
SDK Whitepaper


SDK whitepaper targeted towards IT decision makers for anti-spyware SDK product.


Aluria Software • 851 Trafalgar Court, Suite 200 • Maitland, Florida 32751 • 1.888.627.4650

Spyware Is Everywhere: A Multi-Layered Solution Is Your Best Defense

Introduction

Spyware is everywhere, and both corporate and home users are faced with protecting against a host of malicious threats that attack multiple entry points and cause critical and costly security breaches. The spyware threat is here to stay—a billion dollar industry, spyware developers and corporate sponsors are raking in the revenue, tracking user habits and harvesting personal information for monetary gain. Determined to protect their investment, these entities pour millions into developing newer, harder-to-remove spyware varieties that employ sophisticated mechanisms to evade detection and removal while attacking networks and desktops at numerous entry points.

Because spyware attacks are inevitable by design, multi-layered protection that includes perimeter, on-demand remediation and kernel-level prevention components is essential for protecting all entry points against threats that cause harm. Deploying anti-spyware at the perimeter blocks spyware in real time from infiltrating the network and secures the threat conduit to the outside world, effectively stopping threats from entering the network and infecting computers. Desktop-level protection remediates existing spyware on systems and protects desktops, servers, and laptops from threats that infiltrate via internal entry points. Kernel-level prevention blocks malicious code in real time, proactively preventing spyware from being installed in the first place.

The Aluria family of protection SDKs contains all the functionality needed for a robust and flexible multi-layered gateway, desktop, or dual-purpose spyware detection and removal solution. Aluria Gateway Protection SDK™ stops spyware before it even enters the network, well before it reaches its intended desktop target. Aluria Desktop/Server Protection SDK™ allows users in both business and home environments to scan and remove spyware already on the desktop and includes preventative blocking that stops inbound spyware from installing to begin with. Aluria’s two individual but equally effective anti-spyware SDKs can be deployed separately or together to provide comprehensive protection against fast-evolving spyware threats.

Spyware Is the Number One Internet Threat

Threat motivation

Since the early days of the Internet there have been those who abuse it for malicious purposes. Early on, viruses were the scourge of the World Wide Web. Written solely for the personal gratification of their authors, viruses were designed to out-do other viruses and became widespread in their infamy. Today viruses have been eclipsed by a threat whose motivation is financial: marketers use spyware to track and influence customer buying behavior, while criminals use spyware to steal any private or sensitive data—customer information, passwords, bank account numbers, etc.—that will benefit them financially. Now a billion dollar industry, spyware has, analysts report, replaced viruses as the greatest Internet security threat affecting corporations and end-users worldwide. Unlike viruses, spyware is designed to harvest sensitive data for purposes of revenue generation; as such it installs and operates quietly and is funded by corporate backers with deep pockets.

Designed for stealth, spyware’s motivation is reflected in its behaviors. To achieve its objective of harvesting information, spyware—unlike viruses that disrupt and draw attention—is made to avoid detection and removal by incorporating sophisticated stealth technologies. Rootkits, for example, use stealth to create a virtually undetectable installation at the root (or lowest) level of the computer, where they can perform nearly any function, including keylogging and remote access, while keeping processes, registry keys, communication channels, and files hidden from detection. Some spyware programs also include self-repair features to correct any damage caused by removal attempts. The corporate-minded motivation behind spyware development stems from the inexpensive technology’s ability to track user behavior and generate large amounts of advertising revenue. Spyware is a big business, and marketing corporations with access to a myriad of funding and talent continue to develop threats that are increasingly difficult to detect and harder to remove than ever before.

Threat Function

On October 7, 1994, the first occurrence of the term spyware emerged in a Usenet post poking fun at Microsoft’s business model. In 2000, a Zone Labs press release referenced the term in regard to Internet security, and today the most relevant and generally accepted definition of spyware comes from the Anti-Spyware Coalition (an organization made up of public interest groups, trade associations and prominent anti-spyware companies) and reads:

spyware – (spī’· wâr) n. – Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over: a) Material changes that affect their user experience, privacy, or system security; b) Use of their system resources, including what programs are installed on their computers; and/or c) Collection, use, and distribution of their personal or other sensitive information.

In short, spyware refers to various types of undesirable software—i.e., malware, tricklers, keyloggers, trojans, adware, dialers, hijackers, and others—that are surreptitiously installed on a computer without explicit permission for the purpose of collecting information that can be subverted to benefit a third party, financially or otherwise. Typically bundled with freeware or shareware, delivered through e-mail or instant messaging, or installed by someone with administrative access, spyware is said to reside on 90% of Internet-connected computers, according to industry experts. Spyware’s actions range from profiling user activity for targeting advertisements to logging keystrokes to gather passwords and credit card information and/or to perform corporate espionage. Most recently, spyware innovations include blended threats and the aforementioned rootkit installations, sophisticated programs indicative of the level of expertise now being used in spyware attacks. Blended threats—because of their complexity—are particularly insidious, performing many malicious actions, including attacking network vulnerabilities with a combination of techniques that allow unscrupulous third parties to gain unauthorized administrative privileges. These newer behaviors are typically beyond the reach of most anti-spyware remediation schemes and are best stopped before they can install, at the kernel level.

© Copyright 2006. All products are trademarks of Aluria Software, a division of EarthLink, Inc.
In order for spyware to go undetected while performing its core function of harvesting user behaviors and data, these surreptitious applications are designed to install without user knowledge in a variety of ways. Many seemingly innocuous activities can lead to spyware infections. The most common method of transmission involves bundling spyware with otherwise legitimate or desirable applications. This type of piggybacking most often occurs with freeware, whose developers allow the product to be installed free of charge in exchange for the right to harvest and sell user information. In most cases, the user is unaware that s/he has agreed to this arrangement because the request for such authorization is buried deep within the application’s End User License Agreement (EULA) using confusing technical and legal language that few users read, let alone comprehend.

Software installation is only one vector of entry for spyware. Other methods of spyware delivery include “drive-by downloads,” where an HTML link serves as a gateway for the undetected installation of spyware applications. This type of clandestine download typically occurs when a user clicks a link in a spam message, an instant messenger (IM) link, or other unsolicited advertisement. Spyware can also be attached to or embedded in e-mail or instant messenger communications, included as part of an ActiveX installation, or may be deliberately installed by someone with administrative access.

Given that spyware publishers are constantly creating new threats that are increasingly difficult to detect, harder to remove, and easier to inadvertently install than ever before, augmenting existing security strategies to include anti-spyware is a must for those who want to use the Internet safely. Spyware publishers’ specific intent is to circumvent conventional technologies, such as anti-virus and firewall applications, leaving those organizations and individuals who rely on these methods vulnerable to serious risks and costly consequences.

Spyware Risks

While in its earliest incarnations spyware was considered a mere annoyance for computer enthusiasts, today it’s a dangerous and costly threat that affects everyone connected to the Internet. Failing to effectively safeguard against spyware has numerous consequences, including: compromised security of confidential data, loss or destruction of data due to malicious attacks, reduced productivity and computer performance caused by bandwidth and memory drain, and increased tech support burden.
Compromised Security of Confidential Data: Spyware that performs surveillance actions—such as rootkits and keyloggers—allows unauthorized parties to monitor virtually every move made on a network or desktop, granting intruders direct access to highly sensitive information. This risk is of particular concern for organizations that must comply with government information security regulations. In 2005, Sheriff John Whetsel of Oklahoma City reported that an unknown person had planted surveillance software on office computers that contained details about prisoner movements, confidential homeland security updates and private personnel files. It is unknown how long the programs had been monitoring the sensitive law enforcement information. Individuals also suffer from spyware attacks when cyber criminals harvest personal and private information, including passwords, social security numbers, and financial data that can be used for bank account and identity theft.

Loss or Destruction of Data Due To Malicious Attack: Spyware infections increase the vulnerability to data loss by giving attackers the ability to steal or destroy valuable files at will. Corporations looking to safeguard intellectual property need to be cognizant of the connection between spyware and espionage. In March 2006, an Israeli couple was jailed for allegedly selling and installing customized trojan horses that gave rivals access to their competitors’ stolen documents. Individuals need also be aware of spyware’s propensity to corrupt precious data—irreplaceable digital photographs and movies, music and other files can all be lost.

Reduced Productivity and Computer Performance: Sluggish system performance, distraction caused by increased pop-up advertisements, and downtime due to data loss are all byproducts of spyware infections. The constant transmission of stolen information from infected computers to unauthorized sources consumes bandwidth and diminishes network performance. Also, many spyware programs store materials such as unwanted advertisements on the computer’s hard drive. When valuable bandwidth intended for business or personal use is hijacked, networks become clogged and Internet connectivity/Web browsing slows as a result. More than an annoyance, these events reduce the amount of time employees and individuals can spend on valuable projects.
Increased Tech Support Burden: Corporations are expending valuable and costly IT resources in time-consuming efforts to identify and eradicate spyware and to repair the damage caused to individual computers. Michael George, Vice President of Dell Computer’s United States consumer business, stated that more customers are calling Dell Technical Support seeking relief from spyware than for any other technical support issue.

Spyware is evading traditional security measures, causing serious, costly damage to both organizations and individuals. Computer crimes cost businesses an estimated $67 billion a year, according to the 2005 FBI Computer Crime Survey. Individual losses are also significant; in early 2006, Ukrainian hacker Dimitry Ivanovic Golubov was charged with cybercrimes involving financial fraud that included—according to an affidavit from an FBI special agent—the trafficking of “millions of stolen credit card numbers and financial information.” Stolen cards and information are sold to low-level criminals who use them to withdraw cash from ATMs and buy merchandise. For anyone connected to the Internet, finding efficient and effective spyware protection is of paramount concern.

Spyware Prevention and Threat Remedies

Safeguarding business and home environments requires dedicated anti-spyware technology that protects all points of entry and includes advanced kernel-level prevention functionality to completely block future spyware installations.

Perimeter

For network environments, the first step in circumventing spyware is to stop it at the perimeter, before it infiltrates desktop workstations. To do this, an anti-spyware solution must be integrated at the gateway on the network. A proactive anti-spyware solution scans network traffic in real time, searching for suspect programs, files, and data transmissions that exhibit known spyware characteristics. When spyware is detected, an immediate notification occurs to effectively stop the threat in its tracks. To protect those points of entry that are not on the network perimeter, a desktop anti-spyware solution with remediation and real-time, kernel-level prevention is also recommended.

Remediation

The nature of spyware makes infection unavoidable; thus remediation measures that address post-installation infection are tantamount to protecting against the threat. Remediation works by scanning for existing spyware installations and quarantining them inside a computer where they can no longer cause damage; all traces of intrusive code that have been quarantined are blocked from establishing a link back to their source. The limitation of this strategy lies in the fact that spyware must already be present on a computer before protective measures can be taken.

Prevention

Because today’s threats are specifically designed to avoid removal after successful installation, utilizing advanced prevention technologies is a critical component in the fight against spyware. Some anti-spyware offerings are designed to scan systems for existing spyware installations; this reactive response allows spyware to be installed before removal is attempted, which is problematic because many forms of spyware are incredibly difficult to completely remove once installed. A truly proactive approach, on the other hand—one that prevents infection in real time—effectively neutralizes rogue applications as they attempt to write to desktops or file systems, preventing installation altogether.

Polling Versus Real-Time

Generally, there are two approaches to spyware prevention technology—polling and real-time—the latter of which is far superior, as it offers always-on protection while consuming fewer resources.
Polling Prevention

Unable to effectively stop spyware until its processes have already begun, polling-based prevention is a less-than-reliable method for preventing spyware infection. Designed to check systems periodically, polling technology only reacts once spyware launches a process. Thus spyware infection has already occurred by the time the polling solution recognizes the malicious code.

Real-Time Prevention

The advantage of real-time prevention—as opposed to polling—is that malicious code is blocked at the kernel level, before processes ever have a chance to launch. Real-time monitoring means the system is “aware” of every process at all times, constantly prepared to block malicious code from ever executing. By intercepting and neutralizing malicious activity before it writes to the hard drive, real-time methods provide a layer of kernel-level protection that proactively prevents spyware from being installed in the first place.

Anti-Spyware at the Gateway

To protect its multiple entry points from dangerous and destructive spyware, a corporate network must employ a multi-layered anti-spyware strategy that includes perimeter, remediation, and prevention components. A gateway application serves as a network’s first line of defense, providing real-time protection at the perimeter. A desktop solution, equipped with remediation and prevention components, removes existing instances of spyware and protects against attacks that enter via unsecured internal access (by way of a personal laptop or USB storage device, for example).

Anti-Spyware on the Desktop

Combining both remediation and prevention functionality into a single desktop anti-spyware application prevents all risks associated with spyware infections. Regardless of whether securing a network or home environment, reactive scanning allows users to scan and remove spyware already on the desktop, while preventative blocking stops inbound spyware from reaching the desktop in the first place. For businesses and individuals alike, anti-spyware technology that comes complete with remediation and prevention technologies is essential for total threat protection.

The Aluria Solution

The Aluria family of SDKs offers complete multi-layered anti-spyware protection that can be leveraged to rapidly create robust applications for corporate networks and/or individual computers. Two independently engineered SDKs—the Aluria Gateway Protection SDK and the Aluria Desktop/Server SDK—can be implemented separately or can combine for a dual solution that stops spyware from entering a network regardless of point of entry—whether Web, disk, e-mail, network, etc. SDK partners can tailor the SDKs to their specific needs by implementing the original SDK engines and integrating them into an existing framework. The Aluria development team can also help with SDK setup and address partner requests for new features and customizations to our interface, to provide the closest possible fit with implementation requirements. Because the Aluria SDKs require minimal development effort, adopters benefit from a rapid return on investment.

Aluria Gateway Protection SDK

Specially designed to allow rapid deployment of real-time spyware blocking within Linux/UNIX/Windows gateway appliances and products for Internet servers and other gateways, the Aluria Gateway Protection SDK protects against spyware in two different ways: 1) by blocking known malicious IP addresses and URLs, and 2) by performing signature analysis.
Here’s how it works: A typical implementation of the Aluria Gateway Protection SDK involves loading Aluria’s IP/domain black list into an appliance, creating a firewall-type protection that enables the gateway to prohibit incoming or outgoing access to specified URLs. If a malicious IP is detected, the SDK blocks its entrance into the appliance. If the incoming data is not from a malicious IP, it will pass through the appliance and will be either written to disk or buffered in memory (as specified by the SDK partner). After the gateway processes these files, they are passed to the Aluria SDK using simple calls. The SDK then performs a signature-based analysis—on files, ActiveX controls, and Browser Helper Objects—by scanning incoming files against those in the spyware database. Once the analysis is complete, the SDK notifies the gateway to either block or accept the files. This event-driven approach to spyware detection and blocking allows for minimum use of resources with maximum versatility in implementation.

Versatile in its universal support of operating systems and architectures, the Aluria Gateway Protection SDK can be easily integrated into any environment. Platform agnostic, designed for all operating systems and 95% of architectures, the SDK’s supported operating systems include, but are not limited to: Windows NT to 2003, Linux (Debian, Mandrake, SUSE, Red Hat and Knoppix), and Unix (FreeBSD and NetBSD); the unprecedented variety of architectures includes, but is not limited to: x86, 32-bit Little Endian, ARM Big Endian/Little Endian, and MIPS Big Endian/Little Endian.

Aluria Desktop/Server Protection SDK

The Aluria Desktop/Server Protection SDK contains all the functionality needed for robust and flexible remediation of existing spyware and prevention of further infections.
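Before the desktop SDK is described in detail, the two-stage gateway flow above (IP/domain blocklist lookup first, then signature analysis of the buffered file, then a block/accept verdict handed back to the gateway) is worth seeing in working code. The following Python is an added example written for this page, not Aluria’s SDK or any of its calls; the blocklist entries, signatures and sample transfers are constructed for illustration, and the names `GatewayFilter`, `inspect`, `build_filter` and `run_samples` are the example’s own.

```python
"""Two-stage gateway filter: blocklist lookup, then signature scan.

Added example modelling the flow described on this page; it is not Aluria's
SDK. Blocklist entries, signatures and sample traffic below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Verdict(Enum):
    ACCEPT = "accept"
    BLOCK_BLOCKLIST = "block:blocklist"   # stage 1: peer IP or URL host is listed
    BLOCK_SIGNATURE = "block:signature"   # stage 2: payload matched a definition


@dataclass
class Signature:
    name: str
    pattern: bytes  # simple substring pattern; real engines use richer matching


@dataclass
class GatewayFilter:
    blocked_networks: list = field(default_factory=list)  # ipaddress networks
    blocked_domains: set = field(default_factory=set)     # lower-case hostnames
    signatures: list = field(default_factory=list)

    def host_blocked(self, host: str) -> bool:
        """True if host is a listed IP, a listed domain, or a subdomain of one."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            labels = host.split(".")
            # check the host itself, then each parent domain (sub.x.example -> x.example)
            return any(".".join(labels[i:]) in self.blocked_domains
                       for i in range(len(labels)))
        return any(addr in net for net in self.blocked_networks)

    def url_blocked(self, url: str) -> bool:
        host = urlsplit(url).hostname
        return host is not None and self.host_blocked(host)

    def scan_content(self, data: bytes):
        """Return the name of the first matching signature, or None."""
        for sig in self.signatures:
            if sig.pattern in data:
                return sig.name
        return None

    def inspect(self, peer_ip: str, url: str, payload: bytes):
        """Decide for one transfer once the gateway has the file on disk or in
        memory. Returns (verdict, detail)."""
        # Stage 1 is cheap and needs no payload, so it runs first.
        if self.host_blocked(peer_ip) or self.url_blocked(url):
            return Verdict.BLOCK_BLOCKLIST, None
        # Stage 2: signature analysis of the buffered content.
        hit = self.scan_content(payload)
        if hit is not None:
            return Verdict.BLOCK_SIGNATURE, hit
        return Verdict.ACCEPT, None


def build_filter() -> GatewayFilter:
    """Constructed lists standing in for a vendor IP/domain list and definition DB."""
    return GatewayFilter(
        blocked_networks=[ipaddress.ip_network("192.0.2.0/24")],  # TEST-NET-1
        blocked_domains={"spyware-host.example"},
        signatures=[Signature("Test.Dialer.A", b"DIAL_PREMIUM_NUMBER"),
                    Signature("Test.BHO.B", b"BHO_INSTALL_HOOK")],
    )


# Constructed sample transfers: (peer IP, requested URL, buffered payload)
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "http://cdn.example.net/update.bin", b"plain update payload"),
    ("192.0.2.44", "http://cdn.example.net/update.bin", b"plain update payload"),
    ("198.51.100.7", "http://ads.spyware-host.example/x.exe", b"anything"),
    ("198.51.100.7", "http://files.example.net/toolbar.exe", b"MZ..BHO_INSTALL_HOOK.."),
]


def run_samples(gw: GatewayFilter = None):
    """Run every sample transfer through the filter; returns the verdict list."""
    gw = gw or build_filter()
    return [gw.inspect(ip, url, payload) for ip, url, payload in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (ip, url, _), (verdict, detail) in zip(SAMPLE_TRAFFIC, run_samples()):
        print(f"{ip:14} {url:42} -> {verdict.value} {detail or ''}")
```

Running the file prints one verdict per sample: the first transfer is accepted, the second is blocked on the peer IP, the third on the URL host (a subdomain of a listed domain), and the fourth only at stage two, after its payload is scanned. The ordering matters operationally: the blocklist stage answers before any payload is buffered, so a listed host never costs a signature scan, which is the resource argument the text makes for the event-driven design.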
Designed to eliminate any existing spyware and defend against spyware as it attempts to infiltrate a Windows PC/host, the SDK includes two core strategies: an On-Demand Scan & Removal Engine™ and a real-time Active Defense Shield (ADS)™.

The Aluria Desktop/Server Protection SDK’s On-Demand Scan & Removal Engine is a reactive scanning utility that is useful in situations where spyware already exists on a system prior to anti-spyware installation or when real-time preventions, like ADS, have been temporarily disabled. Completely customizable, the SDK can be configured by developers to perform scans in memory, the registry, specific directories, specific files, cookie directories, and any other exploit-sensitive entry point on the system. Desktops can then be scanned on demand or at prescheduled times. When spyware is detected, it can be quarantined, ignored, or removed; quarantined items can be restored or removed. Removed items are permanently deleted. For reporting purposes, the SDK can also return spyware descriptions, threat levels, variants, and categories. Once scanning and removal are complete, the SDK allows for unloading the ScanEngine object and releasing used memory.

Aluria’s exclusive ADS technology provides the Aluria Desktop/Server Protection SDK with truly proactive, real-time, event-based prevention that goes far beyond traditional reactive/frequency-based monitoring. It guards computers against all attempted spyware installations, including those that originate on the Web as installers, on intranets, mapped network drives, CD-ROMs, floppy drives, and USB drives. ADS catches spyware as soon as it attempts to write, move, or rename files and automatically performs a pre-configured action: Auto-Delete, Auto-Quarantine or Ignore.
In production, here’s how ADS works: ADS consists of a file-system driver that resides in the operating system’s Ring 0, or the kernel, which enables it to hook into the file system and monitor for particular events such as Open, Close, or Rename. When such an event occurs, ADS blocks the file from gaining any access while it is analyzed and takes appropriate action if spyware is found. Safe files may proceed with their normal actions. Unlike most anti-spyware monitoring solutions, ADS does not conflict with popular anti-virus programs or require constant CPU cycles, and it functions unobtrusively in the background.
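The two desktop strategies just described, the On-Demand scan with quarantine/restore/remove and the event-driven ADS hook, can be modelled together in user mode. The following Python is an added example, not the Aluria SDK (whose actual API is not shown on this page): a real ADS runs as a Ring-0 file-system filter driver and can deny the Open, Close or Rename itself, whereas here the caller must honour the decision `on_event` returns. The signature table, file names and contents, and the names `DesktopShield`, `match_signature`, `Action`, `Event` and `demo` are all constructed for the example.

```python
"""User-mode model of the desktop SDK's two strategies: an on-demand scan with
quarantine/restore/remove, and an event-driven shield consulted per file event.
Added example, not Aluria code: the real ADS is a Ring-0 file-system filter
driver that can deny the operation itself; here the caller must honour the
returned decision. Signatures, file names and contents are constructed."""
import os
import shutil
import tempfile
from enum import Enum

SIGNATURES = {  # constructed definitions: name -> byte pattern
    "Test.Keylogger.A": b"KEYLOG_HOOK_v1",
    "Test.Adware.B": b"POPUP_SCHEDULER",
}
Action = Enum("Action", "AUTO_DELETE AUTO_QUARANTINE IGNORE")  # pre-configured response
Event = Enum("Event", "OPEN CLOSE RENAME")                     # intercepted operations


def match_signature(path):
    """Return the first matching definition name for the file at path, or None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return next((name for name, pat in SIGNATURES.items() if pat in data), None)


class DesktopShield:
    def __init__(self, quarantine_dir, action=Action.AUTO_QUARANTINE):
        self.qdir, self.action = quarantine_dir, action
        self.items, self.seq = {}, 0     # quarantine id -> original absolute path
        os.makedirs(quarantine_dir, exist_ok=True)

    # Remediation primitives: quarantine keeps the item restorable, remove deletes it.
    def quarantine(self, path):
        self.seq += 1
        qid = f"q{self.seq}"
        self.items[qid] = os.path.abspath(path)
        shutil.move(path, os.path.join(self.qdir, qid))  # moved out of reach
        return qid

    def restore(self, qid):
        original = self.items.pop(qid)
        shutil.move(os.path.join(self.qdir, qid), original)
        return original

    def remove(self, qid):
        self.items.pop(qid)
        os.remove(os.path.join(self.qdir, qid))          # permanent deletion

    # On-demand scan over a configured location (a directory tree here).
    def scan_tree(self, root):
        findings = []
        for dirpath, _, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                name = match_signature(path)
                if name:
                    findings.append((path, name))
        return findings

    # Real-time shield: invoked on Open/Close/Rename before the operation
    # completes. Every event type is scanned here; the event is kept for reporting.
    # Returns (allowed, detection name or None, quarantine id or None).
    def on_event(self, event, path):
        name = match_signature(path)
        if name is None or self.action is Action.IGNORE:
            return True, name, None
        if self.action is Action.AUTO_DELETE:
            os.remove(path)
            return False, name, None
        return False, name, self.quarantine(path)


def demo():
    """Constructed sandbox: on-demand scan, quarantine, restore, live event, remove."""
    root, qdir = tempfile.mkdtemp(prefix="files_"), tempfile.mkdtemp(prefix="quar_")
    clean, bad = os.path.join(root, "notes.txt"), os.path.join(root, "free_game.exe")
    for path, content in ((clean, b"quarterly report draft"), (bad, b"MZ..KEYLOG_HOOK_v1..")):
        with open(path, "wb") as fh:
            fh.write(content)
    shield = DesktopShield(qdir)
    findings = shield.scan_tree(root)                 # reactive scan finds free_game.exe
    qid = shield.quarantine(findings[0][0])
    gone = not os.path.exists(bad)
    shield.restore(qid)                               # operator restores it (say, a false alarm)
    back = os.path.exists(bad)
    allowed, name, qid2 = shield.on_event(Event.OPEN, bad)   # shield intercepts the next open
    clean_ok, _, _ = shield.on_event(Event.OPEN, clean)
    shield.remove(qid2)                               # permanently delete the quarantined item
    empty = os.listdir(qdir) == []
    shutil.rmtree(root)
    shutil.rmtree(qdir)
    return {"findings": [(os.path.basename(p), n) for p, n in findings],
            "quarantined": gone, "restored": back, "open_blocked": not allowed,
            "detected": name, "clean_allowed": clean_ok, "quarantine_empty": empty}


if __name__ == "__main__":
    print(demo())
```

Two practical points the model makes visible: the quarantine directory must sit outside every location the on-demand scan covers, or the next scheduled scan re-detects the items it already isolated; and the restore path is why quarantine is preferable to Auto-Delete as a default, since a signature false positive on a legitimate installer is recoverable only if the bytes were kept.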
Dual Protection SDK

Expressly for network environments, the Aluria Gateway Protection SDK can be implemented together with the Aluria Desktop/Server Protection SDK to protect all points of entry on the network. Aluria’s two protection SDKs—when used in tandem—institute a fully integrated anti-spyware solution that provides real-time protection at both the network and desktop perimeters.

Aluria protection SDKs are designed specifically for original equipment manufacturers (OEMs) and independent software vendors (ISVs) to add value to their product offerings. Software developers, network appliance and hardware manufacturers, and system integrators seeking the ultimate protection from online threats and malicious spyware can easily implement the Aluria solutions through proven, tested methods. “Developer-friendly” APIs (application programming interfaces) allow quick, easy, and effective implementations that add the value that customers demand.

To download the Aluria SDK Datasheet, visit
Proven Provider, Trusted Partner

Built on Aluria’s widely-trusted, event-driven technology, Aluria SDKs feature a light footprint, a robust and strategic tool set, flexible options, diverse OS and hardware compatibility and the partnership and technical support that only an established industry leader can provide. All Aluria anti-spyware technology is backed by an in-house team of spyware experts and engineers, automated, patent-pending Threat Prevention System™ spyware research technologies designed to provide zero-day protection against the most elusive threats, and Aluria’s massive database of verified spyware signatures and definitions.

For more information about Aluria Software and the Aluria family of protection SDKs, please visit our Web site at or contact us via phone at 1.888.627.4650 or by e-mail at