Adware & Spyware

Presentation Transcript

  1. Adware & Spyware: Free Detection/Cleaning Tips and Techniques. François Paget, McAfee AVERT, Senior Virus Research Engineer, November 2005

  2. Adware & Spyware: Summary
  • Who they are and what they are
  • Preliminary definitions
  • Some dangers
  • Installation
  • Tools used for tracking them
  • Finding intruders
  • Cleaning intruders
  Confidential

  3. Adware & Spyware: Etymology
  Two blended words covering two particular types of commercial software:
  • Adware = Ads + Ware: advertising software
  • Spyware = Spy + Ware: spying software
  These two categories are sometimes linked with other groups of tools of various origins (malevolent or not).

  4. PUPs & Malware
  PUP: Potentially Unwanted Program. Malware: Malevolent (malicious) program.
  • Adware/Spyware
  • BHO (Browser Helper Object)
  • Browser Hijacker
  • Dialer
  • Joke
  • Virus, Worms
  • Logic bombs
  • Trojan / Backdoors
  • Bots
  • Remote Administration Tools
  • Data Hijacking Tools
  • Resource Hijacking Tools
  • Network Attack Tools
  What makes a program a PUP: unwanted commercial programs, hijacked use, lack of consent…

  5. Adware
  The adware is a "profiler":
  • Program of commercial origin,
  • Does not replicate itself; a binary file (EXE or DLL),
  • Installs itself after initial agreement,
  • Watches browsing habits,
  • Carries out targeted advertising: makes offers matching a particular profile,
  • Does not intentionally collect any personal data.

  6. Spyware
  The spyware is a "spy":
  • Program of commercial origin,
  • Does not replicate itself; a binary file (EXE or DLL),
  • Sometimes installs itself without initial agreement,
  • Intentionally collects and transfers a great deal of personal data.
  • COMMERCE: can be used as a springboard by other commercial activities (marketing approach by email, post or phone).
  • INFORMATION: provided for commendable purposes but diverted from its original intent.

  7. Adware: Main introduction vectors
  • Electronic mail:
    • Spam,
    • Discussion forums,
  • Online registration procedures:
    • Software licenses,
    • Access to private browsing zones,
  • Viruses and Trojans,
  • Free or demo software:
    • Download utilities,
    • Browsing assistance,
    • Resource sharing software (peer to peer),
    • Screensavers,
    • Games,
  • Hazardous sites:
    • Pornography,
    • Games,
    • Underground world.

  8. Example: Before…
  A clean system is used for this test. It is a minimal VMware Windows 2000 temporary disk with:
  • 1 icon on the desktop,
  • 6 applications listed in the Add/Remove Programs facility,
  • 30 processes in memory according to the Task Manager.

  9. Example: During…
  A sniffer program recorded connections to more than 100 distinct sites.

  10. Example: After…
  • 8 new icons,
  • 16 new applications,
  • 10 new processes,
  • 2 BHOs,
  • 2 new favorites,
  • 1177 keys added to the system registry,
  • 1579 values added or changed in the system registry,
  • 96 new directories in the folder tree and 649 new files.

  11. Tools used in this tutorial
  • InCtrl5 (http://www.pcmag.com/article2/0,4149,25126,00.asp)
  • LspFix (http://www.cexx.org/lspfix.htm)
  • ProcExp (http://www.sysinternals.com/Utilities/ProcessExplorer.html)
  • RegMon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
  • StartupRun (http://www.nirsoft.net/utils/strun.html)
  • Sporder.exe (from Microsoft)

  12. Finding intruders: Applications loaded when Windows boots are visible with StartupRun.

  13. Finding intruders: Applications loaded when Windows boots are also visible in the registry Run and RunOnce keys (under both HKLM and HKCU \Software\Microsoft\Windows\CurrentVersion).

  14. Finding intruders: With InCtrl5 we can compare the registry between two distinct moments (a snapshot taken before the installation and one taken after it).
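An added example, not part of the tutorial and not InCtrl5's own code: the same before/after comparison done in Python over two registry exports, which is how you reproduce the "keys added" and "values added or changed" counts of the After slide without InCtrl5. Take the snapshots with regedit's File > Export (or `reg export`) before and after the installation. The two exports below are constructed for the demonstration: `ExampleBar`, its file path, the `{0E1A2B3C-…}` CLSID and the start.example.com URL are invented placeholders, and the three ShellServiceObjectDelayLoad CLSIDs are assumed to be those of a Windows 2000 system (verify against your own clean export).

```python
"""InCtrl5-style comparison of two registry exports (.reg files).
Added example, not the tutorial's or InCtrl5's own code."""

# Constructed snapshots. "ExampleBar", its path, the {0E1A2B3C-...} CLSID and the
# start.example.com URL are invented; take real ones with regedit File > Export.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"Systray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systray"="SysTray.Exe"
"ExampleBar"="C:\\Program Files\\ExampleBar\\ebar.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"Systray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"ebarhelper"="{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://start.example.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}]
@=""
"""


def reg_entries(text):
    """Flatten a .reg export into (key, name, data) triples. The key itself is
    reported as (key, None, None) so an empty key still counts as added/removed.
    Only string values are parsed; hex and dword data are ignored."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield (key, None, None)
        elif key is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            # .reg escapes backslashes and double quotes inside string data
            yield (key, name.strip('"'), data.strip('"').replace("\\\\", "\\").replace('\\"', '"'))


def diff_snapshots(before_text, after_text):
    """InCtrl5-style findings: keys added/removed, values added or changed
    (as (key, name, old, new); old is None for a new value) and values removed."""
    before, after = set(reg_entries(before_text)), set(reg_entries(after_text))
    gone, new = before - after, after - before
    old = {(k, n): d for k, n, d in gone if n is not None}
    changed = sorted((k, n, old.pop((k, n), None), d) for k, n, d in new if n is not None)
    return {"keys_added": sorted(k for k, n, _ in new if n is None),
            "keys_removed": sorted(k for k, n, _ in gone if n is None),
            "values_added_or_changed": changed,
            "values_removed": sorted((k, n, d) for (k, n), d in old.items())}


if __name__ == "__main__":
    result = diff_snapshots(BEFORE, AFTER)
    print(f"{len(result['keys_added'])} keys added, "
          f"{len(result['values_added_or_changed'])} values added or changed")
    for key, name, old, new in result["values_added_or_changed"]:
        print(f"  {key}\n    {name!r}: {old!r} -> {new!r}")
```

On a real snapshot pair the interesting hits are exactly the ones the following slides walk through one by one: new Run entries, new ShellServiceObjectDelayLoad values, a changed IE Start Page, and new Browser Helper Objects keys.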

  15. Finding intruders: Keep an eye on the ShellServiceObjectDelayLoad registry key
  (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad; each value maps a name to a CLSID that Explorer loads at start-up).
  In many standard configurations this location contains only 3 entries:
  • Network.ConnectionTray
  • Systray
  • WebCheck

  16. Finding intruders: Look at the Internet Explorer Start & Search registry keys (the Start Page and Search Page values under HKCU and HKLM \Software\Microsoft\Internet Explorer\Main).

  17. Finding intruders: Look at the Internet Explorer Toolbar registry key (HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar) for suspicious CLSIDs. Look at the HKCR\CLSID branch for the mapping information: the InprocServer32 subkey of each CLSID names the DLL that implements it.

  18. Finding intruders: Look at the Advanced tab of the Internet Explorer options. Also visible in the registry at HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions.

  19. Finding intruders: Look for extra items in the Internet Explorer Tools menu.

  20. Finding intruders: Search for possible style sheet hijacking in Internet Explorer (a user style sheet forced on every page through the Accessibility options).

  21. Finding intruders: Search for a possible DLL injection.

  22. Finding intruders: Search for sites added to the Internet Explorer Trusted sites zone.

  23. Finding intruders: Search for an Internet protocol hijack (protocol handler or filter entries under HKCR\PROTOCOLS).

  24. Finding intruders: Keep an eye on your Favorites.

  25. Finding intruders: Confirm the suspicion by looking the CLSID or BHO up in a public list:
  http://www.sysinfo.org/bholist.php?type=text&subtype=bho
  http://castlecops.com/CLSID.html

  26. Cleaning Adware
  Cleaning the registry and removing the files requires booting in Safe Mode!
  OTHER ENTRIES (restore the default values, delete the other disruptive values):
  • Run & RunOnce
  • ShellServiceObjectDelayLoad
  • IE Start & Search
  • […] Etc…
  MAIN CLSID ENTRIES:
  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes
  LINKED CLSID ENTRIES:
  • HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, {CLSID-Value}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Filter (Plugin entries)
  FILES AND DIRECTORIES:
  • DLL and EXE files launched by the above keys
  • Whole directories when there is no doubt

  27. Cleaning Adware
  In order to delete the files we have to deal with the « file in use » problem…
  [Diagram: CLEAN system vs. INFECTED system]

  28. Cleaning Adware
  To delete the files and get around the « file in use » problem, we need to get rid of the processes the adware created; booting in Safe Mode does that, because they are not launched there.
  [Diagram: SAFE MODE]

  29. Cleaning Adware, example, step 1: the suspicious EXE and DLL files must be identified.

  30. Cleaning Adware, example, step 2: the CLSID values linked to them must be searched for (and deleted) in the registry (HKCR\CLSID). In this example 4 CLSIDs must be deleted.

  31. Cleaning Adware, example, step 3: duplicated CLSID values linked to the previous ones must be searched for (and deleted) in the registry; step 4: the related files must be deleted. One key must be deleted (in this example).
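An added example, not the tutorial's own code, covering three of its checks at once: slide 15's ShellServiceObjectDelayLoad allowlist, slide 17's CLSID to DLL mapping through HKCR\CLSID, and the cleaning steps 1 to 4 above turned into a deletion list (the CLSIDs whose InprocServer32 points at a suspect file, every key or value that references those CLSIDs, and the files themselves). It works over a .reg export so the analysis can be done offline before the Safe Mode cleaning. The export, `ExampleBar`, its files and the `{0E1A…}`/`{1F2A…}` CLSIDs are constructed; the three expected ShellServiceObjectDelayLoad CLSIDs are assumed to be those of Windows 2000 and should be checked against a known-clean export.

```python
"""Tutorial steps 1-4 as a deletion list computed over a .reg export, with the
ShellServiceObjectDelayLoad check and CLSID -> DLL mapping. Added example."""
import re

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
# The three entries the tutorial expects, lower-cased name -> CLSID as seen on
# Windows 2000 (assumption: confirm against a known-clean export of your own).
KNOWN_SSODL = {"network.connectiontray": "{7007ACCF-3202-11D1-AAD2-00805FC1270E}",
               "systray": "{35CEC8A3-2BE6-11D2-8773-92E220524153}",
               "webcheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}
# Main CLSID entries (upper-cased for comparison): HKCR and the two branches it merges.
CLSID_ROOTS = (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID",
               r"HKEY_CURRENT_USER\SOFTWARE\CLASSES\CLSID")
MODULE = re.compile(r'[^\\\s"]+\.(?:exe|dll)', re.IGNORECASE)

# Constructed export: "ExampleBar", its files and the {0E1A...}/{1F2A...} CLSIDs are invented.
EXPORT = r"""
[HKEY_CLASSES_ROOT\CLSID\{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}]
@="ExampleBar Helper"
[HKEY_CLASSES_ROOT\CLSID\{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\ebarhlp.dll"
[HKEY_CLASSES_ROOT\CLSID\{1F2A3B4C-5D6E-7F80-9A1B-2C3D4E5F6A7B}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\ebar.dll"
[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="C:\\WINNT\\system32\\webcheck.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}\InprocServer32]
@="C:\\Program Files\\ExampleBar\\ebarhlp.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleBar"="C:\\Program Files\\ExampleBar\\ebar.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"Systray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"ebarhelper"="{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1F2A3B4C-5D6E-7F80-9A1B-2C3D4E5F6A7B}"="ExampleBar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}]
@=""
"""

def parse_reg(text):
    """{key: {name: data}} for the string values of a .reg export (hex/dword ignored)."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            cur[name.strip('"')] = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
    return keys

def unexpected_ssodl(reg):
    """Slide 15: entries beyond the expected name -> CLSID pairs (names are case-insensitive)."""
    return {n: c for n, c in reg.get(SSODL, {}).items()
            if KNOWN_SSODL.get(n.lower(), "").upper() != c.upper()}

def server_for(reg, clsid):
    """Slide 17: the module behind a CLSID (InprocServer32/LocalServer32 default value)."""
    wanted = {f"{root}\\{clsid}\\{srv}".upper()
              for root in CLSID_ROOTS for srv in ("InprocServer32", "LocalServer32")}
    for key, values in reg.items():
        if key.upper() in wanted and values.get("@"):
            return values["@"]
    return None

def modules(data):  # lower-cased exe/dll names mentioned in a value (path or command line)
    return {m.lower() for m in MODULE.findall(data)}

def cleaning_plan(reg, suspect_files):
    """Steps 2-4 for the suspect files identified in step 1."""
    suspects = {f.lower() for f in suspect_files}
    clsids, files = set(), set()
    # step 2: CLSIDs whose server module is a suspect file, under any CLSID root
    for key, values in reg.items():
        up = key.upper()
        if (up.startswith(CLSID_ROOTS) and up.endswith(("\\INPROCSERVER32", "\\LOCALSERVER32"))
                and modules(values.get("@", "")) & suspects):
            clsids.add(key.split("\\")[-2].upper())
            files.add(values["@"])
    # step 3: keys named after those CLSIDs (CLSID entries, Classes duplicates, BHO) and
    # values naming/holding them (Toolbar, SSODL) or launching a suspect file (Run)
    keys, vals = set(), set()
    for key, values in reg.items():
        if any(part.upper() in clsids for part in key.split("\\")):
            keys.add(key)
            continue
        for name, data in values.items():
            if name.upper() in clsids or data.upper() in clsids:
                vals.add((key, name))
            elif modules(data) & suspects:
                vals.add((key, name))
                files.add(data)  # step 4: the related files
    return {"clsids": sorted(clsids), "keys": sorted(keys),
            "values": sorted(vals), "files": sorted(files)}

if __name__ == "__main__":
    reg = parse_reg(EXPORT)
    print("unexpected ShellServiceObjectDelayLoad entries:", unexpected_ssodl(reg))
    for section, items in cleaning_plan(reg, ["ebarhlp.dll", "ebar.dll", "ebar.exe"]).items():
        print(f"{section}: " + "; ".join(map(str, items)))
```

The script only produces the list; the deleting itself stays a manual Safe Mode job, as the slides say. Two caveats: the parser reads string values only, so a CLSID stored in binary data would be missed, and a known ShellServiceObjectDelayLoad name pointing at a different CLSID is reported as unexpected on purpose, since that is what a hijacked entry looks like.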

  32. Cleaning Adware: LSP cleaning
  Needed when the adware installation uses the Winsock 2 Layered Service Provider (LSP) or Name Space Provider (NSP) mechanism to redirect visits to specific sites.
  [Diagram: CLEAN vs. INFECTED provider chain]
  Sporder can be used as a diagnostic tool.

  33. Cleaning Adware: LSP cleaning
  Needed when the adware installation uses the Winsock 2 Layered Service Provider (LSP) or Name Space Provider (NSP) mechanism to redirect visits to specific sites.
  LspFix can be used as a cleaning tool (its « I know what I am doing » checkbox unlocks the removal controls).

  34. Adware & Spyware: Conclusion
  • It was very easy to clean most of the viruses and Trojans we encountered some years ago, but some of the new Trojans are more complicated, and adware and spyware are incredibly complex.
  • The next war will be fought on the cleaning side.