Spyware / Adware
Tim Altimus
Bassel Kateeb
Spyware
• Definition – Spyware: software made by unscrupulous marketing companies that lets them snoop on a user's browsing activity, see purchases made, and cause pop-up ads to appear
• More generally, spyware is any software program that sends data back to a third party without asking the user for permission
• Has eclipsed viruses as the fastest growing online threat
• Reported to infect nearly 90% of Internet-connected PCs
Unaware of Spyware
• Not enough companies make security a high priority
• Businesses that do focus on the threat still lack clear policies
• Companies fail to identify exactly where money needs to be spent
• Survey conducted for Secure Computing
  – Three quarters of US firms do not consider spyware to be a problem
  – Most do not see unauthorized employee use of peer-to-peer file sharing services or instant messaging as a major problem
Horror of Spyware
• 2004 Spy Audit conducted by ISP Earthlink and online privacy firm Webroot Software
  – Instances of spyware infections on consumer PCs rose 230%
  – Instances of Trojans rose 114%
  – Both increases cover only October 2004 to December 2004
  – A scan of 1,390,883 PCs in Q4 2004 revealed 33,096,255 instances of spyware and adware
  – The Spy Audit recorded a yearly total of 116.5 million instances of spyware and adware
Costs of Spyware
• Viruses, worms and Trojans cost global businesses between $169bn and $204bn in 2004
• $281 to $340 worth of damage per machine
How did I get it?
• Spyware can infect your system in many different ways
  – Visiting a spyware-spreading web site
  – Opening a spyware-carrying email attachment
  – Downloading spyware bundled with another (often "free") software program
  – Using file-sharing programs like KaZaa / eMule
• Traditional anti-virus programs and firewalls don't offer protection from invasive and harmful spyware programs, which can manifest themselves in many ways on your PC
Spyware Variants
• Browser Helper Object (BHO)
  – Small program installed on the PC that runs inside the browser (Internet Explorer)
  – Usually installed on the system by another software program, e.g. toolbar accessories
  – Tracks internet usage and collects other information the user enters on the internet
Spyware Variants (cont)
• Browser Hijackers
  – Related to homepage hijackers (discussed later)
  – Kick in when a bad, wrong, or misspelled URL is typed in the browser, or when a targeted website is visited
  – Track internet usage and collect other information the user enters on the internet
  – Redirect the page to a search engine or a page of ads
  – May also route all website requests through an unknown third party for tracking
  – Lead to invasion of privacy and a dramatic slowdown of the browser
Spyware Variants (cont)
• Dialers
  – Install themselves into the dial-up settings
  – Dial numbers without the user's knowledge
  – Once installed, the user is disconnected from their Internet service provider and another phone number is dialed
  – The user is billed for the time used
  – Malicious in nature; can rack up expensive and unwanted bills
Spyware Variants (cont)
• Drive-by downloads
  – Downloads accomplished by presenting a misleading dialog box or by some other stealth installation
  – Very often, users have no idea they have installed an application
  – Internet Explorer exploits make it possible to install software without the user's knowledge or any dialog at all
  – Good anti-spyware applications can prevent drive-by downloads by monitoring computer memory and blocking the installation
Spyware Variants (cont)
• Homepage Hijacking
  – Most common of all spyware variants
  – The browser homepage is forcibly changed to a new website without the user's permission
  – They prevent users from changing their homepage back by:
    • Disabling the relevant functionality in the "options" menu
    • Installing a program that regularly switches the homepage back to the forced site
    • Even if the user is able to reset the homepage, it is reset to the hijacker's setting on the next reboot
  – Hijackers may also route all website requests through an unknown third party for tracking
  – Leads to invasion of privacy and a dramatic slowdown of the browser
Spyware Variants (cont)
• Keyloggers
  – Programs that record the keystrokes the user types on the keyboard
  – They record this information in a log and then usually send that log, together with user information, to a server
  – Keyloggers can record information such as
    • Passwords
    • Credit card information
    • Personal ID numbers
  – Highly invasive and a major threat on the internet
Spyware Variants (cont)
• Layered Service Provider (LSP)
  – A piece of software tightly woven into the networking services of a computer
  – A (Winsock) LSP integrates itself with the TCP/IP layer of the network stack
  – As a consequence, an LSP has access to all TCP/IP traffic entering and leaving the computer
  – Spyware authors use LSPs to spy on the habits and data of the user
  – Because applications see none of the data until the LSP passes it through, the LSP can also modify traffic so that the spyware vendor benefits
    • E.g. replacing the top Google search results with links to paid advertisers
Spyware Variants (cont)
• Layered Service Provider (cont)
  – Trying to remove the LSP without the proper precautions may break the Winsock chain, leaving the computer unable to reconnect to the internet
  – Many times the only fix is to reinstall the OS
  – Alternatively, use of an automated spyware removal tool that repairs the LSP chain is highly recommended
Spyware Variants (cont)
• Retrospies
  – Software that actively attacks anti-spyware programs in an effort to avoid detection
  – May disguise itself by using common system file names
  – Malicious; usually uses many kinds of deception in order to avoid detection
Spyware Variants (cont)
• Search Hijackers
  – Take control of the default search engine
  – In the event of a mistyped URL, a targeted search page pops up rather than the user's preferred search engine
  – The targeted search page generally includes many advertisements and delivers mostly advertising content rather than relevant search results
Spyware Variants (cont)
• Thiefware
  – Causes visitors to certain sites to be redirected to a search engine or other web page of the author's choosing
  – Not illegal, although it is highly unethical
• Trojan Horses
  – Programs that appear innocuous, even beneficial, but are actually harmful
  – The harmful payload could be anything from a virus to a tool that lets outside users take full control of the computer
  – Trojans are designed to cause loss or theft of computer data, or even to destroy the system
  – Distributed as email attachments or bundled with other software programs
Adware
• Definition – Adware: any software program that causes advertising banners to be displayed to the user
• Adware helps recover programming development costs and helps to hold down the price of the application for the user
• Comes mostly with freeware or shareware applications (Opera, KaZaa, iMesh, etc.)
• Common adware: Gain, Hotbar, BonziBuddy, WeatherCast, Cydoor
• Some are harmless, but most track the user's habits and personal information
Adware (cont)
• Sample Common Types
  – About:Blank (CoolWebSearch)
    • One of the most insidious and prevalent spyware programs currently on the net
    • Nearly impossible to remove
    • Replaces the home page with a new one titled about:blank
    • Installs a Browser Helper Object in IE, slowing performance drastically
    • Restores its file directory and registry settings once they are deleted
    • If removed from the auto-start settings, it restores itself
  – BargainBuddy
    • BHO that displays popup ads when particular terms are entered into a search engine web form
    • Shares the memory the browser uses, detects events, creates additional windows while surfing, and monitors activity
Adware (cont)
• Sample Common Types (cont)
  – Claria
    • Top adware pest found on the internet
    • Injects ads into the browser or displays them in its own popup windows
    • Consumes over 13 MB of disk space on average
    • Re-brand of what was formerly known as "Gator"
  – NewDotNet
    • Company that sells alternate top-level domains not supported in the official DNS system
    • Internet Explorer plug-in that gives the appearance of providing extra top-level domains (.shop, .xxx and .mp3, for example)
    • The product's functionality does not adhere to most Internet standards
Spyware Effects on Computers
• Consumes resources on the PC
• Slows it down
• Causes it to crash
• Interferes with the web browser, slowing it down or causing downloads to fail
• Can hijack the browser, redirecting users to sites with objectionable material
• Slows down the internet connection because it is sending information about surfing habits to ad companies
  – They in turn target users with popup ads that fit the recorded preferences
Spyware Effects on Organizations
• Infected PCs can cost organizations a lot of money in cleaning or reinstalling the PC OS and software from scratch
• The most dangerous effect of spyware is that data security is jeopardized or data is outright stolen
• Traces of spyware/adware can trigger alarms from audit software and lead to the suspension or firing of innocent employees
Stories I
• Browser hijacking changes lives
• Jack was fired by his organization after traces of child pornography were found on his computer
  – He was completely innocent
  – He typed a wrong URL in the browser and his computer was taken over by spyware
  – He cleaned his PC with spyware removal tools, but traces were left
  – He received 180 days in jail and must register as a sex offender for 10 years
• A husband found male child pornography on his wife's home PC
  – Sadly, he did not believe her and they ended a 5-year marriage
  – She lost custody of her children
Latest Threats I
• Hackers Use DRM To Plant Massive Amounts Of Spyware
  – Abuses Microsoft's Windows Media Player digital rights management
  – Two new Trojan horses
    • WmvDownloader.a
    • WmvDownloader.b
  – Planted in video files available on eMule & KaZaA
  – The WMP 10/WinXP anti-piracy features are used to trick users
  – The files pretend to download a license, but are actually downloading a large number of adware, spyware, dialers, and other viruses
  – According to Kaspersky Labs, a single "Yes" click = 58 folders, 786 files, and an incredible 11,915 registry entries
Detection Techniques
• Most anti-spyware tools focus on the hard disk
  – Search for known spyware in:
    • Specific folders
    • Specific registry keys
  – If the process is still in memory, its files may not be removable
  – Depends on a list of known spyware, called spyware definitions
    • Requires the software tool to update the list regularly
  – Can delete legitimate folders/registry keys that legitimate applications need in order to run
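The definition-based scan described above, as an added example that is not part of the original slides or of any real anti-spyware product. It parses a .reg-style registry export (a constructed sample is embedded), collects the CLSIDs registered under Internet Explorer's Browser Helper Objects key and the commands under the Run key, and matches them against a small definitions list. The CLSIDs, file names and definitions are invented for illustration, not real spyware signatures; the allow-list shows how a tool avoids deleting a key that a legitimate application needs, which is the caveat on the last bullet.

```python
"""Definition-based scan of a Windows registry export for known BHOs and
auto-start entries. Added example, not code from the original slides.
CLSIDs, file names and definitions below are invented (assumption)."""
import re

# Registry locations that definition-based tools inspect (real key names).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed "spyware definitions" (hypothetical CLSID and executable name).
DEFINITIONS = {
    "bho_clsids": {"{11111111-2222-3333-4444-555555555555}": "Example.BHO.Tracker"},
    "run_files": {"hbtoolbar.exe": "Example.Toolbar"},
}
# Known-good BHO CLSIDs; a scan must never delete these (hypothetical value).
ALLOWED_BHO_CLSIDS = {"{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"}

# Constructed registry export standing in for a real machine's state.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Acrobat Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HBToolbar"="C:\\Program Files\\HB\\hbtoolbar.exe /silent"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")=(?P<data>.*)$', line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # Undo .reg string escaping of backslashes and quotes.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def _exe_basename(command):
    """Return the lower-cased executable name from a Run command line."""
    m = re.match(r'^"?(.*?\.exe)', command, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_reg_export(text, definitions=DEFINITIONS, allowed=ALLOWED_BHO_CLSIDS):
    """Match BHO CLSIDs and Run entries against the definitions list."""
    keys = parse_reg_export(text)
    findings = []
    prefix = BHO_KEY + "\\"
    for key in keys:
        if key.startswith(prefix):
            clsid = key[len(prefix):].upper()
            if clsid in allowed:
                continue  # legitimate component: leave it alone
            name = definitions["bho_clsids"].get(clsid)
            if name:
                findings.append({"name": name, "type": "BHO", "location": key})
    for value_name, command in keys.get(RUN_KEY, {}).items():
        exe = _exe_basename(command)
        if exe in definitions["run_files"]:
            findings.append({"name": definitions["run_files"][exe], "type": "Run",
                             "location": RUN_KEY + "\\" + value_name})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f['type']:4} {f['name']:22} {f['location']}")
```

Everything the scan can find is bounded by what is in DEFINITIONS, which is exactly the point of the "requires the tool to update the list" bullet: a BHO with an unknown CLSID produces no finding at all.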
Detection Techniques (cont)
• Search for processes running in memory
  – Some processes run hidden (e.g. CoolWebSearch)
  – Some processes run as system-level events that you cannot remove (permissions problem)
• Start in safe mode to prevent the processes from loading as critical system events
  – Still depends on definitions
Detection Techniques (cont)
• Anomaly Detection / Pattern Matching
  – Continuously monitor the system for suspicious events
    • Processes using back channels on the internet connection
    • Processes that are collecting system event data
  – A heuristic approach
    • Possibility of false positives/negatives
    • Can miss 'legitimate-seeming' traffic or activity
Detection Techniques (cont)
• Monitor all outgoing traffic
  – Firewalls can scan for certain types of traffic
    • Watch for sensitive or personal data
    • Block the traffic and create log files
  – Check the log files to find out which processes are sending data
  – Limited approach: valid only for a narrow definition of spyware
    • Does not catch adware and other less malicious code
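Both the anomaly-detection slide and the outgoing-traffic slide above come down to reviewing a per-process connection log, so one added example serves both. It is not from the original slides or from any firewall product: it runs over constructed log lines (a made-up format with process name, destination and request body) and flags (1) a process that contacts the same host on a fixed schedule, the "back channel" heuristic, and (2) request bodies carrying a Luhn-valid card number or an e-mail address, the "watch for sensitive data" rule. Process names, hosts and payloads are invented; the card number is the standard 4111... test value.

```python
"""Heuristic review of an outbound-connection log for spyware behaviour.
Added example, not from the original slides. Log format, processes,
hosts and payloads are constructed for the example (assumption)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed log lines: "<timestamp> proc=<exe> dst=<host:port> body=<request body>".
LOG_LINES = [
    "2005-02-01T10:00:00 proc=hbtoolbar.exe dst=ads.example.net:80 body=id=7731&page=shopping",
    "2005-02-01T10:00:12 proc=iexplore.exe dst=www.example.com:80 body=",
    "2005-02-01T10:01:00 proc=hbtoolbar.exe dst=ads.example.net:80 body=id=7731&page=news",
    "2005-02-01T10:01:45 proc=iexplore.exe dst=www.example.com:80 body=search=weather",
    "2005-02-01T10:02:00 proc=hbtoolbar.exe dst=ads.example.net:80 body=id=7731&page=mail",
    "2005-02-01T10:03:00 proc=hbtoolbar.exe dst=ads.example.net:80 body=id=7731&page=bank",
    "2005-02-01T10:05:30 proc=iexplore.exe dst=www.example.com:80 body=q=flights",
    "2005-02-01T10:06:10 proc=keylog.exe dst=drop.example.org:8080 "
    "body=keys=user%40example.com+4111111111111111",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) body=(?P<body>.*)$")
CARD_RE = re.compile(r"\b\d{13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def parse_log(lines):
    """Turn log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
                           "proc": m.group("proc"), "dst": m.group("dst"),
                           "body": m.group("body")})
    return events


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body):
    """Return the kinds of personal data found in a (URL-encoded) body."""
    text = unquote_plus(body)
    kinds = []
    if any(luhn_ok(m) for m in CARD_RE.findall(text)):
        kinds.append("card_number")
    if EMAIL_RE.search(text):
        kinds.append("email")
    return kinds


def find_beacons(events, min_count=3, max_jitter=0.1):
    """Flag (process, destination) pairs contacted at a near-constant interval."""
    by_channel = defaultdict(list)
    for e in events:
        by_channel[(e["proc"], e["dst"])].append(e["ts"])
    beacons = []
    for (proc, dst), stamps in sorted(by_channel.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        # Low relative spread of the gaps = scheduled "phone home" traffic.
        if mean > 0 and statistics.pstdev(intervals) / mean <= max_jitter:
            beacons.append({"proc": proc, "dst": dst, "period": mean})
    return beacons


def analyze(lines):
    """Run both heuristics and return {"beacons": [...], "leaks": [...]}."""
    events = parse_log(lines)
    leaks = [{"proc": e["proc"], "dst": e["dst"], "kinds": find_sensitive(e["body"])}
             for e in events if find_sensitive(e["body"])]
    return {"beacons": find_beacons(events), "leaks": leaks}


if __name__ == "__main__":
    for kind, items in analyze(LOG_LINES).items():
        for item in items:
            print(kind, item)
```

Note what this does not catch, which is the limitation the last bullet states: the toolbar's tracking requests carry only an id and a page name, so the sensitive-data rule is silent on them, and only the timing heuristic flags that channel. A regular process that polls a legitimate site every minute would trip the same heuristic, which is the false-positive risk named on the anomaly-detection slide.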
Detection Techniques (cont)
• Scan for unsigned system files
• Scan for newly created files
• Disk and network performance monitors can be used as alerts to the presence of spyware
Removal Tools
• Free packages
  – Usually only detect/remove adware
  – Adaware: www.lavasoft.com
  – Spybot Search & Destroy: www.safer-networking.org
  – Ad infinitum
• Commercial packages
  – Many work against keyloggers, not just adware
  – Spy Sweeper: www.webroot.com
  – Spycop: www.spycop.com
  – And on and on and on…
Removal Methods
• Delete files
• Delete registry keys
• End the process, then delete its source file
• Strip malicious code
  – Remove it from the executable image (similar to disinfecting a legitimate file that carries a virus)
• After removal, change any settings that need to be reset
  – CoolWebSearch example: the homepage
Prevention Methods
• Abstinence…
  – The best way to stay clean is not to download the spyware in the first place
    • Do not download/install free applications from untrusted sources
    • Do not visit untrusted websites
• Update software
  – XP SP2
  – Internet Explorer critical patches
  – Firefox/Mozilla: get the latest version
Prevention Methods (cont)
• Turn off browser features
  – Take advantage of the security tools built in
    • Restricted Sites zone in IE; disable ActiveX, JavaScript, etc.
• Immunize
  – Many removal tools offer immunization
    • A list of thousands of websites to be placed in the Restricted Sites list
    • A list of processes to prevent from running and files to prevent from being installed
    • Prevent the homepage from being changed
• Firewall to prevent software from "phoning home"
• Run in a non-admin environment to prevent software from being installed in the background
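The "immunize" idea above, as an added example that is not part of the original slides and not the code of any real immunization tool. It does the two things such tools do with a block list of known ad/spyware hosts: merge the hosts into an existing hosts file so they resolve to 0.0.0.0 (without duplicating entries already present, and idempotent when run again), and emit a .reg file that drops the same domains into Internet Explorer's Restricted Sites zone. The host names are invented. The ZoneMap layout used (HKCU\...\Internet Settings\ZoneMap\Domains\<domain>\<subdomain>, value "*" = dword 4 for the Restricted zone) is the IE 6 one and is stated here as an assumption rather than something the slides spell out.

```python
"""Hosts-file and Restricted-Sites immunization. Added example, not from the
original slides or any real anti-spyware tool. Host names are constructed;
the ZoneMap registry layout is an assumption based on IE 6 (zone 4 = Restricted)."""

HOSTS_MARKER = "# --- anti-spyware immunization (added example) ---"
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_ZONE = 4  # IE security zone number for "Restricted sites" (assumption)

# Constructed existing hosts file and block list.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1\tlocalhost\n"
    "0.0.0.0\talready.blocked.example\n"
)
BLOCK_LIST = ["ads.example.net", "already.blocked.example", "tracker.example.com"]


def parse_hosts(text):
    """Return the set of host names that already have an entry."""
    mapped = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line:
            mapped.update(h.lower() for h in line.split()[1:])
    return mapped


def immunize_hosts(existing, block_hosts, sink="0.0.0.0"):
    """Append sink entries for hosts not yet present; unchanged when nothing is new."""
    already = parse_hosts(existing) | {"localhost"}  # never sink localhost
    new = sorted({h.lower() for h in block_hosts} - already)
    if not new:
        return existing
    out = existing.rstrip("\n") + "\n"
    if HOSTS_MARKER not in existing:
        out += HOSTS_MARKER + "\n"
    return out + "".join(f"{sink}\t{h}\n" for h in new)


def zonemap_key(host):
    """Registry key for a host: Domains\\<registrable domain>[\\<subdomain>]."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need a registrable domain: " + host)
    domain, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
    return ZONEMAP + "\\" + domain + ("\\" + sub if sub else "")


def restricted_sites_reg(hosts):
    """Build a .reg file that places each host in the Restricted Sites zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in sorted({h.lower() for h in hosts}):
        lines.append("[" + zonemap_key(host) + "]")
        lines.append('"*"=dword:%08x' % RESTRICTED_ZONE)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(immunize_hosts(SAMPLE_HOSTS, BLOCK_LIST))
    print(restricted_sites_reg(BLOCK_LIST))
```

The hosts file only answers for exact names, so a tracker that moves to a new sub-domain slips past it; the zone entry covers the whole domain, which is why tools apply both. Neither stops software that has already been installed from running, which is what the firewall and non-admin bullets address.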
Prevention Methods (cont)
• Some anti-spyware tools use behavioral rules to prevent the spyware from reaching your system
  – Same as or similar to an IDS for the PC
The Future
• Stealware
  – Hijacking cookies for profit
• Spyware that removes/disables anti-spyware software
  – Radlight
  – Edits the definition file to remove its own name from the list
• Base for a large attack
  – Could place a backdoor in Office source code
The Future (cont)
• Spyware building kits
  – Customize spyware for your needs
  – Harder to detect & remove
• Anti-anti-spyware
  – Disables protective measures