Spyware and Trojan Horses
Computer Security Seminar Series
Spyware and Trojan Horses – Computer Security Seminar 4th November 2004
Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
Introduction
Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions
Definitions
SPYWARE
A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.
Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
TROJAN HORSE
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
Symptoms
• Targeted Pop-ups – Spyware
• Slow Connection – Spyware / Trojan
• Targeted E-Mail (Spam) – Spyware
• Unauthorized Access – Trojan Horse
• Spam Relaying – Trojan Horse
• Browser Hijack – Spyware / Trojan
• Program Customization – Spyware
Summary of Effects
• Collection of data from your computer without consent
• Execution of code without consent
• Assignment of a unique code to identify you
• Collection of data pertaining to your habitual use
• Installation on your computer without your consent
• Inability to remove the software
• Performing other undesirable tasks without consent
Similarities / Differences
Trojan Horses                        | Spyware
Malicious                            | Commercially Motivated
Receives incoming connection         | Initiates remote connection
Purpose: To control activity         | Purpose: To monitor activity
Unauthorized access and control      | Collects data and displays pop-ups
Illegal                              | Legal
Any network connection required      | Internet connection required
Detectable with Virus Checker        | Not Detectable with Virus Checker
Age: Relatively Old (> 20 Years)     | Age: Relatively New (< 5 Years)
Common to both:
• Memory Resident Processes
• Surreptitiously installed without user’s consent or understanding
• Creates a security vulnerability
Spyware
Image Source – The Gator Corporation – http://www.gator.com
Software Examples
• GAIN / Gator
• Gator E-Wallet
• KaZaA
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
• Dogpile Toolbar
Image Sources…
GAIN Logo – The Gator Corporation – http://www.gator.com
BonziBuddy Logo – Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif
DownloadWare Logo – DownloadWare - http://www.downloadware.net
User Perspective - I
Advantages
• Precision Marketing
– Relevant pop-ups are better than all of them!
– You may get some useful adverts!
• Useful Software
– DivX Pro, IMesh, KaZaA, Winamp Pro
– (Experienced) people understand what they are installing.
• Enhanced Website Interaction
– Targeted banner adverts
– Website customisation
User Perspective - II
Disadvantages
• Browsing profiles created for users without consent
– Used for target marketing and statistical analysis
• Unable to remove Spyware programs or disable them
• Increased number of misleading / inappropriate pop-ups
• Invasion of user privacy (hidden from user)
• Often badly written programs corrupt user system
• Automatically provides unwanted “helpful” tools
• “20 million+ people have Spyware on their machines.”
Source - Dec ’02 GartnerG2 Report
User Perspective - III
Example Pop-up
Misleading Pop-up
Image Source – Browser Cleanser – Directed pop-up from http://www.browsercleanser.com/
Technical Analysis - I
Network Overview
(Diagram of the spyware network flow between client and server.)
• Push: Advertising
• Pull: Tracking, Personal data
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Technical Analysis - II
Client-Side Operation
Technical Analysis - III
Server-Side Operation
• Server-side operation is relatively unknown. However, if I were to develop such a system, it would contain…
Spyware Defence
Technical Initiatives...
• Spyware Removal Programs
• Pop-up Blockers
• Firewall Technology
• Disable ActiveX Controls
– Not Sandboxed
• E-Mail Filters
• Download Patches
User Initiatives…
• Issue Awareness
• Use Legitimate S/W Sources
• Improved Technical Ability
• Choice of Browser
• Choice of OS
• Legal action taken against breaches of privacy
– Oct ’02 Doubleclick
GAIN Case Study
• Installed IMesh, which includes Gator Installation
• We accessed multiple internet sites
• We simultaneously analyzed network traffic (using IRIS)
• We found the packets of data being sent to GAIN
• Packets were encrypted and we could not decrypt them
• See Example ->
Image Source – Screenshot of IRIS v3.7 Network Analyser – Professional Networks Ltd. See http://www.pnltools.com.
Spyware Removers
Ad-aware (by Lavasoft) http://www.lavasoft.de *Freeware*
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
– Free Updates from Lavasoft
– Plug-ins available
• Extra file information
• Disable Windows Messenger Service
Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com
Spyware Removers
Spybot Search & Destroy http://www.spybot.info *Freeware*
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
– Free Updates from Spybot
– Use with caution!
• This may be the best at removal, but your system can suffer afterwards.
Image Source – Screenshot of Spybot. See http://www.spybot.info
Vulnerable Systems
• Any with an internet connection! BROADBAND!
• Microsoft Windows 9x/Me/NT/2000/XP
• Affects Open Source/Mac OSs less
• Non-firewalled systems
• Internet Explorer, executes ActiveX plug-ins
• Other browsers affected less
Tracking Cookies
Cookies
• A Cookie is a small text file sent to the user from a website.
– Contains Website visited
– Provides client-side personalisation
– Supports easy Login
• Cookies are controlled by…
– Website’s Application Server
– Client-side Java Script
• The website is effectively able to ‘remember’ the user and their activity on previous visits.
• Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.
Case Study - DoubleClick
• Most regular web users will have a “doubleclick.net” cookie.
• Affiliated sites request the DoubleClick cookie on the user’s computer.
• The site then sends…
– Who you are
– All other information in your cookie file
• In return for…
– All available marketing information on you - collected from other affiliated sites which you have hit.
Case Study – DoubleClick
• Site targets banner adverts, e-mails and pop-ups to the user.
• If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user.
• The whole process is ‘opaque’ to the user and occurs without their consent.
Tracking Cookie Implementation
• Protocol designed to only allow the domain which created a cookie to access it.
• IE has a number of security holes…
– Up to IE 5, domain names specified incorrectly.
– Up to IE 6, able to fool IE into believing it is in another domain.
• Patches and IE 6 solved a number of problems
• Since then tracking cookies have remained a large problem, because a number of holes are still open.
Tracking Cookie Defence
• Replace tracking cookies with write protected zero
length files of the same name.
• DoubleClick offer an opt-out cookie, which can be
obtained from their website.
• Disable cookies
– Makes many websites unusable
• Delete cookies after session
• Spyware remover (Ad-aware)
• FireFox browser
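The cookie mechanics described under Tracking Cookie Implementation, and the "block third-party cookies" and "delete cookies after session" defences above, written out as a small simulation. This is an added example, not code from the seminar: the host names, cookie names and values are constructed, and the jar follows the usual label-aware domain-match rule (a cookie set for doubleclick.net is sent to ad.doubleclick.net but never to an unrelated site). The scenario replays the DoubleClick case study across two affiliate sites so the linking effect of one shared id cookie is visible, and shows it disappearing once third-party cookies are refused.

```python
# Added example (not from the seminar slides): a small cookie jar that applies
# the domain rule described above (only the domain that set a cookie may read
# it back) and a "block third-party cookies" policy, then replays the
# DoubleClick-style scenario across two affiliate sites.
# All host names and cookie values are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # Domain attribute from Set-Cookie, e.g. "doubleclick.net"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Label-aware domain match: the host is the cookie domain or a subdomain
    of it. 'evildoubleclick.net' must NOT match 'doubleclick.net'."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self, block_third_party: bool = False) -> None:
        self.block_third_party = block_third_party
        self.cookies: List[Cookie] = []

    def receive(self, response_host: str, page_host: str, cookie: Cookie) -> bool:
        """Handle a Set-Cookie from `response_host` while the user is viewing a
        page on `page_host`. Returns True if the cookie is stored."""
        # A server may only set cookies for its own domain (or a parent of it).
        if not domain_matches(response_host, cookie.domain):
            return False
        # Third party: the setting domain is not the domain of the page itself.
        if self.block_third_party and not domain_matches(page_host, cookie.domain):
            return False
        # Replace any existing cookie with the same name and domain.
        self.cookies = [c for c in self.cookies
                        if not (c.name == cookie.name and c.domain == cookie.domain)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str) -> Dict[str, str]:
        """Cookies the browser would attach to a request to `request_host`."""
        return {c.name: c.value for c in self.cookies
                if domain_matches(request_host, c.domain)}

    def clear(self) -> None:
        """The 'delete cookies after session' defence."""
        self.cookies.clear()


def tracking_scenario(block_third_party: bool) -> Dict[str, Dict[str, str]]:
    """Visit two unrelated affiliate sites that both embed a banner served by
    ad.doubleclick.net. Returns the cookies each host would receive afterwards."""
    jar = CookieJar(block_third_party=block_third_party)
    # Visit shop-a: its own session cookie, plus the ad network's id cookie.
    jar.receive("www.shop-a.example", "www.shop-a.example",
                Cookie("session", "a1", "shop-a.example"))
    jar.receive("ad.doubleclick.net", "www.shop-a.example",
                Cookie("id", "user-7731", "doubleclick.net"))
    # Visit news-b: the banner request now carries the same id cookie, which
    # is what links the two visits to one user.
    jar.receive("www.news-b.example", "www.news-b.example",
                Cookie("session", "b9", "news-b.example"))
    return {host: jar.cookies_for(host) for host in
            ("www.shop-a.example", "www.news-b.example", "ad.doubleclick.net")}


if __name__ == "__main__":
    print("third-party allowed:", tracking_scenario(False))
    print("third-party blocked:", tracking_scenario(True))
```

With third-party cookies allowed, ad.doubleclick.net receives the same id cookie from both visits while neither affiliate can read it, which is exactly the profile-linking the case study describes; with the policy on, the id cookie is never stored and the ad network sees nothing. The "domain names specified incorrectly" hole on the slide corresponds to getting domain_matches wrong, e.g. a plain suffix test that lets evildoubleclick.net read doubleclick.net's cookie.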
Image Source – Screenshot of DoubleClick OptOut Cookie displayed in Microsoft Notepad.
Trojan Horses
Installation
• Secretly installed when an infected executable is run
– Much like a virus
– Executables typically come from P2P networks or unscrupulous websites
• ActiveX controls on websites
– ActiveX allows automatic installation of software from websites
– User probably does not know what they are running
– Misleading descriptions often given
– Not sandboxed!
– Digital signatures used, signing not necessary
Installation
• Certificate Authority
• Misleading Certificate Description
• Who is trusted?
Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.
Effects
• Allows remote access
– To spy
– To disrupt
– To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
– To access resources (e.g. bandwidth, files)
– To launch a DDoS attack
Operation
• Listen for connections
• Memory resident
• Start at boot-up
• Disguise presence
• Rootkits integrate with kernel
• Password Protected
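Two of the behaviours listed above, "listen for connections" and "start at boot-up", are visible from outside the process even when the trojan disguises its presence, so a defender can audit for them against a known-good baseline. The following is an added example, not code from the seminar or from any product it names: it parses a constructed netstat-style listing and a constructed set of autostart entries, compares both with an allow-list, and reports every deviation. The port number, paths and allow-lists are invented for illustration; the legitimate-looking name svchost.exe is reused on purpose to show that a name alone is not evidence of legitimacy.

```python
# Added example (not from the seminar slides): a baseline audit for the two
# trojan behaviours above that a defender can see from outside the process,
# "listen for connections" and "start at boot-up". A snapshot of listening
# sockets and of autostart entries is compared against an allow-list and any
# deviation is reported. The snapshot, the paths, the port number and the
# allow-lists are constructed for illustration; the program name svchost.exe
# appears twice to show the "disguise presence" trick of borrowing a
# legitimate name.
from __future__ import annotations
from typing import Dict, List, Tuple

# Constructed: a netstat-style listing of listening sockets on the host.
LISTENING_SNAPSHOT = """\
TCP    0.0.0.0:135     LISTENING   svchost.exe
TCP    0.0.0.0:445     LISTENING   System
TCP    0.0.0.0:22222   LISTENING   svchost.exe
UDP    0.0.0.0:22222   *           svchost.exe
"""

# Constructed: name -> command found in an autostart location (e.g. a Run key).
AUTOSTART_SNAPSHOT = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Updater": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
}

# Baseline: (protocol, port) the host is expected to have open and the program
# that normally owns it.
EXPECTED_LISTENERS: Dict[Tuple[str, int], str] = {
    ("TCP", 135): "svchost.exe",
    ("TCP", 445): "System",
}
# Baseline: directories from which autostart programs are allowed to run.
TRUSTED_DIRS = (r"C:\Windows\system32", r"C:\Program Files")


def parse_listeners(snapshot: str) -> List[Dict[str, object]]:
    """Turn the snapshot into rows of protocol, port and owning program."""
    rows = []
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto, local_addr, _state, program = fields[:4]
        port = int(local_addr.rsplit(":", 1)[1])
        rows.append({"proto": proto, "port": port, "program": program})
    return rows


def unexpected_listeners(snapshot: str) -> List[str]:
    """Report listeners not in the baseline, or owned by the wrong program."""
    findings = []
    for row in parse_listeners(snapshot):
        key = (row["proto"], row["port"])
        expected = EXPECTED_LISTENERS.get(key)
        if expected is None:
            findings.append(f"unexpected listener {key[0]}/{key[1]} owned by {row['program']}")
        elif expected != row["program"]:
            findings.append(f"{key[0]}/{key[1]} owned by {row['program']}, expected {expected}")
    return findings


def in_trusted_dir(path: str) -> bool:
    folder = path.rsplit("\\", 1)[0].lower()
    # Compare on a path-separator boundary so "C:\Program FilesX" is rejected.
    return any(folder == d.lower() or folder.startswith(d.lower() + "\\")
               for d in TRUSTED_DIRS)


def suspicious_autostarts(entries: Dict[str, str]) -> List[str]:
    """Report autostart entries that run from outside the trusted directories."""
    return [f"autostart '{name}' runs from untrusted location: {path}"
            for name, path in entries.items() if not in_trusted_dir(path)]


def audit(listening: str, autostart: Dict[str, str]) -> List[str]:
    return unexpected_listeners(listening) + suspicious_autostarts(autostart)


if __name__ == "__main__":
    for finding in audit(LISTENING_SNAPSHOT, AUTOSTART_SNAPSHOT):
        print(finding)
```

The audit does not try to identify a particular trojan; it only asks "is this listener or autostart entry one I expected?", which is the question a "rootkit integrates with kernel" design is built to defeat from inside the host. That is why the slide's later advice to put a firewall or IDS in the network path matters: the listening socket still has to appear on the wire even when the host's own tools are lying.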
Example: Back Orifice
• Back Orifice
– Produced by the “Cult of the Dead Cow”
– Win95/98 is vulnerable
– Toast of DefCon 6
– Similar operation to NetBus
– Name similar to MS Product of the time
BO: Protocol
• Modular authentication
• Modular encryption
– AES and CAST-256 modules available
• UDP or TCP
• Variable port
– Avoids most firewalls
• IP Notification via ICQ
– Dynamic IP addressing not a problem
BO: Protocol Example (1)
(Sequence diagram with three parties: Attacker, ICQ Server, Victim.)
INFECTION OCCURS → TROJAN installed on the victim → IP ADDRESS AND PORT sent to the ICQ server → IP ADDRESS AND PORT delivered to the attacker → CONNECTION from attacker to victim
BO: Protocol Example (2)
(Sequence diagram with two parties: Attacker, Victim.)
CONNECTION → COMMAND → COMMAND EXECUTED → REQUEST FOR INFORMATION → INFORMATION
BO: Protocol Example (3)
(Sequence diagram with two parties: Attacker, Victim.)
CLEANUP COMMAND → EVIDENCE DESTROYED
Trojan Horse Examples
• M$ Rootkit
– Integrates with the NT kernel
– Very dangerous
– Virtually undetectable once installed
– Hides from administrator as well as user
– Private TCP/IP stack (LAN only)
Trojan Horse Examples
• iSpyNOW
– Commercial
– Web-based client
• Assassin Trojan
– Custom builds may be purchased
– These are not found by virus scanners
– Firewall circumvention technology
Trojan Horse Examples
Real World Dangers
• Keystroke loggers
– Circumvent the security of banking and retail websites, because your username and password are captured before they are transmitted.
Trojan Horse Examples
Real World Dangers
• Remote Access
– Criminals are able to access your PC as if they were sitting at it.
Trojan Horse Examples
Real World Dangers
• Zombie Networks
– Hackers are selling access to zombie networks of 10,000+ PC’s for about .10 each. They are often used to send Spam.
Demonstration
Vulnerable Systems
(Chart: operating systems placed on a scale from DANGEROUS to RELATIVELY SAFE by the number of trojans in common use. Systems shown: Win 9x, WinNT, Linux/Unix, MacOS, MacOS X.)
WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Vulnerable Systems
(Chart: the same operating systems placed on a scale from DANGEROUS to RELATIVELY SAFE by ease of compromise.)
Conclusions
Security Implications
Short Term
• Divulge personal data
• Backdoors into system
• System corruption
• Disruption / Irritation
• Aids identity theft
• Easy virus distribution
• Increased spam
Long Term
• Mass data collection
• Consequences unknown
• Web becomes unusable
• Web cons outweigh pros
• Cost of preventions
• More development work
• More IP addresses (IPv6)
Solutions
Short Term
• Firewall
• Virus Checker
• Spyware Remover
• Frequent OS updates
• Frequent back-up
• Learning problems
Long Term
• Add Spyware to Anti-Virus
• Automatic maintenance
• Legislation
• Education on problems
• Biometric access
• Semantic web (and search)
Firewalls
• 3 Types…
– Packet Filtering – Examines attributes of packet.
– Application Layer – Hides the network by impersonating the server (proxy).
– Stateful Inspection – Examines both the state and context of the packets.
• Regardless of type; must be configured to work properly.
• Access rules must be defined and entered into firewall.
Firewalls
Packet Filtering (diagram: Network / Internet → Firewall → Web Server)
Traffic arriving from the network: http - tcp 80, telnet - tcp 23, ftp - tcp 21
Rule: Allow only http - tcp 80. Only http - tcp 80 reaches the web server.
Stateful Inspection (diagram: Network / Internet → Firewall → PC)
Request out from 192.168.0.10 : 1020 to 202.52.222.10 : 80; the reply from 202.52.222.10 : 80 back to 192.168.0.10 : 1020 is allowed through.
Rule: Only allow reply packets for requests made out. Block other unregistered traffic.
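The two diagrams above, as an added example that is not part of the seminar: a stateless packet filter in front of the web server that allows only http (tcp 80), and a stateful inspector in front of the PC that allows an inbound packet only when it is the mirror image of a request that already went out. The packets are constructed; the 192.168.0.10 and 202.52.222.10 addresses are the ones on the slide, and the 203.0.113.x outside hosts are documentation addresses chosen here. The third PC packet is the case that separates the two firewall types: it has the same ports as the legitimate reply but comes from a different peer, so a port-only rule would let it in and the stateful rule drops it.

```python
# Added example (not from the seminar slides): the two firewall behaviours in
# the diagrams above as code. A packet filter in front of the web server
# allows only http (tcp 80); a stateful inspector in front of the PC allows an
# inbound packet only when it is the reply to a request that went out.
# Packets are constructed; the addresses reuse those on the slide, and the
# outside hosts 203.0.113.x are documentation addresses chosen here.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# --- Packet filtering: stateless, decided from header fields of each packet ---
# Rules are (proto, destination port, action), evaluated in order; first match wins.
WEB_SERVER_RULES: List[Tuple[str, int, str]] = [("tcp", 80, "allow")]
DEFAULT_ACTION = "drop"


def packet_filter(pkt: Packet, rules=WEB_SERVER_RULES) -> str:
    for proto, dport, action in rules:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return DEFAULT_ACTION


# --- Stateful inspection: inbound is allowed only as the reply to tracked state ---
Flow = Tuple[str, str, int, str, int]   # proto, local addr, local port, remote addr, remote port


class StatefulFirewall:
    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix   # address prefix of the protected side
        self.flows: Set[Flow] = set()

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound request: remember it so the reply can be matched.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only if it is the mirror image of a flow seen going out.
        reply_of: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_of in self.flows else "drop"


def run_scenarios() -> Dict[str, List[str]]:
    """Feed the slide's traffic through both firewalls and return the verdicts."""
    to_web_server = [
        Packet("tcp", "203.0.113.5", 40000, "202.52.222.10", 80),   # http
        Packet("tcp", "203.0.113.5", 40001, "202.52.222.10", 23),   # telnet
        Packet("tcp", "203.0.113.5", 40002, "202.52.222.10", 21),   # ftp
    ]
    fw = StatefulFirewall(inside_prefix="192.168.0.")
    at_pc = [
        Packet("tcp", "192.168.0.10", 1020, "202.52.222.10", 80),   # request made out
        Packet("tcp", "202.52.222.10", 80, "192.168.0.10", 1020),   # matching reply
        Packet("tcp", "203.0.113.9", 80, "192.168.0.10", 1020),     # same ports, wrong peer
        Packet("udp", "203.0.113.9", 53, "192.168.0.10", 1020),     # unregistered traffic
    ]
    return {
        "web_server": [packet_filter(p) for p in to_web_server],
        "pc": [fw.process(p) for p in at_pc],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Because the stateful firewall records every outbound flow, the same table is what a personal firewall such as the one on the next slide consults when it flags an outbound connection from a program that has never made one before; the inbound-reply check is the half that stops a trojan "listening for connections" from being reachable at all.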
Software Firewall
Kerio PersonalFirewall http://www.kerio.com *Freeware*
– Stateful Packet Inspection
– Scans applications and data – Inbound and Outbound!
• Spyware connections outbound would be flagged.
– Free Updates from Kerio
– Easily “trained”
• ZoneAlarm
Image Source – Screenshot of Kerio PersonalFirewall. See http://www.kerio.com
Intrusion Detection Systems
(Diagram: Network → IDS → Firewall → Switch → PC and Servers)
• Intrusion Detection – A Commercial Network Solution
• An “Intelligent Firewall” – monitors accesses for suspicious activity
• Neural Networks trained by Backpropagation on Usage Data
• Could detect Trojan Horse attack, but not designed for Spyware
• Put the IDS in front of the firewall to get maximum detection
• In a switched network, put IDS on a mirrored port to get all traffic.
• Ensure all network traffic passes through the IDS host.
“System X”
• Composed of…
– Clean, fully patched Operating System (OS)
– Firefox / Opera / Lynx (!) Browser (Not IE)
– Stateful Inspection Firewall http://www.kerio.com
– Anti-Virus Software such as Norton AV or AVG
– Careful user scrutiny of pop-ups and email
– Beware free “utilities” and especially filesharing apps
– Regular patches (possibly automatically)
(Diagram: Network / Internet / Standalone)
Questions…
Bibliography / Links
• [1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
• [2] "Trojan Horse" Definition - Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
• [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.
• [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
• [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html
• [6] Spyware Guide – http://www.spyware-guide.com
• [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml
• [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html
• [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm
• [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm
• [11] Wired News – “Judge takes bite out of Gator” www.wired.com/news/politics/0,1283,53875,00.html
• [12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm
• [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
• [14] Unwanted Links (Spyware) – http://www.unwantedlinks.com
• [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.
• [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003. http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt
• [17] Kerio Personal Firewall – http://www.kerio.com