Spyware vs Viruses

October 8th, 2009

Unique Challenge of Spyware

Important Differences to Know About Spyware and Viruses

Spyware and computer viruses might appear to have more in common than not: both are malicious programs, both impact system stability, and the effects of both can range from a nuisance to serious damage. Both also require specialized tools for their removal. While these two types of malicious program closely resemble each other at first glance, there are significant differences:

• Unlike viruses, the motivations behind spyware are financial, which has driven rapid technical innovation and broad distribution.
• Spyware is curiously difficult to locate for research, requiring specialized, proactive methods for discovery.
• Removing spyware is especially complicated and problematic because newer versions are highly adept at remaining on a system.
• The business impact of spyware is greater, as it compromises privacy, threatens assets and affects productivity beyond even the damage caused by viruses.

The bottom line is that spyware presents a unique and serious problem that requires its own dedicated defenses. As spyware rapidly proliferates today, its well-funded developers are creating increasingly sophisticated versions, and it is clear that solutions devoted to handling the intricacies of spyware are necessary. The first line of defense is education, and understanding the unique threat spyware poses is the first step in a practical plan for protection.

Designed to Hide

One important way spyware is distinguished from viruses is discoverability. Antivirus vendors are able to deploy passive techniques for identifying new viruses, such as “honey-nets” that capture the malicious programs as they replicate themselves across the Internet. Because antivirus vendors can rely on these more passive research methods, they have not been as prepared for the active approach necessary to combat the unique challenges of spyware detection.

In order to maintain a definitions database that will effectively defend its users from newly released forms of spyware, an anti-spyware provider must actively seek out new threats and their source location. Keeping up with hundreds of adware companies and thousands of spyware writers is a daunting task. Furthermore, it is becoming even more specialized as increasingly advanced forms of spyware morph into new variations requiring more sophisticated approaches.

There are several approaches to spyware research, but each is technically challenging and resource intensive. One of the more interesting approaches uses web-crawler technology to find new threats before they can infect end users. This automated scanning of the Internet for new forms of spyware relies on proprietary technologies and a specific understanding of spyware and its unique properties.

Difficult to Remove

Once installed on a system, the presence of spyware on the PC can be insidious. While viruses typically take the form of a single executable and might affect a few registry entries, spyware typically impacts multiple registry entries and potentially leaves dozens of application files spread across the hard drive or deep within the hardware. Sophisticated techniques are required to locate and remove these many components created by spyware applications.

In addition, spyware is becoming increasingly sophisticated in its staying power. New spyware programs use complex approaches, such as running separate processes that monitor each other. These programs are capable of reinstalling components and repopulating registry entries that have been removed. They are also capable of randomizing various elements of the program so that they leave a different footprint and are harder to track. To further complicate matters, if left unchecked many spyware applications are capable of downloading additional programs.

Consider, for example, the insidious spyware program called “Look2Me”. This malicious application gets deep inside the system. It uses Internet Explorer as the launching point to insert another file into the part of Windows that controls system start-up processes. By hooking itself in this way, it tricks the computer into believing that it is a critical process that must not be removed. If attempts are made to remove its files or their registry entries, Look2Me can automatically reboot the computer to restore itself.

Compared to spyware, the newly identified virus W32.Mydoom.CF@mm is malicious but much less difficult to remove. W32.Mydoom.CF@mm is a mass-mailing worm that propagates rapidly by mailing itself to addresses gathered from the compromised computer. It copies itself to a Windows system folder and modifies up to three registry entries so that it loads when Windows starts, but removal is as simple as deleting its file and erasing the strings it inserted into the registry. Antivirus programs are designed for exactly this type of task.

When faced with more difficult removal efforts, antivirus programs are not sufficient. Even just to remove some viruses, leading anti-virus vendors have had to build completely separate custom removal tools. Removing aggressive spyware is even more difficult. To be effective, an anti-spyware program must engage in the complex, multi-step process of extracting the spyware components and removing the traces left behind throughout the system. Spyware removal requires highly specialized techniques that are different from the fundamental processes performed by antivirus software.

Different Impact

Another important difference between spyware and viruses is the impact they have on computers and their users. Viruses are developed to cause mischief by clogging networks, bringing down systems, or in some cases, deleting information. Spyware, however, is designed to execute even more malicious objectives. In the hands of cyber criminals, spyware’s impact can be devastating, enabling them to violate personal privacy, access proprietary information, and steal financial assets. This was the case in a recent headline-making cyber theft in which spyware was used to steal $423 million from Sumitomo Mitsui bank.

In addition, even “legitimate” adware programs have a significant negative impact on productivity. They often slow system performance, cause PC crashes, and result in lost time while infected systems are repaired. According to a Microsoft estimate, spyware causes more than half of Windows system crashes [1], and Dell announced in 2004 that a full 25% of the calls to its support staff were from users who had experienced degraded system performance caused by spyware [2].

Unique Distribution

The way in which spyware proliferates is also different from viruses. For one, there are often more variants. While viruses may have a few variants or encourage copycat efforts, spyware is often programmatically designed to spin off its own variations, which can lead to a substantially greater number of spyware programs to contend with.

In addition, while viruses are typically designed to spread themselves openly and obviously across networks, spyware is generally downloaded and installed unwittingly by computer users. Spyware’s focus is on stealthy delivery, and thus it proliferates more “silently”, which makes it more difficult to determine the scope of its dissemination. While antivirus solutions are focused on combating the more visible spread of viruses and worms, a spyware protection solution must be adept at exposing stealthy delivery methods.

Financially Motivated

Another important differentiator between spyware and viruses is the motivation for their creation in the first place. Viruses are often created by individuals or small groups with the intent of causing a nuisance, or of testing their programming skills at the expense of others. Spyware, on the other hand, is financially motivated and represents a growing industry estimated at $2.5B.

Backed by legitimate organizations with substantial financial resources, spyware is becoming increasingly sophisticated, and increasingly more difficult and complex to manage. With a strong financial motivation behind its advancement, spyware protection will continue to require highly specialized techniques.

Conclusion

In summary, spyware is uniquely difficult to identify, and it becomes entangled in the systems it infects, making its removal extremely complicated. Spyware’s impact can be dramatically different from that of viruses, resulting in significant losses through theft of assets and decreased productivity. Finally, because it is financially motivated and backed by increasing investment from a thriving industry, spyware is advancing rapidly and becoming progressively more complex.

When examined more closely, it is apparent that spyware has very different properties from viruses. Understanding the unique properties of spyware is the first defense against its dangers. Dealing with spyware is a complex challenge that requires specialized techniques. Today more than ever, computer users need to rely on a dedicated solution designed specifically to help navigate the unique threats of spyware.

[1] Brian Arbogast, Microsoft (corporate vice president of the Identity, Mobile and Partner Services Group within Microsoft’s MSN and Personal Services Division), at a Federal Trade Commission spyware workshop, according to a Microsoft press release on April 20, 2004 (http://www.microsoft.com/presspass/features/2004/apr04/04-20Spyware.asp)

[2] Ed Maguire, Merrill Lynch comment, Security Software: Gartner Security Summit Highlights, June 10, 2004

Technical Terms & Definitions

October 8th, 2008

D.O.D. Wipe
DOD wiping is a standard that the Department of Defense created to
ensure data on its hard drives was unrecoverable. The process
involves writing random data over the entire contents of the
hard drive. The more times this is done, the less recoverable the
sensitive information is. DOD 5220.22-M (the US DoD security manual)
requires that the drive be overwritten three times, but more is better.
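
As an added example (not part of the original glossary), the following Python applies the multi-pass overwrite the entry describes to a single file rather than a whole drive: it writes fresh random data over every byte for a configurable number of passes, flushes each pass to disk, and checks that no 16-byte fragment of the original survives before the file is unlinked. The sample content, the window size and the helper names are constructed for this demonstration.

```python
import os
import secrets
import tempfile
from typing import Dict, Optional

# Constructed sample (not from the glossary): a small file of fake account data
# stands in for the hard drive that a real DOD wipe would cover end to end.
SAMPLE_CONTENT = b"ACCOUNT=12345;PIN=9876;" * 2000


def overwrite_file(path: str, passes: int = 3, block_size: int = 1 << 20) -> int:
    """Overwrite every byte of `path` with fresh random data `passes` times,
    flushing each pass to the device before the next one starts. The default of
    three passes mirrors the DOD 5220.22-M requirement quoted above.
    Returns the number of bytes overwritten per pass."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    # O_BINARY matters on Windows: random bytes must not get newline translation.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                chunk = secrets.token_bytes(min(block_size, remaining))
                written = 0
                while written < len(chunk):  # os.write may write less than asked
                    written += os.write(fd, chunk[written:])
                remaining -= len(chunk)
            os.fsync(fd)  # push this pass through the OS cache to the disk
    finally:
        os.close(fd)
    return size


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place, then unlink it. Returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def contains_fragment(data: bytes, original: bytes, window: int = 16) -> bool:
    """Recoverability check: does any `window`-byte run of `original` survive in
    `data`? Only the live file contents are inspected, not journal or slack copies."""
    fragments = {original[i:i + window]
                 for i in range(0, len(original) - window + 1, window)}
    return any(fragment in data for fragment in fragments)


def demo(directory: Optional[str] = None) -> Dict[str, object]:
    """Write the sample to a temp file, overwrite it three times, confirm that no
    fragment of the original survives, then finish with wipe_file()."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_CONTENT)
    per_pass = overwrite_file(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    residue = contains_fragment(after, SAMPLE_CONTENT)
    wipe_file(path, passes=1)  # one more pass, then unlink, via the wrapper
    return {
        "bytes_per_pass": per_pass,
        "size_unchanged": len(after) == len(SAMPLE_CONTENT),
        "residue_found": residue,
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Overwriting a file in place only reaches the blocks it currently occupies; copies left in a filesystem journal, in snapshots, or in remapped cells on a wear-levelled SSD are untouched, which is why the standard is framed around the whole drive rather than individual files.
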
DSL (Digital Subscriber Line)
Common Usage: Customers (typically individuals
or small businesses) who simply want to use
their existing phone lines for Internet connectivity.
Must be within 18,000 feet of a central office.  

Definition: A high-speed Internet connection
delivering data over existing telephone lines at a
transmission speed between 128Kbps-10Mbps.

DS1 (Digital Signal Level 1)
Common Usage: Customers (typically small to medium businesses) that need
a high-speed Internet connection, multiple phone lines, or
a combination of the two.

Definition: A service that provides a dedicated
connection from your premises to a long distance switch,
providing the user with a multi-channel, high-capacity digital
circuit for voice and/or data applications. DS1 can be
provisioned by channels for data, voice, or any combination
up to 24 channels.

T1 (Trunk Level 1)
Common Usage: Customers (typically small to medium businesses) requiring
high-speed Internet connections, point-to-point data transport,
and multi-line voice capability.

Definition: A digital transmission link with a
total speed of up to 1.544 Mbps. Mostly synonymous with DS1.
A T1 Internet connection’s cost
is comprised of two parts: the local loop charge or the
phone circuit that connects your location to the Internet
point-of-presence (POP), and the actual Internet bandwidth
access port charge.

ISDN
Common Usage: Businesses that need Internet connections
beyond 18,000 feet from a central office.  

Definition: A one- or two-channel digital connection.
Each channel can transmit at 64 Kbps, and can be used for data
or voice capability.

T3 (Trunk Level 3)
Common Usage: Customers (typically medium to large businesses)
needing high-speed Internet, point-to-point data transport, and/or
multi-line voice capability.  

Definition: Synonymous with DS3 (Digital Signal Level 3).
A T3 transmits at a rate of 43.232 Mbps and consists of 28 T1 circuits.

OC3 (Optical Character Level 3)
Common Usage: Larger businesses that need high-speed Internet
connections, point-to-point data transport, and multi-line
voice capability.

Definition: Transmits at a rate of 155 Mbps, and is equivalent
to 84 T1 circuits. An OC3 is termed a “fiber connection.”

OC12
Common Usage: Larger businesses that need high-speed Internet
connections, point-to-point data transport, and multi-line
voice capability.

Definition: Transmits at a rate of 622 Mbps, and is equivalent
to 4 OC3 circuits.

OC48
Common Usage: Larger businesses that need high-speed Internet
connections, point-to-point data transport, and multi-line
voice capability.

Definition: Transmits at a rate of 2.5 Gbps, and is equivalent
to 4 OC12 circuits.

OC192
Common Usage: Phone companies, large Internet Service Providers
(ISPs), and large companies offering streaming media services (video,
music, Internet teleconferencing, etc.). Other customers may acquire
an OC192, but most will never fully utilize it.  

Definition: Transmits at a rate of 9.6 Gbps, and is equivalent
to 4 OC48 circuits.

Networking & Multi-Tenant Internet

October 8th, 2008

Networking of computer systems has become a must in today’s world. It is no
longer restricted to offices and corporations — people today have networks
even in their houses and apartments.
Data transfers have grown as new technology emerges, and soon, as the
Internet gets faster, video conferencing over the internet will be flawless.
The size and speed of the Internet has grown exponentially over the past few
years, and the demand for high-speed residential access is growing with it.

Networking Defined:

Networking is the act of connecting two or more computers together. This is
generally done using a cable known as CAT5e (from the name of the standard
describing the cable’s properties).

Today, though, we are not limited to wired infrastructures — a network can
also incorporate wireless connections (commonly known as Wi-Fi) for easier
use with mobile technology. Computer networking in its simple form is no
different than people networking with others. Both are used to share
ideas and information, collaborate, and pass along some form of data.

Whether you have 5 computers or 200, you will need to network them in order
to get anything done. The reason is simple: you need to share data,
resources, and Internet access, among many other things.
If you are building new offices or need to network your current location,
New Age Digital can help you install wiring, set up the network’s infrastructure,
and provide and configure high-speed Internet access.

New Age Digital even has a solution for networking Multi-Tenant Facilities in
the Richmond, Virginia and surrounding areas. If you have a building with
multiple tenants and would like to provide them with High Speed Internet
access, then call us and we will do a site survey. We can also provide
Internet access and server capabilities for a Multi-Tenant office.

Significant Benefits Of Our Multi Tenant Solution

  • Significant generation of non-rental income
  • Unlimited users/entities are licensed on one server
  • An excellent marketing differentiator for your property – market with an advantage
  • Attractive facility for prospective tenants/purchasers
  • Extremely cost-effective, with significant savings and the ability to make direct profits

Selectable Outgoing Email Addresses under Outlook with Exchange

December 10th, 2006

Exchange Server offers great support to receive email addressed to multiple domains, but does not allow users to choose which address they would like to use when sending outgoing messages.

Let’s say John Doe at Company abc.com runs Small Business Server 2003 and has a side business with the domain name xyz.com. John can easily receive email to jdoe@abc.com and jdoe@xyz.com. But when John sends an email, the recipient will see that it comes from jdoe@abc.com. John has no option to send the email so that it appears to come from jdoe@xyz.com.

This can be resolved by adding an SMTP account to the Outlook profile on the workstation. While not a perfect solution, it does allow users to select which email address they would like recipients to see. This solution is recommended for small sites where the administrative overhead is low and where only a few outgoing domains need to be selectable.

This solution has the following strengths:

  1. Little or no modification needs to be made to Exchange.
  2. It works great on single Exchange servers and SBS servers.
  3. Email to all domains is still delivered immediately to the user’s Exchange mailbox. There is no need to have separate Personal Folder stores or profiles that users will forget to check and backup.

This solution has the following weaknesses:

  1. The Outlook client will need an account added to the profile of each user that needs to have multiple outgoing addresses. An account will need to be added for each outgoing address (other than the primary). Multiple Outlook profiles on one computer or users that use Outlook on multiple computers will increase the administration burden.
  2. While the alternate email address will show on the recipient’s copy, the email headers will still show the Exchange server’s primary domain. Most recipients won’t even know how to check email headers, but this solution is not appropriate when the appearance of complete separation of the domains needs to be achieved.
  3. Outgoing addresses are not selectable under Outlook Web Access.
  4. Outgoing email will always show the user’s primary address unless an alternate is selected. The user must select the alternate SMTP account even when replying to an email sent to the alternate email address. For example, John receives an email sent to jdoe@xyz.com (his primary is @abc.com). When John replies to the email he must select the xyz.com SMTP account when he sends the email or else his reply will go out as jdoe@abc.com.

These instructions will assume the user has administrative access to the Exchange and DNS servers on the network or is the administrator of a Microsoft Small Business Server. We will also assume the servers are running Windows 2003, Exchange 2003, and Outlook 2003 or SBS 2003. 2003 is not a requirement, but some steps will vary on other versions of SBS, Windows Server, and Outlook.

The first step in the process is to add the additional domains to the recipient policy on the Exchange server if it has not already been done. This will allow the Exchange Server to receive email sent to the additional domain(s).

  1. Open Exchange System Manager, or drill down to your Exchange instance on the Server Management Page for Small Business Server.
  2. Open Recipients and click on Recipient Policies.
  3. Right click the Default Policy and select Properties.
  4. Select the E-mail addresses tab and click New.
  5. Select SMTP address and fill in the additional domain name with the @ symbol prefix (@xyz.com) and click OK.
  6. You may modify the primary SMTP domain if desired, then click OK.
  7. Repeat for each domain you want to add.

At this point, your users can receive email sent to the additional domain only if you edit each user account and add the address for them. I recommend right clicking the Default Policy and selecting Apply this policy now. This will make the additional domain active for all users. In effect, it creates a secondary email address for all of your Exchange users in the Default Policy (normally everyone).

Now DNS needs to be setup. External DNS is provided by a wide range of providers. You will need to contact your domain host to setup the necessary record for DNS. This may be your web hosting company or the company you registered the domain with. You will want to add an A record and MX record for the outside or public IP address of your Exchange server for the additional domain. A CNAME record that aliases an existing A record is fine, or you can use an existing A record. Please contact your domain host if you need help. You can contact us at New Age Digital if you would like to change your hosting service. We can assist with all of the details. This will need to be done for all domains for which you wish to receive email.

Next we will add the domain to your internal DNS server. This will normally be your Small Business Server or PDC in a multi-server environment.

  1. Open your DNS MMC console. Normally accessed through Administrative Tools.
  2. Right click Forward Lookup Zones and select New Zone.
  3. Click Next on the New Zone Wizard and select Primary and click Next.
  4. Choose the appropriate selection on the next screen. Normally the default is correct.
  5. Enter your additional domain name (xyz.com) and click Next.
  6. Normally you will not want dynamic updates, but this may vary depending on your needs. Dynamic updates are not necessary for this setup. Click Next and Finish.
  7. Right click the domain you added and select new A record. You may need to expand the tree on the left side of the MMC console to activate the add function.
  8. Enter the prefix for the A record in the name field. This should match the A record setup on the external DNS servers for the domain. For example, if an A record, mail.xyz.com, was setup on the external DNS servers, enter mail in the name field.
  9. Type in the local IP address of your Exchange server and click Add Host. Please note that this is the internal IP address – not your outside or public IP address.
  10. Repeat for each domain that you wish to use for outgoing email.

Add a new account to each Outlook profile on each computer that will need to send email out using the new email address.

  1. In Outlook, select Tools, Email Accounts.
  2. Select View or change existing email accounts and click Next.
  3. Select Add, select POP3, and click Next.
  4. Fill in the fields on the POP3 Internet account settings screen as follows:
  5. Name – As you would like it to appear to recipients, usually the user’s full name.
  6. Email address – The full email address using additional domain (jdoe@xyz.com).
  7. Both POP3 and SMTP servers will be the host you setup in DNS (mail.xyz.com).
  8. The username should be the login name of the user to the domain or Exchange server (jdoe).
  9. The password is the user’s domain or Exchange password.
  10. Do not test the account settings (see below). Click Next and Finish.
  11. Make sure the Exchange account is still the default and that the user’s mailbox is the delivery location for all accounts by clicking on each account.
  12. Repeat for each outgoing address you wish to add.
  13. Repeat for each user and each Outlook profile that your users will use to send outgoing email on the additional addresses.
  14. Most Exchange servers do not have POP3 enabled by default. It does not need to be enabled, nor do we need to make any firewall or router changes to allow POP3 traffic. The next step will be to disable the POP3 half of the new account. This will negate the need to make any changes to Exchange. It will also remove conflicts with some antivirus scanners with email scanning ability, and improve the speed of retrieving new messages. Exchange is already setup to receive incoming mail on the additional domains and that email will be delivered directly to the user’s mailbox on receipt.

Reset Symantec Antivirus Corporate Password

November 10th, 2006

It can be quite frustrating to take on a new client
and not be able to access the Symantec Antivirus
Console or Symantec Security Center Console because
the password was never recorded. Here are a couple
of options for recovering from that situation.

The first thing to try is the default password “symantec”.

Older versions of Symantec Antivirus (before version 10)
have a password to access the console. This can be reset
by stopping the Symantec Antivirus services in the
Microsoft Services MMC and changing a registry key.
Changing this key will set the password back to the
default, but must be done with the services stopped.
Open regedit and change the following key’s value and
restart the services.

HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ConsolePassword

Value: 1084A085DC6BD2D755D4D6A7726

Symantec Antivirus version 10 has both a login name
and password. This can be reset by using the iforgot.exe
program that is located under the
Program Files\Symantec\Symantec System Center\Tools folder.
You will need to know the login name for the iforgot.exe
program to reset the password.