Executive summary
"Pests" is the collective term we use to describe
non-viral malicious code: trojans, remote administration tools,
hacker tools, and spyware. Such code can stealthily gain access to
and hide on computer systems, bypassing traditional security
measures such as anti-virus, firewalls, and intrusion detection
systems.
Pests can allow unauthorized users to breach
firewalls and access sensitive data by assuming the identity of
authorized users. Pests can then allow unauthorized third parties
and disgruntled insiders to access electronic assets (customer
database, financial records, intellectual property, trade
secrets), compromise existing security, destroy customer
confidence, and expose individuals and organizations to
litigation.
Pests are fundamentally different from viruses, in
that they are self-contained programs rather than code fragments,
and so the technology required to detect and remove them is also
fundamentally different from anti-virus software. All pests share
these common characteristics: most people don't know anything
about them, didn't invite them in, don't know they are present,
and don't want them in their system. That is the heart of the
problem. With thousands of files in today's computers, no one
could be expected to know what every single one does. And, without
the technology to help find pests, they can live and thrive in
your system for a long time before anyone finds out they're there
- by which time it may be too late.
Pests have the potential to create even greater
damage than viruses - including significant loss of business,
legal liability, and public relations nightmares.
Protecting your systems against pests
CA Anti-Spyware picks up the protection of your
network where current products leave off. It is designed to be
used in conjunction with anti-virus software, and has little to no
impact on system performance. PestPatrol, used in conjunction with
an anti-virus product, offers comprehensive and reliable
protection against stealthy malicious code that can result in
downtime, loss of employee productivity and legal liability.
An example of why additional protection
beyond anti-virus is needed was the December 2001 outbreak of BadTrans.B.
Every anti-virus company came out with a 'quick fix' to detect and
remove the worm itself, but did you know that the worm left behind
a key logger that may still be hidden on systems you thought were
clean? PestPatrol would have found and removed it.
Pest behavior and impact
Pests can do anything that software can do. Here
are just a few examples:
-
If your PC has ever locked up for no reason, the
CD-ROM drive has started to turn, or you've mysteriously lost
files, you could unknowingly have downloaded a RAT (remote
administration tool), enabling a hacker to control your machine
without you ever knowing. Back Orifice and SubSeven are well
known RATs.
-
If a disgruntled ex-employee plants a key logger
on critical systems before he's terminated, he can access
confidential data long after he's gone by capturing keystrokes
for passwords. This is what the key logger left behind by the
trojan incorporated into the BadTrans.B worm was programmed to
do.
-
And, how would you like to discover that some
company has secretly planted spyware on your machine and has
been following your surfing habits and transmitting this
information to an outside source?
No network administrator would be happy to find
out that intellectual property, customer data or even ownership of
the corporate web site has fallen into someone else's
(unauthorized) hands.
Unlike viruses, however, there can be 'good'
pests. That is to say, tools such as password cracking programs
are an important part of the system administrator's toolkit, but
in the wrong hands, password crackers can allow unauthorized
individuals to access confidential data unchallenged. PestPatrol
deals with this "gray area" by enabling you to detect the presence
of such a tool only if it's on a PC where you would not expect to
find it - in the accounting or sales departments, for example.
Why are pests on the rise?
Many factors conspire to make today's computer
systems a fertile environment for pest growth.
-
Users have changed. A decade ago, it
seemed that many users were fascinated by the details of their
computer's operation. Many knew that the size of COMMAND.COM in
DOS 5.0 was 47,485 bytes. But today's users tend to regard
computers as just another tool to help them do their job, so
there is less interest in the details of what is going on behind
the scenes. This simply means that, should problem software be
inadvertently introduced to a machine, the number of users that
are equipped to realize what has happened and deal with it is a
much smaller proportion of the total user population.
-
Operating systems are more complex. A
decade ago, DOS consisted of COMMAND.COM and two hidden system
files, and could fit on a low-capacity floppy. Today, the
Windows directory on a typical Windows 98 machine is likely to
have 200 or more directories, 4,500 or more files, and use 600
MB or more. Today, no user could be expected to know what every
file in their computer does, where it came from, or if it is
even needed.
-
New software cannot be readily inspected
prior to installation. A decade ago, nearly all software
introduced to a machine was installed from a floppy disk. It was
a simple matter to determine the immediate source of that
software, and to scan it for viruses. Today, nearly all software
is introduced to a machine via the Internet. The transfer
process might reveal the overall setup package, but not its
components. Even the size of the basic component often cannot be
determined with precision. And any kind of security check of the
installation package cannot usually be done prior to
installation.
-
Software is installed in obscure ways. A
decade ago, software installations involved little more than
creating a directory and copying some files. Not until DOS 6
were operating system files even compressed. Today, the exact
process followed by an installer is hidden by both the
installation package (often a single file contains dozens or
hundreds of individual files) and installation procedure (an
installer may or may not enumerate files as they are extracted.)
Sometimes, as in the case of an ActiveX, JavaScript, or VBScript
component on a web page, there is no evident installation
process at all: the software is simply transferred, installed
and run, sometimes without any user interaction at all.
-
Trusted sources can no longer be determined.
A decade ago, users were counseled to avoid viruses by only
installing software from trusted sources, and to not accept
software from untrusted sources. Users of a decade ago might
call local Bulletin Boards (BBSs), but would rarely make long
distance calls to BBSs across the country, or make international
calls. And at 2400 baud, users spent some time judging the
potential value of software before downloading. Today, all of
the world's software is a local call away, via the Internet, and
can be accessed 30 to 1,000 times faster than it was a decade
ago.
-
There is more problem software. Problem
software, such as viruses, does not become extinct just because
it is hunted. Every piece of malicious code that has ever been
distributed probably still lives, somewhere. In short, the evil
that men do lives long after they are gone.
The real problem is that the rate of emergence of
pests is increasing. Figure 1 below reports on the
growth of pests, by creation date, both as a total number and as
total size in megabytes. These values come from the PestPatrol
database, which is available for examination online.
Figure 1: The number of pests
has increased rapidly over the past few years.
Anti-virus (AV) requires a different approach
There have been many pests in the news recently.
In fact, they sometimes seem to be "stealing the show" from
viruses. For example, the "SubSeven Defcon8 2.1 backdoor trojan"
is a trojan, not a virus.
Anti-virus vendors have added detection
capabilities for some high-profile pests. They just haven't added
them very well, or with any degree of thoroughness or consistency.
There are two main reasons for this, covered in the next two
sections.
Anti-virus is not enough
Anti-virus software detects some pests, particularly those that have made the
news. But generally, the pest detection rates of anti-virus
software are pretty low. To illustrate this, we asked the National
Software Testing Laboratory (NSTL) to test PestPatrol's pest
detection capabilities against the three major anti-virus software
packages: Norton AntiVirus, McAfee, and PC-Cillin. Here is a
summary of their findings:
"PestPatrol clearly detects more pests in every
category than any other product tested by finding 86% of the
pests. PC-Cillin 2000 came in a distant second, finding 55%.
Although no product, in its default state, detected every
available pest, it is clear which product provides the better
protection.
"Our testing indicates that pest detection, unlike
virus detection, has not been given strong enough attention by the
computer industry. This may be due to the fact that pests tend to
run silently, and users often don't even know that their systems
are infected. So there is no big outcry by infected owners for
remediation or prevention. As more people become aware of pests
and see the damage that they can do, there should be increased
demand for effective products to detect and clean pests.
"Currently, products tend to do their best
detection with trojan-type pests - detecting a larger percentage
of them. Pests used for hacking or performing Denial of Service
attacks were only modestly detected by the majority of products.
Only PestPatrol was able to detect any spyware pests."
Figure 2: Results of the 11/01
NSTL pest detection tests
Use of anti-virus software is not enough, as many
experts have recently argued. "Antivirus software still does an
excellent job of protecting against viruses in the wild; however,
other products, in association with corporate security policy, are
now becoming increasingly important to safeguard the network and
critically sensitive corporate data." - Datapro
Anti-virus technology is not well-suited for detecting pests
Viruses do not "install" themselves in a
machine. They do not normally examine the registry, nor do they
make changes to it. They do not reconfigure the machine to ensure
that they run at next boot. The challenge with a virus is to
remove it from the objects it has infected, returning them to a
fully functional state.
Trojans usually do install themselves in a
machine. They frequently modify the registry, and sometimes also
modify .ini files, such as win.ini, so that they are started again
at the next boot. Simply deleting the trojan's file is not enough:
the registry (or win.ini) still calls for a file that no longer
exists, which produces errors at start-up and hides the fact that
the persistence entry was ever there. Unlike virus removal,
removing a trojan may require editing the registry.
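The cleanup step described above, as an added example that is not PestPatrol's or CA's code: the script enumerates the autostart locations a trojan typically uses (the Run keys and the run=/load= lines of win.ini), parses them out of a regedit text export, and flags entries whose executable is no longer on disk, i.e. exactly the dangling references an anti-virus product leaves behind when it deletes only the file. The .reg export, the win.ini text and the set of "present" files are constructed samples with made-up names (no real product or pest is implied), so the script runs on any platform; pass `os.path.exists` as `exists` to audit a real export.

```python
"""Audit Windows autorun entries and flag the ones whose file is missing.
Added illustration, not PestPatrol/CA code; all inputs below are constructed."""
import os
import re

# Autostart keys this example audits (compared case-insensitively).
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}
# Constructed regedit export: one benign entry, one entry whose file is gone
# (hypothetical names), and an unrelated key that must be ignored.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="\"C:\\Program Files\\Example\\loader.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example App"
'''
# Constructed win.ini with a run= entry (hypothetical file name).
INI_SAMPLE = r'''[windows]
load=
run=C:\WINDOWS\kbdhook.exe
NullPort=None

[Desktop]
Wallpaper=(None)
'''
# Constructed view of the disk: loader.exe has already been deleted.
PRESENT_FILES = {"systray.exe", r"c:\windows\kbdhook.exe"}

def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ values in a regedit text export.
    Default values (@=), dword:/hex: data and multi-line hex are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslash and double quote with a backslash.
                yield key, name.strip('"'), re.sub(r"\\(.)", r"\1", data[1:-1])

def parse_win_ini(text):
    """Yield ("win.ini", "run"|"load", program) from the [windows] section;
    several programs on one line are separated by spaces or commas."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().lower()
            if name in ("run", "load") and data.strip():
                for program in re.split(r"[,\s]+", data.strip()):
                    yield "win.ini", name, program

def executable_path(command):
    """Program part of an autorun command line. A quoted path is taken whole;
    an unquoted one stops at the first space (Windows tries every prefix,
    so an unquoted path containing spaces is ambiguous)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""

def audit_autoruns(reg_text, ini_text, exists=os.path.exists):
    """One record per autorun entry, with a 'present' flag for its file."""
    entries = [e for e in parse_reg_export(reg_text) if e[0].lower() in RUN_KEYS]
    entries += list(parse_win_ini(ini_text))
    findings = []
    for location, name, command in entries:
        path = executable_path(command)
        findings.append({"location": location, "name": name, "command": command,
                         "path": path, "present": bool(exists(path))})
    return findings

def dangling(findings):
    """Entries that still point at a file that no longer exists."""
    return [f for f in findings if not f["present"]]

def demo_exists(path):
    """Constructed stand-in for os.path.exists (Windows paths are case-insensitive)."""
    return path.lower() in PRESENT_FILES

if __name__ == "__main__":
    for f in audit_autoruns(REG_SAMPLE, INI_SAMPLE, demo_exists):
        status = "ok" if f["present"] else "DANGLING: file missing, entry remains"
        print(f'{f["location"]} : {f["name"]} = {f["command"]} -> {status}')
```

A removal routine built on this would delete the value (or the win.ini entry) together with the file, which is the extra step the text says virus removal never needs. Note that a bare name such as SysTray.Exe is resolved through the search path at boot, so a real audit has to resolve it before deciding the file is missing.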
Because a trojan appears, to all intents and
purposes, to be a normal uninfected program, and lacks the tell-tale
entry-point jump that a file-infecting virus inserts, there
is no convenient section of a few thousand bytes from which a
detection scan string might be extracted. To detect a trojan with
a scan string is not difficult. To do so without false alarming on
non-trojans is a great deal more difficult, because most of a
trojan's bytes (compiler stubs, runtime library strings, standard
headers) are shared with legitimate programs.
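The false-alarm problem stated above, as an added example that is not PestPatrol's or CA's code: candidate scan strings are harvested from a sample and kept only if they occur in none of a corpus of clean programs. `TROJAN_SAMPLE` and `BENIGN_CORPUS` are constructed byte blobs standing in for real executables; they deliberately share a stub header and a runtime-library string, which is exactly what a scan string taken naively from the start of the file would be built from. The window length and stride are assumptions for the example.

```python
"""Pick scan strings for a sample that do not fire on clean programs.
Added illustration, not PestPatrol/CA code; all byte blobs are constructed."""

WINDOW = 16   # scan-string length in bytes (assumption for this example)
STEP = 4      # stride when harvesting candidate windows (assumption)

# Material shared by every "program" here: a DOS stub and a runtime string.
COMMON_STUB = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
               b"This program cannot be run in DOS mode.\r\n$")
RUNTIME_STR = b"Microsoft Visual C++ Runtime Library\x00"
# Constructed "trojan": shared header plus a made-up configuration blob.
TROJAN_SAMPLE = (COMMON_STUB + RUNTIME_STR
                 + b"[cfg] notify=irc.example.invalid chan=#lab port=6667\x00"
                 + b"kbd_hook_install\x00")
# Constructed clean programs built from the same shared material.
BENIGN_CORPUS = [
    COMMON_STUB + RUNTIME_STR + b"Example Text Editor 1.0\x00Open File\x00Save As\x00",
    COMMON_STUB + b"Example Calculator\x00" + RUNTIME_STR,
]

def is_padding(window):
    """Reject windows with too few distinct bytes (zero runs, alignment fill):
    they match far too many files to be useful as a signature."""
    return len(set(window)) < 6

def candidate_strings(sample, window=WINDOW, step=STEP):
    """Every non-padding window of `window` bytes at multiples of `step`."""
    return {sample[i:i + window]
            for i in range(0, len(sample) - window + 1, step)
            if not is_padding(sample[i:i + window])}

def choose_scan_strings(sample, benign_corpus, window=WINDOW):
    """Keep only candidates that occur in no clean file, sorted for stability."""
    return sorted(c for c in candidate_strings(sample, window)
                  if not any(c in clean for clean in benign_corpus))

def scan(data, scan_strings):
    """True if any scan string occurs in the data (substring match)."""
    return any(s in data for s in scan_strings)

def false_positive_rate(scan_strings, benign_corpus):
    """Fraction of clean files the scan strings fire on."""
    hits = sum(scan(clean, scan_strings) for clean in benign_corpus)
    return hits / len(benign_corpus)

if __name__ == "__main__":
    naive = [TROJAN_SAMPLE[:WINDOW]]          # first bytes of the file
    chosen = choose_scan_strings(TROJAN_SAMPLE, BENIGN_CORPUS)
    print("naive string false-positive rate :", false_positive_rate(naive, BENIGN_CORPUS))
    print("chosen strings false-positive rate:", false_positive_rate(chosen, BENIGN_CORPUS))
    print("chosen strings still detect sample:", scan(TROJAN_SAMPLE, chosen))
    for s in chosen[:3]:
        print("  candidate:", s)
```

The clean corpus is what makes the difference: the naive string fires on every clean file, while the surviving candidates all come from the sample's own configuration data. In practice the corpus has to be large and representative, and the chosen strings should still be re-checked against each clean-corpus update.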
The PestPatrol approach
CA Anti-Spyware scans your
system, looking specifically for malicious code. It currently can
detect some 32,000 pests, and the database continues to grow.
PestPatrol is designed to be very fast and can scan 33,000 files
per minute.
How does CA Anti-Spyware differ from anti-virus software?
CA Anti-Spyware is not an
anti-virus product and it will not remove viruses. PestPatrol
looks for and detects other malicious code, including trojans,
hacker tools, Denial-of-Service attack agents, and spyware. Since
anti-virus products focus on viruses, PestPatrol used in
conjunction with an anti-virus product offers complete and
reliable protection from the full complement of malicious code
that might result in downtime, loss of employee productivity and
dissemination of dangerous code.
How does CA Anti-Spyware stay current?
We have created a number of tools that automatically manage the
PestPatrol database, trapping new malicious code and constantly
updating the database. Such new files are downloaded and
automatically analyzed.
Information on how to remove this malicious code
from the registry, from ini files, and from the file system is
automatically added to our database. The database
is automatically posted to the web site so that users of
CA Anti-Spyware have access to the latest strings; the product looks
for updates and downloads them automatically, too. The result:
CA Anti-Spyware can detect a
pest within a few minutes of its availability on the Internet and
have the necessary removal information immediately available.
Compatibility with anti-virus
CA Anti-Spyware is designed to work with anti-virus software, not instead of it.
This design required that several conditions be met:
-
the scanning time for PestPatrol needed to be
lightning fast;
-
the product needed to be "lightweight", taking
little machine overhead;
-
the product needed to detect problems that the
anti-virus software missed, with little overlap.
CA Anti-Spyware benefits
CA Anti-Spyware is fast
because its detection algorithms are specifically built for pest
detection. At the time of writing, the database contains 11
different pieces of information on each of 32,000 different pests:
over 350,000 information elements.
CA Anti-Spyware is flexible, with powerful command line
capabilities to facilitate scheduling, network-wide scanning
(including systems connecting to corporate servers via VPN),
reporting, and updating.
CA Anti-Spyware combines speed, a mature database and
automated updating capability, offering complete and reliable
protection from dangerous code. Further information and evaluation
software for download are available online.
Conclusion
It is clear that anti-virus, while extremely
valuable, is no longer the complete solution to malicious code
management. According to The Hurwitz Group, PestPatrol "will
create a solid tool for fighting against the software that plagues
our networks today. In the corporate world, this provides two
benefits: It protects corporate information that resides on
systems being accessed by infected PCs and reduces the likelihood
of liability associated with corporate PCs acting as "zombies" and
attacking other companies."
Buy CA Anti-Spyware Today!