Typhoid Adware – 2016.eicar.org/files/typhoid_adware_eicar.pdf
May 11th, 2010 Typhoid Adware 1
CPSC 217 - Tutorial
Typhoid Adware
Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, Mea Wang
University of Calgary – Alberta – Canada
19th EICAR Annual Conference - Paris
Introducing Typhoid Mary
Mary Mallon (1869-1938) – NY cook
In 1907 she was diagnosed as a carrier of typhoid fever
As she had no symptoms, she refused to be tested, did not accept treatment and continued working
Infected tens of people; some died from the disease
Forced into quarantine for the rest of her days
BUT….
How are computers related to this?
And have you mentioned adware?
In an Internet Café…
Network admin?
ARP Spoofing
BUY IT!
Text and/or Video Modification
Some remarks
There has not been much work/research on adware.
We target video streaming websites due to their popularity
The carrier does not receive signs of infection and the victims (neighbors) have no visible clue that the advertisement comes from an illegitimate source
Focusing on adware, we provide a scenario where no artefact is left on the victim's machine.
The carrier may not be interested in removing the bundled adware, as they don't notice any of its effects.
Implementing Typhoid Adware
First, some background…
Background: ARP Spoofing
Hosts on the café LAN:
- CAFE_SERVER: MAC 01:CA:FE:CA:FE:01, IP 192.168.0.1 (fixed), the gateway
- ALICE_LAPTOP: MAC 01:41:4C:49:43:45, IP 192.168.0.2, gateway 192.168.0.1
- CAROL_LAPTOP: MAC 02:43:41:52:4F:4C, IP 192.168.0.3, gateway 192.168.0.1
- EVIL_LAPTOP: MAC 03:45:56:49:4C:20, IP 192.168.0.4, gateway 192.168.0.1
Step 1 (DHCP): Carol's laptop broadcasts "Help! I don't have an IP!!!" (DHCP Discover); the server answers "I can help you… Get this one!" (DHCP Offer) with 192.168.0.3.
Disclaimer: This is a simplified description. The DHCP protocol requires some other steps.
Step 2 (ARP): Carol's laptop asks "Who has 192.168.0.1?" (ARP Request); the server answers "Hey! It's me!" (ARP Reply). Each host caches the IP-to-MAC mapping it learned:
- server ARP cache: 192.168.0.2 → 01:41:4C:49:43:45, 192.168.0.3 → 02:43:41:52:4F:4C
- Alice's and Carol's ARP cache: 192.168.0.1 → 01:CA:FE:CA:FE:01
Step 3 (ARP spoofing): EVIL_LAPTOP sends forged ARP Replies to the server (192.168.0.2 and 192.168.0.3 are at 03:45:56:49:4C:20) and to Alice and Carol (192.168.0.1 is at 03:45:56:49:4C:20). Afterwards:
- server ARP cache: 192.168.0.2 → 03:45:56:49:4C:20, 192.168.0.3 → 03:45:56:49:4C:20
- Alice's and Carol's ARP cache: 192.168.0.1 → 03:45:56:49:4C:20
All traffic between the laptops and the gateway now passes through EVIL_LAPTOP.
Implementing Typhoid Adware
Proof-of-concept implementation using open source software:
- arpspoof (dsniff)
- Tiny Proxy (written in Python)
- Netfilter/iptables
- FFmpeg
Attack steps:
1) Choose target
2) Intercept connections (ARP spoofing)
3) Redirect them to a local program (proxy)
4) Modify content: web pages, streaming video, video file (cached)
Modifying web pages
Web pages are text files, so content modification is trivial and allows:
- String substitution
- Inserting JavaScript code
- Inserting HTML code
Some sites compress pages before sending. So, basically, we need to follow these steps:
1) Cache
2) Uncompress
3) Modify
4) Compress
5) Send it to the client
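As an added example (not the paper's Tiny Proxy code), the following Python carries the five steps through on a constructed, gzip-compressed HTML response: uncompress, inject a snippet, recompress, and recompute Content-Length. The sample page and the injected snippet are assumptions, and the code assumes the proxy already holds the complete, non-chunked body from step 1.

```python
"""Added example: rewrite a cached, gzip-compressed HTML response.
Not the authors' proxy; sample page and ad snippet are constructed."""
import gzip

# Constructed sample: what the proxy has cached after step 1.
SAMPLE_HTML = (b"<html><head><title>Video site</title></head>"
               b"<body><p>hello</p></body></html>")
SAMPLE_BODY = gzip.compress(SAMPLE_HTML)
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Encoding": "gzip",
    "Content-Length": str(len(SAMPLE_BODY)),
}

# Hypothetical snippet to inject (assumption, mirrors the "BUY IT!" slide).
AD_SNIPPET = b'<div id="typhoid-ad">BUY IT!</div>'


def inject_before_tag(html: bytes, snippet: bytes, tag: bytes = b"</body>") -> bytes:
    """String substitution: insert snippet before the first closing tag,
    appending instead when the tag is absent (lower() keeps offsets intact)."""
    idx = html.lower().find(tag)
    if idx < 0:
        return html + snippet
    return html[:idx] + snippet + html[idx:]


def decode_body(headers: dict, body: bytes) -> bytes:
    """Step 2: return the plaintext body, or None for an unsupported coding."""
    encoding = headers.get("Content-Encoding", "").lower()
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding in ("", "identity"):
        return body
    return None  # deflate/br would need their own decoder


def rewrite_response(headers: dict, body: bytes, snippet: bytes = AD_SNIPPET):
    """Steps 2-5: uncompress, modify, recompress, fix Content-Length.
    Returns (headers, body) unchanged when the coding is unsupported."""
    hdrs = dict(headers)
    plain = decode_body(hdrs, body)
    if plain is None:
        return hdrs, body                              # pass through untouched
    modified = inject_before_tag(plain, snippet)       # step 3
    if hdrs.get("Content-Encoding", "").lower() == "gzip":
        out = gzip.compress(modified)                  # step 4
    else:
        out = modified
    # Step 5: a stale Content-Length would truncate the page or make the
    # browser wait for bytes that never come, so recompute it before sending.
    hdrs["Content-Length"] = str(len(out))
    return hdrs, out


if __name__ == "__main__":
    h, b = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(h["Content-Length"], decode_body(h, b))
```

The same steps show why the HTTPS mitigation on the later slide works: with TLS the proxy never sees the plaintext page, so step 2 is impossible.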
Modifying video
And, again, we need a little bit of background info….
Flash Video Format (FLV) at a glance
File layout: a Header ("F L V" signature, version, flags) followed by the Body, a sequence of (length, FLV Tag) pairs, where each tag is preceded by the length of the previous tag.
Each FLV Tag consists of a tag header and data.
Tag header: type of data (audio, video, script), size and timestamp. Some video frames can be "keyframes".
Modifying video
Goal: insert text and/or a picture in a video for advertisement
Tools:
- FFmpeg
- libx264: H.264 codec
- libmp3lame
- libfaac
- vhook (deprecated and then removed from later versions of FFmpeg)
First implementation: "cache and modify"
- Cache the whole file and then modify the entire video at once
- We have precise information about the modified version before sending it
- Long videos take time to cache, i.e., a big delay that is easily noticeable, or the user might simply give up waiting
Interesting fact: embedding pictures is faster than embedding text
Modifying video "on-the-fly"
Challenges
- Packets received by the proxy are sometimes not complete FLV Tags
- Not every video tag can be modified. It must be done in "blocks", starting from a keyframe
Solution: cache and parse
- The cache has no fixed size. It is estimated and depends on how many keyframes it will cover. The last keyframe and the subsequent tags are left in a buffer for further processing.
- The "Content-Length" HTTP header must be sent beforehand. If it is smaller than the content actually sent, the player will "freeze". But we cannot precisely estimate the final size of the modified video.
Solution: the browser does not check whether "Content-Length" is bigger than the number of bytes sent. Let's triple it!
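The FLV layout described above and the two on-the-fly challenges (partial tags arriving from the network, and modification only in keyframe-aligned blocks) are exercised by the following added Python example; it is not the authors' code. It builds a synthetic FLV stream (constructed sample data, with arbitrary codec id and payloads), feeds it to a parser in arbitrary packet sizes, and groups complete tags into blocks that start at a keyframe, keeping the last keyframe's block buffered until the stream ends.

```python
"""Added example: streaming FLV tag parser with keyframe-aligned blocks.
Not the authors' code; the sample stream below is constructed."""
import struct

AUDIO, VIDEO, SCRIPT = 8, 9, 18
KEYFRAME, INTERFRAME = 1, 2      # high nibble of a video tag's first data byte


def flv_header(has_audio=True, has_video=True) -> bytes:
    """'FLV', version 1, flags, DataOffset=9, then PreviousTagSize0=0."""
    flags = (4 if has_audio else 0) | (1 if has_video else 0)
    return b"FLV" + bytes([1, flags]) + struct.pack(">I", 9) + struct.pack(">I", 0)


def flv_tag(tag_type: int, data: bytes, ts_ms: int) -> bytes:
    """11-byte tag header + data + trailing PreviousTagSize (11 + data size)."""
    size = len(data)
    hdr = (bytes([tag_type]) + size.to_bytes(3, "big")
           + (ts_ms & 0xFFFFFF).to_bytes(3, "big") + bytes([(ts_ms >> 24) & 0xFF])
           + b"\x00\x00\x00")                      # StreamID, always 0
    return hdr + data + struct.pack(">I", 11 + size)


def video_data(frame_type: int, payload: bytes, codec_id: int = 7) -> bytes:
    return bytes([(frame_type << 4) | codec_id]) + payload


# Constructed sample: metadata, then two keyframe-led groups of frames.
SAMPLE_STREAM = (
    flv_header()
    + flv_tag(SCRIPT, b"onMetaData", 0)
    + flv_tag(VIDEO, video_data(KEYFRAME, b"K0"), 0)
    + flv_tag(AUDIO, b"a0", 0)
    + flv_tag(VIDEO, video_data(INTERFRAME, b"P1"), 40)
    + flv_tag(VIDEO, video_data(INTERFRAME, b"P2"), 80)
    + flv_tag(VIDEO, video_data(KEYFRAME, b"K3"), 120)
    + flv_tag(AUDIO, b"a1", 120)
    + flv_tag(VIDEO, video_data(INTERFRAME, b"P4"), 160)
)


def is_keyframe(tag: bytes) -> bool:
    return (tag[0] == VIDEO and int.from_bytes(tag[1:4], "big") > 0
            and (tag[11] >> 4) == KEYFRAME)


def tag_summary(tag: bytes) -> tuple:
    """(type, timestamp_ms, data) for a complete tag."""
    size = int.from_bytes(tag[1:4], "big")
    ts = int.from_bytes(tag[4:7], "big") | (tag[7] << 24)
    return (tag[0], ts, tag[11:11 + size])


class FlvChunker:
    """Feed network chunks of any size; complete tags are grouped into blocks
    so that every block after the leading metadata starts with a keyframe.
    Bytes of an incomplete tag stay buffered until the rest arrives."""

    def __init__(self):
        self.buf = b""
        self.header_done = False
        self.pending = []      # tags of the block still being collected
        self.blocks = []       # closed blocks, ready for modification

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        if not self.header_done:
            if len(self.buf) < 13:                 # header + PreviousTagSize0
                return
            if self.buf[:3] != b"FLV":
                raise ValueError("not an FLV stream")
            offset = struct.unpack(">I", self.buf[5:9])[0]
            self.buf = self.buf[offset + 4:]
            self.header_done = True
        while len(self.buf) >= 11:
            size = int.from_bytes(self.buf[1:4], "big")
            total = 11 + size + 4                   # header + data + PreviousTagSize
            if len(self.buf) < total:
                return                              # partial tag: wait for more
            tag, self.buf = self.buf[:total], self.buf[total:]
            if is_keyframe(tag) and self.pending:
                self.blocks.append(self.pending)    # a new keyframe closes a block
                self.pending = []
            self.pending.append(tag)

    def flush(self) -> list:
        """End of stream: the buffered last keyframe and its followers form a block."""
        if self.pending:
            self.blocks.append(self.pending)
            self.pending = []
        return self.blocks


def chunk_stream(stream: bytes, sizes) -> list:
    """Simulate the proxy receiving `stream` in packets of the given sizes."""
    chunker, pos = FlvChunker(), 0
    for n in sizes:
        chunker.feed(stream[pos:pos + n])
        pos += n
    chunker.feed(stream[pos:])
    return chunker.flush()


if __name__ == "__main__":
    for block in chunk_stream(SAMPLE_STREAM, [5, 17, 3, 50, 1, 7]):
        print([tag_summary(t)[:2] for t in block])
```

Each closed block is what a modification step (re-encoding with FFmpeg, in the paper) would operate on; the block still in `pending` is the "last keyframe and subsequent tags" the slide leaves in a buffer. The Content-Length problem is separate: the parser cannot know the re-encoded size, which is why the slide over-declares it.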
Does this really work?
What about performance in both sides (infected and victim)?
Experimental setup
Typhoid Adware using video streaming modification "on-the-fly" (the most difficult and compute-intensive implementation)
Wired (Ethernet hub 10/100 Mbps) and wireless (802.11g, 100 Mbps Ethernet)
Video streaming from YouTube (embedded Flash player)
Two laptops running Linux (required only for our Typhoid Adware implementation)
Compared: direct connection, proxy-only, and modification using different cache sizes
Results
Processing time and latency: the time for sending the video can double, depending on the chosen cache size; however, the latency is not really noticeable even in the worst case.
File size: depending on the codecs used, the file size is increased by 6-130%, but for short videos (the majority on YouTube) that is not a problem.
Glitches versus cache size: a small cache size speeds up the process but introduces noticeable glitches in the video. A good balance is a cache of 64 KB (around 5 seconds of video).
Ok… it does work…
So, how can I protect myself?
Mitigation
Video content modification
- Encryption (e.g., using HTTPS)
- Signed checksum list
- Checksum list
Cost: performance, and changes on both the client and the server side
ARP spoofing (admin's side)
- Static IP-to-MAC mapping
- ARP spoofing detection
From admin's to user's side
- Internet café setting
- Interesting feature for anti-malware products
- Parsing DHCP messages
- Fixing the gateway once the interface is up
Why do I bother about this?
Adware is usually considered in a "gray area". Is it the same for Typhoid Adware?
Notice that the installation of "normal" adware is up to the user, and they are (supposedly) aware that advertisements will pop up once in a while.
Not in this scenario.
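As an added example of the ARP spoofing mitigations listed above (not from the paper), the Python below pins the gateway's IP-to-MAC mapping and flags the two symptoms of the attack shown in the background slides: an IP whose MAC changes, and one MAC claiming several IPs. The trace of ARP replies is constructed from the slide's hosts; `pin_gateway_command`, which renders an iproute2 `ip neigh` command for the "fix the gateway once the interface is up" idea, assumes a Linux client and an interface name.

```python
"""Added example: ARP-reply monitor with a pinned gateway mapping.
Not from the paper; the reply trace below is constructed from the slides."""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "01:ca:fe:ca:fe:01"   # CAFE_SERVER's fixed mapping, known out of band

# Constructed trace of (sender IP, sender MAC) seen in ARP replies on the LAN.
# The last three are EVIL_LAPTOP's forgeries from the background slides.
SAMPLE_REPLIES = [
    ("192.168.0.1", "01:CA:FE:CA:FE:01"),
    ("192.168.0.2", "01:41:4C:49:43:45"),
    ("192.168.0.3", "02:43:41:52:4F:4C"),
    ("192.168.0.4", "03:45:56:49:4C:20"),
    ("192.168.0.2", "03:45:56:49:4C:20"),   # claims Alice's IP towards the server
    ("192.168.0.3", "03:45:56:49:4C:20"),   # claims Carol's IP towards the server
    ("192.168.0.1", "03:45:56:49:4C:20"),   # claims the gateway towards the laptops
]


class ArpMonitor:
    """Static mapping check for pinned hosts plus heuristic spoof detection."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.seen = {}                    # ip -> first MAC observed for it
        self.by_mac = defaultdict(set)    # mac -> IPs this MAC has claimed
        self.alerts = []

    def observe(self, ip: str, mac: str) -> list:
        """Record one ARP reply; returns the alerts raised by this reply."""
        mac = mac.lower()
        raised = []
        # 1) A pinned (static) mapping must never change.
        if ip in self.pinned and mac != self.pinned[ip]:
            raised.append(("pinned-mismatch", ip, mac))
        # 2) An IP answering from a different MAC than before is suspicious.
        first = self.seen.setdefault(ip, mac)
        if first != mac:
            raised.append(("ip-mac-changed", ip, mac))
        # 3) One MAC answering for several IPs is the poisoning pattern itself.
        is_new = ip not in self.by_mac[mac]
        self.by_mac[mac].add(ip)
        if is_new and len(self.by_mac[mac]) > 1:
            raised.append(("mac-claims-many-ips", mac, tuple(sorted(self.by_mac[mac]))))
        self.alerts.extend(raised)
        return raised


def pin_gateway_command(ip: str, mac: str, dev: str) -> str:
    """iproute2 command that makes the gateway entry permanent on a Linux client
    (the user-side 'fix the gateway once the interface is up' mitigation)."""
    return f"ip neigh replace {ip} lladdr {mac.lower()} dev {dev} nud permanent"


if __name__ == "__main__":
    mon = ArpMonitor(pinned={GATEWAY_IP: GATEWAY_MAC})
    for ip, mac in SAMPLE_REPLIES:
        for alert in mon.observe(ip, mac):
            print(alert)
    print(pin_gateway_command(GATEWAY_IP, GATEWAY_MAC, "eth0"))  # "eth0" is an assumption
```

The pinned value has to come from somewhere trustworthy: a gateway learned by parsing DHCP messages is only as reliable as DHCP on that LAN, and the same attacker position allows a rogue DHCP offer, so the heuristic checks remain useful even when pinning is in place.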
Related work
E. Lin, D. M. N. de Castro, M. Wang, and J. Aycock. SPoIM: A Close Look at Pollution Attacks in P2P Live Streaming. IEEE International Workshop on Quality of Service, 2010, to appear.
M. Kershaw. Wireless security isn’t dead, attacking clients with MSF.Black Hat DC, 2010.
Conclusions
We have presented Typhoid Adware, a new approach for spreading advertisements
Implemented using well-known techniques (ARP spoofing and proxies), but other approaches can also be used (including on other types of network)
Even the most overhead-intensive case allows the victim to receive content in reasonable time.
We also presented some approaches for mitigation.
Typhoid Adware is a viable threat, especially in poorly monitored environments
Thanks / Merci / Obrigado
Typhoid Adware
Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, Mea Wang
University of Calgary – Alberta – Canada
Any questions?