At this moment, computer systems in your organization are probably communicating with companies whose names neither you nor your systems' users have ever heard of, whose countries of origin make them immune to US criminal and civil laws, and whose identities are often purposely obscured. In many cases, these companies have administrative access to systems on your internal network and might be regularly installing software on and making configuration changes to those systems, causing a significant increase in your Web traffic and raising the likelihood that your organization will be the victim of corporate identity theft. If this news takes you by surprise, you aren't alone. The method these nefarious intruders are using—spyware—is one of the most misunderstood risks in the IT industry.
Know the Enemy
Originally, the term spyware referred to a category of surveillance software that law enforcement agencies and others use to monitor a computer user's activity. More recently, the term has taken on a broader meaning that includes any software that monitors or controls a computer without the clear and direct consent of the user. (That definition is now the more common one and the one I use here.) Spyware consists of three main categories: adware, snoopware, and malware.
Adware. Adware is used to deliver advertisements to users or to collect information for use by advertisers. This type of spyware is probably the most common and typically has three objectives: to monitor user activity, to keep the adware software installed and updated, and to display advertisements to the user. Familiar adware includes BargainBuddy, Coolsavings, DashBar, and n-CASE.
Once installed, adware runs either as a standalone process launched at startup or as a DLL attached to an existing process. Adware programs can monitor just about any user activity or configuration information. Figure 1 shows a typical adware operation. The program uses one or more URLs to communicate with Web servers owned by the adware publisher. These publishers often use multiple redundant Web servers to confound content filters. To get its communications through firewalls, adware uses HTTP, often encrypting the data to mask the details of its operations. As a result, adware traffic is usually indistinguishable from general Web traffic within an organization. Adware uses a GUID—often a hardware-specific token (e.g., the affected system's MAC address)—to let the adware publisher maintain a running historical profile of specific activity on the affected system.
The communication between a system running adware and the adware server is initiated either by a specific user activity, such as browsing to a Web site, or on a timed basis. A typical exchange of information involves the adware providing its server with information about recent user activity and the adware server then providing a targeted advertisement based on this activity. For example, a user in your company is planning to attend a conference and goes to a travel Web site to look for a ticket. If the user's computer is running adware, an ad for a different travel site, belonging to the adware publisher's sponsor, might pop up.
Snoopware. Snoopware is used to surreptitiously monitor the activity of a computer user. This software has two objectives: to monitor user activity and to ensure that the monitored user remains unaware of the monitoring. Snoopware is most commonly associated with identity theft and corporate spying. Common snoopware products include Catch Cheat Spy, SpectorSoft EBlaster and Spector, and WinWhatWhere Investigator.
Snoopware integrates with a system in numerous ways, including installing keyloggers, browser plugins, or standalone monitoring processes and even by replacing system software. The information that the snoopware monitors varies from product to product but typically includes screen shots, keystrokes, application activity, Web surfing, Instant Messaging (IM) communications, and email messages.
Snoopware either stores captured information in a database on the local machine or sends the information to a centralized server. Products that locally store the information use encryption and hidden folders to avoid discovery, then use email to regularly deliver the collected information to the monitoring party. The monitoring entity also often has local access to the collected information by way of special hotkeys that the snoopware installs on the monitored system. Snoopware that stores collected information on a remote centralized server sends the information in real time via HTTP Secure (HTTPS). Figure 2 shows a typical distributed snoopware operation, which lets the monitoring entity view the collected information from a remote computer by using a Web browser.
Malware. Malware (short for malicious software) is designed to disrupt the normal operation of a system. Whereas the term malware has traditionally been applied to viruses, worms, and Trojan horses, new types of malware include browser hijackers, parasites, and dialers. Browser hijackers can change a browser's default home page or redirect all Web requests to remote sites. Parasites can alter existing tracking links so that the malware publisher can get referral credits for online purchases. Dialers take over modems connected to the affected system and make remote phone calls (e.g., to pay-per-call pornographic lines). Well-known malware includes CoolWebSearch, MarketScore, New.Net, Mail Wiper Spy Wiper, and Virtual Bouncer. Figure 3 shows a typical malware operation.
Previous
Register
