Spyware and Trojan Horses – Computer Security Seminar
12th February 2004
Spyware and Trojan Horses
Computer Security Seminar Series
Andrew Brown, Tim Cocks and Kumutha Swampillai
http://birmingham.f9.co.uk

Your computer could be watching your every move!
Introduction
Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions
Definitions
Spyware: A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon. – Google definition [1]
Trojan Horse: An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data. – Google definition [2]

Symptoms
• Targeted Pop-ups – SPYWARE
• Slow Connection – SPYWARE / TROJAN
• Targeted E-Mail (Spam) – SPYWARE
• Unauthorized Access – TROJAN HORSE
• Spam Relaying – TROJAN HORSE
• System Crash – SPYWARE / TROJAN
• Program Customisation – SPYWARE
Summary of Effects
• Collection of data from your computer without consent
• Execution of code without consent
• Assignment of a unique code to identify you
• Collection of data pertaining to your habitual use
• Installation on your computer without your consent
• Inability to remove the software
• Performing other undesirable tasks without consent
Similarities / Differences
Spyware | Trojan Horses
Commercially Motivated | Malicious
Internet connection required | Any network connection required
Initiates remote connection | Receives incoming connection
Purpose: To monitor activity | Purpose: To control activity
Collects data and displays pop-ups | Unauthorized access and control
Legal | Illegal
Not Detectable with Virus Checker | Detectable with Virus Checker
Age: Relatively New (< 5 Years) | Age: Relatively Old (> 20 Years)
Common to both:
• Memory Resident Processes
• Surreptitiously installed without user’s consent or understanding
• Creates a security vulnerability
Spyware
Software Examples
• GAIN / Gator
• Gator E-Wallet
• Cydoor
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
• Dogpile Toolbar
Advantages (User Perspective - I)
• Precision Marketing
– Relevant pop-ups are better than all of them!
– You may get some useful adverts!
• Useful Software
– DivX Pro, IMesh, KaZaA, Winamp Pro
– (Experienced) people understand what they are installing.
• Enhanced Website Interaction
– Targeted banner adverts
– Website customisation

Disadvantages (User Perspective - II)
• Browsing profiles created for users without consent
– Used for target marketing and statistical analysis
• Unable to remove Spyware programs or disable them
• Increased number of misleading / inappropriate pop-ups
• Invasion of user privacy (hidden from user)
• Often badly written programs corrupt user system
• Automatically provides unwanted “helpful” tools
• “20 million+ people have Spyware on their machines.”
Source - Dec ’02 GartnerG2 Report

Example Pop-up (User Perspective - III)
[Figure: a misleading pop-up, not reproduced in the transcript]

Network Overview (Technical Analysis - I)
[Diagram] Push: Advertising. Pull: Tracking, Personal data.

Client-Side Operation (Technical Analysis - II)
[Diagram: client-side operation, not reproduced in the transcript]

Server-Side Operation (Technical Analysis - III)
• Server-side operation is relatively unknown. However, if we were to develop such a system, it would contain…
[Diagram: proposed server-side design, not reproduced in the transcript]

Spyware Defence
User Initiatives…
• Issue Awareness
• Use Legitimate S/W Sources
• Improved Technical Ability
• Choice of Browser
• Choice of OS
• Legal action taken against breaches of privacy
– Oct ’02 Doubleclick
Technical Initiatives...
• Spyware Removal Programs
• Pop-up Blockers
• Firewall Technology
• Disable ActiveX Controls
– Not Sandboxed
• E-Mail Filters
• Download Patches

GAIN Case Study
• Installed IMesh, which includes Gator Installation
• We accessed multiple internet sites
• We simultaneously analyzed network traffic (using IRIS)
• We found the packets of data being sent to GAIN
• Packets were encrypted and we could not decrypt them
• See Example -> [Figure: captured packets sent to GAIN, not reproduced in the transcript]

Spyware Removers
Ad-aware (by Lavasoft)
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
– Updates from Lavasoft
– Plug-ins available
• Extra file information
• Disable Windows Messenger Service
Vulnerable Systems
• Those with an internet connection!
• Microsoft Windows 9x/Me/NT/2000/XP
• Does not affect Open Source OSs
• Non-firewalled systems
• Internet Explorer (executes ActiveX plug-ins)
• Other browsers not affected
Tracking Cookies
Cookies
• A Cookie is a small text file sent to the user from a website.
– Contains Website visited
– Provides client-side personalisation
– Supports easy Login
• Cookies are controlled by…
– Website’s Application Server
– Client-side Java Script
• The website is effectively able to ‘remember’ the user and their activity on previous visits.
• Spyware companies working with websites are able to use this relatively innocent technology to deliver targeted REAL TIME marketing, based on cookies and profiles.
Case Study - DoubleClick
• Most regular web users will have a “doubleclick.net” cookie.
• Affiliated sites request the DoubleClick cookie on the user’s computer.
• The site then sends…
– Who you are
– All other information in your cookie file
• In return for…
– All available marketing information on you, collected from other affiliated sites which you have hit.
Case Study – DoubleClick
• Site targets banner adverts, e-mails and pop-ups to the user.
• If the user visits an affiliated site without a DoubleClick cookie, then one is sent to the user.
• The whole process is ‘opaque’ to the user and occurs without their consent.
Tracking Cookie Implementation
• Protocol designed to only allow the domain which created a cookie to access it.
• IE has a number of security holes…
– Up to IE 5, domain names specified incorrectly.
– Up to IE 6, able to fool IE into believing it is in another domain.
• Patches and IE 6 solved a number of problems
• Since then, tracking cookies have continued to prove a large problem; a number of holes are still open.
Tracking Cookie Implementation
[Diagram: Client Browser, Random Web Server, Spyware Web Server and Spyware Database]
1. Request Page: Client Browser -> Random Web Server
2. Return Page: Random Web Server -> Client Browser (the Web page contains a Spyware <IMG> tag)
3. Request Image: Client Browser -> Spyware Web Server (the browser returns the Spyware Cookie with the request)
4. Return Image: Spyware Web Server -> Client Browser (and returns an updated Spyware Cookie)
Spyware Web Server <-> Spyware Database (stores the Cookies)
Tracking Cookie Defence
• Replace tracking cookies with write protected zero length files of the same name.
• DoubleClick offer an opt-out cookie, which can be obtained from their website.
• Disable cookies
– Makes many websites unusable
• Delete cookies after session
• Spyware remover (Ad-aware)
Trojan Horses
Installation
• Secretly installed when an infected executable is run
– Much like a virus
– Executables typically come from P2P networks or unscrupulous websites
• ActiveX controls on websites
– ActiveX allows automatic installation of software from websites
– User probably does not know what they are running
– Misleading descriptions often given
– Not sandboxed!
– Digital signatures used, signing not necessary
Installation
• Certificate Authority
• Misleading Certificate Description
• Who is trusted?

Effects
• Allows remote access
– To spy
– To disrupt
– To relay a malicious connection, so as to disguise the
attacker’s location (spam, hacking)
– To access resources (e.g. bandwidth, files)
– To launch a DDoS attack
Operation
• Listen for connections
• Memory resident
• Start at boot-up
• Disguise presence
• Rootkits integrate with kernel
• Password Protected
Example: Back Orifice
• Back Orifice [8]
– Produced by the “Cult of the Dead Cow”
– Win95/98 is vulnerable
– Toast of DefCon 6
– Similar operation to NetBus
– Name similar to MS Product of the time
BO: Protocol
• Modular authentication
• Modular encryption
– AES and CAST-256 modules available
• UDP or TCP
• Variable port
– Avoids most firewalls
• IP Notification via ICQ
– Dynamic IP addressing not a problem
BO: Protocol Example (1)
[Diagram, messages in order]
Attacker -> Victim: TROJAN (INFECTION OCCURS)
Victim -> ICQ SERVER: IP ADDRESS AND PORT
ICQ SERVER -> Attacker: IP ADDRESS AND PORT
Attacker -> Victim: CONNECTION
BO: Protocol Example (2)
[Diagram, messages in order]
Attacker -> Victim: CONNECTION
Attacker -> Victim: COMMAND
Victim -> Attacker: COMMAND EXECUTED
Attacker -> Victim: REQUEST FOR INFORMATION
Victim -> Attacker: INFORMATION
BO: Protocol Example (3)
[Diagram, messages in order]
Attacker -> Victim: CLEANUP COMMAND
Victim -> Attacker: EVIDENCE DESTROYED

Trojan Horse Examples
• M$ Rootkit
– Integrates with the NT kernel
– Very dangerous
– Virtually undetectable once installed
– Hides from administrator as well as user
– Private TCP/IP stack (LAN only)
Trojan Horse Examples
• iSpyNOW
– Commercial
– Web-based client
• Assassin Trojan
– Custom builds may be purchased
– These are not found by virus scanners
– Firewall circumvention technology
Trojan Horse Examples
• Hardware
– Key loggers
– More advanced?
• Magic Lantern
– FBI developed
– Legal grey area (until recently!)
– Split virus checking world
Demonstration
Vulnerable Systems
[Chart: number of trojans in common use, on a scale from RELATIVELY SAFE to DANGEROUS; systems compared: Win 9x, WinNT, Linux/Unix, MacOS, MacOS X]
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Source: McAfee Security
Vulnerable Systems
[Chart: ease of compromise, on a scale from DANGEROUS to RELATIVELY SAFE; systems compared: Win 9x, MacOS, WinNT, MacOS X, Linux/Unix]
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Source: McAfee Security
Conclusions
Security Implications
Short Term:
• Divulge personal data
• Backdoors into system
• System corruption
• Disruption / Irritation
• Aids identity theft
• Easy virus distribution
• Increased spam
Long Term:
• Mass data collection
• Consequences unknown
• Web becomes unusable
• Web cons outweigh pros
• Cost of preventions
• More development work
• More IP addresses (IPv6)
Solutions
Short Term:
• Firewall
• Virus Checker
• Spyware Remover
• Frequent OS updates
• Frequent back-up
• Learning problems
Long Term:
• Add Spyware to Anti-Virus
• Automatic maintenance
• Legislation
• Education on problems
• Biometric access
• Semantic web (and search)

Firewalls – Network / Standalone
• 3 Types…
– Packet Filtering – Examines attributes of packet.
– Application Layer – Hides the network by impersonating the
server (proxy).
– Stateful Inspection – Examines both the state and context of the
packets.
• Regardless of type, it must be configured to work properly.
• Access rules must be defined and entered into firewall.

Firewalls – Network / Standalone
[Diagram 1: Packet Filtering] Internet -> Firewall -> Web Server
Incoming traffic: http - tcp 80, telnet - tcp 23, ftp - tcp 21
Firewall rule: Allow only http - tcp 80 (only http - tcp 80 reaches the Web Server)
[Diagram 2: Stateful Inspection] PC -> Firewall -> Internet
Outgoing request: 192.168.0.10 : 1025 -> 202.52.222.10: 80
Reply: 202.52.222.10: 80 -> 192.168.0.10 : 1025
Only allows reply packets for requests made out
Blocks other unregistered traffic
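The two diagrams above as runnable code, added here and not part of the seminar: a stateless packet filter that applies the "Allow only http - tcp 80" rule in front of the Web Server, and a stateful inspection firewall that registers the PC's outgoing requests and lets back in only the matching reply packets (so an unsolicited inbound connection, the kind a listening trojan waits for, is dropped). Addresses and ports are the ones in the slide; the outside address 10.0.0.5 and the packet records are constructed.

```python
# Addresses from the slide; 10.0.0.5 is a constructed outside host.
WEB_SERVER = "202.52.222.10"
PC = "192.168.0.10"
OUTSIDE = "10.0.0.5"
INSIDE_PREFIX = "192.168.0."   # the protected LAN in the stateful example


def pkt(proto, src, sport, dst, dport):
    """Minimal packet record: only the attributes a firewall looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def packet_filter(packet, allowed=(("tcp", 80),)):
    """Packet filtering firewall in front of the Web Server: examines the
    attributes of each packet on its own and allows just http - tcp 80."""
    return (packet["proto"], packet["dport"]) in allowed


class StatefulFirewall:
    """Stateful inspection firewall in front of the PC: remembers every request
    sent out from the inside and allows only the matching reply packets in."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix
        self.state = set()   # registered (proto, src, sport, dst, dport) flows

    def is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def decide(self, packet):
        flow = (packet["proto"], packet["src"], packet["sport"],
                packet["dst"], packet["dport"])
        if self.is_inside(packet["src"]) and not self.is_inside(packet["dst"]):
            self.state.add(flow)   # outbound request: register it, let it out
            return True
        # inbound: allowed only if it is the exact reverse of a registered request
        reverse = (packet["proto"], packet["dst"], packet["dport"],
                   packet["src"], packet["sport"])
        return reverse in self.state


def run_demo():
    """Run both firewalls over the slide's traffic; returns {label: allowed}."""
    decisions = {}
    for label, p in [("http - tcp 80", pkt("tcp", OUTSIDE, 3000, WEB_SERVER, 80)),
                     ("telnet - tcp 23", pkt("tcp", OUTSIDE, 3001, WEB_SERVER, 23)),
                     ("ftp - tcp 21", pkt("tcp", OUTSIDE, 3002, WEB_SERVER, 21))]:
        decisions["filter: " + label] = packet_filter(p)
    fw = StatefulFirewall(INSIDE_PREFIX)
    decisions["stateful: PC request out"] = fw.decide(pkt("tcp", PC, 1025, WEB_SERVER, 80))
    decisions["stateful: reply to request"] = fw.decide(pkt("tcp", WEB_SERVER, 80, PC, 1025))
    # unsolicited inbound connection attempt towards a service listening on the PC
    decisions["stateful: unregistered inbound"] = fw.decide(pkt("tcp", OUTSIDE, 4000, PC, 23))
    # a packet from the right server but to a port the PC never used
    decisions["stateful: wrong port reply"] = fw.decide(pkt("tcp", WEB_SERVER, 80, PC, 1026))
    return decisions


if __name__ == "__main__":
    for label, allowed in run_demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'}")
```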
Intrusion Detection Systems
[Diagram: Network with Internet, Firewall, IDS, Switch, two Servers and a PC]
• Intrusion Detection – A Commercial Network Solution
• An “Intelligent Firewall” – monitors accesses for suspicious activity
• Neural Networks trained by Backpropagation on Usage Data
• Could detect Trojan Horse attack, but not designed for Spyware
• Place IDS before the firewall to get maximum detection
• In a switched network, place IDS on a mirrored port (gets all traffic)
• Ensure all network traffic passes the IDS host

“System X” – Network / Standalone
• Composed of…
– Open Source OS
– Mozilla / Opera / Lynx (!) Browser (Not IE)
– Stateful Inspection Firewall
– Anti-Virus Software
– Careful and educated user
– Secure permissions system
– Regularly updated (possibly automatically)
Questions…
Bibliography / Links
[1] "Spyware" – Google Definition Tool – http://www.google.com
[2] "Trojan Horse" – Google Definition Tool – http://www.google.com
[3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California.
[4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
[5] CERT Advisory CA-1999-02 – http://www.cert.org/advisories/CA-1999-02.html
[6] Spyware Guide – http://www.spyware-guide.com
[7] Trojan Horses – http://www.mpsmits.com/highlights/trojan_horses.shtml
[8] Trojan Horse – Back Orifice – http://www.nwinternet.com/~pchelp/bo/bo.html
[9] NetBus – http://www.nwinternet.com/~pchelp/nb/netbus.htm
[10] BBC News – http://news.bbc.co.uk/1/hi/technology/3153229.stm
[11] Wired News – “Judge takes bite out of Gator” – www.wired.com/news/politics/0,1283,53875,00.html
[12] Tracking Cookies – Demonstration at http://www.irt.org/instant/chapter10/tracker/index4.htm
[13] BonziBuddy – http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
[14] Unwanted Links (Spyware) – http://www.unwantedlinks.com
[15] Ad-aware – http://www.ada-ware.com/