Internet.com ISP-Planet

 


Scrubbing Servers with PestPatrol

Viruses have become so common that few ISPs or enterprises would consider turning up a public server without protection. Unfortunately, virulent e-mail is not the only type of pesky pest to worry about.

by Lisa Phifer
Vice President of Core Competence, Inc.
[June 14, 2002]

Anti-virus products scan disk boot sectors, files and messages for viruses, worms and macros—malicious executables that spread by replication. For example, W32Klez is a mass-mailing worm that replicates by using the Windows address book to send mail using its own SMTP engine. Nimda compromised Microsoft IIS to download itself to Website visitors, open file shares, and create guest accounts. Viruses like these range from resource-wasting nuisance to serious threat—unfortunately, they are not the only pests to worry about.

Patrolling for pests
PestPatrol, a two-year-old start-up located in Carlisle, Pa., classifies non-viral (non-self-replicating) infestations as "pests." Some pests—notably trojans and worms—are detected by traditional anti-virus products, but others are not. PestPatrol's desktop scanner complements traditional anti-virus software by detecting worms, remote administration trojans, denial of service agents, hacker tools, spyware, and cookies that compromise user privacy. Currently, PestPatrol scans for 44,157 pests in 9,994 "families", summarized online.

A trojan is malicious code masquerading as something harmless, like a joke or screen saver. For example, the BackOrifice remote administration trojan (RAT) installs a stealth server that gives a remote client complete control over the infected system. Trojans like SubSeven and UseNet have been known to crash systems, delete, modify or send files to an attacker, and capture keystrokes (including passwords).

Distributed denial-of-service (DDoS) agents are attack programs designed to cripple another system or network, preventing the victim from performing its job. The Stacheldraht DDoS tool that hit several big sites in early 2000 used RPC to exploit an snmpXdmid vulnerability. Compromised UNIX and Linux hosts across the globe became zombies, launching flood attacks against Yahoo, eBay, and Amazon on request from a master controller.

Hacker tools include password crackers, port scanners, flood generators, sniffers, mail bombers, and virus or trojan creation tools. Discovering one of these tools where you don't expect it is a wake-up call—the infected system has probably been compromised and further investigation is warranted.

Spyware programs like Radiate open back channels: unauthorized outbound connections that "phone home" data about systems, users, and Internet activity. Adware compromises privacy with consent; Spyware does so without explicit approval. Installers for purposeful programs like CuteFTP, Gator, and MP3 Downloader infest systems with these pests. Because few of us bother to read license fine print, the distinction between Adware and Spyware is a moot point for many end users.

Cookies are data tokens, implanted as you surf the Web. They can productively preserve session state between site visits. They can also record sensitive data that you would rather not have stored anywhere. SexTracker and DoubleClick are considered Spyware cookies because they are used by multiple sites, allowing one site to learn about activity that occurred when you visited another site. If this breach of privacy bothers you, PestPatrol can delete these cookies and suggest how to squash them for good.
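
The cross-site tracking described above, as an added example (not from the original article and not PestPatrol's code): given a constructed list of Set-Cookie observations, it reports cookies that are scoped to a domain other than the visited site and that recur across multiple sites. All host names are made up, and treating the last two labels as the registrable domain is a simplifying assumption.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample: (host of the page being visited, host that sent the
# response, raw Set-Cookie header value). All names are made up.
OBSERVATIONS = [
    ("www.news.example", "www.news.example", "session=a1; Path=/"),
    ("www.news.example", "ads.tracker.example", "uid=777; Domain=.tracker.example; Path=/"),
    ("www.shop.example", "www.shop.example", "cart=42; Path=/"),
    ("www.shop.example", "img.tracker.example", "uid=777; Domain=.tracker.example; Path=/"),
    ("www.shop.example", "cdn.widgets.example", "pref=dark; Path=/"),
]


def site_of(host):
    """Naive registrable domain: the last two labels (assumption; production
    code should consult the Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def cookie_scopes(response_host, header):
    """Yield (cookie name, domain the cookie is scoped to) for one header."""
    jar = SimpleCookie()
    jar.load(header)
    for name, morsel in jar.items():
        # No Domain attribute means the cookie is scoped to the sending host.
        yield name, site_of(morsel["domain"] or response_host)


def cross_site_cookies(observations, min_sites=2):
    """Map each third-party cookie (domain, name) to the visited sites on
    which it was set, keeping only cookies seen on at least min_sites sites."""
    seen = defaultdict(set)
    for page_host, response_host, header in observations:
        for name, scope in cookie_scopes(response_host, header):
            if scope != site_of(page_host):  # not the site the user chose to visit
                seen[(scope, name)].add(site_of(page_host))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_sites}


if __name__ == "__main__":
    for (domain, name), sites in cross_site_cookies(OBSERVATIONS).items():
        print(f"{name}@{domain} seen across: {', '.join(sites)}")
```

Lowering `min_sites` to 1 lists every third-party cookie, including those seen on only one site so far.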

Why ISPs should care about pests
PestPatrol finds trojans like SubSeven and worms like Sircam—but so do anti-virus solutions from Symantec, McAfee, and others. How do these products compare? According to a PestPatrol-sponsored competitive test by NSTL, PestPatrol offers broader detection—especially for hacker tools, DDoS agents, and Spyware. Other vendors might quibble about percentages; success rates clearly depend on the testbed. However, the important question is really this: Are the extra pests detected by PestPatrol important to your ISP business?

At the 2002 ISP Business Expo in April, Pete Cafarchio, PestPatrol vice president of business development, explained how service providers can benefit from pursuing these pests, both internally and externally.

ISPs can use PestPatrol, in conjunction with anti-virus software, to better defend customer server farms, their own production servers, and employee desktops. DDoS attacks, launched from inside or out, disrupt business, resulting in lost revenue and customer dissatisfaction. Cafarchio cited CloudNine Communications as one dire example—a British ISP that was literally "hacked out of existence" in January this year.

Chuck Russell, Senior Partner at Collective Intelligence, an application service provider (ASP) based in Harrisburg, Pa., echoed this concern. "Customer satisfaction is our primary business driver for using PestPatrol," said Russell. "We need to deliver appropriate quality and level of service, but you can't do either if your clients are worried about security. Credibility and integrity are everything—when it comes to confidence, you have one shot at getting it, but a lot of chances to lose it. PestPatrol is one of the tools we use to ensure that we're addressing attack risks—not just for ourselves, but for our clients."
