1
Spyware: Technology, Impact, Countermeasures (original title: Spyware – Technologie, Auswirkungen, Massnahmen)
H. Lubich, IT Security Strategist, Computer Associates
2
© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.
A Word on Terminology

Virus: "An unwanted program which places itself into other programs, which are shared among computer systems, and replicates itself. Note: A virus is usually manifested by a destructive or disruptive effect on the executable program that it affects."

SPAM: The word "Spam" as applied to email means Unsolicited Bulk Email ("UBE"). Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.

Spyware: "Any software (that) employs a user's Internet connection in the background (the so-called 'back-channel') without their knowledge or explicit permission."
3
What is Spyware?
Spyware is a non-viral application (surveillance tool) that is loaded without the user's knowledge and can monitor computer activity (Trojans), such as:
- Keystroke tracking and capture
- Email logging
- Instant messaging usage and snapshots
- Modifying application/OS behavior (e.g. CoolWebSearch)

Spyware and adware can increase business risks:
- Theft of confidential data
- Unauthorized enterprise access
- Reduced PC performance
- Increased bandwidth waste

The term "spyware" refers to non-viral applications or surveillance tools that are loaded on a user's PC without the user's knowledge and monitor computer activity.

What can it do?
-- Track and capture keystrokes
-- Log emails
-- Log instant message usage
-- Capture screen shots
-- Activate webcams

There are many types of spyware. Some are simply annoying, for example adware, while others threaten security. The more dangerous threats can involve theft of confidential data, obtain unauthorized access and threaten privacy.
4
How do People Get Infected?
- Web browsing
- Unauthorized downloads
- File swapping
- Email attachments
- Instant messaging
- Installing "legitimate software" (malicious mobile code)

Spyware can enter a system in several ways, such as through:
-- Everyday Web browsing
-- Unauthorized software downloads
-- Peer-to-peer file swapping
-- Email attachments
-- Instant messaging and chat sessions
-- Spyware bundled in legitimate software (malicious mobile code)
-- Hacker Web site downloads
-- Drive-by installs from Web sites
5
Malware Becomes a Primary Concern
6
Spyware Volume and Cost
[Chart: Number of Spyware Reports, monthly from Dec 03 to Sept 04 (vertical axis 100,000 to 1,500,000); the May 04 and June 04 points are estimates of average monthly increase. Source: CA Security Advisory Team, Center for Pest Research]
Microsoft estimates that spyware is responsible for 50% of all PC crashes
Dell reports 20% of its technical support calls involve spyware
Sources: InformationWeek, "Tiny, Evil Things," George Hulme and Thomas Claburn, April 26, 2004; and Dell press release, http://www1.us.dell.com/content/topics/global.aspx/corp/pressoffice/en/2004/2004_07_20_rr_000?c=us&l=en&s=dhs&cs=19
7
Spyware Typology
Adware and Cookies
- Track user activity on the Internet
- Collect personal information

Pop-Up Ads
- Collect information for cookies
- Interrupt user transactions on the Internet
- Flood users with ads and freeze machines
- Install utilities that modify user services

Hijackers
- Modify content of web pages
- Block access to websites
- Redirect users to unintended websites
- Install hidden/backdoor processes and services that are tightly bound to the OS
- Disrupt websites used for mission-critical applications

Spyware (Overt)
- Gains a remote control capability, which includes searching and reading local files
- Has a self-updating capability
- Often includes a network sniffer
- Can usually activate webcam or microphone
- Usually logs all keystrokes

[Chart axes: SECURITY THREAT (vertical) against SYSTEM DEGRADATION (horizontal); the four categories above are plotted from adware and cookies at the low end to overt spyware at the high end.]
There are several different types of spyware, each with different threat levels and different effects on system degradation and security. The lowest threats are adware and cookies and the highest is overt spyware. The higher the threat level, the greater the impact on system performance.
8
Spyware Business Drivers
Indirect Interest
- Take over PC to become part of a larger attack (botnet, e.g. DDoS)
- Take over PC to become distribution point for file swapping (music, software, ...)
- Steal user credentials (user ID, password) for later hacking attempt

Direct, Commercial Interest
- Steal e-mail addresses for future SPAM distribution
- Steal commercially viable data (credit card information, ...)
- Steal intellectual property
- Obtain material for blackmail, or other attacks on user/company
9
Example of Commercial SPAM Offers: eBay
10
Anti-Spyware Business Drivers
Mitigate risk and limit legal liability
- Protect from unauthorized access and information theft
- Reduce threat to employees, partners, customers, intellectual property, regulatory compliance and brand

Help ensure business continuity
- Maintain employee productivity
- Avoid business disruptions and system downtime
- Reduce bandwidth waste

Reduce costs
- Lack of resources to research new threats
- Minimize help desk calls due to spyware infestation
- Costly impact of spyware-infested machines (time and money)
- Difficult to remove spyware; re-infection is common
There are several key business drivers that encourage the use of an anti-spyware solution.
1. Proactive spyware management prevents unauthorized access and information theft, mitigating risk and limiting legal liability.
2. Proactive spyware management helps ensure business continuity: it maintains employee productivity, avoids business disruptions and system downtime, and reduces bandwidth waste.
3. Proactive spyware management reduces costs by decreasing the number of resources required to remediate spyware-infested machines.
11
"Phishing": Social Engineering "Spyware"
1. Fake e-mail (spam)
2. Hidden hyperlink
3. Faked website vs. true website
Fake pop-up
<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A>
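The anchor above is the whole trick: the visible text names the bank, the HREF points elsewhere. The following is an added example (not from the slides or from CA) of the check a mail gateway or client can run: parse every anchor and flag those whose visible text names a host that the link does not actually lead to. The sample HTML is constructed; it reuses the slide's unquoted `<A HREF=...>` form plus a legitimate link, a look-alike subdomain, and a plain-text link that names no host.

```python
"""Flag anchors whose visible text names one host while the href leads to another.

Added example; the sample HTML below is constructed for illustration and the
hosts in it are not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the slide's example link, a genuine link, a look-alike
# subdomain (www.yourbank.com.evil.example is NOT yourbank.com), and a link
# whose text names no host at all.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:
<A HREF=www.stealmyinfo.com>www.yourbank.com/myaccount</A></p>
<p><a href="https://www.yourbank.com/help">www.yourbank.com/help</a></p>
<p><a href="http://www.yourbank.com.evil.example/login">Log in to yourbank.com</a></p>
<p><a href="https://www.yourbank.com/terms">Terms of service</a></p>
"""

# A dotted, domain-looking token such as www.yourbank.com inside link text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.x.com/path' is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # no scheme: urlparse would treat it as a path
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")  # unquoted values are fine
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(href_host, shown_host):
    """True when the shown host is the href host or a parent/child of it.
    A suffix match is required to start at a label boundary, so
    www.yourbank.com.evil.example does not count as yourbank.com."""
    return (
        href_host == shown_host
        or href_host.endswith("." + shown_host)
        or shown_host.endswith("." + href_host)
    )


def find_deceptive_links(html):
    """Return [(href, text, reason)] for anchors whose text names a host
    the href does not lead to. Links whose text names no host are skipped:
    there is nothing for the href to contradict."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        match = DOMAIN_RE.search(text)
        if not match:
            continue
        shown, real = match.group(1).lower(), host_of(href)
        if not same_site(real, shown):
            findings.append((href, text, f"text names {shown} but link goes to {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: <a href={href!r}>{text}</a>: {reason}")
```

The check deliberately ignores links whose text is plain words ("Terms of service"); those can only be judged against a reputation list, not against themselves. It also treats a subdomain of the named host as legitimate, which is the usual case for real bank links, while rejecting the reverse trick of putting the real name in front of an attacker-controlled domain.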
12
Anti-Spyware Measures
Multi-Layer Approach Necessary:
- Network and PC Layer:
  Prevention: Antivirus & anti-spyware scanning (multiple stages)
  Detection: Firewall/IDS
  Remediation: Dedicated anti-pest/anti-spyware product
- Policy Layer:
  Continuously applied patches and updates
  Very frequent antivirus/anti-pest updates
  Continued end user and administrator education/awareness
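The detection layer above relies on the firewall or IDS, and the terminology slide defines spyware by its use of a background "back-channel". One thing a firewall log can reveal without any signature is that back-channel: a PC contacting the same external endpoint on a fixed timer. The following is an added example, not from the slides or from any CA product, of that detection logic run over constructed firewall log lines (the `timestamp ALLOW src -> dst:port` format is invented for the example).

```python
"""Beacon (back-channel) detector over outbound firewall connection logs.

Added example; the log format and the sample lines are constructed.
A host that reaches the same external endpoint at near-constant intervals
is reported as a candidate back-channel.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, format: "<ISO timestamp> ALLOW <src_ip> -> <dst_ip>:<port>".
# 10.0.0.12 hits 203.0.113.7:80 every ~600 s; the other flows are sporadic.
SAMPLE_LOG = """\
2005-03-01T09:00:00 ALLOW 10.0.0.12 -> 203.0.113.7:80
2005-03-01T09:00:17 ALLOW 10.0.0.12 -> 198.51.100.20:443
2005-03-01T09:10:01 ALLOW 10.0.0.12 -> 203.0.113.7:80
2005-03-01T09:12:45 ALLOW 10.0.0.31 -> 198.51.100.20:443
2005-03-01T09:19:59 ALLOW 10.0.0.12 -> 203.0.113.7:80
2005-03-01T09:21:30 ALLOW 10.0.0.12 -> 198.51.100.20:443
2005-03-01T09:30:00 ALLOW 10.0.0.12 -> 203.0.113.7:80
2005-03-01T09:40:02 ALLOW 10.0.0.12 -> 203.0.113.7:80
2005-03-01T09:47:10 ALLOW 10.0.0.31 -> 198.51.100.20:443
2005-03-01T09:50:00 ALLOW 10.0.0.12 -> 203.0.113.7:80
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port)."""
    ts, _action, src, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)


def find_beacons(log_text, min_hits=5, max_cv=0.15):
    """Return one dict per (src, dst, port) flow that connects at least
    min_hits times with a coefficient of variation of the inter-connection
    gaps no larger than max_cv (0.15 = gaps within ~15 % of their mean)."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, ip, port = parse_line(line)
            by_flow[(src, ip, port)].append(ts)

    beacons = []
    for (src, ip, port), times in by_flow.items():
        if len(times) < min_hits:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            beacons.append({
                "src": src,
                "dst": f"{ip}:{port}",
                "hits": len(times),
                "period_s": round(period),
                "cv": round(cv, 3),
            })
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"candidate back-channel: {b['src']} -> {b['dst']} "
              f"every {b['period_s']} s ({b['hits']} hits, cv={b['cv']})")
```

Regularity alone is not proof: software update checks, mail polling and NTP beacon too. In practice the output is compared against the kind of "safe list" the product-selection slide later calls for, and only unexplained endpoints are escalated to the remediation step.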
13
Anti-Spyware Complements Traditional Methods
[Figure: threat groups covered by complementary technologies: viruses, worms, Trojans; hack in progress, routed attack, port scan; buffer overflows, IE exploits, Outlook exploits; spyware, adware; hacker tools, distributed denial-of-service zombies; keyloggers, Trojans]

CA takes an integrated, multi-layered approach to security. eTrust PestPatrol complements and interoperates with traditional security technologies including antivirus, firewalls, vulnerability management and anti-spam systems.
14
How to Select Anti-Spyware Software
Personal Use (Small Office / Home Office):
- Identifies spyware in real time
- Updates spyware definitions automatically
- References large spyware information database, with incremental updates
- Provides an easy-to-use, intuitive end user interface

Corporate Use:
- Central, common management and control
- Enforces scanning and update policies, also for "nomadic" devices
- Launches scans on demand, at scheduled times or at login
- Reviews logs
- Deploys new users
- Customized alerts and logs
- Creates "safe lists" or exclusion files
- Consolidates reports
- Customizes reports based on workstation, date/time, security risk priority or pest category
- Flexible deployment
- Transparent to end users
- Unlikely to be bought off the market by a competitor
15
Internet Spyware-Check: Online & Free
http://www3.ca.com/securityadvisor/pestscan/
16
Spyware Trends
- Growing commercial interest of spyware suppliers in information (sale and use, e.g. industrial espionage)
- No clear demarcation between reasonable information mining and illegal information theft
- Permanently growing effort to identify and fight spyware (research off-loaded to the IT security industry)
- Growing influence of legal and regulatory requirements
17