
Combating Spyware in the Enterprise

Pages: 406
Size: 8.0 MB
Format: PDF

www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING

Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Visit us at

374_Spyware_FM.qxd 6/30/06 4:47 PM Page i

Combating Spyware in the Enterprise

Brian Baskin
Tony Bradley
Jeremy Faircloth
Craig A. Schiller
Ken Caruso
Paul Piccard
Lance James

Tony Piltzecker, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER

001 HJIRTCV764

002 PO9873D5FG

003 829KM8NJH2

004 387GGDWW29

005 CVPLQ6WQ23

006 VBP965T5T5

007 HJJJ863WD3E

008 2987GVTWMK

009 629MP5SDJT

010 IMWQ295T6T

PUBLISHED BY

Syngress Publishing, Inc.

800 Hingham Street

Rockland, MA 02370

Combating Spyware in the Enterprise

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-064-4

Publisher: Andrew Williams
Acquisitions Editor: Erin Heffernan
Technical Editor: Tony Piltzecker
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Odessa&Cie

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, and Karen Montgomery.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System, is a Consulting Engineer for Networked Information Systems in Woburn, MA. He is also a contributor to How to Cheat at Managing Microsoft Operations Manager 2005 (Syngress, ISBN: 1597492515).

Tony’s specialties include network security design, Microsoft operating system and applications architecture, as well as Cisco IP Telephony implementations. Tony’s background includes positions as IT Manager for SynQor Inc., Network Architect for Planning Systems, Inc., and Senior Networking Consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in Business Administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.

Contributors

Brian Baskin (MCP, CTT+) is a researcher and developer for Computer Sciences Corporation. In his work he researches, develops, and instructs computer forensic techniques for members of the government, military, and law enforcement. Brian currently specializes in Linux/Solaris intrusion investigations, as well as in-depth analysis of various network protocols. He also has a penchant for penetration testing and is currently developing and teaching basic exploitation techniques for clients. Brian has been developing and

instructing computer security courses since 2000, including presentations and training courses at the annual Department of Defense Cyber Crime Conference. He is an avid amateur programmer in many languages, beginning when his father purchased QuickC for him when he was 11, and has geared much of his life around the implementations of technology. He has also been an avid Linux user since 1994, and he enjoys a relaxing terminal screen whenever he can. He has worked in networking environments for many years, from small Novell networks to large Windows-based networks for a number of the largest stock exchanges in the United States.

Brian would like to thank his wife and family for their continued support and motivation, as well as his friends and others who have helped him along the way: j0hnny Long, Grumpy Andy, En”Ron”, “Ranta, Don”, Thane, “Pappy”, “M”, Steve O., Al Evans, Chris pwnbbq, Koko, and others whom he may have forgotten. Most importantly, Brian would like to thank his parents for their continuous faith and sacrifice to help him achieve his dreams.

Brian wrote Chapter 5 (Solutions for the End User) and Chapter 6 (Forensic Detection and Removal).

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/Network Security and writes frequently for many technical publications and Web sites.

I want to thank my Sunshine for everything she has done for me, and everything she does for me and for our family each day. She is the glue that holds us together and the engine that drives us forward.

I also want to thank Erin Heffernan and Jaime Quigley for their patience and support as I worked to complete my contributions to this book. Lastly, I want to thank Syngress for inviting me to participate on this project.

Tony wrote Chapter 1 (An Overview of Spyware) and Chapter 2 (The Transformation of Spyware).

Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is an IT Manager for EchoStar Satellite L.L.C., where he and his team architect and maintain enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 13 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 1932266526), Managing and Securing a Cisco SWAN (ISBN: 1-932266-91-7), C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8).

Jeremy wrote Chapter 3 (Spyware and the Enterprise Network).

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig is also a contributor to Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792). Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.

Craig wrote Chapter 4 (Real SPYware—Crime, Economic Espionage, and Espionage).

Ken Caruso is a Senior Systems Engineer for Serials Solutions, a ProQuest company. Serials Solutions empowers librarians and enables their patrons by helping them get the most value out of their electronic serials. Ken plays a key role in the design and engineering of mission-critical customer-facing systems and networks. Prior to this position, Ken worked at Alteon, a Boeing Company, Elevenwireless, and Digital Equipment Corporation. Ken’s expertise includes wireless networking, digital security, and design and implementation of mission-critical systems. Outside of the corporate sector Ken is cofounder of Seattlewireless.net, one of the first community wireless networking projects in the U.S. Ken is a contributor to OS X for Hackers at Heart (Syngress, ISBN: 1597490407).

Ken studied Computer Science at Daniel Webster College and is a member of The Shmoo Group of Security Professionals. Ken has been invited to speak at many technology and security events, including but not limited to Defcon, San Diego Telecom Council, Society of Broadcast Engineers, and CPSR: Shaping the Network Society.

Ken wrote Chapter 7 (Dealing with Spyware in a non-Microsoft World).

Paul Piccard serves as Director of Threat Research for Webroot, where he focuses on research and development, and provides early identification, warning, and response services to Webroot customers. Prior to joining Webroot, Piccard was manager of Internet Security Systems’ Global Threat Operations Center. This state-of-the-art detection and analysis facility maintains a constant global view of Internet threats and is responsible for tracking and analyzing hackers, malicious Internet activity, and global Internet security threats on four continents.

His career includes management positions at VistaScape Security Systems, Lehman Brothers, and Coopers & Lybrand. Piccard was researcher and author of the quarterly Internet Risk Impact Summary (IRIS) report. He holds a Bachelor of Arts from Fordham University in New York.

Paul wrote Chapter 8 (The Frugal Engineer’s Guide to Spyware Prevention).

Lance James has been heavily involved with the information security community for the past 10 years. With over a decade of experience with programming, network security, reverse engineering, cryptography design and cryptanalysis, attacking protocols, and a detailed expertise in information security, Lance provides consultation to numerous businesses ranging from small start-ups to governments, both national and international, as well as Fortune 500s and America’s top financial institutions. He has spent the last three years devising techniques to prevent, track, and detect phishing and online fraud. He is a lead scientist with Dachb0den Laboratories, a well-known Southern California “hacker” think tank; creator of InvisibleNet; a prominent member of the local 2600 chapter; and the Chief Scientist with Secure Science Corporation, a security software company that is busy tracking over 53 phishing groups. As a regular speaker at numerous security conferences and a consistent source of information for various news organizations, Lance is recognized as a major asset in the information security community.

Lance wrote Appendix A (Malware, Money Movers, and Ma Bell Mayhem!).

Contents

Chapter 1  An Overview of Spyware  1
    Introduction  2
    Spyware: Defined  2
        How Spyware Works  2
            Why Spyware Is Not a “Virus”  5
        Commonly Seen Spyware  5
        Identity Theft  6
    Malware: Defined  7
        How Malware Works  7
        Commonly Seen Malware  8
    Adware: Defined  9
        How Adware Works  9
        Commonly Seen Adware  10
    Parasiteware: Defined  11
        How Parasiteware Works  11
        Commonly Seen Parasiteware  12
    Phishing: Defined  12
        How Phishing Works  12
        Commonly Seen Phishing Attacks  14
            PayPal  14
            eBay  15
            Citibank  16
            Washington Mutual  17
            IRS Tax Refund  18
    Botnets: Defined  18
        How Botnets Work  19
        Commonly Seen Botnets  19
    Summary  21
    Solutions Fast Track  21
    Frequently Asked Questions  24

Chapter 2  The Transformation of Spyware  27
    Introduction  28
    The Humble Beginnings  28
        Targeted Marketing  28
        Hitting the Internet Target  30
        Selling Software  31
        Adware Evolves  32
        Making a Name for Itself  34
            All Roads Lead to Microsoft  34
            The Making of a Buzzword  34
        The Early Effects of Spyware  35
        Early Means of Prevention  35
    Spyware in the Twenty-First Century  38
        How Spyware Has Evolved  38
        Increased Use of Spyware in the Commission of Criminal Acts  39
        Antispyware Legislation  41
    The Future of Spyware  42
    Summary  44
    Solutions Fast Track  44
    Frequently Asked Questions  46

Chapter 3  Spyware and the Enterprise Network  49
    Introduction  50
    Keystroke Loggers  51
        How Keystroke Loggers Work  53
        Known Keystroke Loggers  56
            KeyGhost  56
            KEYKatcher/KEYPhantom  57
            Invisible KeyLogger Stealth  58
            Spector  58
            Boss EveryWhere  59
        Known Exploits  60
    Trojan Encapsulation  62
        How Spyware Works with Trojan Horses  63
        Known Spyware/Trojan Software  65
            D1Der  65
            Sony Digital Rights Management  66
            Kazanon  67
    Spyware and Backdoors  68
        How Spyware Creates Backdoors  68
        Known Spyware/Backdoor Combinations  70
        A Wolf in Sheep’s Clothing: Fake Removal Tools  71
    Summary  75
    Solutions Fast Track  75
    Frequently Asked Questions  77

Chapter 4  Real Spyware—Crime, Economic Espionage, and Espionage  79
    Introduction  80
    White to Gray to Black—Increasing Criminal Use of Spyware  81
        White to Gray—Ethical to Unethical  82
        Hacker Ethic to Criminal Ethic  82
        Unethical Practices for the Benefit of Companies  84
        Spyware for Government Use  86
    It’s All in the Delivery  88
        Targeted, Networked Spyware  89
        Phishing Overview  89
        Botnets Overview  93
            The Botnet-Spam and Phishing Connection  99
    Phishing Detection  100
        What to Look For  100
        Tools  106
        Internet Resources  107
    Reporting Phishing  108
        Law Enforcement  110
        Antiphishing Consortiums  112
        Antiphishing Software Vendors  115
    Bot Detection  116
        Detecting Bots on a Host  116
