Spyware and Trosen Horces

Spyware and Trojan Horses – Computer Security Seminar 12th February 2004
Spyware and Trojan Horses

Computer Security Seminar Series
[SS1]
Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Your computer could be watching your

every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg

Introduction

Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions

Definitions
E
A general term for a program that surreptitiously monitors your
A R
actions. While they are sometimes sinister, like a remote
W
control program used by a hacker, software companies have
P Y
been known to use Spyware to gather data about customers.
S The practice is generally frowned upon.
N
Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
An apparently useful and innocent program containing additional

O J A
hidden code which allows the unauthorized collection,
TR RSE
O
exploitation, falsification, or destruction of data.
H
Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

Symptoms
• Targeted Pop-ups SPYWARE

• Slow Connection SPYWARE / TROJAN
• Targeted E-Mail (Spam) SPYWARE
• Unauthorized Access TROJAN HORSE
• Spam Relaying TROJAN HORSE
• System Crash SPYWARE / TROJAN
• Program Customisation SPYWARE

Summary of Effects
• Collection of data from your computer without consent

• Execution of code without consent
• Assignment of a unique code to identify you
• Collection of data pertaining to your habitual use
• Installation on your computer without your consent
• Inability to remove the software
• Performing other undesirable tasks without consent

Similarities / Differences
Spyware Trojan Horses
Commercially Motivated Malicious
Internet connection required Any network connection required
Initiates remote connection Receives incoming connection
Purpose: To monitor activity Purpose: To control activity
Collects data and displays pop-ups Unauthorized access and control
Legal Illegal
Not Detectable with Virus Checker Detectable with Virus Checker
Age: Relatively New (< 5 Years) Age: Relatively Old ( > 20 Years)
Memory Resident Processes
Surreptitiously installed without user’s consent or understanding
Creates a security vulnerability
Source – Table derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Spyware
Image Source – The Gator Corporation – http://www.gator.com

Software Examples
• GAIN / Gator
• Gator E-Wallet
• Cydoor
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
• Dogpile Toolbar
Image Sources…
GAIN Logo – The Gator Corporation – http://www.gator.com

BonziBuddy Logo – Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif
DownloadWare Logo – DownloadWare - http://www.downloadware.net

Advantages
• Precision Marketing
– Relevant pop-ups are better than all of them!
– You may get some useful adverts!
• Useful Software
– DivX Pro, IMesh, KaZaA, Winamp Pro
– (Experienced) people understand what they are installing.
• Enhanced Website Interaction

– Targeted banner adverts
– Website customisation
User Perspective - I

Disadvantages
• Browsing profiles created for users without consent
– Used for target marketing and statistical analysis
• Unable to remove Spyware programs or disable them

• Increased number of misleading / inappropriate pop-ups
• Invasion of user privacy (hidden from user)
• Often badly written programs corrupt user system
• Automatically provides unwanted “helpful” tools
• “20 million+ people have Spyware on their machines.”
Source - Dec ’02 GartnerG2 Report
User Perspective - II

Example Pop-up
Misleading Pop-up
User Perspective - III

Image Source – Browser Cleanser – Directed pop-up from http://www.browsercleanser.com/

Network Overview
• Push
•Advertising
•Pull
•Tracking
•Personal data
Technical Analysis - I
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Client-Side Operation
Technical Analysis - II

Server-Side Operation
• Server-side operation is relatively unknown. However, if
we were to develop such a system, it would contain…
Technical Analysis - III

Spyware Defence
User Initiatives… Technical Initiatives...
• Issue Awareness • Spyware Removal Programs
• Use Legitimate S/W Sources • Pop-up Blockers
• Improved Technical Ability • Firewall Technology
• Choice of Browser • Disable ActiveX Controls
• Choice of OS – Not Sandboxed
• Legal action taken against • E-Mail Filters
breaches of privacy • Download Patches
– Oct ’02 Doubleclick

GAIN Case Study

• Installed IMesh, which includes Gator Installation
• We accessed multiple internet sites
• We simultaneously analyzed network traffic (using IRIS)
• We found the packets of data being sent to GAIN
• Packets were encrypted and we could not decrypt them
• See Example ->

Image Source – Screenshot of IRIS v3.7 Network Analyser – Professional Networks Ltd. See http://www.pnltools.com.

Spyware Removers
Ad-aware (by Lavasoft)
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
– Updates from Lavasoft

– Plug-ins available
• Extra file information
• Disable Windows Messenger Service
Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com

Vulnerable Systems
• Those with an internet connection!

• Microsoft Windows 9x/Me/NT/2000/XP
• Does not affect Open Source OSs
• Non - fire-walled systems
• Internet Explorer, executes ActiveX plug-ins
• Other browsers not affected

Tracking Cookies

Cookies
• A Cookie is a small text file sent to the user from a website.
– Contains Website visited
– Provides client-side personalisation
– Supports easy Login
• Cookies are controlled by…

– Website’s Application Server
– Client-side Java Script
• The website is effectively able to ‘remember’ the user and their

activity on previous visits.
• Spyware companies working with websites are able to use this
relatively innocent technology to deliver targeted REAL TIME
marketing, based on cookies and profiles.

Case Study - DoubleClick

• Most regular web users will have a “doubleclick.net” cookie.
• Affiliated sites request the DoubleClick cookie on the users
computer.
• The site then sends…
– Who you are
– All other information in your cookie file
• In return for…
– All available marketing information on you - collected from other
affiliated sites which the you have hit.

Case Study – DoubleClick
• Site targets banner adverts, e-mails and pop-ups to the

user.
• If the user visits an affiliated site without a DoubleClick

cookie, then one is sent to the user.
• The whole process is ‘opaque’ to the user and occurs

without their consent.

Tracking Cookie Implementation
• Protocol designed to only allow the domain who created a cookie to

access it.
• IE has a number of security holes…
– Up to IE 5, domain names specified incorrectly.
– Up to IE 6, able to fool IE into believing it is in another domain.
• Patches and IE 6 solved a number of problems
• Since then, tracking cookies are still proving a large problem, there
are still a number of holes still open.

Tracking Cookie Implementation
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [16].

Tracking Cookie Defence

• Replace tracking cookies with write protected zero
length files of the same name.
• DoubleClick offer an opt-out cookie, which can be
obtained from their website.
• Disable cookies
– Makes many websites unusable
• Delete cookies after session

• Spyware remover (Ad-aware)
Image Source – Screenshot of DoubleClick OptOut Cookie displayed in Microsoft Notepad.

Trojan Horses

Installation
• Secretly installed when an infected executable is run
– Much like a virus
– Executables typically come from P2P networks or unscrupulous
websites
• ActiveX controls on websites
– ActiveX allows automatic installation of software from websites
– User probably does not know what they are running
– Misleading descriptions often given
– Not sandboxed!
– Digital signatures used, signing not necessary

Installation
• Certificate Authority
• Misleading Certificate
Description
• Who is trusted?
Image Source – Screenshot of Microsoft

Internet Explorer 6 security warning, prior
to the installation of an ActiveX Control
from “Roings”.

Effects
• Allows remote access
– To spy
– To disrupt
– To relay a malicious connection, so as to disguise the
attacker’s location (spam, hacking)
– To access resources (i.e. bandwidth, files)
– To launch a DDoS attack

Operation
• Listen for connections
• Memory resident
• Start at boot-up
• Disguise presence
• Rootkits integrate with kernel
• Password Protected

Example: Back Orifice

• Back Orifice
– Produced by the “Cult of the Dead Cow”
– Win95/98 is vulnerable
– Toast of DefCon 6
– Similar operation to NetBus
– Name similar to MS Product of the time

BO: Protocol
• Modular authentication
• Modular encryption
– AES and CAST-256 modules available
• UDP or TCP
• Variable port
– Avoids most firewalls
• IP Notification via. ICQ

– Dynamic IP addressing not a problem

BO: Protocol Example (1)
TROJAN
INFECTION OCCURS
Attacker Victim
ICQ SERVER
IP ADDRESS IP ADDRESS
AND PORT AND PORT
CONNECTION

COMMAND
COMMAND EXECUTED
Attacker Victim
CONNECTION
REQUEST FOR INFORMATION
INFORMATION

CLEANUP COMMAND
EVIDENCE DESTROYED
Attacker Victim

Trojan Horse Examples

• M$ Rootkit
– Integrates with the NT kernel
– Very dangerous
– Virtually undetectable once installed
– Hides from administrator as well as user
– Private TCP/IP stack (LAN only)


• iSpyNOW
– Commercial
– Web-based client
• Assassin Trojan
– Custom builds may be purchased
– These are not found by virus scanners
– Firewall circumvention technology


• Hardware
– Key loggers
– More advanced?
• Magic Lantern
– FBI developed
– Legal grey area (until recently!)
– Split virus checking world

Demonstration

Vulnerable Systems
Number of trojans in common use…
RELATIVELY SAFE DANGEROUS

MacOS
MacOS X
Linux/Unix
WinNT
Win 9x
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/

Vulnerable Systems
Ease of compromise…
RELATIVELY SAFE DANGEROUS
Linux/Unix
MacOS X
WinNT
MacOS
Win 9x
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/

Conclusions

Security Implications
Short Term Long Term

• Divulge personal data • Mass data collection
• Backdoors into system • Consequences unknown
• System corruption • Web becomes unusable
• Disruption / Irritation • Web cons outweigh pros
• Aids identity theft • Cost of preventions
• Easy virus distribution • More development work
• Increased spam • More IP addresses (IPv6)

Solutions
Short Term Long Term

• Firewall • Add Spyware to Anti-Virus
• Virus Checker • Automatic maintenance
• Spyware Remover • Legislation
• Frequent OS updates • Education on problems
• Frequent back-up • Biometric access
• Learning problems • Semantic web (and search)

Firewalls
Network / Internet
• 3 Types…
– Packet Filtering – Examines attributes of packet.
– Application Layer – Hides the network by impersonating the
server (proxy).
– Stateful Inspection – Examines both the state and context of the
packets.
• Regardless of type; must be configured to work properly.

• Access rules must be defined and entered into firewall.

Firewalls
Network / Internet
http - tcp 80
telnet - tcp 23
http - tcp 80
Internet
Packet Filtering ftp - tcp 21
Web Server Firewall

Allow only http - tcp 80
192.168.0.10 : 202.52.222.10: 80
1020
202.52.222.10: 80 Internet
Stateful Inspection 192.168.0.10 : 1020
PC Firewall
Only allow reply packets for requests made
out
Block other unregistered traffic

Intrusion Detection Systems

Network
Server
Internet
Switch Firewall IDS
Server • Intrusion Detection – A Commercial Network Solution

• An “Intelligent Firewall” – monitors accesses for suspicious activity
• Neural Networks trained by Backpropagation on Usage Data
• Could detect Trojan Horse attack, but not designed for Spyware
PC
• Put the IDS in front of the firewall to get maximum detection
• In a switched network, put IDS on a mirrored port to get all traffic.
• Ensure all network traffic passes through the IDS host.

“System X”
Network / Internet / Standalone
• Composed of…
– Open Source OS
– Mozilla / Opera / Lynx (!) Browser (Not IE)
– Stateful Inspection Firewall
– Anti-Virus Software
– Careful and educated user
– Secure permissions system
– Regularly updated (possibly automatically)

Questions…
Image Source – Penny Arcade - http://www.penny-arcade.com/view.php3?date=2002-07-19&res=l

Bibliography / Links
• [1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
• [2] "Trojan Horse" Definition
– Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
• [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.
• [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
• [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html
• [6] Spyware Guide – http://www.spyware-guide.com
• [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml
• [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html
• [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm
• [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm
• [11] Wired News – “Judge takes bite out of Gator” www.wired.com/news/politics/0,1283,53875,00.html
• [12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm
• [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
• [14] Unwanted Links (Spyware) – http://www.unwantedlinks.com
• [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.
• [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003.
– http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt

Spyware and Trosen Horces

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Spyware and Trosen Horces

Uploaded by

Copyright:

Available Formats

Spyware and Trojan Horses – Computer Security Seminar 12th February 2004

Spyware and Trojan Horses

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Your computer could be watching your

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

S The practice is generally frowned upon.

An apparently useful and innocent program containing additional

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Targeted Pop-ups SPYWARE

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Collection of data from your computer without consent

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Image Source – The Gator Corporation – http://www.gator.com

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

GAIN Logo – The Gator Corporation – http://www.gator.com

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Enhanced Website Interaction

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Unable to remove Spyware programs or disable them

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

User Perspective - III

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Technical Analysis - III

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

GAIN Case Study

• See Example ->

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

– Updates from Lavasoft

Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Those with an internet connection!

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

• Cookies are controlled by…

• The website is effectively able to ‘remember’ the user and their

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Case Study - DoubleClick

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Case Study – DoubleClick

• Site targets banner adverts, e-mails and pop-ups to the

• If the user visits an affiliated site without a DoubleClick

• The whole process is ‘opaque’ to the user and occurs

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Tracking Cookie Implementation

• Protocol designed to only allow the domain who created a cookie to

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Tracking Cookie Implementation

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Tracking Cookie Defence

• Delete cookies after session

Image Source – Screenshot of DoubleClick OptOut Cookie displayed in Microsoft Notepad.

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

Image Source – Screenshot of Microsoft

Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk