Spying on Spyware

A new patent-pending antispyware technology 'listens' for spyware based on its network behavior

A University of Michigan researcher has developed antispyware technology that doesn't try to stop spyware from entering your computer -- it targets it after it's on the machine.

"It's nearly impossible to prevent your computer from being infected with spyware or other malware, especially [if you're] not an expert user," says Kevin Borders, who is now trying to patent the so-called Web Tap technology, which he created as part of his PhD. "So instead of trying to prevent [infection], the goal of Web Tap is to detect spyware once it's gotten into the computer and send out information to a spyware host."

Web Tap can also detect rootkits, which often send information via Web requests, says Borders, president and founder of Web Tap Security, the startup that will market the product. It can also help companies detect an employee leaking sensitive corporate data, he says. But Web Tap doesn't eradicate spyware or rootkits; it leaves the cleanup to host-based malware removal software, and even recommends which tools to use.

Most antispyware packages use signatures to scan for known threats, but Web Tap can detect unknown spyware. It sits at the edge of the network, not in the client, and detects spyware based on outgoing Web traffic. "It looks for general activity characteristics for spyware on the network," says Borders, such as outbound bandwidth in Web requests, or regular visits to certain Websites.

Spyware can be detected by its unusual network behavior, Borders explains. Unlike a typical user browsing an external Website and getting data, "spyware doesn’t need to go get information... It needs to send [the user's] personal information away from the Web server."

Anomaly detection accuracy in IDS/IPS products has been spotty, notes Jeremiah Grossman, CTO of White Hat Security. "It's possible Web Tap found a better way to identify spyware at the HTTP layer versus looking at the network generically."

But Randy Abrams, director of technical education for antivirus vendor Eset, says the trouble with Web Tap's approach is that not all spyware programs send large amounts of data.

"I think this type of approach may have the potential for good application to threats such as bot-infected machines, but not for a lot of spyware," Abrams says. "Many spyware programs send relatively little data compared to streaming video, music, and pictures. Bot-infected machines that are used to send spam, DDOS, or host porn seem more likely candidates for this type of approach."

So how does Web Tap differ from an IDS/IPS? It doesn't use signatures, and it doesn't try to catch spyware at the door. "This looks for hosts that are already compromised with spyware. It assumes you're going to get spyware," Borders says. To reduce false positives, Borders says Web Tap plans to add a whitelist function to the software as well, so that you can allow Webmail, for instance, which could otherwise be mistaken for spyware activity.
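The three heuristics the article attributes to Web Tap (outbound-heavy Web requests, visits to the same host at a regular interval, and a whitelist to suppress known uploaders such as Webmail) can be sketched as a small detector over proxy-log records. This is an added illustration, not Web Tap's code; the log lines, host names, and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed proxy log records: (unix_time, client_ip, host, bytes_out, bytes_in).
# Not real traffic; shaped to show the patterns the article describes.
LOG = [
    # ordinary browsing: small requests, large responses, irregular timing
    (0, "10.0.0.5", "news.example.org", 420, 58000),
    (37, "10.0.0.5", "news.example.org", 390, 61000),
    (190, "10.0.0.5", "news.example.org", 410, 44000),
    (241, "10.0.0.5", "news.example.org", 400, 90000),
    # webmail: large uploads, but whitelisted, so it must not alert
    (60, "10.0.0.5", "mail.example.com", 250000, 1200),
    (900, "10.0.0.5", "mail.example.com", 180000, 1300),
    # spyware-like: every 300 s, far more sent than received
    (100, "10.0.0.7", "collector.example.net", 9000, 200),
    (400, "10.0.0.7", "collector.example.net", 8800, 200),
    (700, "10.0.0.7", "collector.example.net", 9100, 210),
    (1000, "10.0.0.7", "collector.example.net", 9050, 200),
]

WHITELIST = {"mail.example.com"}  # hosts allowed to receive bulk uploads


def summarize(log):
    """Group requests by (client, host); compute outbound byte ratio and timing regularity."""
    groups = defaultdict(list)
    for ts, client, host, out_b, in_b in log:
        groups[(client, host)].append((ts, out_b, in_b))
    summary = {}
    for key, rows in groups.items():
        rows.sort()
        out_total = sum(r[1] for r in rows)
        in_total = sum(r[2] for r in rows)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        # coefficient of variation of inter-request gaps: near 0 means a fixed interval
        cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) >= 2 else None
        summary[key] = {"requests": len(rows),
                        "out_ratio": out_total / (out_total + in_total),
                        "gap_cv": cv}
    return summary


def detect(log, whitelist=WHITELIST, min_requests=3, ratio_threshold=0.8, cv_threshold=0.2):
    """Return (client, host, reason) alerts for non-whitelisted hosts that look like exfiltration."""
    alerts = []
    for (client, host), s in summarize(log).items():
        if host in whitelist or s["requests"] < min_requests:
            continue
        reasons = []
        if s["out_ratio"] >= ratio_threshold:
            reasons.append(f"outbound-heavy ({s['out_ratio']:.0%} of bytes sent)")
        if s["gap_cv"] is not None and s["gap_cv"] <= cv_threshold:
            reasons.append(f"regular interval (gap CV {s['gap_cv']:.2f})")
        if reasons:
            alerts.append((client, host, "; ".join(reasons)))
    return alerts
```

Abrams's objection applies directly here: a spyware program that sends a few hundred bytes per beacon would pass the byte-ratio check and be caught, if at all, only by the timing heuristic.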

Web Tap Security is currently offering free beta versions of Web Tap Enterprise and Web Tap Personal that find and alert users to spyware, but don't yet provide recommendations for how to eradicate it. Both run on Windows, but Web Tap plans to add Fedora Core 4 and 5 versions, as well as a virtual appliance that runs on VMware.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
