Adware Spyware


    1. Adware & Spyware
       Bo.mendenhall@hsc.utah.edu, Principal Information Security Architect, Information Technology Services, University of Utah Health Sciences Center

    2. What is Spyware & Adware?
       - Spyware: transmits identifiable information from your computer to a repository, generally without you knowing. The EULA usually has a few lines about privacy, and they are usually buried.
       - Adware: transmits behavioral information from your computer, with claims not to sell the personal information. Monitors internet usage to deliver advertisements based on habits.

    3. Browser Helper Objects
       - A Browser Helper Object (BHO) is an executable that extends IE functionality (toolbars, etc.) without the developer needing IE's source code
       - Examples: Alexa, Gator, Flyswat, GetRight, Gozilla, etc.
       - Has access to every place you visit
       - Used to display ads
       - Used to track internet usage
       - Can redirect or display other requests
       - Often uses ActiveX to install
       - Legit uses include the Adobe Acrobat plug-in

    4. Browser Helper Objects
       - Using regedit you can browse to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
       - Subkeys are named with a CLSID
       - You can look up the CLSID in: HKEY_CLASSES_ROOT\CLSID
       - This will give you the associated DLL
       - http://computercops.biz/CLSID.html
       - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/htm/reg_6vjt.asp
       - CLSID Key: A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects. It allows Component Object Model (COM) classes to be referenced.
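As an added example (not part of the presentation), this PowerShell script walks the registry key named on the slide, resolves each CLSID through HKEY_CLASSES_ROOT\CLSID to the DLL that implements it (the InprocServer32 subkey is the standard COM registration location, not named on the slide), and reports whether the file exists and is Authenticode-signed. The Wow6432Node path is an addition for 64-bit Windows; the script only reads and removes nothing.

```powershell
# Added example (not part of the presentation): list the Browser Helper Objects
# registered on this machine and resolve each CLSID to the DLL that implements it.
# Read-only: it reports, it does not change or remove anything.

$bhoKeys = @(
    # The key named on slide 4.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    # 32-bit view on 64-bit Windows (not mentioned on the slide).
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BrowserHelperObject {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid = $sub.PSChildName   # subkey name is the CLSID, e.g. {xxxxxxxx-xxxx-...}
            # HKCR has no drive by default; reach it through the Registry provider.
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
            # InprocServer32's default value is the DLL path (standard COM registration).
            $dll = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            # A BHO whose DLL is missing, or unsigned, is the one to look at first.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                DLL       = $path
                DllExists = $exists
                Signature = $sig
                Hive      = $key
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

Compare the listed DLLs against the CLSID references the slide links to before deciding anything is unwanted; a legitimate plug-in such as Acrobat shows up here too.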

    5. Browser Hijackers
       - Responsible for changed IE start & search pages
       - Generally consists of another file that will restore the hijacked settings
       - Uses ActiveX to install programs in many cases
       - Examples: 2nd-thought, About Blank, ActualNames, CleverIEHooker, Easy Search, GoHip, IETray, iGetNet, ILookup, LoadFonts, Masterbar

    6. Hosts File
       - Associates host names with IP addresses
       - Location for Windows XP Pro: X:\<Windows>\system32\drivers\etc\hosts
       - The hosts file is consulted before DNS
       - Could be used to block known bad sites: point bad sites to 127.0.0.1
       - Blocks calls on any port (http, ftp, etc.)
       - Could speed up access to known good sites

    7. ActiveX
       - Microsoft technology
       - Allows internet apps more powerful than scripts
       - Controls have full access to files
       - Only works with IE
       - Use is not recommended, but…
       - Two types: signed & unsigned. Both can be bad…

    8. Dialers
       - Often installed via ActiveX
       - Most often promise access to free porn, games or crackz
       - Tries to use the dial-up service to call an expensive toll number

    9. JavaScript & Applets
       - Scripts: require a browser to run in; have little access to the device; can modify the browser
       - Applets: require a browser to run in; do not have full access to the host like a full Java application; capable of more than JavaScript

    10. Keyloggers
       - Logs keys that are pressed
       - Can take screenshots
       - Captures internet/machine usage
       - Sends logs via different methods (e.g. e-mail)

    11. Berbew Keylogger
       From IDP attack information: "This signature detects the Berbew worm as it uploads keylogger information to a listening post. Berbew monitors user keystrokes for financial data and reports that information to an attacker via HTTP to a listening post. Source IP addresses that trigger this signature are extremely likely to be infected with the Berbew worm."

    12. Berbew Keylogger

    13. Berbew Keylogger Cont.
       The trojan is installed via the ADODB/JavaScript redirection exploit for Internet Explorer, for which there is no current patch. When a user visits an infected IIS server using IE, the trojan is downloaded from a Russian web server and executed in the background. More information and remediation steps can be found on Microsoft's site: http://www.microsoft.com/security/incident/download_ject.mspx

    14. Tracking Cookies
       Some could be considered, and are often detected as, spyware:
       - Ad companies set cookies when your browser loads their banner
       - If that cookie contains a Globally Unique Identifier (GUID), the company gets a notice every time you hit a site that contains their banner
       - Thus your browsing habits are somewhat tracked

    15. Why do people make it? Money…

    16. How do you get it?
       - Vulnerabilities in IE that are not patched
       - Security settings: improperly configured browser settings
       - Downloaded programs
       - Cookies
       - Popups: following popups

    17. “Drive by downloads” In this scheme, a normal banner or popup ad will attempt to install software (executable code) on the user's PC. Depending on the browser's security settings, the software will either download silently and without any user action, or present an install dialogue. Novice users may choose "Yes" thinking the browser is asking to download a legitimate page-display plugin.

    18. How do I know if I have it?
       - Browser instability and slowness
       - More popups than normal
       - Home page changes on its own
       - Search results seem odd
       - Toolbars in the browser you didn't install
       - Can't change browser settings

    19. How do I remove it?
       - Find & remove offending files
       - Find & remove offending registry settings
       - Check the hosts file
       - Use vendor-specific tools
       - Use free tools
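The hosts-file check from slide 19, applied to the mechanism slide 6 describes, as an added PowerShell example that is not part of the presentation: entries pointing a name at the loopback address are the blocking technique from slide 6, while entries pointing a name at any other address override DNS for that name and are flagged for review. The sample lines are constructed; the live path is resolved from %SystemRoot%, matching the location on slide 6.

```powershell
# Added example (not part of the presentation): audit hosts-file entries.
# Loopback entries are the blocking technique from slide 6; anything pointing a
# name at another address overrides DNS for that name and is worth a look (slide 19).

function Get-HostsEntry {
    param([string[]]$Lines)
    $blockAddrs = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()   # drop comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }    # malformed line: address with no names
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -eq 'localhost') { continue }   # expected in every hosts file
            [pscustomobject]@{
                Host    = $name
                Address = $addr
                Kind    = if ($blockAddrs -contains $addr) { 'block' } else { 'REDIRECT' }
            }
        }
    }
}

# Constructed sample (not a real hosts file); the last line is the kind of entry
# that sends a legitimate name to an address of someone else's choosing.
$sample = @'
# comment line
127.0.0.1       localhost
127.0.0.1       ads.example.invalid  banners.example.invalid   # blocked ad hosts
203.0.113.5     update.example.invalid
'@ -split "`r?`n"

Get-HostsEntry -Lines $sample | Format-Table -AutoSize

# Same check against the live file (the location given on slide 6, resolved from %SystemRoot%).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    Get-HostsEntry -Lines (Get-Content -LiteralPath $hostsPath) |
        Where-Object { $_.Kind -eq 'REDIRECT' } | Format-Table -AutoSize
}
```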

    20. Detection/Removal Tools
       - McAfee 8.0i: available through OSL; free to HSC staff, students & faculty for work & home usage; e-Policy Orchestrator (ePO)
       - Ad-Aware: free & pay versions
       - Spybot Search & Destroy (S&D)
       - HijackThis
       - Cool Web Search (CWS) Shredder
       - SpywareBlaster

    21. McAfee
       - Previous AV deployment: AV installed into the image, updated weekly
       - Current deployment of over 1,000 hosts; has not been deployed enterprise wide
       - Running v7.1 (detects) & 8.0i (detects & cleans)
       - Uses ePO to install AV; ePO manages and reports centrally
       - Can push extra.dat files as needed
       - Have found at least 6 new variants in the past 2 months that have required an extra.dat for detection

    22. Top 10 Detected Viruses - ePO
       Based on 33,387 total events

    23. Infections by virus type
       Ad/spyware is classified by ePO as "Programs"

    24. IDP Reporting

    25. Gator Spyware
       - Fills out forms & remembers passwords
       - OfferCompanion is a part of the application
       - Sends information about buying habits for informational purposes
       - Company changed its name to Claria: http://www.claria.com, "A Leader In Online Behavioral Marketing"
       - Current Claria product offerings: GAIN, ScreenScenes, WebSecureAlert, Dashbar, Weatherscope, Gator eWallet, Date Manager, Precision Time, Feedback Research, Search Scout

    26. Claria in the news (8.31.2004)
       http://news.com.com/Pop-up+purveyor+Claria+settles+suits/2100-1024_3-5333003.html
       "Adware company Claria has quietly settled litigation brought by Wells Fargo, Quicken Loans and other online businesses, which charged that its delivery of pop-up ads violated their trademarks, CNET News.com has learned."

    27. How do I prevent it?
       - User education
       - Use a non-IE web browser such as Firefox or Opera
       - Spybot: Immunize, TeaTimer
       - Personal firewall: pay attention to what is being allowed
       - Could use the hosts file

    28. Resources
       - http://grc.com/oo/cbc.htm
       - http://accs-net.com/smallfish/advw.htm
       - http://www.accs-net.com/hosts/what_is_hosts.html
       - http://www.lurhq.com/berbew.html
       - http://www.cert.org/tech_tips/malicious_code_FAQ.html
       - http://www.kb.cert.org/vuls/id/713878
       - http://www.windowsecurity.com/articles/Web-Browser-Vulnerabilities.html
       - http://www.processlibrary.com/
       - http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

    29. Questions…
