Network Security Focus-Virus

RE: Microsoft AntiSpyware falling further behind

Subject: RE: Microsoft AntiSpyware falling further behind
Date: Thu, 27 Oct 2005 10:40:42 -0700
Nathan, et al.,
(Apologies in advance for a lengthy post.) I agree that a proactive
approach is preferred, and a number of different techniques are
available. I believe in multiple layers of defense, and using these, a
majority of spyware/adware/crapware is entirely eliminated. 
 
1) end user education
2) administrator rights
3) setting and locking IE security
4) central DNS- or IP-based blocking
5) workstation registry protection

End User Education 
As with any safe computing practice, good hygiene begins with users.
Users should be taught:
- limit web surfing to work-related sites
- do not accept any offer generated by a web page
- click "no" to unsolicited software installs
- never click an advertisement
- never download or install games or other software
- never modify IE's security settings

US-CERT's tips are great:
http://www.us-cert.gov/cas/tips/ST04-016.html.
 
Our default workstation image includes Internet Explorer security
settings that eliminate most all adware and spyware.  We use custom
security settings, but IE's "High" security setting for the internet
zone will kill most all spyware/adware. (It will also break some web
sites.) 
 
In many cases techs or users modify those settings unnecessarily. Two
practices can avoid this problem:

Administrator Rights 
Users should remain users wherever possible. In general, users have no
need of administrator rights on their workstations, yet in most cases
they are granted these rights. Without administrator rights, new
software can not be installed, and many security settings are off
limits. This reduces the ability of junkware to install, and helps to
protect us from viruses and worms as well.  
 
Setting and Locking IE Security
Keep IE security settings restrictive. Certain IE settings control
most junkware installs ("Run Active-X controls and plug-ins" = disable
or prompt, and "Active Scripting" = disable or prompt, etc.). Those
settings can be applied to users, groups, or specific workstations at
login with GPOs delivered via SMS or other desktop management tools like
Novell's ZENWorks or others. If high security causes problems with
certain websites, users can be allowed to add sites as needed to their
Trusted Zone. 
 
Central DNS- or IP-based Blocking
Most adware and spyware comes from a relatively limited number of
sources. Access to those sources can be blocked centrally by breaking
name resolution for their domains. When a web page includes an element
such as an active-x control that downloads a spyware program, that
element is generally pulled from a different server on a domain such as
1stpagehere.com. When the HTTP request asks the name server to resolve
the name to an IP address, if the IP address returned is invalid
(0.0.0.0), or resolves to the loopback address (127.0.0.1), no
connection is ever established. Blank boxes are seen on web pages
instead of ads (though the content is unaffected), pop-ups never appear,
and active-x controls aren't downloaded.
 
This trick is accomplished one of two ways. Maintained lists of
advertising server names are available in either standard HOSTS file
format, or as DNS zone files. The HOSTS file format can be applied to
our DNS servers, or to our caching proxy. As a zone file, it can be
imported and integrated with our existing DNS services. Either method
would need periodic updating. Both methods are capable of quick
modification for problem resolution. See
http://www.bleedingsnort.com/blackhole-dns/ and
http://www.mvps.org/winhelp2002/hosts.htm for excellent technical
descriptions with links to compiled lists.
 
But junkware sometimes relies on connections to IP addresses, not host
names. Many of those IP addresses are well known (like Gator, for
example), and centrally managed blocking can take place at the perimeter
firewall. See http://www.geocities.com/yosponge/blockips.txt for a
list.
 
Workstation Registry Protection
Lots of spyware installs itself in the registry using very specific and
well-known CLSIDs. The Windows registry has the ability to lock and
protect specified areas, so lists of known spyware CLSIDs have been
compiled into registry files that set a "kill bit" on those keys to lock
them. Later attempts to install the active-x control into a locked
registry key then fail.
 
Registry lock files can be centrally managed and pushed to workstations
at user login by login scripts, SMS, ZENWorks, etc. These locks can be
integrated into the base workstation image provided to users. Lists are
available from:
- http://www.javacoolsoftware.com/spywareblaster.html
- http://www.spywareguide.com/blockfile.php

Finally, for cleaning already affected hosts, a combination of two or
three spyware scanner/cleaner solutions run in safe mode has always
taken care of most any adware.





Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA


It is often easier to not do something dumb than it is to do something
smart.
     -- Marcus Ranum
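The central DNS-blackhole technique described in the post above, as an added example that is not part of the original thread: it parses a HOSTS-format blocklist (the layout of the MVPS list linked above), emits the same names as a named.conf zone fragment for a BIND resolver and as a HOSTS file for a caching proxy, and checks whether a lookup answer is a sinkhole address. The sample list, host names and zone file path are constructed placeholders.

```python
from ipaddress import ip_address

# Constructed HOSTS-format sample in the MVPS layout (not a real list):
# comments, both sinkhole addresses, several names per line, a duplicate.
SAMPLE_HOSTS = """\
# blocklist (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example-adserver.test
0.0.0.0 www.1stpagehere.test   # placeholder, not the real domain
127.0.0.1 tracker.example.test pixel.example.test
0.0.0.0 ads.example-adserver.test
"""

SINKHOLES = {"0.0.0.0", "127.0.0.1"}   # addresses nothing can connect to
KEEP = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Return the sorted, de-duplicated host names a HOSTS-format list blocks."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLES:
            continue                          # a real mapping, not a block entry
        blocked.update(n.lower() for n in names if n.lower() not in KEEP)
    return sorted(blocked)

def to_bind_zones(names, zone_file="/etc/bind/blackhole.db"):
    """named.conf fragment: the server becomes authoritative for each blocked
    name and answers from one shared zone file whose records point at 0.0.0.0."""
    return "\n".join(
        f'zone "{n}" {{ type master; file "{zone_file}"; }};' for n in names)

def to_hosts_file(names, sink="0.0.0.0"):
    """The same names back in HOSTS format, e.g. for a caching proxy host."""
    return "\n".join(f"{sink} {n}" for n in names)

def is_sinkholed(resolved_ip):
    """True when a lookup answer is an address no connection can reach."""
    ip = ip_address(resolved_ip)
    return ip.is_unspecified or ip.is_loopback

if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    print(to_bind_zones(blocked))
    print(to_hosts_file(blocked))
```

Either output still needs the periodic refresh the post mentions; regenerating from the updated list and reloading the resolver is the whole update step.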

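The registry kill bit described in the post above, as an added example (not the post's own material): it generates a .reg file that sets the IE kill bit (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility key) for a list of CLSIDs, and parses such a file back to confirm which CLSIDs are actually locked. The CLSIDs are constructed placeholders, not real spyware controls.

```python
import re

# Constructed CLSIDs (placeholders, not real spyware controls).
SAMPLE_CLSIDS = [
    "{00000000-0000-0000-0000-000000000001}",
    "00000000-0000-0000-0000-000000000002",    # braces are added on the way out
]

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
KILL_BIT = 0x400    # Compatibility Flags bit that stops IE loading the control
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")

def normalize_clsid(clsid):
    """Upper-case the GUID, wrap it in braces, reject anything malformed."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.fullmatch(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c

def killbit_reg(clsids):
    """Build a REGEDIT4 .reg file that sets the kill bit on every CLSID."""
    lines = ["REGEDIT4", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        lines += [f"[{KILLBIT_KEY}\\{c}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\n".join(lines)

def killed_clsids(reg_text):
    """Parse a .reg file and list the CLSIDs whose kill bit is actually set."""
    killed, current = set(), None
    prefix = KILLBIT_KEY + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:                          # new key: remember it only if it is a kill-bit key
            path = key.group(1)
            current = path[len(prefix):] if path.startswith(prefix) else None
            continue
        val = re.fullmatch(r'"Compatibility Flags"=dword:([0-9A-Fa-f]{8})', line)
        if val and current and int(val.group(1), 16) & KILL_BIT:
            killed.add(current)
    return sorted(killed)
```

Pushing the generated file through a login script or SMS (regedit /s) is the deployment step the post describes; the parser is the audit half, for checking a pushed file before it reaches the image.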
"Nathan Kline" <nathank@borisch.com> 10/26/2005 10:53:10 AM >>>

What about the proactive spyware treatment?  Everything that's been
said here is reactive.  I'd rather it not even get on my machine in the
first place.  A couple practices that I personally use are:

1.  Turn on the option to ask me about all cookies, say "yes" only to
the ones needed (most browsers are capable of this in privacy
settings). This can be a little annoying at first because you feel like
you're saying yes and no to every website that you go to ... But after
a while, you don't have to worry about it nearly as much because it
remembers your choices.

2.  Using Firefox instead of IE (I've found this to be one of the most
helpful anti-spyware measures).  Actually READ the EULAs for "free"
software that you install to see if they come bundled with adware /
spyware (sometimes they actually tell you!).

3.  Not saying that reactive treatment is bad, because I do use those
measures as well ... MSAS running and scanning my computer daily as
well as Spybot S&D ... But using the proactive methods that I use, I
will MAYBE get 1 tidbit of adware on my machine a month or so and it's
almost always been easily removed by one of the aforementioned reactive
programs.

Nathan
IS Admin
