Spyware and Trojan Horses - PowerPoint PPT Presentation

Provided by: AndrewJ164
1
Spyware and Trojan Horses
Spyware and Trojan Horses Computer Security
Seminar 12th February 2004
  • Computer Security Seminar Series SS1

2
Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
3
Introduction
4
Seminar Overview
  • Introduction to Spyware / Trojan Horses
  • Spyware: Examples, Mechanics, Effects, Solutions
  • Tracking Cookies: Mechanics, Effects, Solutions
  • Trojan Horses: Mechanics, Effects, More Examples
  • Solutions to the problems posed
  • Human Factors: Human interaction with Spyware
  • System X: Having suitable avoidance mechanisms
  • Conclusions: Including our proposals for
    solutions

5
Definitions
SPYWARE
  • A general term for a program that surreptitiously
    monitors your actions. While they are sometimes
    sinister, like a remote control program used by a
    hacker, software companies have been known to use
    Spyware to gather data about customers. The
    practice is generally frowned upon.
  Definition from BlackICE Internet Security
  Systems - http://blackice.iss.net/glossary.php
TROJAN HORSE
  • An apparently useful and innocent program
    containing additional hidden code which allows
    the unauthorized collection, exploitation,
    falsification, or destruction of data.
  Definition from Texas State Library and
  Archives Commission -
  http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
6
Symptoms
Symptom                   Cause
Targeted Pop-ups          SPYWARE
Slow Connection           SPYWARE / TROJAN
Targeted E-Mail (Spam)    SPYWARE
Unauthorized Access       TROJAN HORSE
Spam Relaying             TROJAN HORSE
System Crash              SPYWARE / TROJAN
Program Customisation     SPYWARE
7
Summary of Effects
  • Collection of data from your computer without
    consent
  • Execution of code without consent
  • Assignment of a unique code to identify you
  • Collection of data pertaining to your habitual
    use
  • Installation on your computer without your
    consent
  • Inability to remove the software
  • Performing other undesirable tasks without
    consent

8
Similarities / Differences
Spyware                                  Trojan Horses
Commercially motivated                   Malicious
Internet connection required             Any network connection required
Initiates remote connection              Receives incoming connection
Purpose: to monitor activity             Purpose: to control activity
Collects data and displays pop-ups       Unauthorized access and control
Legal                                    Illegal
Not detectable with virus checker        Detectable with virus checker
Age: relatively new (< 5 years)          Age: relatively old (> 20 years)
Both:
  • Memory resident processes
  • Surreptitiously installed without user's consent or understanding
  • Creates a security vulnerability
Source: Table derived and produced by Andrew Brown,
Tim Cocks and Kumutha Swampillai, February 2004.
9
Spyware
Image Source: The Gator Corporation - http://www.gator.com
10
Software Examples
  • GAIN / Gator
  • Gator E-Wallet
  • Cydoor
  • BonziBuddy
  • MySearch Toolbar
  • DownloadWare
  • BrowserAid
  • Dogpile Toolbar

Image Sources: GAIN Logo - The Gator Corporation,
http://www.gator.com; BonziBuddy Logo - Bonzi.com,
http://images.bonzi.com/images/gorillatalk.gif;
DownloadWare Logo - DownloadWare,
http://www.downloadware.net
11
Advantages
  • Precision Marketing
    • Relevant pop-ups are better than all of them!
    • You may get some useful adverts!
  • Useful Software
    • DivX Pro, IMesh, KaZaA, Winamp Pro
    • (Experienced) people understand what they are
      installing.
  • Enhanced Website Interaction
    • Targeted banner adverts
    • Website customisation

User Perspective - I
12
Disadvantages
  • Browsing profiles created for users without
    consent
    • Used for target marketing and statistical
      analysis
  • Unable to remove Spyware programs or disable them
  • Increased number of misleading / inappropriate
    pop-ups
  • Invasion of user privacy (hidden from user)
  • Often badly written programs corrupt user system
  • Automatically provides unwanted "helpful" tools
  • 20 million people have Spyware on their
    machines.
    • Source - Dec 02 GartnerG2 Report

User Perspective - II
13
Example Pop-up
Misleading Pop-up
User Perspective - III
Image Source: Browser Cleanser directed pop-up
from http://www.browsercleanser.com/
14
Network Overview
  • Push
    • Advertising
  • Pull
    • Tracking
    • Personal data

Technical Analysis - I
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
15
Client-Side Operation
Technical Analysis - II
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
16
Server-Side Operation
  • Server-side operation is relatively unknown.
    However, if we were to develop such a system, it
    would contain:

Technical Analysis - III
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
17
Spyware Defence
  • Technical Initiatives...
    • Spyware Removal Programs
    • Pop-up Blockers
    • Firewall Technology
    • Disable ActiveX Controls
      • Not Sandboxed
    • E-Mail Filters
    • Download Patches
  • User Initiatives
    • Issue Awareness
    • Use Legitimate S/W Sources
    • Improved Technical Ability
    • Choice of Browser
    • Choice of OS
  • Legal action taken against breaches of privacy
    • Oct 02 DoubleClick

18
GAIN Case Study
  • Installed IMesh, which includes Gator
    Installation
  • We accessed multiple internet sites
  • We simultaneously analyzed network traffic (using
    IRIS)
  • We found the packets of data being sent to GAIN
  • Packets were encrypted and we could not decrypt
    them
  • See Example ->

19
Image Source: Screenshot of IRIS v3.7 Network
Analyser, Professional Networks Ltd. See
http://www.pnltools.com.
20
Spyware Removers
  • Ad-aware (by Lavasoft)
    • Reverse Engineer Spyware
    • Scans Memory, Registry and Hard Drive for:
      • Data Mining components
      • Aggressive advertising components
      • Tracking components
    • Updates from Lavasoft
    • Plug-ins available
      • Extra file information
      • Disable Windows Messenger Service

Image Source: Screenshot of Ad-aware 6.0.
LavaSoft. See http://www.lavasoft.com
21
Vulnerable Systems
  • Those with an internet connection!
  • Microsoft Windows 9x/Me/NT/2000/XP
    • Does not affect Open Source OSs
  • Non-firewalled systems
  • Internet Explorer, executes ActiveX plug-ins
    • Other browsers not affected

22
Tracking Cookies
23
Cookies
  • A Cookie is a small text file sent to the user
    from a website.
  • Contains:
    • Website visited
    • Provides client-side personalisation
    • Supports easy Login
  • Cookies are controlled by:
    • Website's Application Server
    • Client-side JavaScript
  • The website is effectively able to remember the
    user and their activity on previous visits.
  • Spyware companies working with websites are able
    to use this relatively innocent technology to
    deliver targeted REAL TIME marketing, based on
    cookies and profiles.

24
Case Study - DoubleClick
  • Most regular web users will have a
    doubleclick.net cookie.
  • Affiliated sites request the DoubleClick cookie
    on the user's computer.
  • The site then sends:
    • Who you are
    • All other information in your cookie file
  • In return for:
    • All available marketing information on you,
      collected from other affiliated sites which
      you have hit.

25
Case Study DoubleClick
  • Site targets banner adverts, e-mails and pop-ups
    to the user.
  • If the user visits an affiliated site without a
    DoubleClick cookie, then one is sent to the user.
  • The whole process is opaque to the user and
    occurs without their consent.

26
Tracking Cookie Implementation
  • The protocol is designed to allow only the domain
    that created a cookie to access it.
  • IE has a number of security holes:
    • Up to IE 5, domain names were specified
      incorrectly.
    • Up to IE 6, IE could be fooled into believing
      it was in another domain.
  • Patches and IE 6 solved a number of problems.
  • Since then, tracking cookies have still proved a
    large problem; a number of holes remain open.

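The cookie domain rule from the slide above and the DoubleClick-style affiliate flow from the two Case Study slides, as an added Python simulation that is not part of the seminar: a cookie jar that only sends a cookie to hosts within its domain, and a tracker embedded on affiliated sites that assigns one id per browser and links visits across sites. The hostnames (tracker.example, news.example, shop.example) are constructed; blocking third-party cookies is the defence the simulation contrasts.

```python
from collections import defaultdict


def domain_matches(request_host, cookie_domain):
    """True if a cookie scoped to cookie_domain may be sent to request_host.
    Matching is on whole label boundaries: "doubleclick.net" covers
    "ad.doubleclick.net" but not "notdoubleclick.net"."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


class Browser:
    """Cookie jar keyed by cookie domain, with optional third-party blocking."""

    def __init__(self, block_third_party=False):
        self.jar = {}  # cookie domain -> {name: value}
        self.block_third_party = block_third_party

    def cookies_for(self, request_host):
        sent = {}
        for dom, cookies in self.jar.items():
            if domain_matches(request_host, dom):
                sent.update(cookies)
        return sent

    def store(self, cookie_domain, name, value, page_host):
        # Third-party: the domain setting the cookie is not the site the
        # user navigated to. Refusing these breaks the cross-site link.
        if self.block_third_party and not domain_matches(page_host, cookie_domain):
            return
        self.jar.setdefault(cookie_domain, {})[name] = value


class Tracker:
    """Ad server embedded on affiliated sites; issues one id per browser."""

    def __init__(self, domain="tracker.example"):  # constructed hostname
        self.domain = domain
        self.next_id = 1
        self.profiles = defaultdict(list)  # id -> affiliated sites visited

    def serve_banner(self, browser, page_host):
        uid = browser.cookies_for(self.domain).get("id")
        if uid is None:  # no cookie yet: send the user one
            uid = "u%d" % self.next_id
            self.next_id += 1
            browser.store(self.domain, "id", uid, page_host)
        if browser.cookies_for(self.domain).get("id") == uid:
            self.profiles[uid].append(page_host)  # visit is now linkable
        return uid


def browse(block_third_party, sites=("news.example", "shop.example", "news.example")):
    """Load each affiliated site; return the ids the tracker saw and its profiles."""
    browser, tracker = Browser(block_third_party), Tracker()
    ids = [tracker.serve_banner(browser, site) for site in sites]
    return ids, dict(tracker.profiles)
```

With third-party cookies accepted, every visit carries the same id and the tracker's profile spans all affiliated sites; with them blocked, each visit gets a fresh id and no profile is built.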
27
Tracking Cookie Implementation
Image Source: Image produced by Andrew Brown,
Tim Cocks and Kumutha Swampillai, partially
inspired by a diagram from [16].
28
Tracking Cookie Defence
  • Replace tracking cookies with write-protected,
    zero-length files of the same name.
  • DoubleClick offer an opt-out cookie, which can be
    obtained from their website.
  • Disable cookies
    • Makes many websites unusable
  • Delete cookies after session
  • Spyware remover (Ad-aware)

Image Source: Screenshot of DoubleClick OptOut
Cookie displayed in Microsoft Notepad.
29
Trojan Horses
30
Installation
  • Secretly installed when an infected executable is
    run
    • Much like a virus
    • Executables typically come from P2P networks or
      unscrupulous websites
  • ActiveX controls on websites
    • ActiveX allows automatic installation of software
      from websites
    • User probably does not know what they are running
    • Misleading descriptions often given
    • Not sandboxed!
    • Digital signatures used, signing not necessary

31
Installation
  • Certificate Authority
  • Misleading Certificate Description
  • Who is trusted?

Image Source: Screenshot of Microsoft Internet
Explorer 6 security warning, prior to the
installation of an ActiveX Control from Roings.
32
Effects
  • Allows remote access
    • To spy
    • To disrupt
    • To relay a malicious connection, so as to
      disguise the attacker's location (spam, hacking)
    • To access resources (e.g. bandwidth, files)
    • To launch a DDoS attack

33
Operation
  • Listen for connections
  • Memory resident
  • Start at boot-up
  • Disguise presence
    • Rootkits integrate with kernel
  • Password Protected

34
Example Back Orifice
  • Back Orifice
    • Produced by the Cult of the Dead Cow
    • Win95/98 is vulnerable
    • Toast of DefCon 6
    • Similar operation to NetBus
    • Name similar to MS Product of the time

35
BO Protocol
  • Modular authentication
  • Modular encryption
    • AES and CAST-256 modules available
  • UDP or TCP
  • Variable port
    • Avoids most firewalls
  • IP Notification via ICQ
    • Dynamic IP addressing not a problem

36
BO Protocol Example (1)
INFECTION OCCURS
Attacker
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
37
BO Protocol Example (2)
COMMAND EXECUTED
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
38
BO Protocol Example (3)
EVIDENCE DESTROYED
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
39
Trojan Horse Examples
  • M Rootkit
    • Integrates with the NT kernel
    • Very dangerous
    • Virtually undetectable once installed
    • Hides from administrator as well as user
    • Private TCP/IP stack (LAN only)

40
Trojan Horse Examples
  • iSpyNOW
    • Commercial
    • Web-based client
  • Assassin Trojan
    • Custom builds may be purchased
    • These are not found by virus scanners
    • Firewall circumvention technology

41
Trojan Horse Examples
  • Hardware
    • Key loggers
    • More advanced?
  • Magic Lantern
    • FBI developed
    • Legal grey area (until recently!)
    • Split virus checking world

42
Demonstration
43
Vulnerable Systems
  • Number of trojans in common use

Chart: systems placed on a scale from DANGEROUS to
RELATIVELY SAFE; systems compared: MacOS, WinNT,
Win 9x, MacOS X, Linux/Unix.
WinNT refers to Windows NT 4, 2000, XP and Server
2003. Win9x refers to Windows 95, 95SE, 98 and
ME. Information Source: McAfee Security -
http://us.mcafee.com/
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
44
Vulnerable Systems
  • Ease of compromise

Chart: systems placed on a scale from DANGEROUS to
RELATIVELY SAFE; systems compared: Win 9x, WinNT,
MacOS, MacOS X, Linux/Unix.
WinNT refers to Windows NT 4, 2000, XP and Server
2003. Win9x refers to Windows 95, 95SE, 98 and
ME. Information Source: McAfee Security -
http://us.mcafee.com/
Image Source: Image derived and produced by
Andrew Brown, Tim Cocks and Kumutha Swampillai,
February 2004.
45
Conclusions
46
Security Implications
Short Term
  • Divulge personal data
  • Backdoors into system
  • System corruption
  • Disruption / Irritation
  • Aids identity theft
  • Easy virus distribution
  • Increased spam
Long Term
  • Mass data collection
  • Consequences unknown
  • Web becomes unusable
  • Web cons outweigh pros
  • Cost of preventions
  • More development work
  • More IP addresses (IPv6)

47
Solutions
Short Term
  • Firewall
  • Virus Checker
  • Spyware Remover
  • Frequent OS updates
  • Frequent back-up
  • Learning problems
Long Term
  • Add Spyware to Anti-Virus
  • Automatic maintenance
  • Legislation
  • Education on problems
  • Biometric access
  • Semantic web (and search)

48
Firewalls
Network / Internet
  • 3 Types
    • Packet Filtering: Examines attributes of each packet.
    • Application Layer: Hides the network by
      impersonating the server (proxy).
    • Stateful Inspection: Examines both the state and
      context of the packets.
  • Regardless of type, a firewall must be configured
    to work properly.
  • Access rules must be defined and entered into the
    firewall.

49
Firewalls
Network / Internet

Packet Filtering (Web Server behind Firewall; rule:
Allow only http - tcp 80)
  Incoming traffic: http - tcp 80, telnet - tcp 23,
  http - tcp 80, ftp - tcp 21; only the http - tcp 80
  packets are passed to the Web Server.

Stateful Inspection (PC behind Firewall)
  Request out:  192.168.0.10 1020 -> 202.52.222.10 80
  Reply in:     202.52.222.10 80 -> 192.168.0.10 1020
  Only allow reply packets for requests made out;
  block other unregistered traffic.

Image Source: Image produced by Andrew Brown,
Tim Cocks and Kumutha Swampillai, partially
inspired by a diagram from [4].
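The two firewall types in the diagram above, as an added Python simulation that is not code from the seminar: a stateless "Allow only http - tcp 80" rule beside a stateful table that admits only replies to connections the PC opened. The PC and web server addresses are the diagram's; the remaining traffic is constructed to show what each type lets through.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # first packet of a TCP connection


INSIDE = "192.168.0."  # the protected network from the diagram


def packet_filter(pkt):
    """Stateless rule 'Allow only http - tcp 80': it looks only at the packet's
    own attributes, so an unsolicited inbound packet *from* port 80 also passes."""
    return pkt.proto == "tcp" and 80 in (pkt.sport, pkt.dport)


class StatefulFirewall:
    """Only allow reply packets for requests made out; block other traffic."""

    def __init__(self):
        self.table = set()  # (client, client port, server, server port)

    def inspect(self, pkt):
        outbound = pkt.src.startswith(INSIDE) and not pkt.dst.startswith(INSIDE)
        if outbound and pkt.syn and pkt.proto == "tcp" and pkt.dport == 80:
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # register
            return True
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return forward in self.table or reply in self.table


def run(decide, packets):
    """Apply a decision function to each packet; True means forwarded."""
    return [decide(p) for p in packets]


# Constructed traffic: the diagram's request/reply pair, then two packets
# nobody inside asked for. The third has source port 80, which is all a
# stateless port rule can see.
TRAFFIC = [
    Packet("192.168.0.10", 1020, "202.52.222.10", 80, syn=True),  # request out
    Packet("202.52.222.10", 80, "192.168.0.10", 1020),            # reply in
    Packet("203.0.113.7", 80, "192.168.0.10", 31337),             # unsolicited in
    Packet("203.0.113.7", 4444, "192.168.0.10", 23),              # telnet in
]
```

The packet filter forwards the unsolicited port-80 packet because it matches the port rule; the stateful firewall drops it because no inside host registered that connection.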
50
Intrusion Detection Systems
Diagram: Network - Firewall - IDS - Switch - Server,
Server, PC
  • Intrusion Detection: A Commercial Network
    Solution
    • An "Intelligent Firewall" monitors accesses
      for suspicious activity
    • Neural Networks trained by Backpropagation on
      Usage Data
    • Could detect Trojan Horse attack, but not
      designed for Spyware
  • Put the IDS in front of the firewall to get
    maximum detection
  • In a switched network, put IDS on a mirrored
    port to get all traffic.
  • Ensure all network traffic passes through the
    IDS host.

Image Source: Image produced by Andrew Brown,
Tim Cocks and Kumutha Swampillai, partially
inspired by a diagram from [4].
51
System X
Network / Internet / Standalone
  • Composed of:
    • Open Source OS
    • Mozilla / Opera / Lynx (!) Browser (Not IE)
    • Stateful Inspection Firewall
    • Anti-Virus Software
    • Careful and educated user
    • Secure permissions system
    • Regularly updated (possibly automatically)

52
Questions
Image Source: Penny Arcade -
http://www.penny-arcade.com/view.php3?date2002-07-19resl
53
Bibliography / Links
  • [1] "Spyware" Definition - BlackICE Internet
    Security Systems - http://blackice.iss.net/glossary.php
  • [2] "Trojan Horse" Definition - Texas State Library
    and Archives Commission -
    http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
  • [3] Zeinalipour-Yazti, D. Exploiting the
    Security Weaknesses of the Gnutella Protocol,
    University of California.
  • [4] Joshi, R. Network Security Applications,
    Merchantile Communications, CANIT Conference
    2003.
  • [5] CERT Advisory CA-1999-02 -
    http://www.cert.org/advisories/CA-1999-02.html
  • [6] Spyware Guide - http://www.spyware-guide.com
  • [7] Trojan Horses -
    http://www.mpsmits.com/highlights/trojan_horses.shtml
  • [8] Trojan Horse - Back Orifice -
    http://www.nwinternet.com/pchelp/bo/bo.html
  • [9] NetBus -
    http://www.nwinternet.com/pchelp/nb/netbus.htm
  • [10] BBC News -
    http://news.bbc.co.uk/1/hi/technology/3153229.stm
  • [11] Wired News, Judge takes bite out of Gator -
    www.wired.com/news/politics/0,1283,53875,00.html
  • [12] Tracking Cookies Demonstration at
    http://www.irt.org/instant/chapter10/tracker/index4.htm
  • [13] BonziBuddy -
    http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
  • [14] Unwanted Links (Spyware) -
    http://www.unwantedlinks.com
  • [15] Anderson, R. "Security Engineering", First
    Edition, J. Wiley and Sons, 2001.
  • [16] Scacchi, W. Privacy and Other Social
    Issues, Addison-Wesley, 2003.
    http://www.ics.uci.edu/wscacchi/Tech-EC/SecurityPrivacy/Privacy.ppt