Seminar

Spyware and Trojan Horses Computer Security Seminar
4th November 2004
Spyware and Trojan Horses

Computer Security Seminar Series
4th November 2004
Your computer could be watching your every move!

Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
4th November 2004
Introduction
4th November 2004
Seminar Overview
Introduction to Spyware / Trojan Horses Spyware Examples, Mechanics, Effects, Solutions Tracking Cookies Mechanics, Effects, Solutions Trojan Horses Mechanics, Effects, More Examples Solutions to the problems posed Human Factors Human interaction with Spyware System X Having suitable avoidance mechanisms Conclusions Including our proposals for solutions
4th November 2004
Definitions
A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.
R WA Y SP
Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
N O JA E TR R S HO
4th November 2004
Symptoms
Targeted Pop-ups Slow Connection Targeted E-Mail (Spam) Unauthorized Access Spam Relaying Browser Hijack Program Customization
SPYWARE SPYWARE / TROJAN SPYWARE TROJAN HORSE TROJAN HORSE SPYWARE / TROJAN SPYWARE
4th November 2004
Summary of Effects
Collection of data from your computer without consent Execution of code without consent Assignment of a unique code to identify you Collection of data pertaining to your habitual use Installation on your computer without your consent Inability to remove the software Performing other undesirable tasks without consent
4th November 2004
Similarities / Differences
Spyware
Commercially Motivated Internet connection required Initiates remote connection Purpose: To monitor activity Collects data and displays pop-ups Legal Not Detectable with Virus Checker Age: Relatively New (< 5 Years)
Trojan Horses
Malicious Any network connection required Receives incoming connection Purpose: To control activity Unauthorized access and control Illegal Detectable with Virus Checker Age: Relatively Old ( > 20 Years)
Memory Resident Processes Surreptitiously installed without users consent or understanding Creates a security vulnerability
4th November 2004
Spyware
Image Source The Gator Corporation http://www.gator.com
4th November 2004
Software Examples
GAIN / Gator Gator E-Wallet Kazzaa BonziBuddy MySearch Toolbar DownloadWare BrowserAid Dogpile Toolbar
Image Sources GAIN Logo The Gator Corporation http://www.gator.com BonziBuddy Logo Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif DownloadWare Logo DownloadWare - http://www.downloadware.net
4th November 2004
Advantages
Precision Marketing
Relevant pop-ups are better than all of them! You may get some useful adverts!
Useful Software
DivX Pro, IMesh, KaZaA, Winamp Pro (Experienced) people understand what they are installing.
Enhanced Website Interaction

Targeted banner adverts Website customisation User Perspective - I
4th November 2004
Disadvantages
Browsing profiles created for users without consent
Used for target marketing and statistical analysis
Unable to remove Spyware programs or disable them Increased number of misleading / inappropriate pop-ups Invasion of user privacy (hidden from user) Often badly written programs corrupt user system Automatically provides unwanted helpful tools 20 million+ people have Spyware on their machines.
Source - Dec 02 GartnerG2 Report
User Perspective - II
4th November 2004
Example Pop-up
Misleading Pop-up
User Perspective - III

Image Source Browser Cleanser Directed pop-up from http://www.browsercleanser.com/
4th November 2004
Network Overview
Push Advertising Pull Tracking Personal data
Technical Analysis - I
Image Source Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
4th November 2004
Client-Side Operation
Technical Analysis - II
4th November 2004
Server-Side Operation
Server-side operation is relatively unknown. However, if I were to develop such a system, it would contain
Technical Analysis - III
4th November 2004
Spyware Defence
User Initiatives
Issue Awareness Use Legitimate S/W Sources Improved Technical Ability Choice of Browser Choice of OS Legal action taken against breaches of privacy Oct 02 Doubleclick
Technical Initiatives...
Spyware Removal Programs Pop-up Blockers Firewall Technology Disable ActiveX Controls Not Sandboxed E-Mail Filters Download Patches
4th November 2004
GAIN Case Study

Installed IMesh, which includes Gator Installation We accessed multiple internet sites We simultaneously analyzed network traffic (using IRIS) We found the packets of data being sent to GAIN Packets were encrypted and we could not decrypt them
See Example ->
4th November 2004
Image Source Screenshot of IRIS v3.7 Network Analyser Professional Networks Ltd. See http://www.pnltools.com.
4th November 2004
Spyware Removers
Ad-aware (by Lavasoft) http://www.lavasoft.de *Freeware* Reverse Engineer Spyware Scans Memory, Registry and Hard Drive for
Data Mining components Aggressive advertising components Tracking components
Free Updates from Lavasoft Plug-ins available

Extra file information Disable Windows Messenger Service
Image Source Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com
4th November 2004
Spyware Removers
Spybot Search & Destroy http://www.spybot.info *Freeware* Reverse Engineer Spyware Scans Memory, Registry and Hard Drive for
Data Mining components Aggressive advertising components Tracking components
Free Updates from Spybot Use with caution!

This may be the best at removal but your system can suffer afterwards.
Image Source Screenshot of Spybot. See http://www.spybot.info
4th November 2004
Vulnerable Systems
Any with an internet connection! BROADBAND! Microsoft Windows 9x/Me/NT/2000/XP Affects Open Source/Mac OSs less Non - fire-walled systems Internet Explorer, executes ActiveX plug-ins Other browsers affected less
4th November 2004
Tracking Cookies
4th November 2004
Cookies
A Cookie is a small text file sent to the user from a website.
Contains Website visited Provides client-side personalisation Supports easy Login
Cookies are controlled by

Websites Application Server Client-side Java Script
The website is effectively able to remember the user and their activity on previous visits. Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.
4th November 2004
Case Study - DoubleClick

Most regular web users will have a doubleclick.net cookie. Affiliated sites request the DoubleClick cookie on the users computer. The site then sends
Who you are All other information in your cookie file
In return for
All available marketing information on you - collected from other affiliated sites which the you have hit.
4th November 2004
Case Study DoubleClick

Site targets banner adverts, e-mails and pop-ups to the user.
If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user. The whole process is opaque to the user and occurs without their consent.
4th November 2004
Tracking Cookie Implementation

Protocol designed to only allow the domain who created a cookie to access it. IE has a number of security holes Up to IE 5, domain names specified incorrectly. Up to IE 6, able to fool IE into believing it is in another domain. Patches and IE 6 solved a number of problems Since then, tracking cookies are still proving a large problem, there are still a number of holes still open.
4th November 2004
Tracking Cookie Implementation
4th November 2004
Tracking Cookie Defence

Replace tracking cookies with write protected zero length files of the same name. DoubleClick offer an opt-out cookie, which can be obtained from their website. Disable cookies
Makes many websites unusable
Delete cookies after session Spyware remover (Ad-aware) FireFox browser

Image Source Screenshot of DoubleClick OptOut Cookie displayed in Microsoft Notepad.
4tn November 2004
Trojan Horses
10
4th November 2004
Installation
Secretly installed when an infected executable is run
Much like a virus Executables typically come from P2P networks or unscrupulous websites
ActiveX controls on websites

ActiveX allows automatic installation of software from websites User probably does not know what they are running Misleading descriptions often given Not sandboxed! Digital signatures used, signing not necessary
4th November 2004
Installation
Certificate Authority Misleading Certificate Description Who is trusted?
Image Source Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from Roings.
4th November 2004
Effects
Allows remote access
To spy To disrupt To relay a malicious connection, so as to disguise the attackers location (spam, hacking) To access resources (i.e. bandwidth, files) To launch a DDoS attack
11
4th November 2004
Operation
Listen for connections Memory resident Start at boot-up Disguise presence Rootkits integrate with kernel Password Protected
4th November 2004
Example: Back Orifice

Back Orifice Produced by the Cult of the Dead Cow Win95/98 is vulnerable Toast of DefCon 6 Similar operation to NetBus Name similar to MS Product of the time
4th November 2004
BO: Protocol
Modular authentication Modular encryption
AES and CAST-256 modules available
UDP or TCP Variable port

Avoids most firewalls
IP Notification via. ICQ

Dynamic IP addressing not a problem
12
4th November 2004
BO: Protocol Example (1)

TROJAN
INFECTION OCCURS
Attacker
IP ADDRESS AND PORT ICQ SERVER IP ADDRESS AND PORT
Victim
CONNECTION
4th November 2004

COMMAND
COMMAND EXECUTED
Attacker
CONNECTION
Victim
REQUEST FOR INFORMATION INFORMATION
4th November 2004

CLEANUP COMMAND
EVIDENCE DESTROYED
Attacker
Victim
13
4th November 2004
Trojan Horse Examples

M$ Rootkit Integrates with the NT kernel Very dangerous Virtually undetectable once installed Hides from administrator as well as user Private TCP/IP stack (LAN only)
4th November 2004

iSpyNOW Commercial Web-based client Assassin Trojan Custom builds may be purchased These are not found by virus scanners Firewall circumvention technology
4th November 2004

Real World Dangers Keystroke loggers Circumvents banking and retail websites security because your username and password are transmitted in the clear.
14
4th November 2004

Real World Dangers Remote Access Criminals are able to access your PC as if they were sitting at it.
4th November 2004

Real World Dangers Zombie Networks Hackers are selling access to zombie networks of 10,000+ PCs for about .10 each. They are often used to send Spam.
4th November 2004
Demonstration
15
4th November 2004
Vulnerable Systems
Number of trojans in common use
RELATIVELY SAFE
DANGEROUS
MacOS MacOS X
WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Ease of compromise
WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
MacOS X Linux/Unix
Vulnerable Systems
RELATIVELY SAFE DANGEROUS
Conclusions
Linux/Unix WinNT
WinNT MacOS
Win 9x
4th November 2004
Win 9x
4th November 2004
16
4th November 2004
Security Implications
Short Term
Divulge personal data Backdoors into system System corruption Disruption / Irritation Aids identity theft Easy virus distribution Increased spam
Long Term
Mass data collection Consequences unknown Web becomes unusable Web cons outweigh pros Cost of preventions More development work More IP addresses (IPv6)
4th November 2004
Solutions
Short Term
Firewall Virus Checker Spyware Remover Frequent OS updates Frequent back-up Learning problems
Long Term
Add Spyware to Anti-Virus Automatic maintenance Legislation Education on problems Biometric access Semantic web (and search)
4th November 2004
Firewalls
3 Types
Packet Filtering Examines attributes of packet.
Network / Internet
Application Layer Hides the network by impersonating the server (proxy). Stateful Inspection Examines both the state and context of the packets.
Regardless of type; must be configured to work properly. Access rules must be defined and entered into firewall.
17
4th November 2004
Firewalls
http - tcp 80
Network / Internet
http - tcp 80 telnet - tcp 23 ftp - tcp 21 Web Server Firewall Allow only http - tcp 80
Packet Filtering
192.168.0.10 : 1020
202.52.222.10: 80 202.52.222.10: 80 Firewall
Stateful Inspection
192.168.0.10 : 1020 PC
Only allow reply packets for requests made out Block other unregistered traffic
4th November 2004
Software Firewall
Kerio PersonalFirewall http://www.kerio.com *Freeware* Stateful Packet Inspection Scans applications and data Inbound and Outbound!
Spyware connections outbound would be flagged.
Free Updates from Kerio Easily trained

ZoneAlarm
Image Source Screenshot of Kerio PersonalFirewall. See http://www.kerio.com
4th November 2004
Intrusion Detection Systems
Network
Server
Switch
Firewall
IDS
Server
Intrusion Detection A Commercial Network Solution An Intelligent Firewall monitors accesses for suspicious activity Neural Networks trained by Backpropagation on Usage Data Could detect Trojan Horse attack, but not designed for Spyware
PC
Put the IDS in front of the firewall to get maximum detection In a switched network, put IDS on a mirrored port to get all traffic. Ensure all network traffic passes through the IDS host.
18
4th November 2004
System X
Composed of
Network / Internet / Standalone
Clean, fully patched Operating System (OS) Firefox / Opera / Lynx (!) Browser (Not IE) Stateful Inspection Firewall http://www.kerio.com Anti-Virus Software such as Norton AV or AVG Careful user scrutiny of pop-ups and email Beware free utilities and especially filesharing apps Regular patches (possibly automatically)
4th November 2004
Questions
4th November 2004
Bibliography / Links
[1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php [2] "Trojan Horse" Definition Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html [3] Zeinalipour-Yazti, D. Exploiting the Security Weaknesses of the Gnutella Protocol, University of California. [4] Joshi, R. Network Security Applications, Merchantile Communications, CANIT Conference 2003. [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html [6] Spyware Guide http://www.spyware-guide.com [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm [11] Wired News Judge takes bite out of Gator www.wired.com/news/politics/0,1283,53875,00.html [12] Tracking Cookies Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp [14] Unwanted Links (Spyware) http://www.unwantedlinks.com [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001. [16] Scacchi, W. Privacy and Other Social Issues, Addison-Wesley, 2003. http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt [17] Kerio Personal Firewall http://www.kerio.com
19

Seminar

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Seminar

Uploaded by

Copyright:

Available Formats

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Your computer could be watching your every move!

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php

Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Image Source The Gator Corporation http://www.gator.com

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Enhanced Website Interaction

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

User Perspective - III

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Technical Analysis - III

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

GAIN Case Study

See Example ->

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Free Updates from Lavasoft Plug-ins available

Image Source Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Free Updates from Spybot Use with caution!

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Spyware and Trojan Horses Computer Security Seminar

4th November 2004

Cookies are controlled by

Spyware and Trojan Horses Computer Security Seminar