Page 1: Spyware


Spyware

Page 2: Spyware

ECE 4112-Internetwork Security 2

Agenda

• Cookies

• Browser hijacking

• Bundled software

• Key loggers

• Spyware prevention and deletion

Page 3: Spyware


Introduction

• Q: What is spyware?

• A: Analysis and tracking programs that report your activities to the advertising providers' web site for storage and analysis. These programs are generally bundled with freeware or shareware and are typically downloaded without the user's knowledge.

• Spyware is not illegal and is often mentioned in very confusing and convoluted language within the user agreement for the freeware/shareware that the user is attempting to download.

Page 4: Spyware


Spyware Threats

Spyware threats come in different flavors:

• malware – modifies system settings, and can perform undesirable tasks on your system

• hijacker – redirects your browser to web sites

• dialer – dials a service (most likely porn sites) for which you are billed

• collectware – collects information about you and your surfing habits

Page 5: Spyware


Cookies

Q: What are cookies?

A: Cookies are unique identifiers placed on your computer by a web server.

Cookies are passive text strings which can be no larger than 4k but are typically only 20-40 characters long.

Page 6: Spyware


Cookies: dispelling myths

• Cookies cannot collect personal information about users. The only way a cookie can contain this type of information is if you tell it to a particular website and that site chooses to include it in a cookie.

• Cookie security is such that only the originating domain can use the contents of a cookie

• Cookies are not scripts, though they may be written by a script. Cookies are not executable.

Page 7: Spyware


Cookies: so what's the big deal?

The use of cookies is often harmless and at times even helpful. However, more often than not, companies use cookies to track a user’s activity on websites. This activity is then logged, and a history of the user’s surfing habits can be maintained, usually in order to target specific individuals with specific advertisements. Information about a user can be swapped and sold from company to company to achieve a very comprehensive profile of any given user.

Page 8: Spyware


Browser Hijacking

• When your web browser is hijacked, attempts to view some websites (such as common search engines or popular web directory sites) are automatically redirected, without your consent, to an alternative website of the hijacker's choice, frequently via a BHO (Browser Helper Object).

• Browser hijacking can include altering the homepage for IE, changing the default URL prefix, performing DNS spoofing, or installing monitoring software.

Page 9: Spyware


Homepage Altering

• Browser Hijackers can modify the homepage which is opened every time you start Internet Explorer

• Homepage could be set to an advertising website – companies pay web hosts on a per-click basis for their ads

• The option to edit your homepage in the tools>Internet Options menu of IE can also be disabled through the registry

Page 10: Spyware


Homepage Altering

• The default homepage for Internet Explorer is stored in the registry at: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page”

• Also, the option to disable editing of the homepage in the tools->Internet Options menu is stored in the registry at: “HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Homepage”

Page 11: Spyware


Homepage Altering

• By setting “Homepage” to 1, you can no longer edit your homepage in IE

• Writing and reading to the registry is simple with Visual Basic Script files, which could easily be included as attachments in email

Page 12: Spyware


Homepage Altering

• Example script code:

    ' Overwrite the current user's IE Start Page value (a REG_SZ string)
    Dim WSHShell, q
    Dim itemtype, newpage

    Set WSHShell = WScript.CreateObject("WScript.Shell")
    q = "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page"
    itemtype = "REG_SZ"
    newpage = "http://www.hackershomepage.com"
    ' RegWrite takes the value path, the data and the registry type
    WSHShell.RegWrite q, newpage, itemtype

Page 13: Spyware


URL Prefix Attack

• When you type a website address that includes “www” into a browser, the prefix “http://” is automatically prepended

• This prefix value is not permanent, and it too can be edited in the registry at: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\”

• As before, a hacker could redirect you in an attempt to force you to use their search engine or go through their gateway to monitor your usage of the Internet. They may also receive money on a per-click basis from another company every time a certain link is visited.
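A way to check a machine for the three registry changes described on the Homepage Altering and URL Prefix Attack slides. This is an added example, not part of the original slides: it audits the text of a `.reg` export, and the sample export, the `search.example.invalid` value and the function names are constructed for illustration.

```python
import re

# Registry locations named on the slides above.
START_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
PREFIX_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes"

# Constructed sample of a .reg export showing all three changes described above.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.hackershomepage.com"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"Homepage"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"www"="http://search.example.invalid/?q="
'''

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)  # REG_DWORD is written as hex
            else:
                data = data.strip('"').replace("\\\\", "\\")  # REG_SZ string
            current[name] = data
    return keys

def audit(text, allowed_homepages):
    """Return (finding, value) pairs for the hijack indicators the slides describe."""
    keys, findings = parse_reg(text), []
    start = keys.get(START_KEY.lower(), {}).get("Start Page")
    if start is not None and start not in allowed_homepages:
        findings.append(("homepage-changed", start))
    if keys.get(POLICY_KEY.lower(), {}).get("Homepage") == 1:
        findings.append(("homepage-locked", 1))
    for name, data in keys.get(PREFIX_KEY.lower(), {}).items():
        # A prefix should be a bare scheme such as "http://"; anything more redirects.
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*://", str(data)):
            findings.append(("url-prefix:" + name, data))
    return findings
```

Calling `audit(SAMPLE, {"about:blank"})` reports the changed homepage, the locked homepage option and the altered `www` prefix, while the untouched `ftp` prefix passes.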

Page 14: Spyware


Host Hijack (DNS Spoofing)

• As we examined in an earlier lab, it is possible to edit the file:

C:/WINDOWS/system32/drivers/etc/hosts

to bypass requests to a DNS server and instead resolve hostnames to the IP addresses specified in the file
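A check for hosts-file entries that override DNS, as an added example that is not part of the original slides. The sample file contents, the approved-entry list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; names and addresses are placeholders.
SAMPLE = """# Constructed sample
127.0.0.1    localhost
::1          localhost
10.0.0.5     intranet.example.invalid      # approved internal entry
203.0.113.7  www.search.example.invalid search.example.invalid
0.0.0.0      updates.example.invalid
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every name mapped in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for host in fields[1:]:                 # one line may carry several names
            yield no, ip, host.lower().rstrip(".")

def audit_hosts(text, approved=()):
    """Return (line_no, host, ip, reason) for entries that override DNS unexpectedly."""
    approved = {(h.lower(), ipaddress.ip_address(i)) for h, i in approved}
    findings = []
    for no, ip, host in parse_hosts(text):
        if host == "localhost":
            if not ip.is_loopback:
                findings.append((no, host, str(ip), "localhost remapped"))
        elif (host, ip) not in approved:
            local = ip.is_loopback or ip.is_unspecified
            reason = "name made unreachable" if local else "name redirected"
            findings.append((no, host, str(ip), reason))
    return findings
```

On Windows, pass in the contents of the hosts file at the path shown above, together with the entries your administrator has approved.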

Page 15: Spyware


Recovering From BH Attacks

• There are many applications available to help remove the effects of browser hijacking attacks

• One excellent tool for this purpose is HijackThis, available at http://www.tomcoyote.org/hjt/

• HijackThis will provide a list of all the registry entries and files a BH could attack, including the homepage registry entry and the hosts file

Page 16: Spyware


Preventing BH Attacks

• To help prevent Browser Hijacking attacks, an application called BHBlaster is available which will monitor changes to registry files and host files and alert the user when something is attempting to alter these values

Page 17: Spyware


Bundled Software

• Today, there are a large number of programs used to share files over the Internet. The most popular of these are peer to peer programs which are anonymous to use and free to download

• However, these programs are notorious for bundling 3rd party software which is installed when the main program is installed, often without the user’s knowledge

Page 18: Spyware


Bundled Software

• In the lab, you will install an old version of a peer-to-peer client and examine what spyware programs are installed along with the client

• These spyware programs may include pop-up ad generators, browser add-ons such as search toolbars, and software to monitor your usage statistics and report them to a 3rd party company

Page 19: Spyware


Key Loggers

• Q: What are key loggers?

• A: A key logger is a program that runs in the background recording all keystrokes. Though many key loggers can be seen in the running process list, good key loggers will change their names in the process list to something inconspicuous. Even better key loggers can make themselves totally invisible in the process list.

Page 20: Spyware


Key Loggers

Q: Why are key loggers so easy to find?

A: Key loggers are not only used maliciously. There are many other uses for key loggers such as:

• Making sure children are using the internet appropriately and safely

• Ensuring that employees are not misusing company computers

• Safeguarding against lost information in the event of a power outage or other unforeseen circumstances.

Page 21: Spyware


Spyware Prevention and Deletion

In recent years, there has been a dramatic increase in the number of anti-spyware applications available.

Of course, the best way to protect your computer from spyware is to carefully examine license agreements when you install free software and be cautious of what websites you visit on the Internet

Page 22: Spyware


Spyware Prevention and Deletion

Some of the best (and free) anti-spyware programs available include:

• AdAware

• Spybot – Search and Destroy

• Microsoft AntiSpyware

Page 23: Spyware


Spyware Prevention and Deletion

AdAware was one of the first applications designed to remove spyware. It performs very thorough searches and is very simple to use. However, it does not provide real-time protection (in the free version).

Spybot – Search and Destroy not only implements all the features of AdAware, but it also has real-time protection. Its updating software for downloading the latest spyware signatures, however, is a little lacking.

Page 24: Spyware


Spyware Prevention and Deletion

Microsoft’s AntiSpyware is an excellent application which runs smoothly in the background in Windows. When spyware threats are detected, a window pops up prompting the user as to what action to take. The main weakness of this application is that it is still in beta testing.
