The Spyware Who Loved Me

By Drew Robb | Posted September 11, 2006

In the James Bond flick, The Spy Who Loved Me, Agent 007 (Roger Moore) had to work with his female Soviet counterpart (Barbara Bach) to find the answer to the disappearance of nuclear missile-carrying submarines. When it comes to computers, the title might shift to "The Spyware Who Loved Me," and the plot could revolve around the mysterious disappearance of spyware once it enters a PC. Such is the tenacity and stubbornness of the latest generation of malware, in fact, that antivirus (AV) and anti-spyware tools are struggling to detect it, never mind eliminate the menace.

"Within two hours of one attack, I had around 100 different kinds of viruses, spyware and pop-ups on my computer," says Otis Archie, vice president of Kuhn Med-Tech Inc., an executive recruiting firm in the medical industry based in San Juan Capistrano, Calif. "This happened despite the fact that I was already using anti-virus, anti-spyware and adware removal tools."

Such defenses proved useless against the onslaught. No matter what he did, the infections always came back. Finally, Archie downloaded a tool named SpyWall by Trlokom Inc. of Monrovia, Calif. It detected and eradicated the trouble in minutes and shored the system up against future attacks.

Shaken, Not Stirred
Bond takes his martinis shaken, not stirred. While the digital threat landscape has been shaken up by improved security technology, many kinds of attacks remain — attacks that can sit on computers undetected for months or even years. If AV and spyware tools stir them at all, they often reinstall themselves the next time the system reboots.

According to CERT, a security research body within Carnegie Mellon University, reported vulnerabilities in applications jumped by over 50 percent in 2005. And the situation is not expected to get better anytime soon due to a new type of threat known as a rootkit that is able to conceal malware from prying eyes. Essentially, rootkits are software tools that conceal running processes, files or system data so that an intruder can maintain access to a system without detection. They are generally packaged with other virulent malware.

"Rootkits are viewed as the kings of malware," says Jayant Shukla, CEO of Trlokom. "They are hardest to detect and remove, cause considerable damage to the network and pose an unprecedented risk to personal information."

Rootkits gain entry via software downloads, secretly bundled with another "free" application. Alternatively, they exploit application vulnerabilities as people surf around the Web, handle e-mail or chat on an Instant Messaging system.

The situation is so bad that none of the well-known AV/spyware vendors do a good job of detecting and removing them. Even the ones that claim some kind of rootkit detection capabilities mainly do it based on signatures, something that can be bypassed easily by newer strains of malware that use polymorphism (this means, literally changing into many forms) or incorporate more advanced rootkit technology.

According to research by AV vendor McAfee Inc. of Santa Clara, Calif., one in seven malware incursions uses rootkit technology to hide its actions. By 2008, over 84 percent of all malware is expected to be disguised by rootkits.

License to Kill
Faced with this new breed of threat, many small businesses are finding their daily operations interrupted. It can reach the point where computers are rendered useless. In some cases, the machine has to be wiped clean and the operating system reinstalled.

"One spyware incursion downed my computer for three straight days," says Archie of Kuhn Med-Tech.

His desktop runs Microsoft Windows XP. Understanding the need for strong security, he added Norton Antivirus by Symantec Corp. of Cupertino, Calif. He kept its signatures up-to-date and diligently upgraded to the latest versions.

A year or two back, however, he realized he had to add further safeguards. He implemented Ad-Aware by Lavasoft AB of Sweden. It provides protection from data-mining, aggressive advertising, spyware and tracking components. The personal edition is downloadable free of charge. This helped ease pop-up pain and eliminated other annoyances that regularly interrupted his workdays. But it didn't handle everything — not by a long shot.

Small Business Threat Glossary
Virus: a program that infects other software
Worm: a program that transmits itself over a network to infect other computers
Trojan: a malicious program that presents itself as something innocuous or desirable in order to tempt you to install it.
Spyware: malicious software designed to intercept or take partial control of a computer without your consent.
Adware: software that serves up pop ups and banner ads or sends marketing data about your computing habits to other sites.
Keylogger: malware designed to record and relay keyboard strokes. This is a way to detect passwords and financial information.
Browser Hijacker: a program that alters your computer's browser settings and redirects you to Web sites you had no intention of visiting.
Rootkit: software tools that conceal running processes, files or system data so that an intruder can maintain access to a system without detection.

To address the malware menace, Archie deployed Spybot - Search & Destroy by Safer-Networking Ltd. Again, this brought some relief. But it didn't make his desktop woes go away completely.

"Norton AV, Spybot and Ad-Aware eliminated some of my problems, but sometimes they would tell me that they couldn't clean up specific threats," says Archie. "And in some cases they didn't do any good at all against specific incursions."

One recent threat undermined all his defenses. Once it got in, Archie just couldn't get rid of it. It wreaked devastation for weeks. "This Trojan overwhelmed my screen with pop-ups, was sending out traffic and actively bringing other malware onto my system," he says. "It included regenerating spyware and rootkits that no other product could remove."

Security experts report that malicious code writers are incorporating features that enable the threat to regenerate itself after it has been "cleaned". That's why some spyware appears so invincible. Further, it can even disable the very tools designed to detect and eliminate it. Thus Archie's attempts to clean his system proved futile and it remained inoperative for three straight days.

His tools cleaned up some of the mess. But certain types of malware were indomitable. The AV/anti-spyware applications, he says, did one of three things with regard to stubborn malware: detected it but couldn't clean it; reported the system clean, only for the same threat to re-emerge stronger than ever; or missed it entirely.

Sometimes his security applications would tell him that a threat had been quarantined. But since such threats were not completely cleaned, they activated and spread again. For every step forward he made, it seemed he ended up two steps backwards.

"If you don't clean these threats, they reactivate in Windows Explorer and start up all over again," says Archie. "Some of them burrowed deep into the system and we couldn't get them out." A friend recommended that Archie download SpyWall. He started with the trial version. Finally, he had a license to kill spyware and rootkits.

"The Trlokom application detected and got rid of 96 separate types of malware on my system," says Archie. "In five minutes it got rid of rootkits and everything else that the other security tools had missed. And my computer stayed clean."

Don't Die Another Day
SpyWall, he says, prevented his system from dying for yet another day. Its rootkit scanner looks deeper than did anything else in his security arsenal, and it detected whatever was lurking inside. You can customize the application to block access to Web sites that are known to be sources of malware. If you're redirected to one of these sites or go there in error, SpyWall blocks the resulting infection.

It achieves this by securing the entry point of almost all malware — the Web browser. A technique known as sandboxing (i.e., isolating) the Web browser prevents spyware from infecting the enterprise. Non-trusted components can run safely in the sandbox, thereby restricting the interaction the browser has with the system. It contains, analyzes and eradicates any damage.

Based on his success, Archie now plans to roll it out to the other desktops at his company. "I work all day now without trepidation," he says. "And because it's affordable, I can get SpyWall for our other computers."

SpyWall's client version costs $14.99. You'll find more information and a free trial version on the company's Web site.

Drew Robb is a Los Angeles-based freelancer specializing in technology and engineering. Originally from Scotland, he graduated with a degree in geology from Glasgow's Strathclyde University. In recent years he has authored hundreds of articles as well as the book, Server Disk Management by CRC Press.
