Documente Academic
Documente Profesional
Documente Cultură
Introduction
Seminar Overview
Introduction to Spyware / Trojan Horses Spyware Examples, Mechanics, Effects, Solutions Tracking Cookies Mechanics, Effects, Solutions Trojan Horses Mechanics, Effects, More Examples Solutions to the problems posed Human Factors Human interaction with Spyware System X Having suitable avoidance mechanisms Conclusions Including our proposals for solutions
Definitions
A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.
R WA Y SP
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
N O JA E TR R S HO
Symptoms
Targeted Pop-ups Slow Connection Targeted E-Mail (Spam) Unauthorized Access Spam Relaying Browser Hijack Program Customization
SPYWARE SPYWARE / TROJAN SPYWARE TROJAN HORSE TROJAN HORSE SPYWARE / TROJAN SPYWARE
Summary of Effects
Collection of data from your computer without consent Execution of code without consent Assignment of a unique code to identify you Collection of data pertaining to your habitual use Installation on your computer without your consent Inability to remove the software Performing other undesirable tasks without consent
Similarities / Differences
Spyware
Commercially Motivated Internet connection required Initiates remote connection Purpose: To monitor activity Collects data and displays pop-ups Legal Not Detectable with Virus Checker Age: Relatively New (< 5 Years)
Trojan Horses
Malicious Any network connection required Receives incoming connection Purpose: To control activity Unauthorized access and control Illegal Detectable with Virus Checker Age: Relatively Old ( > 20 Years)
Memory Resident Processes Surreptitiously installed without users consent or understanding Creates a security vulnerability
Spyware
Software Examples
GAIN / Gator Gator E-Wallet Kazzaa BonziBuddy MySearch Toolbar DownloadWare BrowserAid Dogpile Toolbar
Image Sources GAIN Logo The Gator Corporation http://www.gator.com BonziBuddy Logo Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif DownloadWare Logo DownloadWare - http://www.downloadware.net
Advantages
Precision Marketing
Relevant pop-ups are better than all of them! You may get some useful adverts!
Useful Software
DivX Pro, IMesh, KaZaA, Winamp Pro (Experienced) people understand what they are installing.
Disadvantages
Browsing profiles created for users without consent
Used for target marketing and statistical analysis
Unable to remove Spyware programs or disable them Increased number of misleading / inappropriate pop-ups Invasion of user privacy (hidden from user) Often badly written programs corrupt user system Automatically provides unwanted helpful tools 20 million+ people have Spyware on their machines.
Source - Dec 02 GartnerG2 Report
User Perspective - II
Example Pop-up
Misleading Pop-up
Network Overview
Push Advertising Pull Tracking Personal data
Technical Analysis - I
Image Source Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Client-Side Operation
Technical Analysis - II
Server-Side Operation
Server-side operation is relatively unknown. However, if I were to develop such a system, it would contain
Spyware Defence
User Initiatives
Issue Awareness Use Legitimate S/W Sources Improved Technical Ability Choice of Browser Choice of OS Legal action taken against breaches of privacy Oct 02 Doubleclick
Technical Initiatives...
Spyware Removal Programs Pop-up Blockers Firewall Technology Disable ActiveX Controls Not Sandboxed E-Mail Filters Download Patches
Image Source Screenshot of IRIS v3.7 Network Analyser Professional Networks Ltd. See http://www.pnltools.com.
Spyware Removers
Ad-aware (by Lavasoft) http://www.lavasoft.de *Freeware* Reverse Engineer Spyware Scans Memory, Registry and Hard Drive for
Data Mining components Aggressive advertising components Tracking components
Spyware Removers
Spybot Search & Destroy http://www.spybot.info *Freeware* Reverse Engineer Spyware Scans Memory, Registry and Hard Drive for
Data Mining components Aggressive advertising components Tracking components
Vulnerable Systems
Any with an internet connection! BROADBAND! Microsoft Windows 9x/Me/NT/2000/XP Affects Open Source/Mac OSs less Non - fire-walled systems Internet Explorer, executes ActiveX plug-ins Other browsers affected less
Tracking Cookies
Cookies
A Cookie is a small text file sent to the user from a website.
Contains Website visited Provides client-side personalisation Supports easy Login
The website is effectively able to remember the user and their activity on previous visits. Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.
In return for
All available marketing information on you - collected from other affiliated sites which the you have hit.
If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user. The whole process is opaque to the user and occurs without their consent.
Trojan Horses
10
Installation
Secretly installed when an infected executable is run
Much like a virus Executables typically come from P2P networks or unscrupulous websites
Installation
Certificate Authority Misleading Certificate Description Who is trusted?
Image Source Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from Roings.
Effects
Allows remote access
To spy To disrupt To relay a malicious connection, so as to disguise the attackers location (spam, hacking) To access resources (i.e. bandwidth, files) To launch a DDoS attack
11
Operation
Listen for connections Memory resident Start at boot-up Disguise presence Rootkits integrate with kernel Password Protected
BO: Protocol
Modular authentication Modular encryption
AES and CAST-256 modules available
12
INFECTION OCCURS
Attacker
IP ADDRESS AND PORT ICQ SERVER IP ADDRESS AND PORT
Victim
CONNECTION
COMMAND EXECUTED
Attacker
CONNECTION
Victim
EVIDENCE DESTROYED
Attacker
Victim
13
14
Demonstration
15
Vulnerable Systems
Number of trojans in common use
RELATIVELY SAFE
DANGEROUS
MacOS MacOS X
WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Ease of compromise
WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
MacOS X Linux/Unix
Vulnerable Systems
RELATIVELY SAFE DANGEROUS
Conclusions
Linux/Unix WinNT
WinNT MacOS
Win 9x
4th November 2004
Win 9x
4th November 2004
16
Security Implications
Short Term
Divulge personal data Backdoors into system System corruption Disruption / Irritation Aids identity theft Easy virus distribution Increased spam
Long Term
Mass data collection Consequences unknown Web becomes unusable Web cons outweigh pros Cost of preventions More development work More IP addresses (IPv6)
Solutions
Short Term
Firewall Virus Checker Spyware Remover Frequent OS updates Frequent back-up Learning problems
Long Term
Add Spyware to Anti-Virus Automatic maintenance Legislation Education on problems Biometric access Semantic web (and search)
Firewalls
3 Types
Packet Filtering Examines attributes of packet.
Network / Internet
Application Layer Hides the network by impersonating the server (proxy). Stateful Inspection Examines both the state and context of the packets.
Regardless of type; must be configured to work properly. Access rules must be defined and entered into firewall.
17
Firewalls
http - tcp 80
Network / Internet
http - tcp 80 telnet - tcp 23 ftp - tcp 21 Web Server Firewall Allow only http - tcp 80
Packet Filtering
192.168.0.10 : 1020
Stateful Inspection
192.168.0.10 : 1020 PC
Only allow reply packets for requests made out Block other unregistered traffic
Software Firewall
Kerio PersonalFirewall http://www.kerio.com *Freeware* Stateful Packet Inspection Scans applications and data Inbound and Outbound!
Spyware connections outbound would be flagged.
Network
Server
Switch
Firewall
IDS
Server
Intrusion Detection A Commercial Network Solution An Intelligent Firewall monitors accesses for suspicious activity Neural Networks trained by Backpropagation on Usage Data Could detect Trojan Horse attack, but not designed for Spyware
PC
Put the IDS in front of the firewall to get maximum detection In a switched network, put IDS on a mirrored port to get all traffic. Ensure all network traffic passes through the IDS host.
18
System X
Composed of
Clean, fully patched Operating System (OS) Firefox / Opera / Lynx (!) Browser (Not IE) Stateful Inspection Firewall http://www.kerio.com Anti-Virus Software such as Norton AV or AVG Careful user scrutiny of pop-ups and email Beware free utilities and especially filesharing apps Regular patches (possibly automatically)
Questions
Bibliography / Links
[1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php [2] "Trojan Horse" Definition Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html [3] Zeinalipour-Yazti, D. Exploiting the Security Weaknesses of the Gnutella Protocol, University of California. [4] Joshi, R. Network Security Applications, Merchantile Communications, CANIT Conference 2003. [5] CERT Advisory CA-1999-02 http://www.cert.org/advisories/CA-1999-02.html [6] Spyware Guide http://www.spyware-guide.com [7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml [8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html [9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm [10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm [11] Wired News Judge takes bite out of Gator www.wired.com/news/politics/0,1283,53875,00.html [12] Tracking Cookies Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm [13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp [14] Unwanted Links (Spyware) http://www.unwantedlinks.com [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001. [16] Scacchi, W. Privacy and Other Social Issues, Addison-Wesley, 2003. http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt [17] Kerio Personal Firewall http://www.kerio.com
19