Spyware on Internet. Sybil Attacks on Sensor Networks.

1
Spyware on Internet. Sybil Attacks on Sensor
Networks.

• csci599 Spring 2004
• Siddharth Thakkar

2
Presentation Outline

• Spyware
• Introduction
• Spyware basics and Classes
• Study in the Paper Gator, eZula, SaveNow, Cydoor
• Analysis
• Results - details
• Spyware Vulnerabilities
• Scaling on to the Internet
• Conclusions
• Sybil Attacks
• Introduction Basics
• Taxonomy
• Attacks
• Defenses Especially Random Key Distribution
  Approaches
• Summary
• In P2P networks

3
Spyware
Reference Measurement and Analysis of Spyware
in a University Environment Saroiu et al.
4
Introduction Stealth/Parasite programs

• Stealth and Parasite Programs
• CIAC Technical report (Nov 2002)
• Distributed and installed along with a known
  program.
• get onto a system by piggybacking on an installer
  
• Not Viruses! Viruses attach themselves to other
  programs in order to steal a ride onto another
  persons system
• Parasite programs are intentionally attached to
  the programs they ride on.
• Classes
• Adware advertisements, web-pages, pop-ups or
  cookies from Browsers - when you access a web
  page that contains an ad from the adware server.
• Spyware Intelligently spy on all your browsing
  activity, looking into browser temp
  files/cookies/histories and all collected
  information is sent back to the spyware server to
  target future misuse of information.
• Stealth Networks Networks of computers, usually
  P2P, to store files on and queue jobs for
  execution on someone elses system (needs program
  installed there)
• Browser Helper Objects BHOs are essentially
  add-in programs /executable code for IE
  difficult to detect have to clean Registry.

5
Spyware Basics

• Definition (users perspective)
• Software that gathers information about the
  computers use (with or without users consent)
  and relays it back to a 3rd party for its
  benefit.
• Risks
• Users privacy is compromised
• Affect usability/stability of users computing
  environment
• Can Self-Update Introduce new security
  vulnerabilities
• Can put millions of computers at risk
• Why do they exist?
• Because information is valuable and can be
  capitalized upon.
• How can I get it?
• Your behavior
• Popular software with embedded spyware
• Website prompting to install browser extensions
• Cookies to track behavior across cooperating
  websites
• Usability Vs. Security O.S.s are meant to be
  extensible!

6
Classes of Spyware (characteristics, working and
threats) - 1

• Cookies and Web Bugs
• Passive form of Spyware (no code of their own)
• Cookies
• State stored in clients web browsers
• Website/general Advertisement providers who
  stored can retrieve them.
• Can track users behavior across various sites
• Web Bugs
• Invisible images embedded in page placed by
  advertisement networks
• Browser Hijackers
• Try to change browser settings (start page,
  search) by
• BHOs (helper objects), windows registry, browser
  preference files

7
Classes of Spyware (characteristics, working and
threats) - 2

• Keyloggers
• Record all keystrokes
• Passwords, credit card numbers, etc.
• New ones capture logs of visited sites, chat
  sessions, windows and programs opened.
• Tracks
• Application records info. About users actions
  (recently visited websites)
• O.S. also does it. Such Tracks can be mined by
  malicious programs.
• Malware
• Viruses, worms, trojan horses, automatic phone
  dialers!

8
Classes of Spyware (characteristics, working and
threats) - 3

• Spybots
• Prototypical example of spyware
• Monitor users behavior, collects activity logs,
  transmits them to 3rd party
• Info. Like web form data, email addresses for
  spam, URL lists, etc.
• Installed as BHO, or DLL, or separate process on
  O.S. booting!
• Adware
• Benign variety of Spybots.
• Display advertisements tuned to users activity,
  reporting browsing behavior.

9
Show me a reason to worry!

• The extent denoted by
• Results of this paper (well see soon)
• Spyware Signatures
• E.g. SpyBot SD program has 790 signatures as of
  Jan 27th, 2004.

• The spread
• Freeware/Shareware
• Authors downloaded (10 famous titles reporting
  872 million downlaods) from http//download.com
• Kazaa, iMesh, Morpheus, Download Accelerator had
  spyware!
• 12 spyware in free Kazaa (MORAL theres no free
  meal!)
• Kazaas paid version doesnt have spyware!! ?

10
Spyware studied by this paper

• Aim
• First academic attempt to understand the nature
  and extent of spyware, for attention of research
  community.
• Studied software versions between Aug 03 to Jan
  04.
• Network signatures to detect spyware. Traces
  of traffic between Univ. of Washington and the
  Internet.
• Focused on 4 spyware Gator, Cydoor, SaveNow,
  eZula
• All are from the Spybot or Adware class
• Affect approx. 5.1 of active university hosts.
• Can easily get into users system via free
  software
• Easy to derive signatures by sniffing n/w traffic
  (they use http with their servers)
• Bad servers listed using name/IP lists as. in
  ARIN RIPE registries

11
Gator - 1

• An Adware AKA OfferCompanion, Trickler, GAIN
• collects/transmits users web activity info.(URLs
  visited), demographic info (name, zipcode),
  computer configuration info.
• Generates users profile of interests and targets
  advertisements
• Installed by
• Free s/w by Claria Corporation
• P2P clients
• Websites prompting popups to install
• Runs as
• DLL linked with free s/w
• Own process gain.exe, cmesys.exe
• Capable of Self-updating !!

12
Gator 2

• Smartness
• Usually spyware can be de-fanged
• hosts.txt file can be manipulated to remap the
  DNS names of spyware servers by adding adding
  entries.
• Gator on the other hand
• Comments out entries referring to gator.com
• Caches IP addresses of gator.com DNS names.
• You are a l-user! ?

13
Cydoor

• About
• Made by Cydoor Technologies
• Client prefetches targeted pop-up advertisements
  from servers when containing App. Is run
• Online or Offline!
• Gets users demographic info. From a
  Questionnaire filled while installing the
  containing application!
• Inside scoop ?
• Company also offers a free SDK
• To use to embed Cydoor DLL in any Windows
  programs and generate revenue for them.
• Removal of the DLL causes program to crash!
• Dont spread the word! ?

14
SaveNow

• About
• Save.exe image
• Show advertisements when user appears to be
  shopping
• Doesnt transmit information to servers
• But still collects such info. To target ads
• Contacts server to update its advertisement-cache
• Comes with P2P free s/w. (Kazaa)

15
eZula

• About
• Ezulamain.exe process
• AKA TopText, ContextPro, HotText
• Attached to browser Modifies incoming HTML to
  create links to ads on keywords
• artificial links are highlighted to redirect
  away from original legitimate advertisers to its
  own!
• Bundled with free P2P s/w (Kazaa, LimeWire) or as
  a standalone tool.
• Can Self-Update!

16
Analysis Goals Methodology

• To understand how widespread spyware is within
  the Univ. of Washington at
• Individual clients granularity
• Academic departments granularity
• Gain insight into kinds of user behavior that are
  correlated with spyware.
• Monitoring Host Traces
• Relevant info. of HTTP activity from
  reconstructed TCP/HTTP request/response streams
  is Logged at the Monitoring Host.
• Sensitive information (IP) is anonymized using
  1-way hashing.

17
Analysis - Environment

• Univ. of Washington Infrastructure

18
Aside- some USC network facts

• Network as presented in June 03 (James Pepin,
  ISD)

19
Analysis Limitations/Assumptions

• Anonymization
• 2bits of IP lost. Cant uniquely find IP of
  infected client
• DHCP effect
• No fix client IP. So dial-up excluded.
• But even with all this, Gator infected clients
  could be numbered!
• Gator happens to provide a unique identifier in
  its request packets ?
• Signature analysis
• Might miss some spyware traffic because of
  pattern matching errors
• But result would be underestimated value,
  Threat might be higher!

20
Results Spread of Spyware - 1

• Traces Summary (Table 3)

21
Results Spread of Spyware - 2

• Gator 3.4 clients that communicated during the
  study (weeklong trace)
• Cydoor 1.3
• SaveNow 1.3
• eZula 0.2
• Bad news
• In total, 1587 clients (5.1 of total hosts)
  infected with one or more spyware programs!
• This is just 4 programs studied!
• Gator
• Only 52 new installations found over the week by
  studying Gator client registration packets and
  timestamp with date of installation.
• Means many Gators were installed months/years in
  the past!

22
Results Spread of Spyware - 3

• Values indicate percentage of 872

Dates discovered for 872 out of the 1077 Gator
Clients.
23
Results Modem Vs. Non-Modems

• Modem Pool IPs
• Though DHCP made authors exclude dialup IPs
• Gator timestamps used to identify uniquely within
  the modem-pool clients
• 942 Gator installations out of 12,435 accounts
  using modem-pool. (7.6)
• Note that 872 were already in the 31,303
  host-non-modem pool network (2.8)
• Which means
• Spyware is prevalent on personally-owned
  computers
• But also significance presence even in University
  computers !!

24
Results Cross Infection rates - 1
25
Results Cross Infection rates - 2

• Once infected, forever vulnerable!
• eZula
• Only 28.6 of eZula infected hosts are infected
  with ONLY eZula
• Whatevers causing eZula infections also causes
  infections of other Spyware programs!
• Spyware open new vulnerabilities!

26
Results Web activity - 1

• Usual causes
• P2P client software
• Downloading/installing executables off the
  internet
• Software bundled with spyware.
• Correlation for such activity can be derived.
  (graphs in following slide)

27
Results Web activity - 2

• Servers contacted by infected clients

• Servers contacted by ALL clients

28
Results Web activity - 3

• Web request issued by infected clients

• Web requests issued by ALL clients

29
Results Downloading executables
30
Results Using P2P File-sharing

• Analysis revealed that
• 38 of clients issuing at least one Kazaa request
  were infected by spyware!
• Mainly containing Cydoor, and Gator (28.2 17
  respectively.)
• Compared to previous table (Web clients/requests)
• These values are almost 22 times higher!
• Impliesfile sharing programs expose clients to
  spyware.!
• Kazaa is not the only one.!

31
Results Todays Security Infrastructure

• Spyware bypass it!
• Univ. of Washington Core is centrally managed
• Each department is responsible for managing its
  own systems/security policies.
• Independent trust domain, with own set of
  defenses
• Still 69 of organizations are infected with at
  least one variety of spyware!
• 64 have Gator!
• Perimeter protection mechanisms such as Firewalls
  are not helpful!
• Spyware need cooperation from user (willing or
  not willing)
• An exploit could leave major network vulnerable!
• 47 of top most popular web-servers in Univ. share
  a subnet with Gator client
• Backdoor in spyware can lead the attacker easily
  inside major trust boundary!

32
Bugs in Spyware?!

• Gator/eZula
• Client (Software) downloads updates for code and
  data
• Doesnt verify authenticity or integrity of the
  downloaded archive before extracting files from
  it.
• Attacker can cause his/her OWN file to be
  extracted by hijacking/spoofing gator.com or
  ezula.com!
• Authors reported this vulnerability to make the
  spyware stronger and secure ??!!!!

33
Finally, Scaling it on to the Internet

• Kazaa as an example
• Kazaa users counters on websites report 4 million
  concurrent clients.
• Using this papers 38 infection rate, estimate
  is
• 1.5 million spyware infected hosts active on
  Kazaa network!!
• Estimate based on external Kazaa hosts contacting
  Univ. of Washington hosts, is that
• 2.6 million spyware-infected Kazaa hosts!
• Research at UC Berkeley estimates this to be 3.4
  million!

34
Spyware Conclusions/Comments

• This Paper
• Authors present a very justified argument about
  the spread of Spyware in a controlled environment
  as Univ. of Washington
• Results serve as an alert to the research
  community.
• Active monitoring of network traffic avoids
  doubts!
• Spyware
• Significant local and global security
  implications
• Next trend after annoying banners ?
• Signatures can ease detection
• Free software are the most harmful
• Wide spread make spyware a potential entry for
  any system-wide vulnerability break-down!
• Need alert system administration for regular
  cleanup!
• Social aspects train the users to avoid
  clicking OK without reading! ?

35
Sybil Attacks
Reference The Sybil Attack in Sensor Network
Analysis and Defenses by Newsome et al.
36
Sybil Attacks - Introduction

• The term Sybil attack
• Sybil Dorsett, a survivor of child abuse who was
  diagnosed with the first multiple personality
  disorder, reveals that she played host to sixteen
  separate and distinct personalities before making
  the long journey to recovery.
• Definition
• In networks,
• An attack where the attacker posses multiple
  identities a malicious node behaves as if it
  were a larger number of nodes, by impersonating
  other nodes or simply by claiming false
  identities!
• First identified for P2P networks by John Douceur.

37
Sybil attacks and Sensor Networks

• Motivation
• Sensor networks may monitor critical information.
• Sybil attacks may exploit, confuse or overwhelm
  the sensor network.
• Need to identify, classify such attacks
• Need to choose the best defense mechanism for
  sensor networks.
• This paper
• Is the first study of Sybil attacks for Sensor
  Networks
• Authors attempt to identify attacks, classify
  them and then evaluate various Defense mechanisms!

38
Sybil Attacks Taxonomy -1

• For Sensor networks

39
Sybil Attacks Taxonomy -2

• Direct
• Malicious node listens to Radio message from
  legitimate node!
• Indirect
• Messages to Sybil node are routed through one of
  the malicious nodes!
• Fabricated
• For. E.g. Attacker assigns each Sybil node a
  random-bit value if each node is generally
  identified by a 32-bit integer
• Stolen
• If mechanism can identify legitimate node
  identities, Attacker needs to assign other
  legitimate identities by destroying or
  temporarily disabling the impersonated identities
• Simultaneous
• All Sybil identities participate in the network
  at once, may be cycle through!
• Non-Simultaneous
• Attacker having large number of identities over
  time, he may only act as a smaller number at any
  given time. May be Leave and Join multiple times
  with separate identities!

40
List of Sybil Attacks -1

• Known Attacks
• Distributed Storage
• Can defeat replication and fragmentation
  mechanism
• Easily defeat DHTs based on Geographic Hash
  (GHT)s
• System designed to replicate data on several
  nodes
• But it might be storing on Sybil identities
  generated by malicious node! ?
• Routing
• Multipath or Dispersity Routing
• Seemingly disjoint paths could in fact go through
  a single malicious node presenting several Sybil
  identities ?
• Geographic routing
• Sybil node could appear at multiplce locations. ?
• Attempt to Detect routing attacks like BlackHoles
• Sybil attack could confuse the detection
  mechanism! ?

41
List of Sybil Attacks -2

• New Attacks
• Data Aggregation
• One malicious node could contribute to the
  computed aggregate of readings many times.
• May completely alter the aggregate reading! ?
• Voting
• Wireless Sensor networks use voting for many
  tasks.
• Sybil attack for false ballots or
  ballot-stuffing! ?
• May be able to determine/influence outcome of any
  vote to declare a legitimate node as misbehaving!
  ?
• May save a misbehaving node by favoring votes!

42
List of Sybil Attacks -3

• Fair Resource Allocation
• Used to allow a malicious node to obtain an
  unfair share of shared resource (like radio
  channel).
• Denial of service to legitimate nodes
• Gives attacker more resources to perform More
  attacks! ?
• Misbehavior Detection
• Usually, due to false-positives considerations,
  any misbehavior detection system delays action.
• An attacker with Sybil identities could spread
  the blame and pass unnoticed by only small
  misbehavior per identity! ?
• If action taken to revoke an identity, attacker
  can create new identities and continue
  misbehavior without himself getting revoked! ?

43
Vulnerable protocols
44
Sybil Attack Identity Validation

• Identity Validation
• Types
• DIRECT VALIDATION node directly tests another
  node identity
• INDIRECT VALIDATION nodes that have already been
  verified are allowed to vouch for or refute other
  nodes.
• Note
• Paper focuses on Direct Validation schemes only.

45
Defenses

• Previous Defenses
• Resource testing
• Assumption limited resource per physical entity
• Verify that each identity has as much of tested
  resource as the physical device.
• More implies multiple identities!
• Communication as a critical resource for Sensor
  Networks
• One method Broadcast a request of identities
  and accept replies that occur within a given time
  interval.
• Unsuitable for wireless sensor networks because
  of network congestion by all replies! ?
• New Defenses
• New approaches suggested by the Authors
• Topics to follow -gt

46
Radio Resource Testing -1

• Assumption
• Physical device has only 1 radio and cant
  send/receive on more than 1 channel
  simultaneously
• Working
• A verifier s assigns its n neighbors different
  channels.
• Listens on a randomly chosen channel.
• If neighbor was assigned that channel is
  legitimate, it should hear the message.
• Choosing a channel to listen which isnt being
  transmitted on, is a Sybil node detection!
• Probability s/n
• Probability of Not detecting sybil node (n-s)/n
• If repeated for r rounds, its ((n-s)/n)r

47
Radio Resource Testing -2

• Case Not enough channels
• To assign to each neighbor
• Can test c neighbors at a time, does r rounds
• There are S Sybil nodes, M malicious nodes and G
  good nodes

• More channels means easy/faster to detect (See
  next graph)

48
Radio Resource Testing -3

• Advantages
• Effective defense against simultaneous
  direct-communication variant of Sybil attacks.
• Disadvantages
• Assumptions that device cant send on multiple
  channels simultaneously!
• Software radio negates this assumption!

49
Random Key Predistribution - 1

• Basic Idea
• Assign a random set of keys or key-related info.
  To each node
• Key-setup phase
• each node can computer the common keys it shares
  with neighbors
• Shared secret session key for node-to-node
  secrecy!
• Key Validation
• Network able to verify part or all of the keys
  that an identity claims to have!
• Bad guy mightve been able to capture only
  limited set of keys.
• Little probability that arbitrarily generated
  identity will work!

50
Random Key Predistribution - 2

• Validation
• 2 ways
• Direct each node challenges an identity using
  its own limited knowledge
• ? May not reach globally consistent decision
• Indirect nodes collaborate
• ? Effective since sensor nodes have limited
  memory/knowledge!
• ? Costly- communication overhead
• Random key Predistribution Approaches
• (modified to use as Sybil Defenses by authors)
• Key Pool
• Single-space pair-wise key distribution
• Multiple-space pair-wise key distribution

51
Key Pool - 1

• Core Scheme
• Set of keys assigned to a node
• If two nodes share q common keys, they can
  establish a secret link.
• ith key from key pool goes to node depending on
  the one-way Pseudo Random hash Function.
• Attacker cant just gather bunch of keys and
  claim an identity PRF is one way!
• Validation
• Challenge the identity
• If a key Ki should be in Omega(ID) but it isnt
  in the compromised key set S, ID is cheating!

52
Key Pool - 2

• Time complexity -1
• Full validation case
• Partial challenged by d nodes
• Pr(tcardinality of intersection set of
  Omega(ID) and S)
• x Pr(ID passes validation with all d
  verifiers conditioned over tcardinality of
  intersection set)
• Detailed mathematical steps in paper.

53
Key Pool - 3

• Time complexity 2
• If Tolerance threshold Pr(a random Sybil IS is
  usable) 2-64
• Attacker needs to compromise only 30 nodes in
  partial validation!
• 150 if full validation!

54
Single Space Pairwise Key Distribution

• Scheme
• Assign unique key to each pair
• Bloms scheme polynomial-based scheme
  (references)
• Node i stores unique public information Ui and
  private information Vi.
• Node i computes key from f(Vi,Uj) with node j.
• Lambda secure property
• Secure against direct/indirect sybil attacks till
  Lambda nodes are compromised (c lt Lambda)
• Validation
• A node validates an identity provided it has the
  pairwise key between it and the verifier!
• No consideration of OTHER nodes! ?
• Need globally consistent validation. ?

55
Multi-space Pairwise Key Distribution-1

• Scheme
• Each sensor node is assigned k out of the m Key
  Spaces generated by the setup server.
• If 2 neighbors have gt1 keyspaces common,
• Compute pairwise secret key like Single space
  scheme! ?
• Preventing Sybil Attacks
• Without Validation
• Direct communication sybil attacks
• Node needs to capture nodes such that at least 1
  key-space is compromised!
• Indirect communication sybil attacks need more
  validation! (next slide)

56
Multi-space Pairwise Key Distribution-2

• With Validation
• Indirect validation needed to challenge if an
  adversary claims to have key-spaces Ti.
• For Globally consistent decision
• Full Validation
• Adversary has to compromise all k key-spaces!
• Probability calculation
• Si event that space i is compromised
• m all key spaces
• If S1 is compromised, it is less likely that so
  is S2!

57
Multi-space Pairwise Key Distribution-3

• Note
• Different kind of probability on Y-axis
• Compared to Fig.3 before

58
Other Defenses

• Registration
• Trusted central authority managing the network
  could poll the network and compare to known
  deployment
• Sensor networks are unlike P2P may have central
  control
• ? Registration list of known identities has to be
  secured!
• Position Verification
• Sybil nodes will appear to be exactly at the same
  location!
• Assuming sensor nodes are immobile, attack
  detected!
• For Mobile attacker Need to verify ALL nodes
  position simultaneously!
• Code Attestation
• Validate node by verifying memory contents!
• Not yet applicable to wireless network
• Trusted hardware with security guarantees for
  this?
• Future
• Costly and high energy consumption! ?

59
Sybil attacks on Sensor networks - Summary

• Current defenses cant fight every type of Sybil
  attack (Table before)
• Each defense has diff. cost and assumptions ?
• Random key predistribution
• Sounds most promising seeing the difficulty of
  attack
• Basic Pool
• Mapping nodes identity to the indices of its
  keys using 1-way function
• Single-space
• Good as long as Lambda nodes are not captured!
• Direct validation ensures global consistent
  validation
• Multi-space
• Need Lambda instances of EACH key space to
  attack! ?
• Has to compromise at least k key spaces to
  succeed! ?
• Paper presents a detailed analytical first-take
  on Sybil attacks on Sensor networks! (for P2P see
  next slides!)
• Area needs to explore lot more options!
• Way to AVOID creation of multiple identities?
• Associate a node to an owner? Attacker cant
  misuse existing node for Sybil identities!
• Who does this?

60
Appendix Sybil attacks P2P

• Systems and Attacks
• P2P systems are heterogenous WITH unlimited
  computing power!
• Attackers can cause Sybil identities and they
  need to to be validated concurrently and
  simultaneously!
• Infrastructure
• Identities communicate via messages over a cloud
  through pipes!
• Intentional replication for duplication,
  reliability, etc. can be misused as multiple
  identities!
• Existing relied upon mechanisms
• Certification Verisign
• CFS identify node by hash of IP address
• SFS append host path to a DNS name
• EMBASSY bind machine to cryptographic keys in
  hardware!
• Dependent mechanisms might get obsolete (IPv6 and
  CFS!)
• New ideas?
• Resource-demanding challenges to identities!
• Not administrable on large distributed network! ?

61
References

• Measurement and Analysis of Spyware in a
  University Environment
• Stefan Saroiu, Steen Gribble, Henry Levy
• Proceedings of the First Symposium on Networked
  Systems Design and Implementation (NSDI '04),
  March 2004
• The Sybil Attack in Sensor Networks Analysis and
  Defense
• James Newsome, Elaine Shi, Dawn Song, Adrian
  Perrig
• Proceedings of 3rd International Symposium on
  Information Processing in Sensor Networks (IPSN
  04), April 2004
• The Sybil Attack
• John R. Douceur
• First International Workshop on Peer-to-Peer
  Systems, March 2002
• Leveraging the High performance computing
  Environment
• Michael Pierce, Jim Pepin
• HPC - High Performance Computing - Consortium
  Meeting, June 2003
• Parasite Programs Adware, Spyware, and Stealth
  Networks
• CIAC Tech02-004-Technical Bulletin, Revised in
  November 2002
• http//www.ciac.org/ciac/techbull/CIACTech02-004.s
  html