Spy Wars

TREAT YOUR COMPUTER AS YOU TREAT your car. If you replace your aging brakes and tires before they fail, it’ll save you a lot of money and frustration in the long run.

Randy Williams, MIS director at Victoria Independent School District in Victoria, Texas, thought that was a reasonable way to explain why staff and faculty should check regularly for updates to the antivirus and antispyware tools his team had installed during the summer. The response, though, wasn’t what he had imagined.

“A lot of them said they don’t change the oil in their cars, so why should they do maintenance on their computers,” Williams says. “Using the car analogy didn’t seem to catch on.”

With seven technicians managing a 4,500-computer network, it was impossible for Williams’ team to update every machine manually. As a result, they’d wind up with about 35 calls a week from teachers who couldn’t get online to access their Web-based grade books and from staff whose computers wouldn’t even boot up.

The culprit was clear: spyware, stealth software that downloads onto unsuspecting victims’ computers and sends information back to its creators. Spyware can slow computer performance, cause frequent system crashes or, in the case of adware (a category of spyware), produce out-of-control pop-up ads.

Once downloaded, spyware programs are hard to remove because they contain so many pieces, warns spyware researcher Eric Howes, who analyzes antispyware tools and posts the information on SpywareWarrior.com. “They just litter the system with all sorts of files and registry data,” he says. If not cleaned entirely, the programs can resuscitate themselves. “You can have 100 files, and you can remove 99, but if you miss that one, [the spyware problem] comes back.”

Schools are learning very quickly that it takes an arsenal of tools and a lot of due diligence to stem the tide of spyware, including software, end-user education and strict policies.

“Spyware is constantly changing,” warns Peter Firstbrook, an IT security analyst at Gartner, a Stamford, Conn.-based research firm. “This is an arms race.”

All Hands on Deck

Last fall, some unusual traffic patterns appeared on the network at Saint Stephen’s Episcopal School in Bradenton, Fla. Computers were timing out while trying to connect to the Internet. Using a network analysis tool, the school’s three-person technology team discovered that the bulk of the traffic was originating from a computer lab with 21 machines.

Inside the lab, thousands of spyware and adware programs were replicating themselves. One machine was infected with 1,500 spyware programs, recalls David Snodgress, director of technology and media services. The programs were also communicating back and forth with the companies that created them.

His team cordoned off the lab from the rest of the network, and the traffic levels dropped substantially. “We got it fast enough,” Snodgress says. The team cleaned the lab in about a day and a half using Spybot-Search & Destroy and Ad-Aware, two freeware products that detect and remove spyware.

“It was a slow process because no matter how good the spyware or adware [cleaner] is, it always misses something, and then you have to find a manual fix,” Snodgress explains.

One fix involves deleting programs in the directory, but you need to know what you’re doing or you may delete needed files. In many cases, the spyware runs as a process in the operating system, so the infected computers have to be put into safe mode before running the utilities.

Prior to the outbreak, the school had been using spyware detectors, but the definitions hadn’t been updated in a while. “We weren’t paying attention when it happened,” Snodgress admits. “We’ve become a lot more aware of [spyware] because of that.”

Their best guess was that students picked up the spyware from game sites loaded with pop-up ads offering free MP3 downloads. As a result, Snodgress’ team blocked the gaming site category on the school’s content filter and started updating definitions about once every two to three weeks.

Snodgress plans to try a year's subscription to Symantec’s AntiVirus Corporate Edition. The latest edition, released earlier this year, includes enhanced protection from spyware and adware. He likes the idea of managing the spyware utility centrally, which he can’t do with the freeware tools.

Snodgress says his most successful antispyware strategy has involved implementing the Firefox Web browser from Mozilla Foundation. Many spyware programs were designed to expose flaws in Internet Explorer, so Snodgress hides all traces of that browser and encourages users to try Firefox instead. However, some Web sites are compatible only with Microsoft browsers, so he hasn’t completely eliminated Internet Explorer from the network. “Internet Explorer’s always there if I need it,” Snodgress adds.

For schools that have standardized on Internet Explorer, the Windows XP Service Pack 2 addresses many of the flaws, and Microsoft has released a free beta antispyware tool for Windows.

Building an Arsenal

Using a variety of tools makes sense, says antispyware analyst Howes. In some cases, new policies or configurations can help. For instance, by creating limited user accounts instead of giving end users administrative privileges, schools can stop spyware in its tracks.

On many networks, users can install software, modify the registry and change settings. “That’s very convenient, but if you can do it, every [piece of] software that gets installed on your computer also can do it,” says Howes.

He suggests tightly configuring firewalls and using automatic software updates. Some schools may even consider a gateway solution, which can help filter out unwanted sites. There are dedicated spyware gateway solutions, but they’re still fairly basic, says Howes.

“No solution is 100 percent,” Howes adds. “You’re always going to need a layered approach.”

Teach the Teachers

Internet surfers encounter limitless temptations, visiting dubious sites, and downloading smiley faces, songs or weather reports with reckless abandon. They may even be enticed by ads offering free spyware scans to ensure their computers aren’t infected. Such offers are often a source of spyware.

In October 2004, America Online and the National Cyber Security Alliance, a Washington, D.C.-based nonprofit group that teaches safe online practices, surveyed 329 home users, and 73 percent said they felt their computer was “very safe” or “somewhat safe” from viruses. However, scans of the respondents’ machines found spyware or adware on 80 percent of them.

At Saint Stephens, Snodgress has held workshops so staff could look out for signs of spyware, especially in student labs. His team also advises them to use antispyware products if their computers experience problems.

Many people who had thought their computers were just getting old were amazed when spyware scans turned up hundreds or thousands of instances of spyware. When they cleaned them, they’d wind up with like-new computers, says Snodgress.

At Victoria Independent School District, Williams recognizes the value of educating end users, but points out that “teachers want to teach. They don’t want to be messing with their computers.”

Another challenge is that the average age of computers in the Victoria district is six years, and many are still running on Windows 95 and 98.

In the last few years, Williams’ team has focused on getting the infrastructure in place and improving bandwidth so he can centrally perform software installations and upgrades. The district is now in the process of implementing Computer Associate’s eTrust PestPatrol Anti-Spyware for the enterprise, which has centralized management capabilities.

Snodgress thinks that the market will soon get a handle on spyware as we know it today. However, he is convinced this is just the first of many generations. “We’re going to invest a lot of money in spyware-filtering software,” Snodgress predicts, “and then someone’s going to come out with something new that’s going to completely circumvent it.”