
Spyware protection

Spyware protection: How Spyware gets in

Finding holes in the Web browser

The spyware taking up residence in a computer may be an ActiveX control, a browser snap-in (intended to extend browser functions), a browser helper object, or a standalone executable that is loaded into the user’s computer when he or she visits a Web site that contains the spyware. The spyware may load because of a security setting that is too lax, such as permitting the downloading of unsigned ActiveX controls.
Spyware can also install itself via one of many vulnerabilities that have been discovered in recent years. For instance, it could be an ActiveX control that is specially designed to fool the browser into thinking that the control is coming from a Trusted Sites Zone or Intranet Zone instead of the Internet Zone.
One example of a vulnerability involves a cleverly coded Web page, loaded from a site on the Internet, that is designed to fool a user’s computer into thinking that the page is in the My Computer Zone or the Trusted Sites Zone, instead of properly classifying the page as the Internet Zone. If this malicious Web page has embedded scripts, the victim’s computer will execute those scripts as though they originated in a Trusted Sites Zone. This can result in a script performing almost any imaginable function on the user’s computer.

E-mail programs that display HTML e-mail (such as Outlook, Outlook Express, and Mozilla Thunderbird) are often subject to the same vulnerabilities that have beset Microsoft Internet Explorer in recent years. Often, just displaying a mail message is sufficient for the spyware to get loaded in the user’s computer. This is because Outlook uses the same vulnerable DLLs to display HTML that Internet Explorer uses.

Hiding in software downloads

Many downloadable software programs — and programs that you can purchase online or over the counter — contain spyware programs that are silently installed when you install the software. Sometimes (but not always), the software’s End User License Agreement (EULA) states that “other programs may be installed.” How many people read the fine print? I must admit that I don’t always read the EULA before installing software. Maybe you should add “carefully read all license agreements” to your list of New Year’s resolutions, no matter what time of year it is now.

Antivirus software and security patches are the best spyware protection software.

Step 1 to Spyware protection:

Spyware protection requires several actions that, in combination, minimize the opportunity for spyware to wriggle its way into your company’s computers. The following sections outline the steps you need to take in order to win the spyware protection wars: You need to rid your system(s) of vulnerabilities and use tools to scan, detect, and block spyware.

Testing for Vulnerabilities

Be sure to know whether a user’s computer contains any of the technical vulnerabilities that permit a Web site (or HTML-coded e-mail message) to illicitly access information, make changes, or implant one or more programs on that system.
Many free and fee-based tools can scan networks and identify specific vulnerabilities on servers and workstations. Some of the more sophisticated tools in this category can even install the appropriate patches on those systems if needed.
Some of the tools for Spyware protection available for this task are:

  • Microsoft Windows Update: This is the friendly, free, Web-based patch installation site, found at http://windowsupdate.microsoft.com.
  • Microsoft Baseline Security Analyzer (MBSA): Just go to www.microsoft.com and type MBSA in the search text box. This free tool scans for vulnerabilities but does not install patches.
  • Microsoft Automatic Update: This is the free set-it-and-forget-it tool built into Windows 2000 and XP that lets Windows automatically download and install security patches.
  • HFNetChkPro: This is a scanning and patching product available at www.shavlik.com. Interestingly enough, Shavlik wrote the scanning engine for this product and also for Microsoft MBSA.
  • GFI LANguard: Available at www.gfi.com. This is another scanner-only tool that does not install patches. This is a fee-based tool, but you can get a trial version to see whether it fits your needs.
  • Patchlink: Available at www.patchlink.com. This is another commercial software product; an evaluation version is available.

The size of your organization should influence your choice of tools. Small organizations can consider Windows Update or Automatic Update, but larger organizations should consider bulk scanning and patch installation products.

Step 2 to Spyware protection:
Patching vulnerabilities

Companies have discovered that unpatched servers and workstations are nothing but trouble and cause costly, disruptive security incidents if left unpatched for long.
Patching systems — whether you’re talking dozens or thousands — is costly and time-consuming, but it’s nowhere near as expensive and disruptive as doing nothing and risking the infiltration of worms, viruses, and spyware. Every organization, whether it has 1 or 100,000 workstations, needs to develop procedures for keeping its system(s) up to date with the latest security patches. Although this can be a daunting task, tools and products are available to help you out, regardless of the number of workstations.
Most of the scanning tools described earlier in this section also install patches.

Step 3 to Spyware protection:

Scanning and removing spyware
The original — and still the most popular — means for identifying and removing spyware is to run a spyware-scanning program that will search a workstation or server for spyware, list the spyware found, and remove it if the user so desires. But software that blocks spyware before it can be loaded is becoming more popular.
A thorough spyware protection, scanning and removal program must check for spyware in many places, including:

  • Cookies: Although cookie-based spyware is the most benign of spyware, many people are concerned about the Web-tracking capability that such spyware facilitates.
  • ActiveX controls: As I mention earlier in this chapter, ActiveX is Microsoft’s proprietary technology whereby scripts (short computer programs) can be dynamically loaded from a Web site and executed on the user’s computer. ActiveX is a “client-side” scripting language similar to JavaScript.
  • Java and JavaScript: Java is a structured computer language introduced in the 1990s; JavaScript, a scripting language similar to Java, is often used as a “client side” scripting language used to execute instructions via a user’s Web browser.
  • Browser Helper Objects (BHOs): Executable code that Internet Explorer loads into memory and that has complete access to everything the browser does and displays. BHOs are used by spyware to track what you are doing and where you are going.
  • Registry entries: Spyware often creates distinctive Registry entries that facilitate and configure its execution. Registry entries also control a browser’s home page and default search page, among many other settings that spyware often utilizes.
  • Standalone programs: Computer programs that operate entirely on their own. In the Windows world, a standalone computer program has all of the access privileges of the user who runs it. This applies not only on the computer it’s running on, but to any network resource (such as files on a file server) that the user is able to access.
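
As an added example (not part of the original article), the script below audits a registry export for three of the items discussed on this page: an Internet Zone that permits unsigned ActiveX downloads (the lax setting described under "Finding holes in the Web browser"), registered Browser Helper Objects, and the browser home and search page entries. The registry paths and URL action number 1004 are standard Windows and Internet Explorer values that the article does not list; the sample export is constructed, and the names parse_reg and audit are hypothetical.

```python
import re

# Constructed sample in "reg export" format; not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1004"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://portal.example.invalid/"
"Search Page"="http://search.example.invalid/find"
'''

ZONE3 = "\\internet settings\\zones\\3"       # zone 3 = Internet Zone
BHO = "\\explorer\\browser helper objects\\"  # one subkey per registered BHO
IE_MAIN = "\\internet explorer\\main"         # home and search page values
UNSIGNED_ACTIVEX = "1004"  # URL action: download unsigned ActiveX controls
DISABLE = 3                # policy values: 0 = enable, 1 = prompt, 3 = disable

def parse_reg(text):
    """Return {key path: {value name: int or str}} from .reg export text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:  # string value; .reg files escape backslashes
                current[name] = raw.strip('"').replace("\\\\", "\\")
    return keys

def audit(text, approved_bhos=(), approved_pages=()):
    """List (category, detail) findings for review; nothing is modified."""
    findings, allowed = [], {c.lower() for c in approved_bhos}
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(ZONE3):
            # A value missing from the export is not flagged.
            if values.get(UNSIGNED_ACTIVEX, DISABLE) != DISABLE:
                findings.append(("lax-zone", f"1004={values[UNSIGNED_ACTIVEX]}"))
        elif BHO in low:
            clsid = key.rsplit("\\", 1)[1]
            if clsid.lower() not in allowed:
                findings.append(("bho", clsid))
        elif low.endswith(IE_MAIN):
            for name in ("Start Page", "Search Page"):
                if name in values and values[name] not in approved_pages:
                    findings.append(("browser-page", f"{name}={values[name]}"))
    return findings
```

Calling audit(SAMPLE_REG) with no allow-lists reports every BHO and page entry for manual review; passing the organization's approved CLSIDs and URLs narrows the output to unexpected entries.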

A typical Spyware protection program scans a computer on demand, and some permit automatic scanning to take place at system startup or on a set schedule. Some of the newest Spyware protection programs will perform on-access scanning, just like a virus scanner. If you have more than just a few workstations to manage, you’ll greatly appreciate automatic downloads, scanning, and blocking. Expecting users to remember to update or scan is unrealistic in most situations, and you probably don’t have time to do it for them.
