Tech companies fight stealth software
Computer security sleuths diligently follow the coded tracks of amorphous thieves.
By DAVE GUSSOW
Published October 31, 2005
[Times photo: Ted McLaren]
Clockwise from bottom: Patrick Jordan and Jarrett Levine, Sunbelt spyware researchers; Alex Eckelberry, company president; and Dave Bove, manager of spyware research.
CLEARWATER - The directions would be incomprehensible to a casual visitor. The Web site is Russian.
But translated at Sunbelt Software in Clearwater, the document gives step-by-step instructions on how a spyware ring wants to attack computers.
"We need to infect user's computer that visits our Web site with maximum efficiency," the translation reads. "And this must be done as fast as possible."
Then there are sites that offer a spyware bazaar, with menus of services. Perhaps it'll cost $50 to set up a denial of service attack that can shut down someone's Web site. It may cost $100 to create a keylogger, a program that records keystrokes and transmits the data to steal personal information.
"This guy is creating a package that other people who want to create spyware applications can use," said Eric Sites, Sunbelt's vice president of research and development.
In the effort to protect computer security, such Web sites give a chilling insight into the scourge known as spyware, stealth software that can do a range of things, from stealing private data to gunking up personal computers.
While the faces behind spyware are hidden, this much is known: It is a growing and increasingly sophisticated problem. The people behind it can be anywhere. And as fast as the security industry can respond, the bad guys can move faster.
Webroot Software, which also does security work, estimates that there may be 300,000 or more spyware distribution Web sites and that as many as 80 percent of PCs have at least one unwanted program.
"These guys are out trying to make money," Sites said.
Keeping tabs on a mobile enemy
Tracking trends in spyware and then developing countermeasures are part of the mission of a team at Sunbelt, which received international attention over the summer for discovering a keylogger run by an international identity theft ring.
But that case also illustrates the difficulties in fighting spyware. The ring is still operating, even though authorities have been investigating it since August.
It has grown from one keylogger to at least 28 variants. It appears that there's a network of at least five Web sites involved. And, according to Sunbelt's estimates, the ring has stolen information from about 8,000 people and businesses.
This case was unique because Sunbelt researchers tracked the spyware back to the operating Web sites, where the stolen data were collected. Sunbelt has been working with law enforcement, banks and some of the victims since the discovery.
"It was the most awful feeling," said Alex Eckelberry, Sunbelt's president. "It's really depressing when you watch this stuff."
On the front lines for Sunbelt are 12 researchers and two consultants who monitor thousands of known spyware Web sites, intentionally letting computers get infected so they can examine the code and check for even slight variations from a database of known spyware applications.
As much as people think spyware, viruses and other malicious code are cutting edge, experts say the technical basics haven't changed over the years.
"They're just changing the files and making a little bit different variants," said Patrick Jordan, a senior spyware research analyst. "But they're using the same old stuff, the same techniques."
The spyware goal also remains the same: stealing information. The keylogger discovered by Jordan recorded what people typed on their computers, then transmitted it to the Web sites. Information included everything from financial account numbers to passwords.
Symantec reported this month that it found a spyware application that sends screen shots of retailers' sites when a user visits a page with the word "confirm" on it, indicating a financial transaction, according to a report on Cnet.
For Jordan, the effort consumes his workday and even time at home. Before coming to Sunbelt, Jordan worked as tech support for Jackson Hewitt but tired of the routine of maintaining networks and setting up and fixing computers.
Jordan began his research into spyware from home at night a few years ago, set up his own Web site and became part of a group dedicated to security issues that shares information online through forums and blogs. Sunbelt even touted his hiring in a press release.
Starting his day early with "lots of coffee," Jordan goes through a list of files captured on a "virtual machine," special software that acts as a clean PC so researchers can see what it has picked up. Sunbelt has a database with thousands of malicious codes archived.
When researchers find a new strain of spyware, Jordan and other researchers take it apart, looking at how it works and if there are clues to its origins. Then they add it to the database. The difficulty is that it's a moving target.
"They keep changing copies of the files so they're all doing different things at different times," Jordan said.
In as little as 15 minutes, Jordan and his team can provide a fix for computer users to remove it from their systems.
Jordan would not discuss all his investigative techniques, but he indicated that he and other spyware fighters have their own tricks to ferret out information. Still, it's always a game of catchup.
"We have the intelligence on the enemy," said Dave Bove, Sunbelt's manager for spyware research. "We know their exact location. But every time I shoot a bomb at them, they instantly move out of the way."
Allies in the fight against spyware
The war on spyware is being waged on multiple fronts.
A consortium of companies, including Microsoft, Hewlett-Packard, AOL, Symantec and others, teamed with public interest groups such as the Center for Democracy and Technology this year to form the Anti-Spyware Coalition.
"Sharing knowledge is going to be extremely important in ending this problem," said Ari Schwartz, associate director of the Center for Democracy and Technology.
Among the coalition's goals are to come up with a standard definition of spyware, coordinate the industry response and educate the public about the problem.
Part of the difficulty is differentiating spyware, which generally includes programs that sneak onto computers without the user's knowledge and perform secret tasks, from adware, a form of advertising that includes popups.
The group received more than 400 comments on its initial definitions this summer, according to Schwartz, and released an updated report last week.
Some wanted vague definitions so as not to create loopholes, Schwartz says. Others, particularly ad companies, wanted more specifics they could follow.
While Sunbelt touts industry cooperation as an important part of fighting the threat from spyware, it has so far refused to join the coalition. Eckelberry says he wants to maintain Sunbelt's independence in setting its own standards on definitions while still cooperating and collaborating with others.
Sunbelt also has been very public in its efforts. The company even posts on its Web site legal threats sent from advertising companies that challenge their inclusion in Sunbelt's spyware database, as well as Sunbelt's responses.
Eckelberry describes the openness as "enlightened self-interest." He says companies can modify their behavior, which may lead to an adjustment in their threat level ranking. But it's not a decision made lightly.
"One of the other benefits of going public with a lot of this information is that when an adware company wants to reach out to us again and get their listing modified, they do it in a much more gentle manner," Bove said.
The company also gathers reports from its customers, checks those out against its database and at sites such as Spyware Warrior, and maintains an ongoing threat meter that lets people see which applications are most active.
Sunbelt focuses on business software, including system management and security. The company began offering consumer versions of its security products about three years ago, starting with IHateSpam, then IHatePopups and later CounterSpy, its antispyware product.
In the last three years, the company, the U.S. part of the Sunbelt International Group in France, has doubled its revenue, according to Eckelberry. And much of that increase has come from security work.
Eckelberry describes the consumer aspect of the company's work as something of a public service, selling the products for $20. The emphasis, he says, remains work for business.
Victory starts with the consumer
Sunbelt emphasizes that fighting spyware is a collaborative effort, including sharing information with others in the industry. And consumers play a key role, too.
Security patches for Windows XP are a must, Sunbelt and others say. Jordan says he can visit a suspect site with an unpatched system and get infected. With the patches, it rarely happens, he says. Closing popup boxes by clicking on the X instead of OK also helps.
Even then, the bad guys keep coming up with new tactics. The latest concern is rootkits, which burrow deep into the operating system and hide their presence. They also can avoid detection by security software.
Bove likens it to a chess match where the opponent always has the first move, but he is confident in the outcome.
"We generally feel we can't be defeated, because if they can get in, so can we," Bove said.
--Dave Gussow can be reached at email@example.com or 727 445-4165.
[Last modified October 31, 2005, 03:00:27]