Spyware Technologie, Auswirkungen, Massnahmen. H. Lubich IT Security Strategist Computer Associates

Transcription

1 Spyware Technologie, Auswirkungen, Massnahmen H. Lubich IT Security Strategist Computer Associates 1

2 A Word on Terminology Virus: An unwanted program which places itself into other programs, which are shared among computer systems, and replicates itself. Note: A virus is usually manifested by a destructive or disruptive effect on the executable program that it affects. SPAM: The word "Spam" as applied to means Unsolicited Bulk ("UBE"). Unsolicited means that the Recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. Spyware: Any software (that) employs a user s Internet connection in the background (the so-called backchannel ) without their knowledge or explicit permission. 2

3 What is Spyware? Spyware is a non-viral application (surveillance tool) that is loaded without the user s knowledge and can monitor computer activity (Trojans), such as: - Keystroke tracking and capture - logging - Instant messaging usage and snapshots - Modifying application/os behavior (e.g. CoolWebSearch) Spyware and adware can increase business risks: - Theft of confidential data - Unauthorized enterprise access - Reduced PC performance - Increased bandwidth waste The term spyware refers to non-viral applications or surveillance tools that are loaded on a user s PC without a user s knowledge and monitor computer activity. What can it do? -- Track and capture keystrokes -- Log s -- Log instant message usage -- Capture screen shots -- Activate webcams There are many types of spyware. Some are simply annoying for example adware while others threaten security. The more dangerous threats can involve theft of confidential data, obtain unauthorized access and threaten privacy. 3

4 How do People Get Infected? Web browsing Unauthorized downloads File swapping attachments Instant messaging Installing legitimate software (malicious mobile code) Spyware can enter a system in several ways, such as through: -- Everyday Web browsing -- Unauthorized software downloads -- Peer-to-peer file swapping -- attachments -- Instant messaging and chat sessions -- Spyware bundled in legitimate software (malicious mobile code) -- Hacker Web site downloads -- Drive by installs from Web sites 4

5 Malware Becomes a Primary Concern 5

6 Spyware Volume and Cost 1,500,000 1,400,000 1,300,000 1,200,000 1,100,000 1,000, , , , , , , , , ,000 - Dec 03 Mar 04 Apr 04 May 04* June 04* July 04 Aug 04 *Estimates of average monthly increase Number of Spyware Reports Microsoft estimates that spyware is responsible for 50% of all PC crashes Dell reports 20% of its technical support calls involve spyware Sources: InformationWeek, Tiny, Evil Things, George Hulme and Thomas Claburn, April 26, andhttp://www1.us.dell.com/content/topics/global.aspx/corp/pressoffic e/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19 Source: CA Security Advisory Team, Center for Pest Research Sept 04 6

7 Spyware Typology Spyware (Overt) SECURITY THREAT Adware and Cookies Track user activity on the Internet Collect personal information Pop-Up Ads Collect information for cookies Interrupt user transactions on the Internet Flood users with ads and freeze machines Install utilities that modify user services Hijackers Modify content of web pages Block access to websites Redirect users to unintended websites Install hidden/backdoor processes and services that are tightly bound to OS Disrupt websites used for missioncritical applications Gains a remote control capability, which includes searching and reading local files Has a self-updating capability Often includes a network sniffer Can usually activate webcam or microphone Usually logs all keystrokes SYSTEM DEGRADATION There are several different types of spyware, each with different threat levels and different effects on system degradation and security. The lowest threats are adware and cookies and the highest is overt spyware. The higher the threat level, the greater the impact on system performance. 7

8 Spyware Business Drivers Indirect Interest - Take over PC to become part of a larger attack (Botnet, e.g. DDOS) - Take over PC to become distribution point for file swapping (music, software, ) - Steal user credentials (user-id, password) for later hacking attempt Direct, Commercial Interest - Steal addresses for future SPAM distribution - Steal commercially viable data (credit card information, ) - Steal intellectual property - Obtain material for blackmail, or other attacks on user/company There are several key business drivers that encourage the use of an antispyware solution. 1. Proactive spyware management, prevents unauthorized access and information theft, mitigating risk and limiting legal liability. 2. Proactive spyware management helps ensure business continuity to maintain employee productivity, avoid business disruptions and system downtime and reduce bandwidth waste. 3. Proactive spyware management reduces costs by decreasing the number resources required to remediate spyware-infested machines. 8

9 Example of Commercial SPAM Offers: ebay 9

10 Anti-Spyware Business Drivers Mitigate risk and limit legal liability - Protect from unauthorized access and information theft - Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand Help ensure business continuity - Maintain employee productivity - Avoid business disruptions and system downtime - Reduce bandwidth waste Reduce costs - Lack of resources to research new threats - Minimize help desk calls due to spyware infestation - Costly impact of spyware infested machines (time and money) Difficult to remove spyware - re-infection is common There are several key business drivers that encourage the use of an antispyware solution. 1. Proactive spyware management, prevents unauthorized access and information theft, mitigating risk and limiting legal liability. 2. Proactive spyware management helps ensure business continuity to maintain employee productivity, avoid business disruptions and system downtime and reduce bandwidth waste. 3. Proactive spyware management reduces costs by decreasing the number resources required to remediate spyware-infested machines. 10

11 Phishing Social Engineering Spyware 1. Fake (Spam) True Webseite 3. Faked Webseite 2. Hidden Hyperlink Fake Pop-Up <A HREF= 11

12 Anti-Spyware Measures Multi-Layer Approach Necessary: - Network and PC Layer: Prevention: Antivirus & anti-spyware scanning (multiple stages) Detection: Firewall/IDS Remediation: Dedicated anti-pest/anti-spyware product - Policy Layer: Continuously applied patches and updates Very frequent antivirus/anti-pest updates Continued end user and administrator education/awareness 12

13 Anti-Spyware Complements Traditional Methods Viruses Worms Trojans Buffer Overflows IE Exploits Outlook Exploits Spyware Adware Hacker Tools Distributed Denial-of-Service Zombies Keyloggers Trojans Hack in Progress Routed Attack Port Scan CA takes an integrated, multi-layered approach to security. etrust PestPatrol complements and interoperates with traditional security technologies including antivirus, firewalls, vulnerability management and anti-spam systems. 13

14 How to Select Anti-Spyware Software Personal Use (Small Office / Home Office): - Identifies spyware in real-time - Updates spyware definitions automatically - References large spyware information database, with incremental updates - Provides an easy-to-use, intuitive end user interface Corporate Use: - Central, common management and control - Enforces scanning and update policies, also for nomadic devices - Launches scans on-demand, at scheduled times or at login - Reviews logs - Deploys new users - Customized alerts and logs - Creates safe lists or exclusion files - Consolidates reports - Customizes reports based on workstation, date/time, security risk priority or pest category - Flexible deployment - Transparent to end users - Unlikely to be bought off the market by a competitor 14

15 Internet Spyware-Check: Online & Free 15

16 Spyware Trends Growing commercial interest of spyware suppliers w.r.t. information (sale and use, e.g. industrial espionage) No clear demarcation between reasonable information mining and illegal information theft Permanently growing efforts to identify and fight spyware ( off-load research to IT-Sec. industry) Growing influence of legal and regulatory requirements 16

17 17