IDS mailing list archives
RE: IPS Blocking Spyware?
From: "David Endler" <dendler () tippingpoint com>
Date: Sat, 4 Dec 2004 12:51:42 -0600
Hi Jerry,

I am the director of the Digital Vaccine group within TippingPoint. TippingPoint's UnityOne IPS stops installations of certain known and unknown spyware, as well as detecting and/or blocking the information transfer between pre-infected hosts and spyware servers. I'll offer a little detail behind our approach.

The majority of today's spyware is silently installed with other software (e.g. Kazaa) or through Internet sites leveraging IE ActiveX controls, Browser Helper Objects (BHO), security holes in the browser itself, and obfuscation with browser and HTML tricks. The UnityOne blocks only those HTTP sessions that indicate a spyware installation attempt by filtering through to the unique ActiveX and BHO CLSIDs that we've researched. We prioritized our initial coverage around the top offenders based on the quarterly spyware audit reports of Webroot and Earthlink and have since continued to release updates each week. We've also recently seen a surge in sites taking advantage of the latest IE vulnerabilities to install spyware, specifically the IE iframe and IE CHM redirection vulnerabilities; the UnityOne also blocks these types of exploitation attempts, as you would expect from an IPS. Spyware installation is also facilitated by a slew of other suspicious HTML acrobatics that you can block according to your organization's security policy and stance.

Detecting the phone-home communications from spyware is useful for tracking down infected systems to apply desktop cleaners. These filters tend to be very specific to each spyware's modus operandi. Unfortunately not all IT groups have ownership of all of the computers within their network (e.g. ISPs, universities, etc.). For these customers, simply blocking the spyware chatter alone often proves to be a nice reclamation of network bandwidth and almost always eases the strain on proxy servers. We also prioritized this set of filters around the Webroot and Earthlink studies.
We've received a very positive reaction from our customers so far. If you would like more information please feel free to contact me directly.

-dave

-----Original Message-----
From: Murtland, Jerry [mailto:MurtlandJ () Grangeinsurance com]
Sent: Friday, December 03, 2004 8:16 AM
To: 'Maynor, David (ISS Atlanta)'; Ron; focus-ids () securityfocus com
Subject: RE: IPS Blocking Spyware?

The better question is how/where does it stop the spyware? You can have companies stop spyware from communicating your information to external web servers via HTTP all day long with a strongly maintained web filter, but if you don't stop it from installing on your systems, you're chasing your tail! I have yet to see a product that is able to stop it from actually being installed, and yes, I'm aware of disabling ActiveX. But if a company uses ActiveX in some of their web apps, what can they do? I see it as more of a file search tool, which means it's still reactive and would be as maintenance intensive as .dat/.nav file updates. Some companies boast that their product can stop spyware; well, I can't speak for Tipping Point, but if they don't stop it from being installed, they haven't stopped it.

Jerry

-----Original Message-----
From: Maynor, David (ISS Atlanta) [mailto:dmaynor () iss net]
Sent: Thursday, December 02, 2004 9:56 AM
To: Ron; focus-ids () securityfocus com
Subject: RE: IPS Blocking Spyware?
Importance: Low

I could be wrong but if memory serves me correctly TippingPoint has rules for 28 pieces of spyware. Double check with a sales rep, but that number is stuck in my head for some reason.

-----Original Message-----
From: Ron [mailto:iago () valhallalegends com]
Sent: Tuesday, November 30, 2004 11:36 AM
To: focus-ids () securityfocus com
Subject: IPS Blocking Spyware?

I've recently heard that Tipping Point's IPS appliance now blocks spyware programs. Has anybody else heard this / experimented with this?

Thanks!
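As an added illustration of the CLSID-based HTTP filtering David describes (example code written for this page, not TippingPoint's Digital Vaccine filters), the check below inspects an HTTP response body for `<object>` tags whose `classid` is on a blocklist and reports which identifiers matched. The blocklist entries and sample pages are constructed placeholders, not the CLSIDs or sites of any real spyware.

```python
import re

# Constructed blocklist of ActiveX/BHO class identifiers, for illustration only.
# These are placeholder GUIDs, not the CLSIDs of any real spyware package.
BLOCKED_CLSIDS = {
    "00000000-1111-2222-3333-444444444444",
    "deadbeef-0000-0000-0000-000000000001",
}

# Matches classid="clsid:{...}" or classid=clsid:... inside <object> tags.
# Case-insensitive, braces and quotes optional, so trivial formatting
# variations in the page do not slip past the check.
_CLSID_RE = re.compile(
    r"""<object[^>]*\bclassid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?""",
    re.IGNORECASE,
)


def extract_clsids(html: str) -> list[str]:
    """Return the lower-cased CLSIDs referenced by <object> tags in an HTML body."""
    return [m.lower() for m in _CLSID_RE.findall(html)]


def inspect_response(html: str) -> dict:
    """Decide whether an HTTP response body should be blocked.

    The matched CLSIDs are returned so an operator can see why a session
    was dropped rather than just that it was.
    """
    found = extract_clsids(html)
    hits = sorted(set(found) & BLOCKED_CLSIDS)
    return {"block": bool(hits), "matched": hits, "seen": found}


# Constructed sample response bodies, not captured traffic.
SAMPLE_INSTALLER = """<html><body>
<OBJECT classid="clsid:{DEADBEEF-0000-0000-0000-000000000001}"
 codebase="http://example.invalid/installer.cab#version=1,0,0,1"></OBJECT>
</body></html>"""

SAMPLE_BENIGN = """<html><body>
<object classid="clsid:{12345678-9abc-def0-1234-56789abcdef0}"></object>
</body></html>"""

if __name__ == "__main__":
    for name, body in (("installer", SAMPLE_INSTALLER), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_response(body))
```

A production filter would also have to reassemble the HTTP stream and decode any content encoding before matching, which this standalone check leaves out.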
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- IPS Blocking Spyware? Ron (Dec 01)
- <Possible follow-ups>
- RE: IPS Blocking Spyware? Maynor, David (ISS Atlanta) (Dec 02)
- RE: IPS Blocking Spyware? Murtland, Jerry (Dec 03)
- Re: IPS Blocking Spyware? Darren Rogers Mailing Lists (Dec 06)
- Re: IPS Blocking Spyware? Kevin (Dec 07)
- RE: IPS Blocking Spyware? David Endler (Dec 06)