Spyware war may be a losing battle, experts say

Black Hat 2006: Spyware is a top concern among security professionals, but experts say there may be no technology that can stop its spread. Instead, the spyware battle may need to be waged on a different front.

The spyware problem has gotten so bad, experts said at the recent Black Hat 2006, that it is unlikely it can ever be solved on a technical level. Instead, the solution will have to come from regulators and law enforcement agencies.

"It's not technically feasible to stop spyware. You will not be able to stop this technically. This problem lives at the legal-technical boundary. We can't go around arresting people," said Dan Kaminsky, senior security researcher and founder of Doxpara Research, speaking on a spyware panel at Black Hat USA 2006. "We need to create standards that clearly delineate legitimate code from illegitimate code where you throw people in jail."

Kaminsky on Net neutrality

Dan Kaminsky's annual "black ops" session at Black Hat usually serves as a pulpit for new research on standard protocols, but this year Kaminsky took on the bigger topic of Net neutrality and unveiled details of an open source tool he's developed that will test whether certain packets are treated differently by carriers and ISPs.  

Net neutrality is a term that underscores the presumed neutrality of IP networks, which are designed to transport data from point to point. Protocols higher up the stack may inspect packets for content, but not the IP layer.  

Some carriers and ISPs, Comcast for one according to Kaminsky, may treat some traffic, like encrypted VPN data, differently. Net neutrality keeps this from happening.

"Telcos selectively censor traffic so as to maximise revenue from those who'll pay most," Kaminsky said.  

Kaminsky's tool estimates the amount of TCP bandwidth used by a pair of nodes on the same network. It monitors dropped packets, which are a source of intelligence about other traffic passing through a network, and learns what the carrier defines as interference or second-class traffic.

Net neutrality is currently being debated in Congress. Some Democrats are backing an amendment to a proposed telecommunications bill that would guarantee equal treatment of Internet traffic regardless of source or destination.  

AT&T and Verizon oppose the neutrality provisions, saying it would restrict their ability to offer services. Comcast, for example, offers a premium $95-a-month service to allow video and encrypted traffic to pass.  

"This has absolutely nothing to do with video," Kaminsky said. "Your VPNs are being threatened. Tell your bosses."

--Michael S. Mimoso, Information Security magazine

In a number of recent surveys involving spyware, administrators have listed it as their top security concern. Trojans, keyloggers and other stealthy malicious programs have replaced mail-borne viruses and worms as the weapons of choice for attackers looking to plant their wares on thousands or millions of machines.

Antispyware vendor Webroot Software compiles quarterly statistics on the spread of spyware, and its latest figures, which are due to be published later this month, show that about 31% of PCs unknowingly contain at least one Trojan.

The U.S. Department of Justice, Federal Trade Commission and a host of industry coalitions have made stopping spyware a top priority, but their efforts have met with limited success.

Eileen Harrington, a deputy director in the FTC's Consumer Protection Bureau, said her commission is hamstrung by statutory limitations in its efforts to stop spyware distribution. She said the FTC is working to get broader authority, especially in regard to investigations that cross international boundaries.

"It sounds lame to sit up here and say there's only so much we can do, but it's true," Harrington said. "We all know saying, 'Don't do that anymore' in a civil action isn't that effective. It's very tough under the law to get financial remedies. We're pushing for new statutory authority to help us do our job internationally."

Harrington also said a recent appeals court decision that set forth strict guidelines on how and when the FTC can force organisations to surrender ill-gotten money could seriously harm the commission's ability to win judgments against spyware distributors.

"The effect of the decision has been troubling to us because we'd have to name every single affiliate [in a spyware distribution network] and trace every dime," she said. "Needless to say, we don't necessarily agree with the court's decision."

She added, however, that the FTC does have a large settlement with a spyware distributor in the works that will require the company to pay back all of the money it made through spyware.

In the meantime, spyware distributors are becoming more creative and devious. Stealthy malware that hides its presence on machines and collects confidential data is now the norm, the panelists said.

"We're seeing a huge increase in the usage of rootkits and custom packing and encryption algorithms," said Gerhard Eschelbeck, CTO and senior vice president of engineering at Webroot.


Kaminsky suggested that a modified form of whitelisting could hold some promise for preventing spyware infections.

Implementing such an approach is a tough task, however. Defining good and bad programs through their behaviour is extremely difficult, given that some legitimate applications can exhibit rootkit-like behaviour on occasion, and vice versa, the panelists said.

"The challenge is how you manage your whitelist," Eschelbeck said.
