
Combating Spyware in the Enterprise PDF

406 Pages·2006·7.993 MB·English

Preview Combating Spyware in the Enterprise

374_Spyware_FM.qxd 6/30/06 4:47 PM Page i

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at [email protected] for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.
Combating Spyware in the Enterprise

Brian Baskin
Ken Caruso
Tony Bradley
Paul Piccard
Jeremy Faircloth
Lance James
Craig A. Schiller
Tony Piltzecker Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   387GGDWW29
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Combating Spyware in the Enterprise
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0
ISBN: 1-59749-064-4

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Erin Heffernan
Copy Editor: Audrey Doyle
Technical Editor: Tony Piltzecker
Indexer: Odessa&Cie
Cover Designer: Michael Kavish

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, and Karen Montgomery.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor

Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System, is a Consulting Engineer for Networked Information Systems in Woburn, MA. He is also a contributor to How to Cheat at Managing Microsoft Operations Manager 2005 (Syngress, ISBN: 1597492515).

Tony’s specialties include network security design, Microsoft operating system and applications architecture, as well as Cisco IP Telephony implementations. Tony’s background includes positions as IT Manager for SynQor Inc., Network Architect for Planning Systems, Inc., and Senior Networking Consultant with Integrated Information Systems. Along with his various certifications, Tony holds a bachelor’s degree in Business Administration. Tony currently resides in Leominster, MA, with his wife, Melanie, and his daughters, Kaitlyn and Noelle.
Contributors

Brian Baskin (MCP, CTT+) is a researcher and developer for Computer Sciences Corporation. In his work he researches, develops, and instructs computer forensic techniques for members of the government, military, and law enforcement. Brian currently specializes in Linux/Solaris intrusion investigations, as well as in-depth analysis of various network protocols. He also has a penchant for penetration testing and is currently developing and teaching basic exploitation techniques for clients. Brian has been developing and instructing computer security courses since 2000, including presentations and training courses at the annual Department of Defense Cyber Crime Conference. He is an avid amateur programmer in many languages, beginning when his father purchased QuickC for him when he was 11, and has geared much of his life around the implementations of technology. He has also been an avid Linux user since 1994, and he enjoys a relaxing terminal screen whenever he can. He has worked in networking environments for many years from small Novell networks to large Windows-based networks for a number of the largest stock exchanges in the United States.

Brian would like to thank his wife and family for their continued support and motivation, as well as his friends and others who have helped him along the way: j0hnny Long, Grumpy Andy, En”Ron”, “Ranta, Don”, Thane, “Pappy”, “M”, Steve O., Al Evans, Chris pwnbbq, Koko, and others whom he may have forgotten. Most importantly, Brian would like to thank his parents for their continuous faith and sacrifice to help him achieve his dreams.
Brian wrote Chapter 5 (Solutions for the End User) and Chapter 6 (Forensic Detection and Removal)

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/Network Security and writes frequently for many technical publications and Web sites.

I want to thank my Sunshine for everything she has done for me, and everything she does for me and for our family each day. She is the glue that holds us together and the engine that drives us forward. I also want to thank Erin Heffernan and Jaime Quigley for their patience and support as I worked to complete my contributions to this book. Lastly, I want to thank Syngress for inviting me to participate on this project.

Tony wrote Chapter 1 (An Overview of Spyware) and Chapter 2 (The Transformation of Spyware)

Jeremy Faircloth (Security+, CCNA, MCSE, MCP+I, A+, etc.) is an IT Manager for EchoStar Satellite L.L.C., where he and his team architect and maintain enterprisewide client/server and Web-based technologies. He also acts as a technical resource for other IT professionals, using his expertise to help others expand their knowledge.
As a systems engineer with over 13 years of real-world IT experience, he has become an expert in many areas, including Web development, database administration, enterprise security, network design, and project management. Jeremy has contributed to several Syngress books, including Microsoft Log Parser Toolkit (Syngress, ISBN: 1932266526), Managing and Securing a Cisco SWAN (ISBN: 1-932266-91-7), C# for Java Programmers (ISBN: 1-931836-54-X), Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4), and Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8).

Jeremy wrote Chapter 3 (Spyware and the Enterprise Network)

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig is also a contributor to Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792). Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.

Craig wrote Chapter 4 (Real SPYware—Crime, Economic Espionage, and Espionage)

Ken Caruso is a Senior Systems Engineer for Serials Solutions, a Pro Quest company. Serials Solutions empowers librarians and enables their patrons by helping them get the most value out of their electronic serials. Ken plays a key role in the design and engineering of mission-critical customer-facing systems and networks. Previous to this position, Ken has worked at Alteon, a Boeing Company, Elevenwireless, and Digital Equipment Corporation.
Ken’s expertise includes wireless networking, digital security, and design and implementation of mission-critical systems. Outside of the corporate sector Ken is cofounder of Seattlewireless.net, one of the first community wireless networking projects in the U.S. Ken is a contributor to OS X for Hackers at Heart (Syngress, ISBN: 1597490407). Ken studied Computer Science at Daniel Webster College and is a member of The Shmoo Group of Security Professionals. Ken has been invited to speak at many technology and security events, including but not limited to Defcon, San Diego Telecom Council, Society of Broadcast Engineers, and CPSR: Shaping the Network Society.

Ken wrote Chapter 7 (Dealing with Spyware in a non-Microsoft World)

Paul Piccard serves as Director of Threat Research for Webroot, where he focuses on research and development, and provides early identification, warning, and response services to Webroot customers. Prior to joining Webroot, Piccard was manager of Internet Security Systems’ Global Threat Operations Center. This state-of-the-art detection and analysis facility maintains a constant global view of Internet threats and is responsible for tracking and analyzing hackers, malicious Internet activity, and global Internet security threats on four continents.
