Introduction
Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions
Definitions
Spyware:
A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers.
Definition from: BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
Trojan Horse:
Definition from: Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
Symptoms
Summary of Effects
Similarities / Differences
Source – Table derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Spyware
Software Examples
• GAIN / Gator
• Gator E-Wallet
• Cydoor
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
Image Sources…
Advantages
• Precision Marketing
– Relevant pop-ups are better than all of them!
– You may get some useful adverts!
• Useful Software
– DivX Pro, IMesh, KaZaA, Winamp Pro
– (Experienced) people understand what they are installing.
Disadvantages
• Browsing profiles created for users without consent
– Used for target marketing and statistical analysis
Example Pop-up
Misleading Pop-up
Network Overview
• Push
• Advertising
• Pull
• Tracking
• Personal data
Technical Analysis - I
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Client-Side Operation
Technical Analysis - II
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Server-Side Operation
• Server-side operation is relatively unknown. However, if we were to develop such a system, it would contain…
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Spyware Defence
User Initiatives…
• Issue Awareness
• Use Legitimate S/W Sources
• Improved Technical Ability
• Choice of Browser
• Choice of OS
• Legal action taken against breaches of privacy
– Oct ’02 Doubleclick
Technical Initiatives...
• Spyware Removal Programs
• Pop-up Blockers
• Firewall Technology
• Disable ActiveX Controls
– Not Sandboxed
• E-Mail Filters
• Download Patches
Image Source – Screenshot of IRIS v3.7 Network Analyser – Professional Networks Ltd. See http://www.pnltools.com.
Spyware Removers
Ad-aware (by Lavasoft)
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
Vulnerable Systems
Tracking Cookies
Cookies
• A Cookie is a small text file sent to the user from a website.
– Contains Website visited
– Provides client-side personalisation
– Supports easy Login
• In return for…
– All available marketing information on you - collected from other affiliated sites which you have hit.
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [16].
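The exchange on this slide, as an added example that is not part of the original seminar material: a browser visits two constructed affiliated sites that both embed an ad from one constructed tracker domain. With third-party cookies allowed, the tracker links every visit to a single profile; with them blocked, each ad request arrives with no cookie and the visits cannot be tied together.

```python
# Added example, not from the original slides: a model of the tracking-cookie
# mechanism described on the slide. Site and tracker hostnames are constructed.
from urllib.parse import urlparse

TRACKER = "ads.tracker.example"   # constructed third-party ad server domain

# Constructed browsing session: two affiliated sites, each embedding an ad from TRACKER
SITES = [
    "http://shop.site-a.example/cart",
    "http://news.site-b.example/article",
    "http://shop.site-a.example/checkout",
]


class Tracker:
    """Ad server: hands out an id cookie and records which sites each id was seen on."""

    def __init__(self):
        self.next_id = 1
        self.profiles = {}  # cookie id -> list of referring hosts

    def serve_ad(self, referer_host, cookie):
        # Reuse the id the browser presented; otherwise mint a new one
        if cookie is None:
            cookie = f"uid{self.next_id}"
            self.next_id += 1
        self.profiles.setdefault(cookie, []).append(referer_host)
        return cookie  # value for the Set-Cookie response header


def browse(urls, block_third_party):
    """Visit each page; return the tracker's profiles built from the session."""
    tracker = Tracker()
    jar = {}  # browser cookie jar: domain -> cookie value
    for url in urls:
        page_host = urlparse(url).hostname
        # The ad request goes to TRACKER while the address bar shows page_host,
        # so its cookie is third-party unless the user is on TRACKER itself
        blocked = block_third_party and page_host != TRACKER
        sent = None if blocked else jar.get(TRACKER)
        set_cookie = tracker.serve_ad(page_host, sent)
        if not blocked:
            jar[TRACKER] = set_cookie  # store the cookie for later ad requests
    return tracker.profiles
```

With blocking on, the tracker sees three unrelated ids and cannot tell that two of the visits came from the same user.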
Trojan Horses
Installation
• Secretly installed when an infected executable is run
– Much like a virus
– Executables typically come from P2P networks or unscrupulous websites
• ActiveX controls on websites
– ActiveX allows automatic installation of software from websites
– User probably does not know what they are running
– Misleading descriptions often given
– Not sandboxed!
– Digital signatures used, signing not necessary
Installation
• Certificate Authority
• Misleading Certificate Description
• Who is trusted?
Effects
• Allows remote access
– To spy
– To disrupt
– To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
– To access resources (e.g. bandwidth, files)
– To launch a DDoS attack
Operation
• Listen for connections
• Memory resident
• Start at boot-up
• Disguise presence
• Rootkits integrate with kernel
• Password Protected
BO: Protocol
• Modular authentication
• Modular encryption
– AES and CAST-256 modules available
• UDP or TCP
• Variable port
– Avoids most firewalls
[Diagram: Trojan infection occurs – the victim’s IP address and port are passed via an ICQ server to the attacker, who then opens a connection to the victim]
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
[Diagram: the attacker sends a command over the connection, the command is executed on the victim and information is returned]
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
[Diagram: the attacker sends a cleanup command and the evidence on the victim is destroyed]
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Demonstration
Vulnerable Systems
[Chart: number of trojans in common use, by platform – Linux/Unix, WinNT, Win 9x]
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Vulnerable Systems
[Chart: ease of compromise, on a scale from RELATIVELY SAFE to DANGEROUS – Linux/Unix, MacOS X, WinNT, MacOS, Win 9x]
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Image Source – Image derived and produced by; Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
Conclusions
Security Implications
Solutions
Firewalls
Network / Internet
• 3 Types…
– Packet Filtering – Examines attributes of packet.
– Application Layer – Hides the network by impersonating the server (proxy).
– Stateful Inspection – Examines both the state and context of the packets.
Firewalls
Network / Internet
[Diagram: packet filtering – rule table of permitted services, http (tcp 80) and telnet (tcp 23), between the network and the Internet]
[Diagram: stateful inspection – PC 192.168.0.10:1020 connects through the firewall to 202.52.222.10:80 on the Internet; the firewall only allows reply packets for requests made out and blocks other unregistered traffic]
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
[Diagram: Server / Internet]
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
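The two firewall behaviours on these slides, as an added example that is not part of the original seminar material: a packet-filter rule table of permitted services (http, telnet) and a stateful table of requests made out, using the addresses from the diagram. It also shows why "block other unregistered traffic" stops an outsider from reaching a program that listens for connections on the PC, as the trojans in the Operation slide do. Packets are constructed records, not real traffic.

```python
# Added example, not from the original slides: a model of packet filtering plus
# stateful inspection. Addresses reuse the slide's diagram; packets are
# constructed dicts rather than captured network traffic.
PROTECTED_NET = "192.168.0."   # LAN side of the firewall (PC 192.168.0.10 on the slide)

# Packet filtering: outbound services the PC may reach (http and telnet, as on the slide)
ALLOWED_OUTBOUND = {("tcp", 80): "http", ("tcp", 23): "telnet"}


def packet(src, sport, dst, dport, proto="tcp"):
    """Build a constructed packet record."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


class StatefulFirewall:
    def __init__(self):
        # Flows registered by an outbound request: (proto, src, sport, dst, dport)
        self.state = set()

    def filter(self, pkt):
        """Return 'ALLOW' or 'BLOCK' for one packet, updating the state table."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["src"].startswith(PROTECTED_NET):
            # Outbound: packet-filter check on the destination service, then register the flow
            if (pkt["proto"], pkt["dport"]) not in ALLOWED_OUTBOUND:
                return "BLOCK"
            self.state.add(key)
            return "ALLOW"
        # Inbound: only reply packets for requests made out (addresses and ports reversed)
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "ALLOW" if reverse in self.state else "BLOCK"


def demo():
    """Run the slide's scenario plus an unsolicited inbound connection attempt."""
    fw = StatefulFirewall()
    request = packet("192.168.0.10", 1020, "202.52.222.10", 80)       # PC -> web server
    reply = packet("202.52.222.10", 80, "192.168.0.10", 1020)         # web server -> PC
    unsolicited = packet("203.0.113.7", 40000, "192.168.0.10", 5555)  # constructed: nobody asked for this
    return [fw.filter(request), fw.filter(reply), fw.filter(unsolicited)]
```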
“System X”
Network / Internet / Standalone
• Composed of…
– Open Source OS
– Mozilla / Opera / Lynx (!) Browser (Not IE)
– Stateful Inspection Firewall
– Anti-Virus Software
– Careful and educated user
– Secure permissions system
– Regularly updated (possibly automatically)
Questions…
Bibliography / Links
• [1] "Spyware" Definition – BlackICE Internet Security Systems – http://blackice.iss.net/glossary.php
• [2] "Trojan Horse" Definition – Texas State Library and Archives Commission – http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
• [3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.
• [4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
• [5] CERT Advisory CA-1999-02 – http://www.cert.org/advisories/CA-1999-02.html
• [6] Spyware Guide – http://www.spyware-guide.com
• [7] Trojan Horses – http://www.mpsmits.com/highlights/trojan_horses.shtml
• [8] Trojan Horse – Back Orifice – http://www.nwinternet.com/~pchelp/bo/bo.html
• [9] NetBus – http://www.nwinternet.com/~pchelp/nb/netbus.htm
• [10] BBC News – http://news.bbc.co.uk/1/hi/technology/3153229.stm
• [11] Wired News – “Judge takes bite out of Gator” – www.wired.com/news/politics/0,1283,53875,00.html
• [12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm
• [13] BonziBuddy – http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
• [14] Unwanted Links (Spyware) – http://www.unwantedlinks.com
• [15] Anderson, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.
• [16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003 – http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt