Spyware and Trojan Horses

Computer Security Seminar Series

Spyware and Trojan Horses – Computer Security Seminar 4th November 2004

Your computer could be watching your every move!


Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg


Introduction


Seminar Overview

• Introduction to Spyware / Trojan Horses

• Spyware – Examples, Mechanics, Effects, Solutions

• Tracking Cookies – Mechanics, Effects, Solutions

• Trojan Horses – Mechanics, Effects, More Examples

• Solutions to the problems posed

• Human Factors – Human interaction with Spyware

• “System X” – Having suitable avoidance mechanisms

• Conclusions – Including our proposals for solutions


Definitions

SPYWARE: A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.

Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php

TROJAN HORSE: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

Symptoms

• Targeted Pop-ups (SPYWARE)

• Slow Connection (SPYWARE / TROJAN)

• Targeted E-Mail (Spam) (SPYWARE)

• Unauthorized Access (TROJAN HORSE)

• Spam Relaying (TROJAN HORSE)

• Browser Hijack (SPYWARE / TROJAN)

• Program Customization (SPYWARE)


Summary of Effects


• Collection of data from your computer without consent

• Execution of code without consent

• Assignment of a unique code to identify you

• Collection of data pertaining to your habitual use

• Installation on your computer without your consent

• Inability to remove the software

• Performing other undesirable tasks without consent

Similarities / Differences

Common to both Trojan Horses and Spyware:

• Memory resident processes

• Surreptitiously installed without user’s consent or understanding

• Creates a security vulnerability

Trojan Horses vs. Spyware:

• Age: Relatively Old (> 20 Years) vs. Relatively New (< 5 Years)

• Detectable with Virus Checker vs. Not Detectable with Virus Checker

• Any network connection required vs. Internet connection required

• Illegal vs. Legal

• Unauthorized access and control vs. Collects data and displays pop-ups

• Purpose: To control activity vs. Purpose: To monitor activity

• Receives incoming connection vs. Initiates remote connection

• Malicious vs. Commercially Motivated

Spyware

Image Source – The Gator Corporation – http://www.gator.com


Software Examples

• GAIN / Gator

• Gator E-Wallet

• Kazzaa

• BonziBuddy

• MySearch Toolbar

• DownloadWare

• BrowserAid

• Dogpile Toolbar

Image Sources…

GAIN Logo – The Gator Corporation – http://www.gator.com

BonziBuddy Logo – Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif

DownloadWare Logo – DownloadWare - http://www.downloadware.net

Advantages (User Perspective - I)

• Precision Marketing

– Relevant pop-ups are better than all of them!

– You may get some useful adverts!

• Useful Software

– DivX Pro, IMesh, KaZaA, Winamp Pro

– (Experienced) people understand what they are installing.

• Enhanced Website Interaction

– Targeted banner adverts

– Website customisation

Disadvantages (User Perspective - II)

• Browsing profiles created for users without consent

– Used for target marketing and statistical analysis

• Unable to remove Spyware programs or disable them

• Increased number of misleading / inappropriate pop-ups

• Invasion of user privacy (hidden from user)

• Often badly written programs corrupt user system

• Automatically provides unwanted “helpful” tools

• “20 million+ people have Spyware on their machines.”

Source - Dec ’02 GartnerG2 Report

Example Pop-up (User Perspective - III)

Misleading Pop-up

Image Source – Browser Cleanser – Directed pop-up from http://www.browsercleanser.com/

Network Overview (Technical Analysis - I)

Network overview diagram labels: Push – Advertising; Pull – Tracking, Personal data.

Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Client-Side Operation (Technical Analysis - II)

Server-Side Operation (Technical Analysis - III)

• Server-side operation is relatively unknown. However, if I were to develop such a system, it would contain…

Spyware Defence


Technical Initiatives...

• Spyware Removal Programs

• Pop-up Blockers

• Firewall Technology

• Disable ActiveX Controls

– Not Sandboxed

• E-Mail Filters

• Download Patches

User Initiatives…

• Issue Awareness

• Use Legitimate S/W Sources

• Improved Technical Ability

• Choice of Browser

• Choice of OS

• Legal action taken against breaches of privacy

– Oct ’02 DoubleClick

GAIN Case Study

• Installed IMesh, which includes Gator Installation

• We accessed multiple internet sites

• We simultaneously analyzed network traffic (using IRIS)

• We found the packets of data being sent to GAIN

• Packets were encrypted and we could not decrypt them

• See Example ->


Image Source – Screenshot of IRIS v3.7 Network Analyser – Professional Networks Ltd. See http://www.pnltools.com.

Spyware Removers

Ad-aware (by Lavasoft) http://www.lavasoft.de *Freeware*

– Reverse Engineer Spyware

– Scans Memory, Registry and Hard Drive for…

• Data Mining components

• Aggressive advertising components

• Tracking components

– Free Updates from Lavasoft

– Plug-ins available

• Extra file information

• Disable Windows Messenger Service


Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com

Spyware Removers

Spybot Search & Destroy http://www.spybot.info *Freeware*

– Reverse Engineer Spyware

– Scans Memory, Registry and Hard Drive for…

• Data Mining components

• Aggressive advertising components

• Tracking components

– Free Updates from Spybot

– Use with caution!

• This may be the best at removal but your system can suffer afterwards.

Image Source – Screenshot of Spybot. See http://www.spybot.info

Vulnerable Systems

• Any with an internet connection! BROADBAND!

• Microsoft Windows 9x/Me/NT/2000/XP

• Affects Open Source/Mac OSs less

• Non-firewalled systems

• Internet Explorer (executes ActiveX plug-ins)

• Other browsers affected less

Tracking Cookies

Cookies

• A Cookie is a small text file sent to the user from a website.

– Contains Website visited

– Provides client-side personalisation

– Supports easy Login

• Cookies are controlled by…

– Website’s Application Server

– Client-side JavaScript

• The website is effectively able to ‘remember’ the user and their activity on previous visits.

• Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.

Case Study - DoubleClick

• Most regular web users will have a “doubleclick.net” cookie.

• Affiliated sites request the DoubleClick cookie on the user’s computer.

• The site then sends…

– Who you are

– All other information in your cookie file

• In return for…

– All available marketing information on you - collected from other affiliated sites which you have hit.

Case Study – DoubleClick

• Site targets banner adverts, e-mails and pop-ups to the user.

• If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user.

• The whole process is ‘opaque’ to the user and occurs without their consent.

Tracking Cookie Implementation

• Protocol designed to only allow the domain who created a cookie to access it.

• IE has a number of security holes…

– Up to IE 5, domain names specified incorrectly.

– Up to IE 6, able to fool IE into believing it is in another domain.

• Patches and IE 6 solved a number of problems

• Tracking cookies are still proving a large problem, since a number of holes remain open.
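As an added illustration (not code from the seminar), a small Python cookie jar that applies the domain rule described above and flags third-party cookies sent during a page load, which is how a tracking cookie becomes visible to a defender. Host names and cookie values are constructed, and the "sloppy" matcher illustrates a generic dot-boundary bug, not any specific IE hole.

```python
"""Added example, not from the seminar slides: a minimal cookie jar that
enforces 'only the domain that created a cookie gets it back' and reports
third-party cookies in a page load. Hosts and cookies are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # Domain attribute, e.g. ".tracker.example", or the setting host

def domain_match(host: str, cookie_domain: str) -> bool:
    """Strict matching: host equals the cookie domain or is a subdomain of it.
    'shop.example' never receives a cookie scoped to 'tracker.example'."""
    host, d = host.lower(), cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)

def sloppy_match(host: str, cookie_domain: str) -> bool:
    """Illustrative bug (constructed, not a specific IE hole): dropping the dot
    boundary lets 'notatracker.example' receive 'tracker.example' cookies."""
    return host.lower().endswith(cookie_domain.lower().lstrip("."))

@dataclass
class CookieJar:
    cookies: list = field(default_factory=list)

    def set_cookie(self, setter_host, name, value, domain=None):
        domain = domain or setter_host
        # A host may scope a cookie only to itself or to a parent domain.
        if not domain_match(setter_host, domain):
            raise ValueError(f"{setter_host} may not set a cookie for {domain}")
        self.cookies.append(Cookie(name, value, domain))

    def cookies_for(self, url):
        host = urlsplit(url).hostname
        return [c for c in self.cookies if domain_match(host, c.domain)]

def third_party_cookies(jar, page_url, resource_urls):
    """(resource_url, cookie_name) pairs where a sub-resource of the page gets
    a cookie whose domain is not the page's own: the tracking-cookie pattern."""
    page_host = urlsplit(page_url).hostname
    return [(url, c.name) for url in resource_urls
            for c in jar.cookies_for(url)
            if not domain_match(page_host, c.domain)]

def demo():
    jar = CookieJar()
    # Constructed: an ad network set an id cookie on an earlier visit.
    jar.set_cookie("ad.tracker.example", "id", "u-12345", ".tracker.example")
    jar.set_cookie("shop.example", "session", "abc123")
    page = "http://shop.example/checkout"
    resources = ["http://shop.example/style.css",
                 "http://ad.tracker.example/banner.gif?site=shop"]
    return third_party_cookies(jar, page, resources)
```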


Tracking Cookie Implementation


Tracking Cookie Defence

• Replace tracking cookies with write protected zero length files of the same name.

• DoubleClick offer an opt-out cookie, which can be obtained from their website.

• Disable cookies

– Makes many websites unusable

• Delete cookies after session

• Spyware remover (Ad-aware)

• FireFox browser


Image Source – Screenshot of DoubleClick OptOut Cookie displayed in Microsoft Notepad.


Trojan Horses


Installation

• Secretly installed when an infected executable is run

– Much like a virus

– Executables typically come from P2P networks or unscrupulous websites

• ActiveX controls on websites

– ActiveX allows automatic installation of software from websites

– User probably does not know what they are running

– Misleading descriptions often given

– Not sandboxed!

– Digital signatures used, signing not necessary


Installation


• Certificate Authority

• Misleading Certificate Description

• Who is trusted?

Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.

Effects

• Allows remote access

– To spy

– To disrupt

– To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)

– To access resources (e.g. bandwidth, files)

– To launch a DDoS attack

Operation

• Listen for connections

• Memory resident

• Start at boot-up

• Disguise presence

• Rootkits integrate with kernel

• Password Protected


Example: Back Orifice

• Back Orifice

– Produced by the “Cult of the Dead Cow”

– Win95/98 is vulnerable

– Toast of DefCon 6

– Similar operation to NetBus

– Name similar to MS Product of the time


BO: Protocol

• Modular authentication

• Modular encryption

– AES and CAST-256 modules available

• UDP or TCP

• Variable port

– Avoids most firewalls

• IP Notification via ICQ

– Dynamic IP addressing not a problem


BO: Protocol Example (1)

Sequence diagram (Attacker, ICQ Server, Victim): infection occurs on the victim; the trojan sends the victim’s IP address and port to the ICQ server; the attacker obtains the IP address and port from the ICQ server; the attacker opens a connection to the victim.

BO: Protocol Example (2)

Sequence diagram (Attacker, Victim): connection; command; command executed; request for information; information returned.

BO: Protocol Example (3)

Sequence diagram (Attacker, Victim): cleanup command; evidence destroyed.

Trojan Horse Examples

• M$ Rootkit

– Integrates with the NT kernel

– Very dangerous

– Virtually undetectable once installed

– Hides from administrator as well as user

– Private TCP/IP stack (LAN only)


Trojan Horse Examples

• iSpyNOW

– Commercial

– Web-based client

• Assassin Trojan

– Custom builds may be purchased

– These are not found by virus scanners

– Firewall circumvention technology


Trojan Horse Examples

Real World Dangers

• Keystroke loggers

– Circumvents banking and retail websites’ security because your username and password are transmitted in the clear.

Trojan Horse Examples

Real World Dangers

• Remote Access

– Criminals are able to access your PC as if they were sitting at it.

Trojan Horse Examples

Real World Dangers

• Zombie Networks

– Hackers are selling access to zombie networks of 10,000+ PC’s for about .10 each. They are often used to send Spam.

Demonstration

Vulnerable Systems

Chart: number of trojans in common use, on a scale from DANGEROUS to RELATIVELY SAFE, comparing Win 9x, WinNT, Linux/Unix, MacOS and MacOS X.

WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.

Information Source: McAfee Security - http://us.mcafee.com/

Vulnerable Systems

Chart: ease of compromise, on the same DANGEROUS to RELATIVELY SAFE scale, for the same systems.

Conclusions

Security Implications

Short Term:

• Divulge personal data

• Backdoors into system

• System corruption

• Disruption / Irritation

• Aids identity theft

• Easy virus distribution

• Increased spam

Long Term:

• Mass data collection

• Consequences unknown

• Web becomes unusable

• Web cons outweigh pros

• Cost of preventions

• More development work

• More IP addresses (IPv6)

Solutions

Short Term:

• Firewall

• Virus Checker

• Spyware Remover

• Frequent OS updates

• Frequent back-up

• Learning problems

Long Term:

• Add Spyware to Anti-Virus

• Automatic maintenance

• Legislation

• Education on problems

• Biometric access

• Semantic web (and search)

Firewalls

• 3 Types…

– Packet Filtering – Examines attributes of packet.

– Application Layer – Hides the network by impersonating the server (proxy).

– Stateful Inspection – Examines both the state and context of the packets.

• Regardless of type; must be configured to work properly.

• Access rules must be defined and entered into firewall.

Web Server Firewall diagram (Packet Filtering): traffic from the Network / Internet arrives at the firewall as http - tcp 80, telnet - tcp 23 and ftp - tcp 21; only http - tcp 80 is allowed through to the Web Server.

Firewalls

PC Firewall diagram (Stateful Inspection): the PC at 192.168.0.10 : 1020 sends a request across the Network / Internet to 202.52.222.10: 80; the firewall only allows reply packets for requests made out and blocks other unregistered traffic.
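An added example, not part of the seminar: a toy Python packet filter and stateful firewall implementing both diagrams, reusing the slide's 192.168.0.10:1020 to 202.52.222.10:80 exchange; the other IP addresses, port numbers and program names are constructed. It also flags an outbound connection from an untrusted program, which is what the personal firewall discussed below does for spyware.

```python
"""Added example, not from the seminar slides: packet filtering for the
web-server diagram (allow only http tcp 80 inbound) and stateful inspection
for the PC diagram (admit only replies to requests made out, block the rest,
flag outbound traffic from untrusted programs). Addresses are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    inbound: bool = True  # True = arriving from the network / internet
    app: str = ""         # program sending an outbound packet (personal firewall)

def packet_filter(pkt: Packet, allowed_ports: set) -> bool:
    """Packet filtering: decide from the packet's own attributes only."""
    if not pkt.inbound:
        return True
    return pkt.proto == "tcp" and pkt.dst_port in allowed_ports

class StatefulFirewall:
    """Stateful inspection for a PC: remember each outbound connection and
    admit only inbound packets that answer one of them."""
    def __init__(self, trusted_apps=()):
        self.trusted_apps = set(trusted_apps)
        self.table = set()  # (local ip, local port, remote ip, remote port, proto)

    def process(self, pkt: Packet) -> str:
        if not pkt.inbound:
            if pkt.app not in self.trusted_apps:
                return "flag"  # unknown program calling out: ask the user
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return "allow" if key in self.table else "block"

def run_web_server_rules():
    """Inbound probes from the 'Web Server Firewall' diagram (constructed IPs)."""
    probes = {"http": Packet("203.0.113.5", 40000, "192.0.2.10", 80),
              "telnet": Packet("203.0.113.5", 40001, "192.0.2.10", 23),
              "ftp": Packet("203.0.113.5", 40002, "192.0.2.10", 21)}
    return {name: packet_filter(p, {80}) for name, p in probes.items()}

def run_pc_rules():
    """The 'PC Firewall' diagram: request out, reply in, then unwanted traffic."""
    fw = StatefulFirewall(trusted_apps={"browser"})
    steps = [
        ("request", Packet("192.168.0.10", 1020, "202.52.222.10", 80, inbound=False, app="browser")),
        ("reply", Packet("202.52.222.10", 80, "192.168.0.10", 1020)),
        ("unsolicited", Packet("198.51.100.7", 4444, "192.168.0.10", 1020)),  # answers nothing
        ("spyware_out", Packet("192.168.0.10", 1021, "203.0.113.9", 80, inbound=False, app="unknown")),
    ]
    return {name: fw.process(p) for name, p in steps}
```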

Software Firewall

Kerio PersonalFirewall http://www.kerio.com *Freeware*

– Stateful Packet Inspection

– Scans applications and data – Inbound and Outbound!

• Spyware connections outbound would be flagged.

– Free Updates from Kerio

– Easily “trained”

• ZoneAlarm


Image Source – Screenshot of Kerio PersonalFirewall. See http://www.kerio.com

Intrusion Detection Systems

Diagram components: Network, IDS, Firewall, Switch, PC, Server, Server.

• Intrusion Detection – A Commercial Network Solution

• An “Intelligent Firewall” – monitors accesses for suspicious activity

• Neural Networks trained by Backpropagation on Usage Data

• Could detect Trojan Horse attack, but not designed for Spyware

• Put the IDS in front of the firewall to get maximum detection

• In a switched network, put IDS on a mirrored port to get all traffic.

• Ensure all network traffic passes through the IDS host.


“System X”

• Composed of…

– Clean, fully patched Operating System (OS)

– Firefox / Opera / Lynx (!) Browser (Not IE)

– Stateful Inspection Firewall http://www.kerio.com

– Anti-Virus Software such as Norton AV or AVG

– Careful user scrutiny of pop-ups and email

– Beware free “utilities” and especially filesharing apps

– Regular patches (possibly automatically)


Network / Internet / Standalone

Questions…


Bibliography / Links

• [1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php

• [2] "Trojan Horse" Definition

– Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html

• [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.

• [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.

• [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html

• [6] Spyware Guide – http://www.spyware-guide.com

• [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml

• [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html

• [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm

• [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm

• [11] Wired News – “Judge takes bite out of Gator” www.wired.com/news/politics/0,1283,53875,00.html

• [12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm

• [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp

• [14] Unwanted Links (Spyware) – http://www.unwantedlinks.com

• [15] Anderson, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.

• [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003.

– http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt

• [17] Kerio Personal Firewall – http://www.kerio.com
