Dec 31 2009

Counter Intelligence

Agencies learn they can fight back and win the war against the Web's newest public enemy: spyware.

Photo: Forrest MacCormack
"We're trying to operate an enterprise, and letting thousands of people take risks is an enterprisewide risk," USAID's Phil Heneghan says of why his agency limits users' systems privileges.

Phil Heneghan isn't big on surprises, at least not on the job. So as information systems security officer for the Agency for International Development, he scans each of the 8,000 PCs on USAID's 80-nation network about 10 times a month to ensure each is identically configured.

"We operate pretty much in a preventative mode," Heneghan says. "It helps everybody to be buttoned down."
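The configuration scan described above, as an added example that is not USAID's tool: each host's installed-software inventory is compared with an approved baseline, and anything extra (an unapproved toolbar or file-sharing client) or missing (a security agent that was removed) is reported. The baseline, hostnames and inventory lists are constructed sample data so the script runs offline; on a real network the inventory would come from an endpoint agent or a scheduled inventory job.

```python
"""Configuration-drift check against an approved PC baseline.

Added example, not USAID's scanning tool. Each host's installed-software
list is compared with the approved baseline; anything extra or missing is
reported. BASELINE and SAMPLE_INVENTORY are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed baseline: the only software approved on a standard workstation.
BASELINE = {"Office Suite", "Antivirus Agent", "VPN Client", "Web Browser"}

# Constructed inventory, keyed by hostname. ws-002 picked up an unapproved
# program; ws-003 has one too and has lost its antivirus agent.
SAMPLE_INVENTORY = {
    "ws-001": ["Office Suite", "Antivirus Agent", "VPN Client", "Web Browser"],
    "ws-002": ["Office Suite", "Antivirus Agent", "VPN Client", "Web Browser", "Gator"],
    "ws-003": ["Office Suite", "VPN Client", "Web Browser", "HOTBAR  "],
}


@dataclass
class DriftReport:
    host: str
    unexpected: list[str] = field(default_factory=list)  # installed, not approved
    missing: list[str] = field(default_factory=list)     # approved, not installed

    @property
    def clean(self) -> bool:
        return not self.unexpected and not self.missing


def normalize(name: str) -> str:
    """Fold case and whitespace so 'HOTBAR  ' and 'hotbar' compare equal."""
    return " ".join(name.lower().split())


def check_host(host: str, installed: list[str], baseline: set[str]) -> DriftReport:
    """Compare one host's inventory with the baseline and report the drift."""
    seen = {normalize(n) for n in installed}
    approved = {normalize(n) for n in baseline}
    return DriftReport(host=host,
                       unexpected=sorted(seen - approved),
                       missing=sorted(approved - seen))


def scan_fleet(inventory: dict[str, list[str]], baseline: set[str]) -> list[DriftReport]:
    """Check every host and return only the reports that show drift."""
    drifted = []
    for host in sorted(inventory):
        report = check_host(host, inventory[host], baseline)
        if not report.clean:
            drifted.append(report)
    return drifted


if __name__ == "__main__":
    for report in scan_fleet(SAMPLE_INVENTORY, BASELINE):
        print(f"{report.host}: unexpected={report.unexpected} missing={report.missing}")
```

Reporting missing items as well as unexpected ones matters: a spyware infection that disables the antivirus agent shows up as drift even when nothing new is installed, and the normalized names keep a renamed or oddly cased entry from slipping past the comparison.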

But despite his compulsive system scans, Heneghan started to notice some irregularities popping up, one by one, on machines scattered around the world. Gator, Hotbar and music-sharing software would show up on the network, and they were definitely not part of USAID's standard PC package.

He instantly recognized the notorious programs as spyware—stealth software that downloads onto unsuspecting users' computers and sends information back to the programs' creators.

Spyware can slow computer performance, cause frequent system crashes or in the case of adware—a category of spyware—produce out-of-control pop-up ads. It can render a PC unusable, capture sensitive information or zap network bandwidth by constantly communicating with its controller.

And spyware is pesky. Once downloaded, the programs are notoriously difficult to remove because they tend to seed their code in multiple places on a system, warns spyware researcher Eric L. Howes, who analyzes antispyware tools for an online resource where members offer advice on dealing with spyware.

Electronic Litterbugs

"They just litter the system with all sorts of files and registry data," Howes says. If not scrubbed from a system, the programs can resuscitate themselves. "You can have 100 files, and you can remove 99, but if you miss that one, it comes back."

Agencies are fast learning that it requires an arsenal of tools—from software and end-user education to strict policies and vigilance—to stem the tide of spyware.

As with other malware, such as worms and viruses, securing systems against spyware is an ongoing battle because its creators continually revamp the code to exploit new loopholes. "Spyware is constantly changing," says Peter Firstbrook, an IT security analyst with Gartner of Stamford, Conn. "This is an arms race."

With a careful, disciplined approach, agencies can keep spyware from gaining control of their networks, USAID's Heneghan says. And he should know: USAID is the only agency so far to earn an "A+" on the annual computer security report card handed out by the House Government Reform Committee.

"I favor locking down PCs so that people aren't able to inadvertently do things that they shouldn't," Heneghan says. "A lot of people feel that's taking away people's freedom, but we're trying to operate an enterprise, and letting thousands of people take risks is an enterprisewide risk."

At the first signs of spyware on his network, Heneghan instructed IT staff in offices around the world to wipe infected computers clean and start over by reconfiguring them. USAID employees maintain all their work files on network servers rather than their hard drives, so the agency could uninstall and reinstall programs on PCs without worrying about losing any work.

"That's really the only way to do it," Heneghan says. "Once a machine has spyware, the easiest thing is to wipe it clean and start over."

Next, he installed spyware detection and blocking software on the network. He chose AntiSpyware, a plug-in module from McAfee of Santa Clara, Calif., that was easy to integrate with the agency's existing antivirus software, also from McAfee.

Until recently, small makers of dedicated antispyware products for desktop systems offered the best protection, but in the last several months, most antivirus vendors have released enterprise-level spyware products.

Heneghan already had some layers of defense in place before he made his spyware sightings. For instance, USAID uses an intrusion detection system to monitor anomalous activity on the network. At the first signs of spyware, Heneghan can get in and clean a PC before the infection spreads.

A spam blocker on USAID's e-mail gateway provides another layer of protection, turning away messages that may contain links to spyware before the gateway delivers the e-mail to users' mailboxes.

"We've usually found it before it became a problem," Heneghan says. "Of course, we're wondering when the next wave will come and someone will figure out how to get around all the spyware module blockers."

With only one or two reports a month of spyware found on the Federal Emergency Management Agency's network, FEMA Cybersecurity Chief Bill E. Martin counts his blessings.

But, he says, it's not luck that keeps spyware under control at his agency. Rather, it's FEMA's two-prong spyware defense strategy.

Step One

First and foremost, Martin's staff teaches end users how to keep themselves safe in the cyberworld. The cybersecurity team sends out regular bulletins to end users that explain, for instance, the dangers of downloading software or providing information on questionable Web sites.

"That's where you have to start," he says. "You have to educate your users."

The next step in the process is to deploy antispyware software enterprisewide.

Many FEMA desktop PCs already run antispyware programs, but the agency is about to install an enterprise-level product from its antivirus vendor that Martin's staff can manage centrally.

Another effective strategy, Martin says, is to configure networks so that end users can't download software to their systems without approval. If they can't download software, then rogue programs can't download automatically.

While the problem of spyware continues to grow, so too does the sophistication of security products and awareness of secure computing practices, and that's what will make a difference in the long run, Martin predicts.

"I think we're going to get a handle on it," he says.

No technology is foolproof, so USAID, like FEMA, devotes time to teaching users how to detect spyware, how it works and how they can take steps to keep their PCs from becoming infected.

Internet surfers encounter limitless temptations. They can download free weather toolbars and stock tickers, listen to online radio programs or click links for information about low mortgage rates.

They can even be enticed by ads offering free spyware scans to ensure their computers are not infected. These types of offers are generally the main source of spyware.

"If you strictly use your office system for work, you're not likely to have a problem," says Rick Kuhn, a computer scientist at the National Institute of Standards and Technology.

But as is often the case, an agency's users won't even realize anything is downloading to their systems. One type of spyware, called a hijacker, redirects browsers to disguised Web sites; users don't even know that they're on illegitimate sites.

To help employees spot risky sites, USAID developed an in-house application called Tips of the Day that delivers a pop-up screen every time a user logs onto the network. The application's screens offer changing pointers about security, and the user must answer a few questions to close a screen. Users' scores are regularly sent to supervisors so the agency can spot areas that require training.

"It makes people pay attention," Heneghan says.

In a comprehensive publication for agencies about broadband and remote-access security, Kuhn and two colleagues offered tips on controlling spyware.

Click Aversion

Like Heneghan's, their strategy consists of a layered approach, with dedicated antispyware software, virus detection software with a spyware component and a spam filter to block e-mail containing links to spyware. But one of NIST's strongest recommendations is to teach users to be careful about sites they visit and links they click on.

"I see e-mail messages all the time that are extremely well disguised to look like they're coming from a bank or some other e-commerce site," Kuhn says. "But if you click on the links, they might ask you for your password or might download malicious software. If you're not extremely careful, you're likely to pick up something."
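The gateway check that USAID's spam blocker and NIST's layered approach describe, as an added example that is neither agency's code: it parses a message, pulls every link out of its HTML and plain-text parts, and rejects the message when a link host is on a blocklist or when the visible link text names one host while the href points at a different one, the disguise Kuhn describes. The blocklist hosts and both sample messages are constructed placeholders; a real gateway would load the blocklist from a feed.

```python
"""Mail-gateway link check. Added example, not USAID's or NIST's code.

Rejects a message when any link points at a blocklisted host or when the
text shown for a link names a different host than the href it carries.
BLOCKED_HOSTS and the two sample messages are constructed placeholders.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist of hosts known to serve spyware installers.
BLOCKED_HOSTS = {"spyware-example.invalid", "free-scan-example.invalid"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def extract_links(msg: Message) -> list[tuple[str, str]]:
    """Return (url, visible text) pairs from all text parts of a message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(body)
            links.extend(collector.links)
        else:
            # Plain text has no anchor text, so the URL stands for itself.
            links.extend((u, u) for u in URL_RE.findall(body))
    return links


def check_message(raw: str) -> list[str]:
    """Return the reasons to reject a message; an empty list means deliver it."""
    reasons = []
    for url, text in extract_links(message_from_string(raw)):
        host = host_of(url)
        if host in BLOCKED_HOSTS:
            reasons.append(f"blocked host {host}")
        shown = URL_RE.search(text)
        if shown and host_of(shown.group(0)) != host:
            reasons.append(f"link text shows {host_of(shown.group(0))} but points to {host}")
    return reasons


# Constructed sample: a lure dressed up as a bank notice.
SAMPLE_MESSAGE = """\
From: alerts@bank-example.invalid
To: user@agency-example.invalid
Subject: Verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://spyware-example.invalid/login">https://www.bank-example.invalid/login</a></p>
<p>Free scan: <a href="https://free-scan-example.invalid/scan">click here</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message with an approved link.
CLEAN_MESSAGE = """\
From: helpdesk@agency-example.invalid
To: user@agency-example.invalid
Subject: Training reminder

Today's tip is at https://intranet.agency-example.invalid/tips
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, check_message(raw) or ["deliver"])
```

The mismatch rule is what catches the well-disguised message: the blocklist only helps once a host is known, whereas a visible URL that disagrees with its href is suspicious regardless of which host it resolves to.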