Wednesday, December 29, 2004
Spies Among Us
1. Identifying the problem.
This past weekend, while troubleshooting several customer computers, I made a discovery that deals a severe blow to the war on spyware. Even with the three alternatives from our paper used together, it is no longer enough to combat spyware, because the anti-spyware landscape has recently shifted. The latest versions of anti-spyware software no longer detect and remove certain well known and notorious spyware applications. Not only do they no longer detect key spyware; all references to that spyware have also been removed from the anti-spyware vendors' websites. Commercial and freeware anti-spyware has become completely useless in the war on spyware, and these products have lost a tremendous amount of trustworthiness. We now have to seek new ways to combat the epidemic menace that is plaguing everyone's computers.
In everyday use "spyware" and "adware" overlap. Adware is software that phones home and reports the actions of the user on the machine where it is installed, so that the advertising it shows can be targeted to what the user is currently doing. It gets called spyware because of that monitoring behavior and the way it collects data. It typically arrives bundled with free, advertising-supported software. A number of companies, however, have taken the concept well beyond simple ad placement: some of this software tracks which applications the user runs, the documents they write, the web sites they visit, the products they buy, credit card numbers, user names and passwords, parses the user's address book and monitors overall computer usage. The companies claim that all of this is done in order to deliver targeted advertising to the user.
2. Defining the criteria, goals, and objectives.
A computer user should be able to surf the internet and do personal computing without the hassle of ads constantly popping up trying to get you to buy Viagra. Today's computer operating systems are very stable compared to years past, when the constant crashing of Windows 98 was normal. Ironically, with operating systems such as Windows XP being more stable than ever, the instability users see now comes from the rapid propagation of malicious software. This software is often poorly written and unstable, degrades system performance and causes systems to crash or reboot.
The objective and goals are to allow users to enjoy the stability of their operating systems and be more productive in their work. The criterion is to completely prevent malicious software from gaining access to the computer and deny it the opportunity to conduct its evil business.
Since desktop based anti-spyware has become less effective in the war against spyware, alternative means must be identified, tested and deployed along with the other methods of spyware prevention as a total combined solution.
3. Evaluating the effects of the problem.
Spyware is not only an unwanted invasion of your personal privacy, but can damage and destroy personal data. For example, during the routine maintenance of a computer, one of my techs was asked to uninstall some old junk software. The tech did as she was asked and rebooted the computer. The computer attempted to reboot but hung in a continuous reboot cycle and failed to start in any mode: normal mode, safe mode or advanced recovery mode. As a result the tech was left with no choice but to reload the computer from scratch, as that was the fastest and most economical way to recover from the problem. It was later determined that the computer was infected with spyware called "Blazefind", which is known to cause this very problem because it was not written with the forethought that a user might uninstall certain software. The spyware caused the continuous reboot because it could not find the dependent program it had attached itself to as a parasite.
Spyware also degrades system performance to the point where the user is left waiting for programs to load and run on an otherwise lightning-fast computer with the latest and greatest hardware.
The direct results are a loss of user productivity and system stability. This increases labor costs and support costs, along with an immeasurable loss of intellectual property and trade secrets.
4. Identifying causes of the problem.
The current issue of trusted anti-spyware software not detecting known spyware is being caused by the anti-spyware vendors themselves. Through much testing I have determined that the anti-spyware companies have silently removed from their applications the ability to detect and remove known spyware from a user's computer. All references to the spyware have also been removed from their web sites and can only be found by searching Google's cached copies of the pages. Desktop anti-spyware applications such as Ad-Aware, Spybot, Webroot, and Pest Patrol no longer detect the following five spyware applications that we tested in our labs:
· GAIN also known as Gator and Claria http://www.gator.com/
· Hotbar http://www.hotbar.com/
· New.Net http://www.new.net/
· MySearch http://www.mysearch.com/
· SaveNow http://www.whenu.com/
In some cases, such as SaveNow, the spyware promotes itself as being spyware free and champions the cause of fighting spyware, when in fact it is the very evil it declares itself not to be. Lavasoft, the maker of Ad-Aware, publishes the criteria it uses to classify software as spyware at its Threat Assessment Center (TAC): http://www.lavasoftnews.com/ms/tac_main.shtml.
Out of curiosity, in our labs we decided to test whether the notoriously well known spyware listed above actually still met the TAC criteria, on the chance that the new versions of that software might have stopped their old spyware ways.
We used third party network packet monitoring tools, Spy++ (a Microsoft utility) to monitor inter-program communications, and a process monitoring utility to watch for hidden processes. This process monitoring tool was developed by one of the anti-spyware companies for exactly this purpose: monitoring the local desktop for spyware-like activities and communications. The result was no change in spyware behavior for any of the listed applications, judged against the guidelines set by Ad-Aware's TAC.
Having spoken with my attorney about the matter, he concluded that the anti-spyware companies, which are for-profit businesses, may have been legally pressured by the spyware companies to have their products removed from the anti-spyware blacklists. This is a big blow to the war on spyware.
5. Framing alternatives.
Since we are losing the battle against spyware, and desktop anti-spyware software is no longer detecting and removing known spyware, it is imperative that we find other means to combat the problem.
To recap, the three solutions from my learning team paper were stronger server based security policies deployed to the user's desktop, desktop based anti-spyware, and end user education on spyware awareness. These three methods were recommended to be used together as a single solution. However, one of the three has been dramatically weakened and has become less effective. Other alternatives need to be implemented to raise the barriers to spyware infection.
Alternative A: We can do nothing, keep doing things the same old way and continue to trust the anti-spyware companies, as they should know what is and is not spyware. However, we proved in our lab that the spyware no longer being detected is still behaving like spyware.
Alternative B: We could develop our own anti-spyware software to detect software that we do not want our users to download and install. The estimated budget for a project like that would be somewhere between $100,000 and $500,000 in development costs, with no guarantee that it will work or be stable. Venture capital would be required to begin development, and the development cycle may be years long before it is ready for use.
Alternative C: We could seek other methods to stop spyware, such as a gateway server that filters web content. A web content filtering server has a database of sites that can be updated manually or through a subscription to a service bureau for automatic updates. Most web content filtering servers are used to prevent users from visiting adult websites such as porn sites. They could easily be adapted and updated to block known spyware websites such as http://www.hotbar.com/, so the user never reaches the spyware application's website. No desktop changes have to be made, and most companies have only one gateway to the internet. Note that a gateway filter stops downloads and phone-home traffic that cross that gateway; it does not remove software that is already installed, so it complements the other prevention methods rather than replacing desktop cleanup.
6. Evaluating the impacts of the alternatives.
Alternative A: Doing nothing is not a good solution. The spyware problem is getting worse, and not having the proper tools to fight its propagation will greatly impact a company's bottom line.
Alternative B: The expense is too great, and developing and deploying a custom software solution would take too long. There is no guarantee that it will work and no guarantee of a return on investment. In the meantime the company would continue to lose productivity, and the ongoing labor and support costs could add up to double the price of developing the anti-spyware application in house.
Alternative C: Using existing security software and adapting it to fight a new problem is the more cost-effective solution, and the return on investment is an immediate reduction in lost productivity along with lower labor and support costs. This solution is easy to deploy and will pay for itself in a short period of time. The only negative impact would be the inadvertent blocking of legitimate web sites, which is easily overcome by approving the needed web site in the filter's database.
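To make the gateway filtering of Alternative C concrete, here is an added example of the matching logic such a filter runs on each request: a blocklist of spyware domains, matched so that subdomains are caught but look-alike names are not, plus an allowlist that lets an administrator approve a legitimate site that was inadvertently blocked, as described in Section 6. This is example code written for this post, not code from any vendor's product. The blocklist domains are the five named above; the blocklist file text, the allowlisted partner host and the sample requests are constructed for the example.

```python
"""Gateway-style URL filter: blocklist of spyware domains plus an allowlist override.

Added example for this post; not a vendor's product code. The five blocklist
domains are the ones named in the post. The file format, the allowlist entry
and the sample requests below are constructed for illustration.
"""
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed: a blocklist file in the style a content filter would load,
# with comments, mixed case and a "*." wildcard prefix.
BLOCKLIST_TEXT = """
# Spyware vendors no longer detected by desktop anti-spyware (from the post)
gator.com          # GAIN / Gator / Claria
*.hotbar.com
new.net            # hijacks typed domain names
mysearch.com
WhenU.com          # SaveNow
"""

# Constructed: a site an administrator approved after an inadvertent block.
ALLOWLIST = {"support.example-partner.com"}


def parse_blocklist(text: str) -> Set[str]:
    """Turn blocklist file text into a set of lowercase bare domains."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()  # drop comments
        if entry.startswith("*."):
            entry = entry[2:]  # subdomains are matched anyway
        if entry:
            domains.add(entry)
    return domains


BLOCKLIST = parse_blocklist(BLOCKLIST_TEXT)


def hostname_of(url: str) -> Optional[str]:
    """Extract the lowercase hostname from a URL (port, userinfo and a
    trailing dot removed), or None if the URL carries no host."""
    if "://" not in url:
        url = "http://" + url  # bare host/path as typed into a browser
    host = urlsplit(url).hostname  # lowercased, port and userinfo stripped
    if not host:
        return None
    return host.rstrip(".")


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of.

    'www.gator.com' matches 'gator.com'; 'notgator.com' and
    'gator.com.evil.example' do not, because only whole label suffixes count.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def filter_request(url: str) -> Tuple[str, str]:
    """Decide ALLOW or BLOCK for one request; returns (verdict, reason)."""
    host = hostname_of(url)
    if host is None:
        return ("BLOCK", "no hostname in request")
    if domain_matches(host, ALLOWLIST):
        return ("ALLOW", "allowlisted")  # approved site overrides blocklist
    hit = domain_matches(host, BLOCKLIST)
    if hit:
        return ("BLOCK", "matches blocklist entry " + hit)
    return ("ALLOW", "not listed")


if __name__ == "__main__":
    # Constructed sample requests as a gateway would see them.
    for req in ["http://www.gator.com/download/",
                "HTTP://HOTBAR.COM./install",
                "http://user@new.net:8080/x",
                "http://notgator.com/",
                "http://www.gator.com.evil-lookalike.example/",
                "support.example-partner.com/kb/article"]:
        print(filter_request(req), req)
```

The allowlist is matched the same way as the blocklist, so approve the narrowest host that actually needs to be reached rather than a whole domain. Real filters also block by URL path and by IP address; this example only shows the hostname rule, which is the part that decides whether the user ever reaches the spyware vendor's site.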
7. Making the decision.
Alternative C, utilizing and adapting existing security software, is the most cost-effective, manageable and trustworthy technical solution for replacing the failing desktop anti-spyware software. The effort to find, test and deploy this new security software should begin immediately.
8. Implementing the decision.
Once a software package has been decided upon, all customers will be notified of the new option for fighting the war on spyware. Once approved by the customer, it will be scheduled, installed, tested and maintained by our techs.
9. Measuring the impacts.
The measurement of success is easy, as there will be an immediate reduction in lost productivity and a reduction in labor and support costs. Further signs of success will be less user frustration, peace of mind, secure and protected environments and a better bottom line. This success will ensure that there are no spies among us.