Talk to any IT department about its biggest desktop bane and chances are
you’ll hear the same tale of woe about public enemy No. 1 – spyware.
IT staffers, therefore, make a habit of carrying around anti-spyware tools
on thumb drives for that inevitable moment when yet another end user reports
an infection or slow performance. But addressing desktop casualties one
after another is a bit like applying first aid to the victims of sniper
gunfire rather than sending a squad to take out the shooter on the hillside.
“We were spending many hours every week handling spyware attacks on our
desktops,” says Roberto Wong, network administrator at Chun Yu Works Inc. of
Chino, Calif. “It was taking so long to handle some machines that we began
to wonder if it might be cheaper just to supply infected users with a new
workstation.”
Instead the company installed SpyWall by Trlokom Inc. of Monrovia, Calif.
This tool addresses web-based external attacks, as well as actions taken
internally by users that can result in virus and spyware infiltration.
Security Crisis
The corporate world has bought into computer security in a big way over the
past few years. According to International Data Corp. (IDC) of Framingham,
Mass., companies worldwide are spending more than $2 billion on antivirus
software annually, and almost as much on managed security services.
Virtually every enterprise, for example, has invested in some kind of
enterprise desktop firewall product, and most have deployed intrusion
detection systems (IDS). Now the rollout of anti-spyware software is well
underway.
Yet in spite of the vast sums spent to secure enterprise systems, new and
more complex attacks still manage to overcome the defenses and wreak havoc.
At Chun Yu Works (CYUSA) the problem reached critical proportions at the
desktop level.
CYUSA is one of the world’s largest producers of metal fasteners (think
nuts and bolts) with large manufacturing facilities in Taiwan and
California. It is an IBM RS 6000 shop using Windows PCs at the desktop level
and Cisco networking gear. To combat virus challenges, it attempted to use
traditional anti-virus solutions from Symantec Corp. of Cupertino, Calif.,
and McAfee Inc. of Santa Clara, Calif. But the problems persisted.
“Somebody would inadvertently click on an email or go to the wrong area of
the web and get infected,” says Wong. “They’d call us to come fix their
machines.”
Technicians used spyware removal tools such as Ad-Aware by Lavasoft AB of
Gothenburg, Sweden. They’d install the program and clean the system using
the removal utility. If that didn’t work, though, they’d have to take the
desktop back to the IT department, scrub the entire hardware and reload the
OS plus all necessary applications. Wong reports that about 10 percent of
infected machines had to be scrubbed completely.
“Cleaning a desktop took anywhere from one to four hours,” he says.
“Spending more than two hours was simply not cost efficient. In addition,
management expressed concern about lost employee time and productivity.”
When the number of infections rose to more than 5 percent of desktops per
month, Wong realized the situation required a new approach. CYUSA decided to
install SpyWall.
A host-based intrusion prevention system (HIPS) for the enterprise desktop,
SpyWall was designed on the premise that most attacks come in via the web
and focus on specific applications. As a result, network-based defenses
often don’t notice the presence of a threat. Witness the problems late last
year with the WMF vulnerability and other zero-day attacks. WMF used two
routes of penetration – the browser or instant messaging. Those channels
were used to attack parts of Windows that were not attached to the
network; that is, the incursion used a regular channel and targeted a
component of the system. There are tens of thousands of DLLs and other
potential targets that could be affected in a similar way.
What about anti-virus and anti-spyware – where were these tools during these
threats? Unfortunately, they were largely missing in action. Such software
does a good clean-up job – but only after discovery of a new kind of
exploit. That’s why corporations have to suffer the never-ending cycle of
infection, clean-up, new infection and clean-up.
In response, SpyWall offers a two-pronged strategy. It protects the rest of
the system from such zero-day threats by “sandboxing” the browser (a sandbox
is a container in which untrusted programs can be safely run). By putting a
sandbox around the browser, it restricts the interaction the browser has
with the system. The damage is contained within the sandbox, where it can be
analyzed and eradicated.
This feature cuts down heavily on the amount of overhead associated with
other approaches to HIPS, which attempt to scan every single action by the
system and every application within. Trlokom’s product also protects the
system against end-user originated actions that result in spyware downloads.
“After we put in SpyWall, we didn’t get any more infection for six months,”
says Wong.
Recently, however, he finally did get another call about a spyware problem
on the desktop. Intrigued, he evaluated the machine and found the user
happened to have administrative privileges and had turned off HIPS. Why?
SpyWall prevented him from going to a retail site he needed to visit to
perform his duties. When he couldn’t immediately figure out how to have that
site’s restriction lifted as an exception, he used his admin rights and
disabled the program. Within hours, his system became infected.
WMF – No Problem
How did CYUSA do with regard to the WMF vulnerability? Wong confesses he
didn’t pay much attention to it. As his HIPS defenses had performed well for
many months, he decided to see how they held up under the latest threat.
“We had no problems at all with the WMF vulnerability,” he says. “I just
left Trlokom running and it dealt with it without me having to do anything
at all. It’s good to know that I don’t have to worry about zero-day
attacks.”
Another interesting facet of the CYUSA story is the fact that the firm has
yet to deploy anti-spyware technology. It supplemented AV with HIPS and that
seems to be defense enough against malware.
But Wong believes that when it comes to end users, you just can’t take
anything for granted.
“There will always be some that attempt to defeat the system,” he
concludes. “You have to have a system in place that will take care of you no
matter what anybody tries to do inside or outside the organization.”