Spyware – Technology, Impact, Measures

H. Lubich, IT Security Strategist, Computer Associates


© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

A Word on Terminology

Virus: “An unwanted program which places itself into other programs, which are shared among computer systems, and replicates itself. Note: A virus is usually manifested by a destructive or disruptive effect on the executable program that it affects.”

SPAM: The word "Spam" as applied to Email means Unsolicited Bulk Email ("UBE"). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.

Spyware: “Any software (that) employs a user’s Internet connection in the background (the so-called ‘back-channel’) without their knowledge or explicit permission.”


What is Spyware?

Spyware is a non-viral application (surveillance tool) that is loaded without the user’s knowledge and can monitor computer activity (Trojans), such as:

- Keystroke tracking and capture
- Email logging
- Instant messaging usage and snapshots
- Modifying application/OS behavior (e.g. CoolWebSearch)

Spyware and adware can increase business risks:
- Theft of confidential data
- Unauthorized enterprise access
- Reduced PC performance
- Increased bandwidth waste

The term “spyware” refers to non-viral applications or surveillance tools that are loaded on a user’s PC without a user’s knowledge and monitor computer activity.

What can it do?
- Track and capture keystrokes
- Log emails
- Log instant message usage
- Capture screen shots
- Activate webcams

There are many types of spyware. Some are simply annoying – for example adware – while others threaten security. The more dangerous threats can steal confidential data, obtain unauthorized access and threaten privacy.


How do People Get Infected?

- Web browsing
- Unauthorized downloads
- File swapping
- Email attachments
- Instant messaging
- Installing “legitimate software” (malicious mobile code)

Spyware can enter a system in several ways, such as through:
- Everyday Web browsing
- Unauthorized software downloads
- Peer-to-peer file swapping
- Email attachments
- Instant messaging and chat sessions
- Spyware bundled in legitimate software (malicious mobile code)
- Hacker Web site downloads
- Drive-by installs from Web sites


Malware Becomes a Primary Concern


Spyware Volume and Cost

[Chart: Number of Spyware Reports. Horizontal axis: Dec 03, Mar 04, Apr 04, May 04*, June 04*, July 04, Aug 04, Sept 04. Vertical axis: 100,000 to 1,500,000. *Estimates of average monthly increase. Source: CA Security Advisory Team, Center for Pest Research]

Microsoft estimates that spyware is responsible for 50% of all PC crashes

Dell reports 20% of its technical support calls involve spyware

Sources: InformationWeek, “Tiny, Evil Things,” George Hulme and Thomas Claburn, April 26, 2004 -and-

http://www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19


Spyware Typology

Adware and Cookies
- Track user activity on the Internet
- Collect personal information

Pop-Up Ads
- Collect information for cookies
- Interrupt user transactions on the Internet
- Flood users with ads and freeze machines
- Install utilities that modify user services

Hijackers
- Modify content of web pages
- Block access to websites
- Redirect users to unintended websites
- Install hidden/backdoor processes and services that are tightly bound to OS
- Disrupt websites used for mission-critical applications

Spyware (Overt)
- Gains a remote control capability, which includes searching and reading local files
- Has a self-updating capability
- Often includes a network sniffer
- Can usually activate webcam or microphone
- Usually logs all keystrokes

[Diagram axes: SECURITY THREAT, SYSTEM DEGRADATION]

There are several different types of spyware, each with different threat levels and different effects on system degradation and security. The lowest threats are adware and cookies and the highest is overt spyware. The higher the threat level, the greater the impact on system performance.


Spyware Business Drivers

Indirect Interest
- Take over PC to become part of a larger attack (Botnet, e.g. DDOS)
- Take over PC to become distribution point for file swapping (music, software, …)
- Steal user credentials (user-ID, password) for later hacking attempt

Direct, Commercial Interest
- Steal e-mail addresses for future SPAM distribution
- Steal commercially viable data (credit card information, …)
- Steal intellectual property
- Obtain material for blackmail, or other attacks on user/company


Example of Commercial SPAM Offers: eBay


Anti-Spyware Business Drivers

Mitigate risk and limit legal liability
- Protect from unauthorized access and information theft
- Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand

Help ensure business continuity
- Maintain employee productivity
- Avoid business disruptions and system downtime
- Reduce bandwidth waste

Reduce costs
- Lack of resources to research new threats
- Minimize help desk calls due to spyware infestation
- Costly impact of spyware infested machines (time and money)

Difficult to remove spyware - re-infection is common

There are several key business drivers that encourage the use of an anti-spyware solution.

1. Proactive spyware management prevents unauthorized access and information theft, mitigating risk and limiting legal liability.

2. Proactive spyware management helps ensure business continuity to maintain employee productivity, avoid business disruptions and system downtime and reduce bandwidth waste.

3. Proactive spyware management reduces costs by decreasing the number of resources required to remediate spyware-infested machines.


"Phishing" – Social Engineering "Spyware"

1. Fake E-Mail (Spam)

2. Hidden Hyperlink

3. Faked Website / True Website

Fake Pop-Up

<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>
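A defensive check for the hidden-hyperlink step shown in the anchor above, as an added example that is not part of the original slides: it flags links whose visible text names one host while the HREF points to another. The function names, the sample HTML and the "www."/sub-domain comparison are assumptions of this example; a production check would compare registrable domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def host_of(value):
    """Host of a URL or bare 'www.example.com/path' string, else None."""
    value = value.strip()
    if not value or any(c.isspace() for c in value):
        return None  # ordinary link text such as "Click here"
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host if host and HOSTNAME.fullmatch(host) else None

def same_site(a, b):
    """Assumed rule: equal or parent/sub-domain once a leading 'www.' is dropped."""
    a, b = (h[4:] if h.startswith("www.") else h for h in (a, b))
    return a == b or a.endswith("." + b) or b.endswith("." + a)

class LinkAuditor(HTMLParser):
    # Collects (shown_host, target_host) for anchors whose text names another host.
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # the parser lower-cases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, target = host_of("".join(self._text)), host_of(self._href)
            if shown and target and not same_site(shown, target):
                self.findings.append((shown, target))
            self._href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: the slide's anchor plus two benign links.
SAMPLE = ('<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>'
          '<a href="https://login.yourbank.com/">yourbank.com</a>'
          '<a href="https://www.example.org/">Click here</a>')
```

Calling `audit_links(SAMPLE)` reports only the slide's anchor; the sub-domain link and the plain-text link pass.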


Anti-Spyware Measures

Multi-Layer Approach Necessary:

- Network and PC Layer:
  - Prevention: Antivirus & anti-spyware scanning (multiple stages)
  - Detection: Firewall/IDS
  - Remediation: Dedicated anti-pest/anti-spyware product

- Policy Layer:
  - Continuously applied patches and updates
  - Very frequent antivirus/anti-pest updates
  - Continued end user and administrator education/awareness


Anti-Spyware Complements Traditional Methods

[Diagram: threat groups]
- Viruses, Worms, Trojans
- Hack in Progress, Routed Attack, Port Scan
- Buffer Overflows, IE Exploits, Outlook Exploits
- Spyware, Adware
- Hacker Tools, Distributed Denial-of-Service Zombies
- Keyloggers, Trojans

CA takes an integrated, multi-layered approach to security. eTrust PestPatrol complements and interoperates with traditional security technologies including antivirus, firewalls, vulnerability management and anti-spam systems.


How to Select Anti-Spyware Software

Personal Use (Small Office / Home Office):
- Identifies spyware in real-time
- Updates spyware definitions automatically
- References large spyware information database, with incremental updates
- Provides an easy-to-use, intuitive end user interface

Corporate Use:
- Central, common management and control
  - Enforces scanning and update policies, also for “nomadic” devices
  - Launches scans on-demand, at scheduled times or at login
  - Reviews logs
  - Deploys new users
- Customized alerts and logs
  - Creates “safe lists” or exclusion files
  - Consolidates reports
  - Customizes reports based on workstation, date/time, security risk priority or pest category
- Flexible deployment
- Transparent to end users
- Unlikely to be bought off the market by a competitor


Internet Spyware-Check: Online & Free

http://www3.ca.com/securityadvisor/pestscan/


Spyware Trends

- Growing commercial interest of spyware suppliers w.r.t. information (sale and use, e.g. industrial espionage)
- No clear demarcation between reasonable information mining and illegal information theft
- Permanently growing efforts to identify and fight spyware (off-load research to IT-Sec. industry)
- Growing influence of legal and regulatory requirements
