Spyware and Trojan Horses Computer Security Seminar

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Spyware and Trojan Horses Computer Security Seminar Series [SS 1] Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Your computer could be watching your every move! Image Source - http: //www. clubpmi. it/upload/servizi_marketing/images/spyware. jpg Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Introduction Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Seminar Overview • Introduction to Spyware / Trojan Horses • Spyware – Examples, Mechanics, Effects, Solutions • Tracking Cookies – Mechanics, Effects, Solutions • Trojan Horses – Mechanics, Effects, More Examples • Solutions to the problems posed • Human Factors – Human interaction with Spyware • “System X” – Having suitable avoidance mechanisms • Conclusions – Including our proposals for solutions Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Definitions E AR YW P A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon. S AN J O E TR RS O H Definition from: Black. ICE Internet Security Systems - http: //blackice. iss. net/glossary. php An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. Definition from: Texas State Library and Archives Commission - http: //www. tsl. state. tx. us/ld/pubs/compsecurity/glossary. html Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Symptoms • Targeted Pop-ups • Slow Connection • Targeted E-Mail (Spam) • Unauthorized Access • Spam Relaying • System Crash • Program Customisation Andrew Brown, Tim Cocks and Kumutha Swampillai SPYWARE / TROJAN SPYWARE TROJAN HORSE SPYWARE / TROJAN SPYWARE http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Summary of Effects • Collection of data from your computer without consent • Execution of code without consent • Assignment of a unique code to identify you • Collection of data pertaining to your habitual use • Installation on your computer without your consent • Inability to remove the software • Performing other undesirable tasks without consent Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Similarities / Differences Spyware Trojan Horses Commercially Motivated Malicious Internet connection required Any network connection required Initiates remote connection Receives incoming connection Purpose: To monitor activity Purpose: To control activity Collects data and displays pop-ups Unauthorized access and control Legal Illegal Not Detectable with Virus Checker Age: Relatively New (< 5 Years) Age: Relatively Old ( > 20 Years) Memory Resident Processes Surreptitiously installed without user’s consent or understanding Creates a security vulnerability Source – Table derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Spyware Image Source – The Gator Corporation – http: //www. gator. com Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Software Examples • GAIN / Gator • Gator E-Wallet • Cydoor • Bonzi. Buddy • My. Search Toolbar • Download. Ware • Browser. Aid • Dogpile Toolbar Andrew Brown, Tim Cocks and Kumutha Swampillai Image Sources… GAIN Logo – The Gator Corporation – http: //www. gator. com Bonzi. Buddy Logo – Bonzi. com - http: //images. bonzi. com/images/gorillatalk. gif Download. Ware Logo – Download. Ware - http: //www. downloadware. net http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Advantages • Precision Marketing – Relevant pop-ups are better than all of them! – You may get some useful adverts! • Useful Software – Div. X Pro, IMesh, Ka. Za. A, Winamp Pro – (Experienced) people understand what they are installing. • Enhanced Website Interaction – Targeted banner adverts – Website customisation Andrew Brown, Tim Cocks and Kumutha Swampillai User Perspective - I http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Disadvantages • Browsing profiles created for users without consent – Used for target marketing and statistical analysis • Unable to remove Spyware programs or disable them • Increased number of misleading / inappropriate pop-ups • Invasion of user privacy (hidden from user) • Often badly written programs corrupt user system • Automatically provides unwanted “helpful” tools • “ 20 million+ people have Spyware on their machines. ” Source - Dec ’ 02 Gartner. G 2 Report Andrew Brown, Tim Cocks and Kumutha Swampillai User Perspective - II http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Example Pop-up Misleading Pop-up User Perspective - III Image Source – Browser Cleanser – Directed pop-up from http: //www. browsercleanser. com/ Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Network Overview • Push • Advertising • Pull • Tracking • Personal data Technical Analysis - I Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Client-Side Operation Technical Analysis - II Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Server-Side Operation • Server-side operation is relatively unknown. However, if we were to develop such a system, it would contain… Technical Analysis - III Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Spyware Defence User Initiatives… Technical Initiatives. . . • Issue Awareness • Spyware Removal Programs • Use Legitimate S/W Sources • Pop-up Blockers • Improved Technical Ability • Firewall Technology • Choice of Browser • Disable Active. X Controls • Choice of OS • Legal action taken against • E-Mail Filters breaches of privacy • Download Patches – Not Sandboxed – Oct ’ 02 Doubleclick Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 GAIN Case Study • Installed IMesh, which includes Gator Installation • We accessed multiple internet sites • We simultaneously analyzed network traffic (using IRIS) • We found the packets of data being sent to GAIN • Packets were encrypted and we could not decrypt them • See Example -> Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Image Source – Screenshot of IRIS v 3. 7 Network Analyser – Professional Networks Ltd. See http: //www. pnltools. com. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Spyware Removers Ad-aware (by Lavasoft) – Reverse Engineer Spyware – Scans Memory, Registry and Hard Drive for… • Data Mining components • Aggressive advertising components • Tracking components – Updates from Lavasoft – Plug-ins available • Extra file information • Disable Windows Messenger Service Image Source – Screenshot of Ad-aware 6. 0. Lava. Soft. See http: //www. lavasoft. com Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Vulnerable Systems • Those with an internet connection! • Microsoft Windows 9 x/Me/NT/2000/XP • Does not affect Open Source OSs • Non - fire-walled systems • Internet Explorer, executes Active. X plug-ins • Other browsers not affected Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Tracking Cookies Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Cookies • A Cookie is a small text file sent to the user from a website. – – Provides client-side personalisation – • Contains Website visited Supports easy Login Cookies are controlled by… – – • Website’s Application Server Client-side Java Script The website is effectively able to ‘remember’ the user and their activity on previous visits. • Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Case Study - Double. Click • Most regular web users will have a “doubleclick. net” cookie. • Affiliated sites request the Double. Click cookie on the users computer. • The site then sends… – Who you are – All other information in your cookie file • In return for… – All available marketing information on you - collected from other affiliated sites which the you have hit. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Case Study – Double. Click • Site targets banner adverts, e-mails and pop-ups to the user. • If the user visits an affiliated site without a Double. Click cookie, then one is sent to the user. • The whole process is ‘opaque’ to the user and occurs without their consent. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Tracking Cookie Implementation • Protocol designed to only allow the domain who created a cookie to access it. • IE has a number of security holes… – Up to IE 5, domain names specified incorrectly. – Up to IE 6, able to fool IE into believing it is in another domain. • Patches and IE 6 solved a number of problems • Since then, tracking cookies are still proving a large problem, there are still a number of holes still open. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Tracking Cookie Implementation Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [16]. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Tracking Cookie Defence • Replace tracking cookies with write protected zero length files of the same name. • Double. Click offer an opt-out cookie, which can be obtained from their website. • Disable cookies – Makes many websites unusable • Delete cookies after session • Spyware remover (Ad-aware) Image Source – Screenshot of Double. Click Opt. Out Cookie displayed in Microsoft Notepad. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Trojan Horses Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Installation • Secretly installed when an infected executable is run – Much like a virus – Executables typically come from P 2 P networks or unscrupulous websites • Active. X controls on websites – Active. X allows automatic installation of software from websites – User probably does not know what they are running – Misleading descriptions often given – Not sandboxed! – Digital signatures used, signing not necessary Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Installation • Certificate Authority • Misleading Certificate Description • Who is trusted? Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an Active. X Control from “Roings”. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Effects • Allows remote access – To spy – To disrupt – To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking) – To access resources (i. e. bandwidth, files) – To launch a DDo. S attack Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Operation • Listen for connections • Memory resident • Start at boot-up • Disguise presence • Rootkits integrate with kernel • Password Protected Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Example: Back Orifice • Back Orifice – Produced by the “Cult of the Dead Cow” – Win 95/98 is vulnerable – Toast of Def. Con 6 – Similar operation to Net. Bus – Name similar to MS Product of the time Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 BO: Protocol • Modular authentication • Modular encryption – AES and CAST-256 modules available • UDP or TCP • Variable port – Avoids most firewalls • IP Notification via. ICQ – Dynamic IP addressing not a problem Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 BO: Protocol Example (1) TROJAN INFECTION OCCURS Attacker Victim ICQ SERVER IP ADDRESS AND PORT CONNECTION Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 BO: Protocol Example (2) COMMAND EXECUTED Attacker Victim CONNECTION REQUEST FOR INFORMATION Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 BO: Protocol Example (3) CLEANUP COMMAND EVIDENCE DESTROYED Attacker Victim Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Trojan Horse Examples • M$ Rootkit – Integrates with the NT kernel – Very dangerous – Virtually undetectable once installed – Hides from administrator as well as user – Private TCP/IP stack (LAN only) Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Trojan Horse Examples • i. Spy. NOW – Commercial – Web-based client • Assassin Trojan – Custom builds may be purchased – These are not found by virus scanners – Firewall circumvention technology Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Trojan Horse Examples • Hardware – Key loggers – More advanced? • Magic Lantern – FBI developed – Legal grey area (until recently!) – Split virus checking world Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Demonstration Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Vulnerable Systems Number of trojans in common use… RELATIVELY SAFE DANGEROUS Win 9 x Win. NT Linux/Unix Mac. OS X Win. NT refers to Windows NT 4, 2000, XP and Server 2003. Win 9 x refers to Windows 95, 95 SE, 98 and ME. Information Source: Mc. Afee Security - http: //us. mcafee. com/ Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Vulnerable Systems Ease of compromise… DANGEROUS RELATIVELY SAFE Win 9 x Mac. OS Win. NT Mac. OS X Linux/Unix Win. NT refers to Windows NT 4, 2000, XP and Server 2003. Win 9 x refers to Windows 95, 95 SE, 98 and ME. Information Source: Mc. Afee Security - http: //us. mcafee. com/ Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Conclusions Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Security Implications Short Term Long Term • Divulge personal data • Mass data collection • Backdoors into system • Consequences unknown • System corruption • Web becomes unusable • Disruption / Irritation • Web cons outweigh pros • Aids identity theft • Cost of preventions • Easy virus distribution • More development work • Increased spam • More IP addresses (IPv 6) Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Solutions Short Term Long Term • Firewall • Add Spyware to Anti-Virus • Virus Checker • Automatic maintenance • Spyware Remover • Legislation • Frequent OS updates • Education on problems • Frequent back-up • Biometric access • Learning problems • Semantic web (and search) Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar Firewalls 12 th February 2004 Network / Internet • 3 Types… – Packet Filtering – Examines attributes of packet. – Application Layer – Hides the network by impersonating the server (proxy). – Stateful Inspection – Examines both the state and context of the packets. • Regardless of type; must be configured to work properly. • Access rules must be defined and entered into firewall. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Firewalls Network / Internet http - tcp 80 telnet - tcp 23 http - tcp 80 Packet Filtering ftp - tcp 21 Web Server Firewall Allow only http - tcp 80 202. 52. 222. 10: 80 192. 168. 0. 10 : 1020 Stateful Inspection 202. 52. 222. 10: 80 192. 168. 0. 10 : 1020 PC Firewall Only allow reply packets for requests made out Block other unregistered traffic Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4]. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Intrusion Detection Systems Network Server Switch Server Firewall IDS • Intrusion Detection – A Commercial Network Solution • An “Intelligent Firewall” – monitors accesses for suspicious activity • Neural Networks trained by Backpropagation on Usage Data • Could detect Trojan Horse attack, but not designed for Spyware PC • Put the IDS in front of the firewall to get maximum detection • In a switched network, put IDS on a mirrored port to get all traffic. • Ensure all network traffic passes through the IDS host. Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4]. Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 “System X” Network / Internet / Standalone • Composed of… – Open Source OS – Mozilla / Opera / Lynx (!) Browser (Not IE) – Stateful Inspection Firewall – Anti-Virus Software – Careful and educated user – Secure permissions system – Regularly updated (possibly automatically) Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Questions… Image Source – Penny Arcade - http: //www. penny-arcade. com/view. php 3? date=2002 -07 -19&res=l Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004 Bibliography / Links • [1] "Spyware" Definition - Black. ICE Internet Security Systems - http: //blackice. iss. net/glossary. php • [2] "Trojan Horse" Definition – Texas State Library and Archives Commission - http: //www. tsl. state. tx. us/ld/pubs/compsecurity/glossary. html • [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California. • [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003. • [5] CERT Advisory CA-1999 -02 http: //www. cert. org/advisories/CA-1999 -02. html • [6] Spyware Guide – http: //www. spyware-guide. com • [7] Trojan Horses - http: //www. mpsmits. com/highlights/trojan_horses. shtml • [8] Trojan Horse - Back Orifice - http: //www. nwinternet. com/~pchelp/bo/bo. html • [9] Net. Bus - http: //www. nwinternet. com/~pchelp/nb/netbus. htm • [10] BBC News - http: //news. bbc. co. uk/1/hi/technology/3153229. stm • [11] Wired News – “Judge takes bite out of Gator” www. wired. com/news/politics/0, 1283, 53875, 00. html • [12] Tracking Cookies – Demonstration at http: //www. irt. org/instant/chapter 10/tracker/index 4. htm • [13] Bonzi. Buddy - http: //www. bonzi. com/bonzibuddyfreehom. asp • [14] Unwanted Links (Spyware) – http: //www. unwantedlinks. com • [15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001. • [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003. – http: //www. ics. uci. edu/~wscacchi/Tech-EC/Security+Privacy/Privacy. ppt Andrew Brown, Tim Cocks and Kumutha Swampillai http: //birmingham. f 9. co. uk