Spyware and Trojan Horses

Transcript (8/8/2019) of Spyware and Trojan Horses, 53 slides

  • Slide 1/53: Spyware and Trojan Horses

    Computer Security Seminar, 12th February 2004

    Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

  • Slide 2/53: Your computer could be watching your every move!

    Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg

  • Slide 3/53: Introduction

  • Slide 4/53: Seminar Overview

    Introduction to Spyware / Trojan Horses

    Spyware: Examples, Mechanics, Effects, Solutions

    Tracking Cookies: Mechanics, Effects, Solutions

    Trojan Horses: Mechanics, Effects, More Examples

    Solutions to the problems posed

    Human Factors: Human interaction with Spyware

    System X: Having suitable avoidance mechanisms

    Conclusions: Including our proposals for solutions

  • Slide 5/53: Definitions

    SPYWARE

    A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.

    Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php

    TROJAN HORSE

    An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

    Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

  • Slide 6/53: Symptoms

    Targeted Pop-ups           SPYWARE
    Slow Connection            SPYWARE / TROJAN
    Targeted E-Mail (Spam)     SPYWARE
    Unauthorized Access        TROJAN HORSE
    Spam Relaying              TROJAN HORSE
    System Crash               SPYWARE / TROJAN
    Program Customisation      SPYWARE

  • Slide 7/53: Summary of Effects

    Collection of data from your computer without consent

    Execution of code without consent

    Assignment of a unique code to identify you

    Collection of data pertaining to your habitual use

    Installation on your computer without your consent

    Inability to remove the software

    Performing other undesirable tasks without consent

  • Slide 8/53: Similarities / Differences

    Spyware                              | Trojan Horses
    -------------------------------------+-------------------------------------
    Commercially Motivated               | Malicious
    Internet connection required         | Any network connection required
    Initiates remote connection          | Receives incoming connection
    Purpose: To monitor activity         | Purpose: To control activity
    Collects data and displays pop-ups   | Unauthorized access and control
    Legal                                | Illegal
    Not Detectable with Virus Checker    | Detectable with Virus Checker
    Age: Relatively New (< 5 Years)      | Age: Relatively Old (> 20 Years)

    Common to both:

    Memory Resident Processes

    Surreptitiously installed without the user's consent or understanding

    Creates a security vulnerability

    Source: Table derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 9/53: Spyware

    Image Source: The Gator Corporation http://www.gator.com

  • Slide 10/53: Software Examples

    GAIN / Gator

    Gator E-Wallet

    Cydoor

    BonziBuddy

    MySearch Toolbar

    DownloadWare

    BrowserAid

    Dogpile Toolbar

    Image Sources:

    GAIN Logo: The Gator Corporation http://www.gator.com

    BonziBuddy Logo: Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif

    DownloadWare Logo: DownloadWare - http://www.downloadware.net

  • Slide 11/53: User Perspective - I: Advantages

    Precision Marketing

    Relevant pop-ups are better than all of them!

    You may get some useful adverts!

    Useful Software

    DivX Pro, IMesh, KaZaA, Winamp Pro

    (Experienced) people understand what they are installing.

    Enhanced Website Interaction

    Targeted banner adverts

    Website customisation

  • Slide 12/53: User Perspective - II: Disadvantages

    Browsing profiles created for users without consent

    Used for target marketing and statistical analysis

    Unable to remove Spyware programs or disable them

    Increased number of misleading / inappropriate pop-ups

    Invasion of user privacy (hidden from user)

    Often badly written programs that corrupt the user's system

    Automatically provides unwanted "helpful" tools

    20 million+ people have Spyware on their machines.

    Source - Dec 02 GartnerG2 Report

  • Slide 13/53: User Perspective - III: Example Pop-up

    Misleading Pop-up

    Image Source: Browser Cleanser directed pop-up from http://www.browsercleanser.com/

  • Slide 14/53: Technical Analysis - I: Network Overview

    [Diagram: Push (Advertising); Pull (Tracking, Personal data)]

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 15/53: Technical Analysis - II: Client-Side Operation

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 16/53: Technical Analysis - III: Server-Side Operation

    Server-side operation is relatively unknown. However, if we were to develop such a system, it would contain

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 17/53: Spyware Defence

    Technical Initiatives...

    Spyware Removal Programs

    Pop-up Blockers

    Firewall Technology

    Disable ActiveX Controls (Not Sandboxed)

    E-Mail Filters

    Download Patches

    User Initiatives

    Issue Awareness

    Use Legitimate S/W Sources

    Improved Technical Ability

    Choice of Browser

    Choice of OS

    Legal action taken against breaches of privacy (Oct 02 Doubleclick)

  • Slide 18/53: GAIN Case Study

    Installed IMesh, which includes Gator installation

    We accessed multiple internet sites

    We simultaneously analyzed network traffic (using IRIS)

    We found the packets of data being sent to GAIN

    Packets were encrypted and we could not decrypt them

    See Example ->

  • Slide 19/53: GAIN Case Study (continued)

    Image Source: Screenshot of IRIS v3.7 Network Analyser, Professional Networks Ltd. See http://www.pnltools.com.

  • Slide 20/53: Spyware Removers

    Ad-aware (by Lavasoft)

    Reverse Engineer Spyware

    Scans Memory, Registry and Hard Drive for Data Mining components

    Aggressive advertising components

    Tracking components

    Updates from Lavasoft

    Plug-ins available

    Extra file information

    Disable Windows Messenger Service

    Image Source: Screenshot of Ad-aware 6.0, Lavasoft. See http://www.lavasoft.com

  • Slide 21/53: Vulnerable Systems

    Those with an internet connection!

    Microsoft Windows 9x/Me/NT/2000/XP (does not affect Open Source OSs)

    Non-firewalled systems

    Internet Explorer, which executes ActiveX plug-ins (other browsers not affected)

  • Slide 22/53: Tracking Cookies

  • Slide 23/53: Cookies

    A Cookie is a small text file sent to the user from a website.

    Contains website visited

    Provides client-side personalisation

    Supports easy login

    Cookies are controlled by

    the website's application server

    client-side JavaScript

    The website is effectively able to remember the user and their activity on previous visits.

    Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.

  • Slide 24/53: Case Study - DoubleClick

    Most regular web users will have a doubleclick.net cookie.

    Affiliated sites request the DoubleClick cookie on the user's computer. The site then sends

    Who you are

    All other information in your cookie file

    In return for all available marketing information on you, collected from other affiliated sites which you have hit.

  • Slide 25/53: Case Study - DoubleClick

    Site targets banner adverts, e-mails and pop-ups to the user.

    If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user.

    The whole process is opaque to the user and occurs without their consent.

  • Slide 26/53: Tracking Cookie Implementation

    Protocol designed to only allow the domain that created a cookie to access it.

    IE has a number of security holes

    Up to IE 5, domain names specified incorrectly.

    Up to IE 6, able to fool IE into believing it is in another domain.

    Patches and IE 6 solved a number of problems

    Since then, tracking cookies are still proving a large problem; a number of holes are still open.

  • Slide 27/53: Tracking Cookie Implementation

    Image Source: Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [16].
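The domain-scoping rule the two slides above describe, modelled in Python as an added illustration (not the seminar's code): the matching follows the RFC 6265 domain-match rule, and the hostnames, cookie values and the tiny public-suffix set are constructed for the example. It shows why a doubleclick.net cookie is carried to every affiliate page that embeds a DoubleClick ad, and how a conforming client refuses a cookie that claims another domain.

```python
"""Cookie domain scoping: only the domain that set a cookie gets it back.
Added illustration, not the seminar's code. Matching follows the RFC 6265
domain-match rule; hostnames, values and PUBLIC_SUFFIXES are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, no leading dot
    host_only: bool   # no Domain attribute was given: exact host only


# Tiny constructed stand-in for a real public-suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: host is the cookie domain or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def accept_cookie(request_host: str, name: str, value: str,
                  domain_attr: Optional[str]) -> Optional[Cookie]:
    """Decide whether a Set-Cookie received from request_host may be stored.

    A Domain attribute must be the request host or one of its parents and
    never a bare public suffix; anything else is a cookie claiming to belong
    to another domain, which a conforming client refuses.
    """
    if domain_attr is None:
        return Cookie(name, value, request_host.lower(), host_only=True)
    d = domain_attr.lower().lstrip(".")
    if d in PUBLIC_SUFFIXES or not domain_matches(request_host, d):
        return None
    return Cookie(name, value, d, host_only=False)


def cookies_for(jar: List[Cookie], request_host: str) -> List[Cookie]:
    """Cookies the client attaches to a request for request_host."""
    host = request_host.lower()
    sent = []
    for c in jar:
        if c.host_only and host == c.domain:
            sent.append(c)
        elif not c.host_only and domain_matches(host, c.domain):
            sent.append(c)
    return sent


def demo() -> dict:
    jar: List[Cookie] = []
    # An affiliate page embeds an ad served by ad.doubleclick.net; the ad
    # server scopes its cookie to doubleclick.net, so every later visit to a
    # page embedding any doubleclick.net host carries the same identifier.
    tracker = accept_cookie("ad.doubleclick.net", "id", "u123", ".doubleclick.net")
    if tracker is not None:
        jar.append(tracker)
    # A site trying to scope its cookie to an unrelated domain is refused.
    spoofed = accept_cookie("shop.example", "id", "x", "doubleclick.net")
    # So is a cookie scoped to a bare public suffix.
    suffix = accept_cookie("ad.doubleclick.net", "id", "x", ".net")
    return {
        "tracker_stored": tracker is not None,
        "spoof_rejected": spoofed is None,
        "suffix_rejected": suffix is None,
        "sent_to_ad_host": [c.name for c in cookies_for(jar, "ad.doubleclick.net")],
        "sent_to_sibling_host": [c.name for c in cookies_for(jar, "ad2.doubleclick.net")],
        "sent_to_affiliate": [c.name for c in cookies_for(jar, "shop.example")],
    }


if __name__ == "__main__":
    print(demo())
```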

  • Slide 28/53

  • Slide 29/53: Trojan Horses

  • Slide 30/53

  • Slide 31/53: Installation

    Certificate Authority

    Misleading Certificate

    Description

    Who is trusted?

    Image Source: Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from Roings.

  • Slide 32/53: Effects

    Allows remote access

    To spy

    To disrupt

    To relay a malicious connection, so as to disguise the attacker's location (spam, hacking)

    To access resources (e.g. bandwidth, files)

    To launch a DDoS attack

  • Slide 33/53: Operation

    Listen for connections

    Memory resident

    Start at boot-up

    Disguise presence

    Rootkits integrate with kernel

    Password Protected

  • Slide 34/53: Example: Back Orifice

    Back Orifice

    Produced by the Cult of the Dead Cow

    Win95/98 is vulnerable

    Toast of DefCon 6

    Similar operation to NetBus

    Name similar to MS product of the time

  • Slide 35/53: BO: Protocol

    Modular authentication

    Modular encryption

    AES and CAST-256 modules available

    UDP or TCP

    Variable port

    Avoids most firewalls

    IP notification via ICQ

    Dynamic IP addressing not a problem

  • Slide 36/53: BO: Protocol Example (1)

    [Diagram, Attacker / ICQ Server / Victim: INFECTION OCCURS; TROJAN; IP ADDRESS AND PORT (to ICQ server); IP ADDRESS AND PORT (to attacker); CONNECTION]

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 37/53: BO: Protocol Example (2)

    [Diagram, Attacker / Victim: CONNECTION; COMMAND; COMMAND EXECUTED; REQUEST FOR INFORMATION; INFORMATION]

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 38/53: BO: Protocol Example (3)

    [Diagram, Attacker / Victim: CLEANUP COMMAND; EVIDENCE DESTROYED]

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 39/53: Trojan Horse Examples

    M$ Rootkit

    Integrates with the NT kernel

    Very dangerous

    Virtually undetectable once installed

    Hides from administrator as well as user

    Private TCP/IP stack (LAN only)

  • Slide 40/53: Trojan Horse Examples

    iSpyNOW

    Commercial

    Web-based client

    Assassin Trojan

    Custom builds may be purchased

    These are not found by virus scanners

    Firewall circumvention technology

  • Slide 41/53: Trojan Horse Examples

    Hardware

    Key loggers

    More advanced?

    Magic Lantern

    FBI developed

    Legal grey area (until recently!)

    Split virus checking world

  • Slide 42/53: Demonstration

  • Slide 43/53: Vulnerable Systems

    [Chart: Number of trojans in common use, on a scale from DANGEROUS to RELATIVELY SAFE; systems plotted: Linux/Unix, Win9x, MacOS, WinNT, MacOS X]

    WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.

    Information Source: McAfee Security - http://us.mcafee.com/

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 44/53: Vulnerable Systems

    [Chart: Ease of compromise, on a scale from DANGEROUS to RELATIVELY SAFE; systems plotted: Win9x, Linux/Unix, WinNT, MacOS, MacOS X]

    WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.

    Information Source: McAfee Security - http://us.mcafee.com/

    Image Source: Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

  • Slide 45/53: Conclusions

  • Slide 46/53: Security Implications

    Short Term

    Divulge personal data

    Backdoors into system

    System corruption

    Disruption / Irritation

    Aids identity theft

    Easy virus distribution

    Increased spam

    Long Term

    Mass data collection

    Consequences unknown

    Web becomes unusable

    Web cons outweigh pros

    Cost of preventions

    More development work

    More IP addresses (IPv6)

  • Slide 47/53: Solutions

    Short Term

    Firewall

    Virus Checker

    Spyware Remover

    Frequent OS updates

    Frequent back-up

    Learning problems

    Long Term

    Add Spyware to Anti-Virus

    Automatic maintenance

    Legislation

    Education on problems

    Biometric access

    Semantic web (and search)

  • Slide 48/53: Firewalls

    3 Types

    Packet Filtering: Examines attributes of the packet.

    Application Layer: Hides the network by impersonating the server (proxy).

    Stateful Inspection: Examines both the state and context of the packets.

    Regardless of type, a firewall must be configured to work properly. Access rules must be defined and entered into the firewall.

    [Diagram: Network / Internet]

  • Slide 49/53: Firewalls

    Web Server Firewall (Packet Filtering)

    Incoming from the Internet: http - tcp 80, telnet - tcp 23, ftp - tcp 21

    Rule: Allow only http - tcp 80 (passed through to the web server: http - tcp 80)

    PC Firewall (Stateful Inspection)

    Request made out: 192.168.0.10 : 1020 -> 202.52.222.10 : 80

    Reply: 202.52.222.10 : 80 -> 192.168.0.10 : 1020

    Rule: Only allow reply packets for requests made out. Block other unregistered traffic.

    Image Source: Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
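The two firewall types from the diagram above, modelled in Python as an added example (not the seminar's own code). The addresses 202.52.222.10:80 and 192.168.0.10:1020 are the slide's; the remote hosts and client ports are constructed. It also shows what the diagram implies but does not state: a stateless filter on the PC would have to open the client port to let the reply in, and then cannot tell that reply apart from unsolicited traffic to the same port, which the stateful table can.

```python
"""Packet filtering vs. stateful inspection, following the slide's diagram.
Added example, not the seminar's code. 202.52.222.10:80 (web server) and
192.168.0.10:1020 (PC) are from the slide; other hosts/ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


WEB_SERVER = "202.52.222.10"
PC = "192.168.0.10"
PC_CLIENT_PORT = 1020


def server_packet_filter(pkt: Packet) -> bool:
    """Web server firewall: examines only the packet's attributes and allows
    only http (tcp/80) to the server; telnet (23) and ftp (21) are dropped."""
    return pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80


def pc_packet_filter(pkt: Packet) -> bool:
    """A stateless filter protecting the PC must open the PC's client port so
    the server's reply can come back, so it admits anything sent to that port."""
    return pkt.proto == "tcp" and pkt.dst == PC and pkt.dport == PC_CLIENT_PORT


Flow = Tuple[str, int, str, int, str]


class StatefulFirewall:
    """PC firewall: registers requests made out and admits only their replies."""

    def __init__(self, inside: str) -> None:
        self.inside = inside
        self.table: Set[Flow] = set()

    def outbound(self, pkt: Packet) -> bool:
        """Register a flow initiated by the protected host; refuse others."""
        if pkt.src != self.inside:
            return False
        self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Allow only reply packets for requests made out; block the rest.
        A reply is the registered flow with addresses and ports reversed."""
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.table


def demo() -> Dict[str, bool]:
    remote = "203.0.113.5"  # constructed Internet host
    http = Packet(remote, 40000, WEB_SERVER, 80)
    telnet = Packet(remote, 40001, WEB_SERVER, 23)
    ftp = Packet(remote, 40002, WEB_SERVER, 21)

    fw = StatefulFirewall(PC)
    request = Packet(PC, PC_CLIENT_PORT, WEB_SERVER, 80)
    reply = Packet(WEB_SERVER, 80, PC, PC_CLIENT_PORT)
    unsolicited = Packet("198.51.100.7", 50001, PC, PC_CLIENT_PORT)  # never requested
    fw.outbound(request)
    return {
        "server_allows_http": server_packet_filter(http),
        "server_blocks_telnet": not server_packet_filter(telnet),
        "server_blocks_ftp": not server_packet_filter(ftp),
        "pc_stateful_allows_reply": fw.inbound(reply),
        "pc_stateful_blocks_unsolicited": not fw.inbound(unsolicited),
        "pc_stateless_lets_unsolicited_in": pc_packet_filter(unsolicited),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```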

  • Slide 50/53: Intrusion Detection Systems

    [Diagram: Internet - IDS - Firewall - Switch - Network (PC, Server, Server)]

    Intrusion Detection: A Commercial Network Solution

    An Intelligent Firewall monitors accesses for suspicious activity

    Neural Networks trained by Backpropagation on Usage Data

    Could detect Trojan Horse attack, but not designed for Spyware

    Put the IDS in front of the firewall to get maximum detection

    In a switched network, put the IDS on a mirrored port to get all traffic.

    Ensure all network traffic passes through the IDS host.

    Image Source: Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].

  • Slide 51/53: System X

    Composed of

    Open Source OS

    Mozilla / Opera / Lynx (!) Browser (Not IE)

    Stateful Inspection Firewall

    Anti-Virus Software

    Careful and educated user

    Secure permissions system

    Regularly updated (possibly automatically)

    [Diagram: Network / Internet / Standalone]

  • Slide 52/53: Questions

    Image Source: Penny Arcade - http://www.penny-arcade.com/view.php3?date=2002-07-19&res=l

  • Slide 53/53