1 / 53

Spyware and Trojan Horses

Spyware and Trojan Horses – Computer Security Seminar 12 th February 2004. Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk. Spyware and Trojan Horses. Computer Security Seminar Series [SS1].

erica-fleming
Download Presentation

Spyware and Trojan Horses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Spyware and Trojan Horses Computer Security Seminar Series [SS1]

  2. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Your computer could be watching your every move!

  3. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Introduction

  4. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Seminar Overview • Introduction to Spyware / Trojan Horses • Spyware – Examples, Mechanics, Effects, Solutions • Tracking Cookies – Mechanics, Effects, Solutions • Trojan Horses – Mechanics, Effects, More Examples • Solutions to the problems posed • Human Factors – Human interaction with Spyware • “System X” – Having suitable avoidance mechanisms • Conclusions – Including our proposals for solutions

  5. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Definitions A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon. – Google definition SPYWARE TROJAN HORSE An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. – Google definition

  6. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Symptoms • Targeted Pop-ups • Slow Connection • Targeted E-Mail (Spam) • Unauthorized Access • Spam Relaying • System Crash • Program Customisation SPYWARE SPYWARE / TROJAN SPYWARE TROJAN HORSE TROJAN HORSE SPYWARE / TROJAN SPYWARE

  7. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Summary of Effects • Collection of data from your computer without consent • Execution of code without consent • Assignment of a unique code to identify you • Collection of data pertaining to your habitual use • Installation on your computer without your consent • Inability to remove the software • Performing other undesirable tasks without consent

  8. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Similarities / Differences

  9. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Spyware

  10. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Software Examples • GAIN / Gator • Gator E-Wallet • Cydoor • BonziBuddy • MySearch Toolbar • DownloadWare • BrowserAid • Dogpile Toolbar

  11. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Advantages • Precision Marketing • Relevant pop-ups are better than all of them! • You may get some useful adverts! • Useful Software • DivX Pro, IMesh, KaZaA, Winamp Pro • (Experienced) people understand what they are installing. • Enhanced Website Interaction • Targeted banner adverts • Website customisation User Perspective - I

  12. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Disadvantages • Browsing profiles created for users without consent • Used for target marketing and statistical analysis • Unable to remove Spyware programs or disable them • Increased number of misleading / inappropriate pop-ups • Invasion of user privacy (hidden from user) • Often badly written programs corrupt user system • Automatically provides unwanted “helpful” tools • “20 million+ people have Spyware on their machines.” Source - Dec ’02 GartnerG2 Report User Perspective - II

  13. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Example Pop-up Misleading Pop-up User Perspective - III

  14. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Network Overview • Push • Advertising • Pull • Tracking • Personal data Technical Analysis - I

  15. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Client-Side Operation Technical Analysis - II

  16. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Server-Side Operation • Server-side operation is relatively unknown. However, if we were to develop such a system, it would contain… Technical Analysis - III

  17. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Spyware Defence User Initiatives… • Issue Awareness • Use Legitimate S/W Sources • Improved Technical Ability • Choice of Browser • Choice of OS • Legal action taken against breaches of privacy • Oct ’02 Doubleclick Technical Initiatives... • Spyware Removal Programs • Pop-up Blockers • Firewall Technology • Disable ActiveX Controls • Not Sandboxed • E-Mail Filters • Download Patches

  18. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk GAIN Case Study • Installed IMesh, which includes Gator Installation • We accessed multiple internet sites • We simultaneously analyzed network traffic (using IRIS) • We found the packets of data being sent to GAIN • Packets were encrypted and we could not decrypt them • See Example ->

  19. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk

  20. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Spyware Removers Ad-aware (by Lavasoft) • Reverse Engineer Spyware • Scans Memory, Registry and Hard Drive for… • Data Mining components • Aggressive advertising components • Tracking components • Updates from Lavasoft • Plug-ins available • Extra file information • Disable Windows Messenger Service

  21. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Vulnerable Systems • Those with an internet connection! • Microsoft Windows 9x/Me/NT/2000/XP • Does not affect Open Source OSs • Non - fire-walled systems • Internet Explorer, executes ActiveX plug-ins • Other browsers not affected

  22. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Tracking Cookies

  23. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Cookies • A Cookie is a small text file sent to the user from a website. • Contains Website visited • Provides client-side personalisation • Supports easy Login • Cookies are controlled by… • Website’s Application Server • Client-side Java Script • The website is effectively able to ‘remember’ the user and their activity on previous visits. • Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.

  24. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Case Study - DoubleClick • Most regular web users will have a “doubleclick.net” cookie. • Affiliated sites request the DoubleClick cookie on the users computer. • The site then sends… • Who you are • All other information in your cookie file • In return for… • All available marketing information on you - collected from other affiliated sites which the you have hit.

  25. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Case Study – DoubleClick • Site targets banner adverts, e-mails and pop-ups to the user. • If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user. • The whole process is ‘opaque’ to the user and occurs without their consent.

  26. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Tracking Cookie Implementation • Protocol designed to only allow the domain who created a cookie to access it. • IE has a number of security holes… • Up to IE 5, domain names specified incorrectly. • Up to IE 6, able to fool IE into believing it is in another domain. • Patches and IE 6 solved a number of problems • Since then, tracking cookies are still proving a large problem, there are still a number of holes still open.

  27. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Tracking Cookie Implementation Cookies Web page Spyware Cookie Spyware <IMG> 1. Request Page Random Web Server Client Browser 2. Return Page 4. Return Image Return Updated Cookie 3. Request Image Return Cookie Spyware Web Server Spyware Database

  28. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Tracking Cookie Defence • Replace tracking cookies with write protected zero length files of the same name. • DoubleClick offer an opt-out cookie, which can be obtained from their website. • Disable cookies • Makes many websites unusable • Delete cookies after session • Spyware remover (Ad-aware)

  29. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Trojan Horses

  30. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Installation • Secretly installed when an infected executable is run • Much like a virus • Executables typically come from P2P networks or unscrupulous websites • ActiveX controls on websites • ActiveX allows automatic installation of software from websites • User probably does not know what they are running • Misleading descriptions often given • Not sandboxed! • Digital signatures used, signing not necessary

  31. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Installation • Certificate Authority • Misleading Certificate Description • Who is trusted?

  32. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Effects • Allows remote access • To spy • To disrupt • To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking) • To access resources (i.e. bandwidth, files) • To launch a DDoS attack

  33. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Operation • Listen for connections • Memory resident • Start at boot-up • Disguise presence • Rootkits integrate with kernel • Password Protected

  34. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Example: Back Orifice • Back Orifice • Produced by the “Cult of the Dead Cow” • Win95/98 is vulnerable • Toast of DefCon 6 • Similar operation to NetBus • Name similar to MS Product of the time

  35. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk BO: Protocol • Modular authentication • Modular encryption • AES and CAST-256 modules available • UDP or TCP • Variable port • Avoids most firewalls • IP Notification via. ICQ • Dynamic IP addressing not a problem

  36. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 ICQ SERVER Victim CONNECTION TROJAN IP ADDRESS AND PORT IP ADDRESS AND PORT Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk BO: Protocol Example (1) INFECTION OCCURS Attacker

  37. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Attacker Victim CONNECTION COMMAND REQUEST FOR INFORMATION INFORMATION Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk BO: Protocol Example (2) COMMAND EXECUTED

  38. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Attacker Victim CLEANUP COMMAND Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk BO: Protocol Example (3) EVIDENCE DESTROYED

  39. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Trojan Horse Examples • M$ Rootkit • Integrates with the NT kernel • Very dangerous • Virtually undetectable once installed • Hides from administrator as well as user • Private TCP/IP stack (LAN only)

  40. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Trojan Horse Examples • iSpyNOW • Commercial • Web-based client • Assassin Trojan • Custom builds may be purchased • These are not found by virus scanners • Firewall circumvention technology

  41. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Trojan Horse Examples • Hardware • Key loggers • More advanced? • Magic Lantern • FBI developed • Legal grey area (until recently!) • Split virus checking world

  42. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Demonstration

  43. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Vulnerable Systems Number of trojans in common use… RELATIVELY SAFE DANGEROUS MacOS WinNT Win 9x MacOS X Linux/Unix WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.Source: McAfee Security

  44. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Vulnerable Systems Ease of compromise… DANGEROUS RELATIVELY SAFE WinNT MacOS Win 9x MacOS X Linux/Unix WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.Source: McAfee Security

  45. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Conclusions

  46. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Security Implications • Divulge personal data • Backdoors into system • System corruption • Disruption / Irritation • Aids identity theft • Easy virus distribution • Increased spam Short Term Long Term • Mass data collection • Consequences unknown • Web becomes unusable • Web cons outweigh pros • Cost of preventions • More development work • More IP addresses (IPv6)

  47. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Solutions • Firewall • Virus Checker • Spyware Remover • Frequent OS updates • Frequent back-up • Learning problems Short Term Long Term • Add Spyware to Anti-Virus • Automatic maintenance • Legislation • Education on problems • Biometric access • Semantic web (and search)

  48. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Firewalls Network / Standalone • 3 Types… • Packet Filtering – Examines attributes of packet. • Application Layer – Hides the network by impersonating the server (proxy). • Stateful Inspection – Examines both the state and context of the packets. • Regardless of type; must be configured to work properly. • Access rules must be defined and entered into firewall.

  49. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Firewalls Network / Standalone http - tcp 80 telnet - tcp 23 http - tcp 80 Packet Filtering ftp - tcp 21 Web Server Firewall Allow only http - tcp 80 202.52.222.10: 80 192.168.0.10 : 1025 202.52.222.10: 80 Stateful Inspection 192.168.0.10 : 1025 PC Firewall Only allows reply packets for requests made out Blocks other unregistered traffic

  50. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk Intrusion Detection Systems Network Server Switch Firewall IDS • Intrusion Detection – A Commercial Network Solution • An “Intelligent Firewall” – monitors accesses for suspicious activity • Neural Networks trained by Backpropagation on Usage Data • Could detect Trojan Horse attack, but not designed for Spyware • Place IDS before the firewall to get maximum detection • In a switched network, place IDS on a mirrored port (gets all traffic) • Ensure all network traffic passes the IDS host Server PC

More Related