprise version of its anti-spyware package in January; the consumer version came out a year ago.

Microsoft, Symantec, Sunbelt Software and others are creating global spyware reporting networks. When a user's computer encounters a new type of spyware, it can (with permission) upload the details to company researchers, who then analyze the spyware and create a means of dealing with it, which is then distributed in a subsequent update. Computer Associates is working on this capability, but doesn't have it yet. While a few companies have been doing something like that for some time, both Microsoft and Symantec have huge user bases, and that means the vendors will get better information sooner. It also means that there are new, big teams of programmers finding solutions, which, with the changing nature of spyware, can be important, since smaller teams may become overwhelmed by the sheer enormity of the task.

For example, one new technique reported by McAfee is a type of spyware that sets up concurrent processes that monitor each other. When one is found and deleted, one of the other processes will restore it. Fighting this type of threat is a lot harder than just scanning for a signature and deleting.

In addition, companies are banding together to create a common database of spyware, to create a naming convention, and to develop ways of sharing the information, while not letting out the proprietary details of what they do to kill spyware when they find it. Microsoft, Symantec and Computer Associates are all part of industry alliances that are working on open standards for this sharing, in much the same manner in which anti-virus vendors share their virus identifications. Unfortunately, some antispyware vendors aren't joining the alliance.

The battle is also becoming much more serious. One researcher told me that one reason spyware is getting better so quickly is because there's money involved. Virus and worm writers were mostly just hobbyists. But spyware distribution exists to retrieve specific information, and that information is used to make money, whether it's credit card numbers or where you surf on the Web. As the battle gets more serious, it's important to pay close attention to what you choose for an anti-spyware package. Here are some ideas:




1. Check to see what the program does when it looks for spyware. Is it simply scanning for signatures? Is it also looking for suspicious activity? While some freeware packages just scan for known spyware, more advanced packages also monitor the actions of software that's running on your machine, and when that software starts doing something suspicious, such as installing without permission, or sending out information without asking, it gets flagged.

2. Find out if the anti-spyware package has automatic update capabilities. An out-of-date package, or one that you have to update manually, is more likely to miss spyware than one that's automatically updated.

3. Find out how the company gathers spyware intelligence. An automatic global reporting process helps to ensure that the latest spyware is taken out of action as soon as possible. Even if you don't want to participate in reporting spyware on your own network, you can still benefit from others who are willing to report.

4. Try to find out if the company making the anti-spyware package you're considering is participating in industry efforts to create a naming standard and a method of sharing data so that one company's spyware find can benefit everyone. The better the reporting and the bigger the database, the better the chance you'll detect the bad stuff early.

5. Look for a package that monitors data as it enters and leaves the network, or that performs frequent automatic background scans. You don't want a package that you have to tell to perform a scan. If you have to depend on remembering to run the anti-spyware package, you'll eventually forget.

6. Make sure that the package you select gets your permission before just killing what it thinks is spyware. Not every program that has spyware-like actions is necessarily spyware, so you should get the final say.

7. If you're using your computer for business, then make sure that the anti-spyware package you choose keeps a log. Your auditors will want to see evidence that you're keeping up with new legal requirements for protecting the privacy of your customers and business partners. Spyware, incidentally, is becoming a huge concern for businesses that are subject to Sarbanes-Oxley, HIPAA and other federal privacy requirements. Spyware that manages to access and leak protected information can result in huge liabilities.

As you can see, the growth of spyware has big and disturbing implications. It used to be that the main way you got spyware was by visiting Web sites of dubious quality. Now you don't have to do that at all. Spyware will seek you out, and use you as a vector if it can. And once it gets itself into your computer it will take some real effort to get it out. Just detecting spyware and cookie signatures, as the old freeware packages once did, is no longer enough. Not only do they no longer solve the problem, but they tend to give a false sense of security.

Fortunately, the battle against spyware is finally ramping up, and the big guns are being brought to bear. But you still have to do your part, which is to practice safe computing by keeping your security software up to date, using a firewall, and avoiding dubious surfing activities. It's unlikely that spyware will be eliminated everywhere, if only because too many people won't take even the easiest of steps. But at least you can keep your head above water.

Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. You can reach him at wayne@rash.org. Contact the editor of Security Pipeline at mwagner@cmp.com.