Typhoid Adware - 2016.eicar.org/files/typhoid_adware_eicar.pdf


Page 1

May 11th, 2010 Typhoid Adware 1

CPSC 217 - Tutorial

Typhoid Adware

Daniel Medeiros Nunes de Castro

Eric Lin

John Aycock

Mea Wang

University of Calgary – Alberta – Canada

19th EICAR Annual Conference - Paris

Page 2

Introducing Typhoid Mary

Mary Mallon (1869-1938) – NY Cook

In 1907 she was diagnosed as a carrier of typhoid fever.

As she had no symptoms, she refused to be tested, did not accept treatment and continued working.

Infected tens of people, some of whom died from the disease.

Forced into quarantine for the rest of her days.

Page 3

BUT….

How are computers related to this?

And didn't you mention adware?

Page 4

In an Internet Café… (figure: café network diagram; label "Network admin?")

Page 5

In an Internet Café… (figure continued)

Page 6

In an Internet Café… (figure: ARP Spoofing)

Page 7

In an Internet Café… (figure: "BUY IT!" banners; Text and/or Video Modification)

Page 8

Some remarks

There has not been much work/research on adware.

We target video streaming websites due to their popularity.

The carrier shows no signs of infection, and the victims (neighbors) have no visible clue that the advertisement comes from an illegitimate source.

Focusing on adware, we provide a scenario where no artefact is left on the victim's machine.

The carrier may not be interested in removing the bundled adware, as they don't notice any of its effects.

Page 9

Implementing Typhoid Adware

First, some background…

Page 10

Background: ARP Spoofing (figure: DHCP exchange between ALICE_LAPTOP and CAFE_SERVER)

Hosts shown:

- CAFE_SERVER – MAC 01:CA:FE:CA:FE:01, IP 192.168.0.1 (Fixed)

- ALICE_LAPTOP – MAC 01:41:4C:49:43:45, IP 192.168.0.2, Gateway 192.168.0.1

ALICE_LAPTOP: "Help! I don't have an IP!!!" (DHCP Discover)

CAFE_SERVER: "I can help you… Get this one!" (DHCP Offer)

Resulting tables (IP → MAC): CAFE_SERVER: 192.168.0.2 → 01:41:4C:49:43:45; ALICE_LAPTOP: 192.168.0.1 → 01:CA:FE:CA:FE:01

Disclaimer: This is a simplified description. The DHCP protocol requires some other steps.

Page 11

Background: ARP Spoofing (figure: ARP request and reply)

New host: CAROL_LAPTOP – MAC 02:43:41:52:4F:4C, IP 192.168.0.3, Gateway 192.168.0.1

CAROL_LAPTOP: "Who has 192.168.0.1?" (ARP Request)

CAFE_SERVER: "Hey! It's me!" (ARP Reply)

Resulting tables (IP → MAC): CAFE_SERVER: 192.168.0.2 → 01:41:4C:49:43:45, 192.168.0.3 → 02:43:41:52:4F:4C; ALICE_LAPTOP and CAROL_LAPTOP: 192.168.0.1 → 01:CA:FE:CA:FE:01

Page 12

Background: ARP Spoofing (figure: poisoning via ARP Replies)

New host: EVIL_LAPTOP – MAC 03:45:56:49:4C:20, IP 192.168.0.4, Gateway 192.168.0.1

EVIL_LAPTOP sends ARP Replies to CAFE_SERVER, ALICE_LAPTOP and CAROL_LAPTOP.

CAFE_SERVER's table changes entry by entry: 192.168.0.2 → 03:45:56:49:4C:20, then 192.168.0.3 → 03:45:56:49:4C:20. ALICE_LAPTOP and CAROL_LAPTOP: 192.168.0.1 → 03:45:56:49:4C:20

Page 13

Background: ARP Spoofing (figure: final state)

CAFE_SERVER: 192.168.0.2 → 03:45:56:49:4C:20, 192.168.0.3 → 03:45:56:49:4C:20; ALICE_LAPTOP and CAROL_LAPTOP: 192.168.0.1 → 03:45:56:49:4C:20. Every entry that should point at a real host now points at EVIL_LAPTOP.

Page 14

Implementing Typhoid Adware

Proof-of-concept implementation using open source software:

- arpspoof (dsniff)

- Tiny Proxy (written in Python)

- NetFilter/IPtables

- FFMpeg

Attack steps:

1) Choose target

2) Intercept connections (ARP Spoofing)

3) Redirect them to a local program (proxy)

4) Modify content (web pages, streaming video, video file (cached))

Page 15

Modifying web pages

Web pages are text files. Content modification is trivial and allows:

- String substitution

- Inserting JavaScript code

- Inserting HTML code

Some sites compress pages before sending. So, basically, we need to follow these steps:

1) Cache

2) Uncompress

3) Modify

4) Compress

5) Send it to the client

Page 16

Modifying video

And, again, we need a little bit of background info….

Page 17

FLV in a glance (Flash Video Format)

Header: "F" "L" "V" flags

Body: length, FLV Tag, length, FLV Tag, …

FLV Tag: tag header, data

Tag header:

- Type of data (audio, video, script), size and timestamp

- Some video frames can be "keyframes"

Page 18

Modifying video

Goal: Insert text and/or a picture in a video for advertisement

Tools:

- FFMPEG

- libx264: H.264 codec

- libmp3lame

- libfaac

- vhook (deprecated and then removed from later versions of FFMPEG)

First implementation: "Cache and modify"

- Caching the whole file and then modifying the entire video at once

- We can have precise information about the modified version before sending

- Long videos take time to cache, i.e., a big delay that is easily noticeable, or the user might simply give up waiting

Interesting fact: embedding pictures is faster than embedding text

Page 19

Modifying video "on-the-fly"

Challenges

- Packets received by the proxy are sometimes not complete FLV Tags

- Not every video tag can be modified. It must be done in "blocks", starting at a keyframe

Solution: Cache and Parse

- The cache has no fixed size. It is an estimate and depends on how many keyframes it will cover. The last keyframe and the subsequent tags are left in a buffer for further processing.

- The "Content-Length" HTTP header must be sent beforehand. If it is smaller than the content to be sent, the player will "freeze". But we cannot precisely estimate the final size of the modified video.

Solution: The browser does not check whether "Content-Length" is bigger than the number of bytes sent. Let's triple it!

Page 20

Does this really work?

What about performance on both sides (infected and victim)?

Page 21

Experimental setup

- Typhoid adware using video streaming modification "on-the-fly"

- Wired (ethernet hub 10/100 Mbps) and wireless (802.11g, 100Mbps ethernet)

- Video streaming from YouTube (Flash player is embedded)

- Two laptops running Linux

- Most difficult and compute-intensive implementation

- Required only for our Typhoid Adware implementation

- Compared: direct connection, proxy-only, and modification using different cache sizes

Pages 22-24

Results

Processing time and Latency

Time for sending the video can double, depending on the chosen cache size; however, the latency is not really noticeable even in the worst case.

File size

Depending on the codecs used, file size is increased by 6-130%, but for short videos (the majority on YouTube) that is not a problem.

Glitches versus cache size

A small cache size speeds up the process but introduces noticeable glitches in the video. A good balance is a cache of 64Kb (around 5 seconds of video).

Page 25

Ok… it does work…

So, how can I protect myself?

Page 26

Mitigation

Video Content Modification

- Encryption (e.g., using HTTPS)

- Signed checksum list

- Checksum list

Performance

Changes in both client and server

Adware is usually considered to be in a "gray area". Is it the same for Typhoid Adware?

Why do I bother about this?

Notice that the installation of "normal" adware is up to the user, and they're (supposedly) aware that advertisements will pop up once in a while.

Not in this scenario.
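The FLV layout from the "FLV in a glance" slide and the "checksum list" mitigation above, combined in one added example (not code from the authors' proof of concept): a client parses the tag stream into keyframe-delimited blocks, hashes each block, and compares against a list the server published. The FLV bytes, tag payloads and the "advert" edit are constructed for this example.

```python
# FLV keyframe blocks (slide 17 layout) checked against a checksum list (slide 26); sample bytes constructed.
import hashlib
import struct

TAG_HDR = 11          # UI8 type, UI24 size, UI24 timestamp, UI8 ts-ext, UI24 stream id
VIDEO, KEYFRAME = 9, 1

def make_tag(tag_type, payload, ts):
    """One FLV tag followed by its PreviousTagSize (the 'length' on slide 17)."""
    tag = (bytes([tag_type]) + len(payload).to_bytes(3, "big")
           + (ts & 0xFFFFFF).to_bytes(3, "big") + bytes([ts >> 24]) + b"\0\0\0" + payload)
    return tag + struct.pack(">I", len(tag))

def parse_tags(data):
    """Yield (tag_type, is_keyframe, raw_tag_bytes). Stops at an incomplete tag,
    the case the on-the-fly proxy had to buffer for (slide 19)."""
    if data[:3] != b"FLV":
        raise ValueError("not an FLV stream")
    pos = struct.unpack(">I", data[5:9])[0] + 4        # header, then PreviousTagSize0
    while pos + TAG_HDR <= len(data):
        size = int.from_bytes(data[pos + 1:pos + 4], "big")
        end = pos + TAG_HDR + size + 4                  # include the trailing length
        if end > len(data):
            break
        key = data[pos] == VIDEO and size > 0 and data[pos + TAG_HDR] >> 4 == KEYFRAME
        yield data[pos], key, data[pos:end]
        pos = end

def block_checksums(data):
    """SHA-256 per block: a keyframe tag plus every tag up to the next keyframe."""
    blocks, cur = [], b""
    for _, key, raw in parse_tags(data):
        if key and cur:
            blocks.append(cur)
            cur = b""
        cur += raw
    return [hashlib.sha256(b).hexdigest() for b in blocks + ([cur] if cur else [])]

def verify(data, expected):
    """Indexes of blocks that differ from the published list (or are missing)."""
    got = block_checksums(data)
    return [i for i, h in enumerate(expected) if i >= len(got) or got[i] != h]

# Constructed clip: header ("FLV", version 1, video flag, offset 9), PreviousTagSize0,
# then two keyframe blocks. First payload byte 0x17 = keyframe/AVC, 0x27 = inter frame.
SAMPLE = (b"FLV\x01\x01" + struct.pack(">I", 9) + struct.pack(">I", 0)
          + make_tag(VIDEO, b"\x17frame0", 0) + make_tag(VIDEO, b"\x27frame1", 40)
          + make_tag(VIDEO, b"\x17frame2", 80) + make_tag(VIDEO, b"\x27frame3", 120))
EXPECTED = block_checksums(SAMPLE)      # the list a server would publish (or sign)
TAMPERED = SAMPLE.replace(b"frame3", b"advert")   # same-size in-band edit
```

A plain checksum list only helps if the list itself cannot be rewritten by the same proxy, which is why the slide lists the signed variant separately.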


Page 28

Mitigation

ARP Spoofing

- Static IP-to-MAC mapping

- ARP spoofing detection

- Internet Café Setting

- Interesting feature for anti-malware products

- Parsing DHCP messages

- Fixing the gateway once the interface is up

FROM ADMIN'S TO USER'S SIDE
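The "static IP-to-MAC mapping" and "ARP spoofing detection" items above, as an added example that is not part of the original slides: a detector fed with ARP replies flags the gateway's pinned mapping changing and one MAC answering for several IPs, which is exactly the table state the Background slides end in. The host names, MACs and IPs are the constructed values from those slides; the reply trace is constructed too.

```python
# Detect the ARP-reply pattern from the Background slides (10-13): one station
# answering for several IPs, and a pinned gateway mapping changing. Host names,
# MACs and IPs are the constructed values used on those slides.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # "I am <sender_ip> ..."
    sender_mac: str   # "... at <sender_mac>"
    target_ip: str    # host whose ARP cache this reply updates

# "Fixing the gateway": CAFE_SERVER pinned as a static IP-to-MAC mapping.
STATIC = {"192.168.0.1": "01:CA:FE:CA:FE:01"}

def detect(replies, static=STATIC):
    """Return alert strings. Learns IP->MAC from the first reply seen, as an
    ARP cache would, and flags (a) a pinned or learned mapping changing and
    (b) one MAC answering for more than one IP address."""
    table = dict(static)
    ips_per_mac = defaultdict(set)
    alerts = []
    for r in replies:
        known = table.setdefault(r.sender_ip, r.sender_mac)
        if known != r.sender_mac:
            kind = "pinned" if r.sender_ip in static else "learned"
            alerts.append(f"{r.sender_ip}: {kind} MAC {known} now claimed by "
                          f"{r.sender_mac} in a reply to {r.target_ip}")
        claimed = ips_per_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:
                alerts.append(f"{r.sender_mac} answers for {sorted(claimed)}")
    return alerts

# Constructed trace following slides 11-12: legitimate replies first, then
# EVIL_LAPTOP (03:45:56:49:4C:20) poisoning the server and both laptops.
TRACE = [
    ArpReply("192.168.0.1", "01:CA:FE:CA:FE:01", "192.168.0.3"),  # server answers Carol
    ArpReply("192.168.0.2", "01:41:4C:49:43:45", "192.168.0.1"),  # Alice
    ArpReply("192.168.0.3", "02:43:41:52:4F:4C", "192.168.0.1"),  # Carol
    ArpReply("192.168.0.2", "03:45:56:49:4C:20", "192.168.0.1"),  # poison server: .2
    ArpReply("192.168.0.3", "03:45:56:49:4C:20", "192.168.0.1"),  # poison server: .3
    ArpReply("192.168.0.1", "03:45:56:49:4C:20", "192.168.0.2"),  # poison Alice's gateway
    ArpReply("192.168.0.1", "03:45:56:49:4C:20", "192.168.0.3"),  # poison Carol's gateway
]

if __name__ == "__main__":
    for alert in detect(TRACE):
        print("ALERT:", alert)
```

The learned-mapping check only fires if the legitimate host answered first; the pinned gateway entry catches the change regardless of order, which is the point of fixing the gateway once the interface is up.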

Page 29

Related work

E. Lin, D. M. N. de Castro, M. Wang, and J. Aycock. SPoIM: A Close Look at Pollution Attacks in P2P Live Streaming. IEEE International Workshop on Quality of Service, 2010, to appear.

M. Kershaw. Wireless security isn't dead, attacking clients with MSF. Black Hat DC, 2010.

Page 30

Conclusions

We have presented Typhoid Adware, a new approach for spreading advertisements.

Implemented using well-known techniques (ARP Spoofing and proxies), but other approaches can also be used (including on other types of network).

Even the most overhead-intensive case allows the victim to receive content in reasonable time.

We also presented some approaches for mitigation.

Typhoid adware is a viable threat, especially in poorly monitored environments.

Page 31

Thanks / Merci / Obrigado

Typhoid Adware

Daniel Medeiros Nunes de Castro

Eric Lin

John Aycock

Mea Wang

University of Calgary – Alberta – Canada

Any questions?