Archive for the ‘Spyware’ Category.

Belt and Suspenders

CounterSpy end of life occurred on June 1st. I saw a post from someone whose company runs both a commercial antivirus product and CounterSpy. They were wondering what secondary product they could replace it with. I’m having flashbacks to 2007.

In the mid-part of last decade mainstream antivirus products were slow to adjust to the onset of spyware. Users’ computers would routinely get loaded down with browser toolbars and software that would serve ads, hijack pages and steal data. To combat this, products like PestPatrol and Webroot Spysweeper were deployed in the enterprise. (CounterSpy came out just after I made a purchasing decision, so it wasn’t evaluated.)

Eugene Kaspersky wrote, “there is no such thing as spyware”. He branded “spyware” a marketing term designed to sell new product when your existing anti-malware solution should be enough. It was a controversial stance if only because the major antivirus vendors in the US at the time were playing wait and see. The few of them that stuck their toe in the water by detecting adware/spyware were sued. The terms of service were plain as day, the plaintiffs argued.

Eventually we got to a point when, in my opinion, antispyware became redundant. I’m surprised to see anyone still WANTING to implement/manage a second anti-malware product, and that users would accept that overhead. I think if you need a second anti-malware product, then the first isn’t doing a very good job.

From the GFI link, it looks like they are offering free upgrades to VIPRE. In the forum, it sounds like you could use that as a scheduled scan, but you wouldn’t want to run two real-time antivirus scanners at once.

Obviously I think a single anti-malware solution is more than capable. If yours isn’t, I would suggest looking at alternatives such as VIPRE, Sophos, and Symantec Endpoint Protection.

A more complementary add-on would be URL blacklisting. I’ve written before about how a product like BlueCoat ProxyClient extends filtering to laptops when they are outside the corporate network. Some anti-malware products may even have something like that natively.

What do you think? Are secondary scanners necessary for everyday use?

Article: Flash Ads launch clipboard hijack

We all know that malicious ads can be hosted by legitimate sites. Generally, being fully patched (including third-party apps) is good protection against most attacks other than social engineering.
Ryan Naraine of The Zero Day Blog over at ZDNet reports that malicious Adobe Flash ads are being used to hijack the clipboard until the browser is closed.
I kind of expected to be protected against this because I set IE to prompt before allowing programmatic access to the clipboard. A proof of concept quickly disproved that theory.
Further searching the feeds I read regularly finds mention of this a week ago in the Spywaresucks blog.
Then this guy says he’s seen it back in July.
The domain injected into the clipboard belongs to the rogue security software “antivirus 2008 xp”. The domain has been used for malicious purposes going back to at least April 2008.

Subpoena in a Civil Case

The SANS ISC Diary has a good write up of the Subpoena in a Civil Case malicious email. Wish I had seen that before investigating the copy our CEO received.
The message is from subpoena@uscourts.com with a display From of United States District Court. It says

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury of the United States District Court at the place, date, and time specified below.

It has a link to download a document on the matter. The website prompts to install a malicious ActiveX control.
The malware we received doesn’t seem to be the same file the ISC is reporting.
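The two tells in the message described above (a court display name on a non-government sender domain, and subpoena lure text paired with a download link) are easy to check at the mail gateway. The following is an added example, not code from the original post; it assumes the legitimate federal judiciary domain is uscourts.gov, and the sample message and its link are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message in the post; the link is a placeholder.
SAMPLE_PHISH = """From: "United States District Court" <subpoena@uscourts.com>
Subject: Subpoena in a Civil Case
Content-Type: text/plain

YOU ARE HEREBY COMMANDED to appear and testify before the Grand Jury
of the United States District Court at the place, date, and time specified below.

Download the document: http://example.invalid/subpoena_document.exe
"""

# Constructed benign sample: real sender domain, no lure text, no link.
SAMPLE_LEGIT = """From: "Clerk of Court" <clerk@uscourts.gov>
Subject: Hearing schedule
Content-Type: text/plain

Your hearing has been moved to 10:00.
"""

# Assumption: the federal judiciary sends from uscourts.gov; lookalike TLDs are suspect.
LEGIT_DOMAIN = "uscourts.gov"
COURT_KEYWORDS = ("district court", "uscourts")

def analyze_message(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # Finding 1: the sender claims to be the court but is not on the real domain.
    claims_court = any(k in display.lower() for k in COURT_KEYWORDS) or "uscourts" in domain
    if claims_court and domain != LEGIT_DOMAIN:
        findings.append(f"sender domain {domain!r} is not {LEGIT_DOMAIN}")

    # Finding 2: the subpoena lure wording combined with a link to fetch a "document".
    body = msg.get_payload()
    if re.search(r"\bHEREBY COMMANDED\b", body) and re.search(r"https?://\S+", body):
        findings.append("subpoena lure text combined with a download link")
    return findings
```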

Webroot State of Internet Security

Webroot has posted the Q1 2007 State of Internet Security.

16 Percent of Companies Aren’t Concerned about Spyware

http://www.networkworld.com/columnists/2007/032607edit.html

In a recent study about spyware by Nemertes Research, Senior Vice President Andreas Antonopoulos was surprised to find that 16% of the companies examined were not concerned about the threat.

The article notes that the reason for this isn’t lack of computer security spending at the companies in question. Nor is it because the companies are small. Frustratingly, the article doesn’t explore further why this is the case. Perhaps it’s in the study, but since that study is cited but not linked we are left to speculate.
Perhaps the companies are not concerned because they’ve solved the problem.
Eugene Kaspersky believes that spyware should be addressed by antivirus vendors, not a separate product. Perhaps these companies feel their antivirus is good enough.
Perhaps they use HIPS and feel that prevents the spyware from being installed in the first place.
Perhaps users aren’t given local administrator rights.
Perhaps they just have bigger concerns.
At our company we’ve used an anti-spyware product ever since enterprise-ready anti-spyware became available.

Eschelbeck Slams Windows Defender

I was a fan of Gerhard Eschelbeck when he was with Qualys. He’s been pretty much off my radar since he took the CTO position at Webroot. Today he comes out swinging against Windows Defender, as reported in Information Week.

“If you look at the [Defender] data points, they speak for themselves,” says Eschelbeck. “Defender didn’t block 84% of the tested malware. That’s not the kind of performance users are hoping for.” Eschelbeck says that his firm’s research team tested Defender against a suite of Trojan horses, adware, key loggers, system monitors, and other unwanted programs, all of which were gathered from in-the-wild threats. Webroot’s own Spy Sweeper blocked 100% of the threats.

Hmm, so in tests where they gathered the malware, their own antispyware program detected everything and the competitors didn’t do so well. That’s quite a shock.
Take a look at Sunbelt Software’s response when Webroot and Veritest released results last spring.

Eschelbeck also slammed Windows Defender, and by connection, Vista’s security, for infrequent updates. Microsoft currently issues spyware definition updates every seven to 10 days, he says. Webroot, meanwhile, identifies approximately 3,000 new traces of spyware every month. “Users can’t wait for a week or so to have their anti-spyware signatures updated,” says Eschelbeck.

So Eschelbeck is comparing frequency of updates to number of detections added. Apples/Oranges anyone? Hopefully that is the writer’s mistake.
I know nothing about Windows Defender’s frequency of updates. I do like that it uses an established update channel like Windows Update. However, I prefer my anti-malware apps on the desktop to check for updates hourly.

The IM Blocker is working

Getting hit with some spyware-laden links here at work. Our blocker got it no problem. But for everyone without IM protection, watch out for
hxxp://nsl-school.org/?id=18388
hxxp://nsl-school.org/?id=winning_list
hxxp://mytermex.com/?news_id=18388
hxxp://mytermex.com/?id=virus_shield
hxxp://nsl-school.org/?id=news X-(
http changed to hxxp to avoid anyone accidentally infecting themselves. If you go to the sites, you’re on your own.

Practicing Safe Surf

In other news the sky is blue. Porn sites are sleazy. And everything isn’t as it seems on MySpace.
http://sourcewire.com/releases/rel_display.php?relid=27686&hilite=

A survey of over 600 UK respondents showed that young men are significantly more likely to be infected with spyware than their female counterparts. The likelihood of infection was increased by the risky online behaviour of young males, such as opening instant messages (66%), downloading files (65%) and visiting adult entertainment sites (56%).

“The chances of becoming infected with spyware rapidly increase when performing certain online behaviour, such as visiting adult entertainment sites or social networking sites such as MySpace.com”,  said David Moll, CEO of Webroot. “These sites have become a breeding ground for spyware.”

MVP in Spyware pushing?

Should antispyware detect cookies?

Suzi Turner asks, “should antispyware products detect cookies” in her latest blog entry at ZDNet.
Here are some test results from Ben Edelman on how various antispyware programs treat cookies.
I’m coming at this from the perspective of a corporate information security guy. Several years ago, I started an initiative to purchase enterprise-ready antispyware. It was readily apparent that spyware was a problem. Users were installing unlicensed copies of software like Ad-Aware and Spybot S&D. After reviewing the “free” license, it was apparent that the company could be liable to software piracy charges, particularly since the corporate helpdesk was often the party installing this software. We purchased Webroot Spysweeper Enterprise to resolve this issue.
When we rolled out Webroot, one of the common complaints I heard was that it wasn’t detecting as much. The “free” antispyware products were deleting all the cookies and including that in the detected spyware count. I find that disingenuous.
I debated turning on the cookie detection in Webroot, but it seemed like I was losing cookies that were remembering my login information on various sites. My Techtarget cookie was a regular target.
I continued the rollout without enabling cookie detection. There have been many versions of Webroot Spysweeper since then. I wonder if it’s time to take another look at detecting cookies.