IDS mailing list archives

RE: IPS Blocking Spyware?


From: "David Endler" <dendler () tippingpoint com>
Date: Sat, 4 Dec 2004 12:51:42 -0600

Hi Jerry,

I am the director of the Digital Vaccine group within TippingPoint. 

TippingPoint's UnityOne IPS stops installations of certain known and
unknown spyware, as well as detecting and/or blocking the information
transfer between pre-infected hosts and spyware servers.  I'll offer a
little detail behind our approach.

The majority of today's spyware is silently installed with other
software (e.g. Kazaa) or through Internet sites leveraging IE ActiveX
controls, Browser Helper Objects (BHO), security holes in the browser
itself, and obfuscation with browser and html tricks.  

The UnityOne blocks only those HTTP sessions that indicate a spyware
installation attempt by filtering through to the unique ActiveX and BHO
CLSIDs that we've researched. We prioritized our initial coverage around
the top offenders based on the quarterly spyware audit reports of
Webroot and Earthlink and since continue to release updates each week.

We've also recently seen a surge in sites taking advantage of the latest
IE vulnerabilities to install spyware, specifically the IE iframe and IE
CHM redirection vulnerabilities - the UnityOne also blocks these types
of exploitation attempts as you would expect from an IPS.  Spyware
installation is also facilitated by a slew of other suspicious HTML
acrobatics that you can block according to your organization's security
policy and stance.

Detecting the phone-home communications from spyware is useful for
tracking down infected systems to apply desktop cleaners.  These filters
tend to be very specific to each spyware's modus operandi.
Unfortunately not all IT groups have ownership of all of the computers
within their network (e.g. ISP, universities, etc.).  For these
customers, simply blocking the spyware chatter alone often proves to be
a nice reclamation of network bandwidth and almost always eases the
strain on proxy servers.  We also prioritized this set of filters
around the Webroot and Earthlink studies.

We've received a very positive reaction from our customers so far.  If
you would like more information please feel free to contact me directly.

-dave 
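
The CLSID-based HTTP filtering David describes above, as an added illustration (not TippingPoint's code): a Python check that pulls ActiveX <object> references out of an HTTP response body and matches the classid against a denylist. The CLSIDs, labels and sample HTML are constructed placeholders, not real spyware identifiers.

```python
import re
from typing import Dict, List

# Constructed placeholder CLSIDs standing in for a researched denylist of
# spyware ActiveX/BHO control ids. These are NOT real identifiers.
KNOWN_SPYWARE_CLSIDS = {
    "11111111-2222-3333-4444-555555555555": "example-bho-installer",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "example-toolbar-activex",
}

# Opening <object ...> tags only; [^>]* stops at the end of the tag.
_OBJECT_RE = re.compile(r"<object\b[^>]*>", re.IGNORECASE | re.DOTALL)
# classid="clsid:{GUID}" in any case, any quoting, braces optional.
_CLASSID_RE = re.compile(
    r"""classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})\}?""", re.IGNORECASE)
# codebase URL the browser would fetch to install the control.
_CODEBASE_RE = re.compile(r"""codebase\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def extract_activex_refs(html: str) -> List[Dict[str, str]]:
    """Return every ActiveX <object> reference in an HTML body, normalised."""
    refs = []
    for tag in _OBJECT_RE.findall(html):
        m = _CLASSID_RE.search(tag)
        if not m:
            continue  # <object> without a classid: not an ActiveX install
        cb = _CODEBASE_RE.search(tag)
        refs.append({"clsid": m.group(1).lower(),
                     "codebase": cb.group(1) if cb else ""})
    return refs


def inspect_response(html: str, denylist=KNOWN_SPYWARE_CLSIDS) -> Dict:
    """Decide whether a response body should be blocked; report each hit."""
    hits = []
    for ref in extract_activex_refs(html):
        label = denylist.get(ref["clsid"])
        if label:
            hits.append({"clsid": ref["clsid"], "label": label,
                         "codebase": ref["codebase"]})
    return {"action": "block" if hits else "allow", "hits": hits}


# Constructed sample response bodies for a stand-alone run.
SAMPLE_BAD = ('<html><body><OBJECT ClassId="CLSID:{11111111-2222-3333-4444-555555555555}"'
              ' CodeBase="http://installer.example/x.cab#version=1,0,0,1"></OBJECT>'
              '</body></html>')
SAMPLE_OK = '<object classid="clsid:99999999-9999-9999-9999-999999999999"></object>'

if __name__ == "__main__":
    print(inspect_response(SAMPLE_BAD))  # action: block, one hit
    print(inspect_response(SAMPLE_OK))   # action: allow, no hits
```

A real filter would also have to see through the "html tricks" David mentions (script-assembled tags, encoded attributes), which this plain-text match does not attempt.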


-----Original Message-----
From: Murtland, Jerry [mailto:MurtlandJ () Grangeinsurance com] 
Sent: Friday, December 03, 2004 8:16 AM
To: 'Maynor, David (ISS Atlanta)'; Ron; focus-ids () securityfocus com
Subject: RE: IPS Blocking Spyware?

The better question is how/where does it stop the spyware?  You can have
companies stop spyware from communicating your information to external
web servers via http all day long with a strongly maintained web filter,
but if you don't stop it from installing on your systems, you're chasing
your tail!
I have yet to see a product that is able to stop it from actually being
installed, and yes, I'm aware of disabling ActiveX.  But if a company
uses ActiveX in some of their web apps, what can they do?  I see it as
more of a file search tool, which means it's still reactive and would be
as maintenance intensive as .dat/.nav file updates.  Some companies
boast that their product can stop spyware, well I can't speak for
Tipping Point, but if they don't stop it from being installed, they
haven't stopped it.

Jerry


-----Original Message-----
From: Maynor, David (ISS Atlanta) [mailto:dmaynor () iss net]
Sent: Thursday, December 02, 2004 9:56 AM
To: Ron; focus-ids () securityfocus com
Subject: RE: IPS Blocking Spyware?
Importance: Low


I could be wrong but if memory serves me correctly TippingPoint has
rules for 28 pieces of spyware. Double check with a sales rep, but that
number is stuck in my head for some reason.

-----Original Message-----
From: Ron [mailto:iago () valhallalegends com]
Sent: Tuesday, November 30, 2004 11:36 AM
To: focus-ids () securityfocus com
Subject: IPS Blocking Spyware?

I've recently heard that Tipping Point's IPS appliance now blocks
spyware programs.  Has anybody else heard this / experimented with this?

Thanks!

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------