combating spyware in the enterprise


Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Combating Spyware in the Enterprise

Brian Baskin
Tony Bradley
Jeremy Faircloth
Craig A. Schiller
Ken Caruso
Paul Piccard
Lance James
Tony Piltzecker, Technical Editor

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, and Karen Montgomery.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System, is a Consulting Engineer for Networked Information Systems in Woburn, MA. He is also a contributor to How to Cheat at Managing Microsoft Operations Manager 2005 (Syngress, ISBN: 1597492515). Tony’s specialties include network security design, Microsoft operating system and applications architecture, as well as Cisco IP Telephony implementations. Tony’s background includes positions as IT Manager for SynQor Inc., Network Architect for Planning Systems, Inc., and Senior Networking Consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in Business Administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.

Contributors

Brian Baskin (MCP, CTT+) is a researcher and developer for Computer Sciences Corporation. In his work he researches, develops, and instructs computer forensic techniques for members of the government, military, and law enforcement. Brian currently specializes in Linux/Solaris intrusion investigations, as well as in-depth analysis of various network protocols. He also has a penchant for penetration testing and is currently developing and teaching basic exploitation techniques for clients. Brian has been developing and instructing computer security courses since 2000, including presentations and training courses at the annual Department of Defense Cyber Crime Conference. He is an avid amateur programmer in many languages, beginning when his father purchased QuickC for him when he was 11, and has geared much of his life around the implementations of technology. He has also been an avid Linux user since 1994, and he enjoys a relaxing terminal screen whenever he can.
He has worked in networking environments for many years from small Novell networks to large Windows-based networks for a number of the largest stock exchanges in the United States. Brian would like to thank his wife and family for their continued support and motivation, as well as his friends and others who have helped him along the way: j0hnny Long, Grumpy Andy, En”Ron”, “Ranta, Don”, Thane, “Pappy”, “M”, Steve O., Al Evans, Chris pwnbbq, Koko, and others whom he may have forgotten. Most importantly, Brian would like to thank his parents for their continuous faith and sacrifice to help him achieve his dreams.

Brian wrote Chapter 5 (Solutions for the End User) and Chapter 6 (Forensic Detection and Removal)

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/Network Security and writes frequently for many technical publications and Web sites.

I want to thank my Sunshine for everything she has done for me, and everything she does for me and for our family each day. She is the glue that holds us together and the engine that drives us forward. I also want to thank Erin Heffernan and Jaime Quigley for their patience and support as I worked to complete my contributions to this book. Lastly, I want to thank Syngress for inviting me to participate on this project.

Tony wrote Chapter 1 (An Overview of Spyware) and Chapter 2 (The Transformation of Spyware)

Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is an IT Manager for EchoStar Satellite L.L.C., where he and his team architect and maintain enterprisewide client/server and Web-based technologies.
He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge. As a systems engineer with over 13 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 1932266526), Managing and Securing a Cisco SWAN (ISBN: 1-932266-91-7), C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8).

Jeremy wrote Chapter 3 (Spyware and the Enterprise Network)

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig is also a contributor to Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792). Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.

Craig wrote Chapter 4 (Real SPYware—Crime, Economic Espionage, and Espionage)

Ken Caruso is a Senior Systems Engineer for Serials Solutions, a Pro Quest company. Serials Solutions empowers librarians and enables their patrons by helping them get the most value out of their electronic serials. Ken plays a key role in the design and engineering of mission-critical customer-facing systems and networks.
Previous to this position, Ken has worked at Alteon, a Boeing Company, Elevenwireless, and Digital Equipment Corporation. Ken’s expertise includes wireless networking, digital security, and design and implementation of mission-critical systems. Outside of the corporate sector Ken is cofounder of Seattlewireless.net, one of the first community wireless networking projects in the U.S. Ken is a contributor to OS X for Hackers at Heart (Syngress, ISBN: 1597490407). Ken studied Computer Science at Daniel Webster College and is a member of The Shmoo Group of Security Professionals. Ken has been invited to speak at many technology and security events, including but not limited to Defcon, San Diego Telecom Council, Society of Broadcast Engineers, and CPSR: Shaping the Network Society.

Ken wrote Chapter 7 (Dealing with Spyware in a non-Microsoft World)

Paul Piccard serves as Director of Threat Research for Webroot, where he focuses on research and development, and provides early identification, warning, and response services to Webroot customers. Prior to joining Webroot, Piccard was manager of Internet Security Systems’ Global Threat Operations Center. This state-of-the-art detection and analysis facility maintains a constant global view of Internet threats and is responsible for tracking and analyzing hackers, malicious Internet activity, and global Internet security threats on four continents. His career includes management positions at VistaScape Security Systems, Lehman Brothers, and Coopers & Lybrand. Piccard was researcher and author of the quarterly Internet Risk Impact Summary (IRIS) report. He holds a Bachelor of Arts from Fordham University in New York.

Paul wrote Chapter 8 (The Frugal Engineer’s Guide to Spyware Prevention)

Lance James has been heavily involved with the information security community for the past 10 years.
With over a decade of experience with programming, network security, reverse engineering, cryptography design and cryptanalysis, attacking protocols, and a detailed expertise in information security, Lance provides consultation to numerous businesses ranging from small start-ups, governments, both national and international, as well as Fortune 500’s and America’s top financial institutions. He has spent the last three years devising techniques to prevent, track, and detect phishing and online fraud. He is a lead scientist with Dachb0den Laboratories, a well-known Southern California “hacker” think tank; creator of InvisibleNet; a prominent member of the local 2600 chapter; and the Chief Scientist with Secure Science Corporation, a security software company that is busy tracking over 53 phishing groups. As a regular speaker at numerous security conferences and a consistent source of information by various news organizations, Lance is recognized as a major asset in the information security community.

Lance wrote Appendix A (Malware, Money Movers, and Ma Bell Mayhem!)

[...]

... the spyware. Most users will simply click OK without reading or fully understanding the legally binding EULA they are agreeing to, though.

Figure 1.1 Kazaa Desktop and the EULA for InstaFinder

The more malicious or insidious spyware programs don’t even provide the courtesy of notifying you through a EULA, though. They simply install themselves as a part of, or in addition to, some other software you install...

make the advertising more intelligent, or targeted, to what the user might actually be interested in. By tracking the Web sites the user visits and logging the types of things the user is interested in, vendors can customize their ads to target the user and hopefully generate more business than random ads would.

How Adware Works

The original concept of adware is much purer and does not include the questionable...
drop in performance

Why Spyware Is Not a “Virus”

Spyware differs from a virus primarily from the standpoint that it does not replicate or propagate on its own. By definition, a virus is capable of replicating itself and sending itself out to infect other computers. A spyware application installs only when the user initiates it, either by agreeing to install it through the EULA, by unwittingly installing...

address, or other details that might help them apply for credit in your name or otherwise steal your identity. Having one piece of personal information such as this may not be helpful, but putting a few pieces of information together can help them guess or infer other pieces of information. They can use this type of information inference to pull separate, apparently innocuous information together into a more...

the EULA in its entirety. InstaFinder is an example of an adware or spyware program that does, in fact, explain up front what the software will do. The EULA for InstaFinder (see Figure 1.1), which the user can click on to read before installing the Kazaa Desktop, details the activities the software will do and what the user’s rights are related to the...

she is trying to hook a fish by luring it in with the right bait. When computer attackers go phishing, they are trying to hook a victim using the phishing message as the bait. Phishing is an attempt to lure a user into surrendering their username, password, or other personal and sensitive information, by pretending to be an official request from a legitimate business, most often a large financial institution...

to the phishing scam attacker

Tools & Traps…

Finding the Real Domain

Phishing scams typically use a spoofed Web site to lure their victims. How can you tell whether the Web site you are visiting is really the Web site you think it is?
First, never click on links from within an e-mail message to get to the Web site. Leave the e-mail message, open a new Web browser window yourself, and enter the domain...

many other types of intrusions on a host. To compare it to something in the nontechnical world, it would be similar to asking someone for some aspirin, but in return getting acetaminophen, ibuprofen, or some other pain reliever. In this chapter, we are going to set aside a number of pages to pull back from this grouping of concepts. As such, we will define what spyware is and compare and contrast it against...

However, the misspelling of the word “place” as “palce” is one hint that the message is not legitimate. Hovering your mouse over the URL link will also display the true URL behind the link in most browsers.

TKO NOTICE: eBay Registration Suspension
Dear eBay Member,
We regret to inform you that your eBay account has been suspended due to the violation of our site policy below: False or missing contact information...

periodically so that the thief can review it for any useful information. If you have accessed your bank account or other sensitive Web sites, the keystroke logger will capture your username and password, allowing the thief to log in and remove all of your money. Even if the thief does not get the user credentials necessary to drain your checking account, they may gather other information such as the names of ...

Date posted: 25/03/2014, 11:10
