LAS VEGAS -- The spyware problem has gotten so bad, experts say, that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies.
"It's not technically feasible to stop spyware. You will not be able to stop this technically. This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Seattle-based Doxpara Research, speaking on a spyware panel at the recent Black Hat USA 2006 event. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."
In a number of
Boulder, Colo.-based antispyware vendor Webroot Software Inc. compiles quarterly statistics on the spread of spyware, and its latest figures, which are due to be published later this month, show that about 31% of PCs unknowingly harbor at least one Trojan.
The U.S. Department of Justice, Federal Trade Commission and a host of industry coalitions have made stopping spyware a top priority, but their efforts have met with limited success.
Eileen Harrington, a deputy director in the FTC's Consumer Protection Bureau, said her commission is hamstrung by statutory limitations in its efforts to stop spyware distribution. She said the FTC is working to get broader authority, especially in regard to investigations that cross international boundaries.
"It sounds lame to sit up here and say there's only so much we can do, but it's true," Harrington said. "We all know saying, 'Don't do that anymore' in a civil action isn't that effective. It's very tough under the law to get financial remedies. We're pushing for new statutory authority to help us do our job internationally."
Harrington also said a recent appeals court decision that set forth strict guidelines on how and when the FTC can force organizations to surrender ill-gotten money could seriously harm the commission's ability to win judgments against spyware distributors.
"The effect of the decision has been troubling to us because we'd have to name every single affiliate [in a spyware distribution network] and trace every dime," she said. "Needless to say, we don't necessarily agree with the court's decision."
She added, however, that the FTC does have a large settlement with a spyware distributor in the works that will require the company to pay back all of the money it made through spyware.
In the meantime, spyware distributors are becoming more creative and devious. Stealthy malware that hides its presence on machines and collects confidential data is now the norm, the panelists said.
"We're seeing a huge increase in the usage of rootkits and custom packing and encryption algorithms," said Gerhard Eschelbeck, CTO and senior vice president of engineering at Webroot.
Kaminsky suggested that a modified form of whitelisting could hold some promise for preventing spyware infections.
Implementing such an approach is a tough task, however. Defining good and bad programs through their behavior is extremely difficult, given that some legitimate applications can exhibit rootkit-like behavior on occasion, and vice versa, the panelists said.
"The challenge is how you manage your whitelist," Eschelbeck said.
Meanwhile, University of Maryland professor William Arbaugh warned attendees that rootware is being found with increasing frequency. Spyware's evolution has been vicious for security managers who have watched it move beyond collecting surfing data for marketing purposes to dropping Trojans bearing keyloggers. These attack vectors have put sensitive personal and corporate information at risk, and the addition of stealth technology to the mix further muddies the vision of a security manager.
Two prevalent examples -- MiniKeylogger and Powered Keylogger -- not only log keystrokes, but monitor file operations along with browser and email activity, all the while hiding their processes, directories and registry entries via the use of a driver. Two others, the MyFip and Fanbot worms, hook themselves into physical memory rather than the kernel.
"These two are nasty because they're worms; once they get in your system, they start looking for other targets," Arbaugh said. "You could end up spending a few late nights and weekends re-imaging your systems, provided of course that you have a good image to use."
Rootkit detection is not impossible, however. Bitwise integrity checking calculates a hash value for each file, or for each operating system component in memory, and stores the results in a database. That database serves as a baseline for comparison against the current state of the files or the OS; any deviation could indicate tampering.
Signature-based detection searches files or memory for known rootkit code. The drawback here, as with antivirus, is that signatures must be updated frequently or the user remains vulnerable to attack.
Behavioral detection is possible, but not as effective because of a high rate of false positives. This method builds a state machine of expected system calls and looks for deviations from it. Unless the system is tightly constrained, it is close to impossible to determine whether a deviation is caused by a rootkit or by normal system operation.