Case Study: Sandbagging Spyware

Manufacturing firm eliminates downed desktops by implementing HIPS tool.
Talk to any IT department about its biggest desktop bane and chances are you'll hear the same tale of woe about public enemy No. 1 - spyware.

IT staffers, therefore, make a habit of carrying around anti-spyware tools on thumb drives for that inevitable moment when yet another end user reports an infection or slow performance. But addressing desktop casualties one after another is a bit like applying first aid to the victims of sniper gunfire rather than sending a squad to take out the shooter on the hillside.

"We were spending many hours every week handling spyware attacks on our desktops," says Roberto Wong, network administrator at Chun Yu Works Inc. of Chino, Calif. "It was taking so long to handle some machines that we began to wonder if it might be cheaper just to supply infected users with a new workstation."

Instead the company installed SpyWall by Trlokom Inc. of Monrovia, Calif. This tool addresses web-based external attacks, as well as actions taken internally by users that can result in virus and spyware infiltration.

Security Crisis

The corporate world has bought into computer security in a big way over the past few years. According to International Data Corp. (IDC) of Framingham, Mass., companies worldwide are spending more than $2 billion on antivirus software annually, and almost as much on managed security services.

Virtually every enterprise, for example, has invested in some kind of enterprise desktop firewall product, and most have deployed intrusion detection systems (IDS). Now the rollout is well underway in anti-spyware software.

Yet in spite of the vast sums spent to secure enterprise systems, new and more complex attacks still manage to overcome the defenses and wreak havoc. At Chun Yu Works (CYUSA) the problem reached critical proportions at the desktop level.

CYUSA is one of the world's largest producers of metal fasteners (think nuts and bolts) with large manufacturing facilities in Taiwan and California. It is an IBM RS 6000 shop using Windows PCs at the desktop level and Cisco networking gear. To combat virus challenges, it attempted to use traditional anti-virus solutions from Symantec Corp. of Cupertino, Calif., and McAfee Inc. of Santa Clara, Calif. But the problems persisted.

"Somebody would inadvertently click on an email or go to the wrong area of the web and get infected," says Wong. "They'd call us to come fix their machines."

Technicians used spyware removal tools such as Ad-Aware by Lavasoft AB of Gothenburg, Sweden. They'd install the program and clean the system using the removal utility. If that didn't work, though, they'd have to take the desktop back to the IT department, scrub the entire hardware and reload the OS plus all necessary applications. Wong reports that about 10 percent of infected machines had to be scrubbed completely.

"Cleaning a desktop took anywhere from one to four hours," he says. "Spending more than two hours was simply not cost efficient. In addition, management expressed concern about lost employee time and productivity."

When the number of infections rose to more than 5 percent of desktops per month, Wong realized the situation required a new approach. CYUSA decided to install SpyWall.

A host-based intrusion detection system (HIPS) for the enterprise desktop, SpyWall was designed on the premise that most attacks come in via the web and focus on specific applications. As a result, network-based defenses often don't notice the presence of a threat. Witness the problems late last year with the WMF vulnerability and other zero-day attacks. WMF used two routes of penetration - the browser or via instant messaging. Those channels were utilized to attack parts of Windows that were not attached to the network i.e. this incursion used a regular channel and targeted a component of the system - and there are tens of thousands of DLLs and other potential targets that could be impacted in a similar way.

What about anti-virus and spyware - where were these tools during these threats? Unfortunately, they were largely missing in action. Such software does a good clean-up job - but only after discovery of a new kind of exploit. That's why corporations have to suffer the never-ending cycle of infection, clean-up, new infection and clean-up.

In response, SpyWall offers a two-pronged strategy. It protects the rest of the system from such zero-day threats by "sandboxing" the browser (a sandbox is a container in which untrusted programs can be safely run). By putting a sandbox around the browser, it restricts the interaction the browser has with the system. The damage is contained within the sandbox, where it can be analyzed and eradicated.

This feature cuts down heavily on the amount of overhead associated with other approaches to HIPS, which attempt to scan every single action by the system and every application within. Trlokom's product also protects the system against end-user originated actions that result in spyware downloads.

"After we put in SpyWall, we didn't get any more infection for six months," says Wong.

Recently, however, he finally did get another call about a spyware problem on the desktop. Intrigued, he evaluated the machine and found the user happened to have administrative privileges and had turned off HIPS. Why? SpyWall prevented him from going to a retail site he needed to visit to perform his duties. When he couldn't immediately figure out how to have that site's restriction lifted as an exception, he used his admin rights and disabled the program. Within hours, his system became infected.

WMF - No Problem

How did CYUSA do with regard to the WMF vulnerability? Wong confesses he didn't pay much attention to it. As his HIPS defenses had performed well for many months, he decided to see how they held up under the latest threat.

"We had no problems at all with the WMF vulnerability," he says. "I just left Trlokom running and it dealt with it without me having to do anything at all. It's good to know that I don't have to worry about zero-day attacks."

Another interesting facet of the CYUSA story is the fact that the firm has yet to deploy anti-spyware technology. It supplemented AV with HIPS and that seems to be defense enough against malware.

But Wong believes that when it comes to end users, you just can't take anything for granted.

"There will always be some that attempt to defeat the system," he concludes. "You have to have a system in place that will take care of you no matter what anybody tries to do inside or outside the organization."

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.