270 likes | 510 Views
Spyware. Agenda. Cookies Browser hijacking Bundled software Key loggers Spyware prevention and deletion. Introduction. Q: What is spyware
E N D
Agenda • Cookies • Browser hijacking • Bundled software • Key loggers • Spyware prevention and deletion ECE 4112-Internetwork Security
Introduction • Q: What is spyware • A: analysis and tracking programs that reports your activities to the advertising providers' web site for storage and analysis. These programs are generally bundled with freeware or shareware and are typically downloaded without the users knowledge. • Spyware is not illegal and is often times mentioned in very confusing and convoluted language within the user agreement for the freeware/shareware that the user is attempting to download. ECE 4112-Internetwork Security
Spyware Threats Spyware threats come in different flavors: • malware • modifies system settings, and can perform undesirable tasks on your system • hijacker • redirects your browser to web sites • dialer • dials a service (most likely porn sites) for which you are billed • collectware • collects information about you and your surfing habits ECE 4112-Internetwork Security
Cookies Q: What are cookies? A: Cookies are unique identifiers placed on your computer by a web server. Cookies are passive text strings which can be no larger than 4k but are typically only between 20-40 characters long ECE 4112-Internetwork Security
Cookies: dispelling myths • Cookies cannot collect personal information about users. The only way a cookie can contain this type of information is if you tell it to a particular website and that site chooses to include it in a cookie. • Cookie security is such that only the originating domain can use the contents of a cookie • Cookies are not scripts, though they may be written by a script. Cookies are not executable. ECE 4112-Internetwork Security
Cookies: so whats the big deal? Often times the use of cookies are harmless and even helpful at times. However more often than not companies employ the use of cookies to track a user’s activity on websites. This activity is then logged and a history of a user’s surfing habits can be maintained usually in order to target specific individuals with specific advertisements. . Information about a user can be swapped and sold from company to company to achieve a very comprehensive profile of any given user. ECE 4112-Internetwork Security
Browser Hijacking • When your web browser is hijacked, attempts to view some websites (such as common search engines or popular web directory sites) get automatically redirected to an alternative website of the hijacker's choice without your consent, frequently via a BHO (Browser Help Object). • Browser Hijacking can include altering the homepage for IE, changing the default URL prefix, performing DNS spoofing, or installing monitoring software ECE 4112-Internetwork Security
Homepage Altering • Browser Hijackers can modify the homepage which is opened every time you start Internet Explorer • Homepage could be set to an advertising website – companies pay web hosts on a per-click basis for their ads • The option to edit your homepage in the tools>Internet Options menu of IE can also be disabled through the registry ECE 4112-Internetwork Security
Homepage Altering • The default homepage for Internet Explorer is stored in the registry at:“HKEY_CURRENT_USER\Software\Microsoft/Internet Explorer\Main\Start Page” • Also, the option to disable editing of the homepage in the tools->Intenet Options menu is stored in the registry at: “HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\ Control Panel\Homepage” ECE 4112-Internetwork Security
Homepage Altering • By setting “Homepage” to 1, you can no longer edit your homepage in IE • Writing and reading to the registry is simple with Visual Basic Script files, which could easily be included as attachments in email ECE 4112-Internetwork Security
Homepage Altering • Example script code: Dim WSHShell, q Dim itemtype, newpage Set WSHShell = WScript.CreateObject("WScript.Shell") q = "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page" itemtype = "REG_SZ" newpage = “http://www.hackershomepage.com” WSHShell.RegWrite q, newpage, itemtype ECE 4112-Internetwork Security
URL Prefix Attack • When you type in an website address in a browser that includes “www”, the prefix “http://” is automatically appended to the front • This prefix value is not permanent, and it too can be edited in the registry at: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\” • As before, a hacker could redirect you in an attempt to force you to use their search engine or go through their gateway to monitor your usage of the Internet. They may also receive money on a per-click basis from another company every time a certain link is visited. ECE 4112-Internetwork Security
Host Hijack (DNS Spoofing) • As we examined in an earlier lab, it is possible to edit the file: C:/WINDOWS/system32/drivers/etc/hosts to bypass requests to a DNS server, and instead resolve hostnames to IP address specified in the file ECE 4112-Internetwork Security
Recovering From BH Attacks • There are many applications available to help remove the effects of browser hijacking attacks • One excellent tool for this matter is hijackthis, available at http://www.tomcoyote.org/hjt/ • Hijackthis will provide a list of all the registry entries and files a BH could attack, including the homepage registry entry and the hosts file ECE 4112-Internetwork Security
Preventing BH Attacks • To help prevent Browser Hijacking attacks, an application called BHBlaster is available which will monitor changes to registry files and host files and alert the user when something is attempting to alter these values ECE 4112-Internetwork Security
Bundled Software • Today, there are a large number of programs used to share files over the Internet. The most popular of these are peer to peer programs which are anonymous to use and free to download • However, these programs are notorious for their reputation of having bundled 3rd party software which is installed when the main program is installed, often without the user’s knowledge ECE 4112-Internetwork Security
Bundled Software • In the lab, you will install an old version of a peer-to-peer client and examine what spyware programs are installed along with the client • These spyware programs may include pop-up ad generators, browser add-ons such as search toolbars, and software to monitor your usage statistics and report them to a 3rd party company ECE 4112-Internetwork Security
Key Loggers • Q: What are key loggers? • A: A key logger is a program that runs in the background recording all keystrokes. Though many key loggers can be seen in the running process list good key loggers will change their names in the process list to something inconspicuous. Even better key loggers can make themselves totally invisible from the process list. ECE 4112-Internetwork Security
Key Loggers Q: Why are key loggers so easy to find? A: Key loggers are not only used maliciously. There are many other uses for key loggers such as: • Making sure children are using the internet appropriately and safely • Ensuring that employees are not misusing company computers • Safeguarding against lost information in the event of a power outage or other unforeseen circumstances. ECE 4112-Internetwork Security
Spyware Prevention and Deletion In recent years, there has been a dramatic increase in the number of anti-spyware applications available. Of course, the best way to protect your computer from spyware is to carefully examine license agreements when you install free software and be cautious of what websites you visit on the Internet ECE 4112-Internetwork Security
Spyware Prevention and Deletion Some of the best (and free) anti-spyware programs available include: • AdAware • Spybot – Search and Destroy • Microsoft AntiSpyware ECE 4112-Internetwork Security
Spyware Prevention and Deletion AdAware was one of the first applications designed to remove spyware. It performs very thorough searches and is very simple to use. However, it does not provide real-time protection (in the free version). Spybot – Search and Destroy not only implements all the features of AdAware, but it also has real-time protection. It’s updating software to download the latest spyware signatures, however, is a little lacking. ECE 4112-Internetwork Security
Spyware Prevention and Deletion Microsoft’s AntiSpyware is an excellent application which runs smoothly in the background in Windows. When spyware threats are detected, a window pops up prompting the user as to what action to take. The main weakness of this application is that it is still in beta testing. ECE 4112-Internetwork Security
Sources • http://www.cookiecentral.com/demomain.htm • http://cc.uoregon.edu/cnews/winter2004/hijack.html • http://www.dougknox.com/security/scripts_desc/nosethomepage.htm • http://www.refog.com/keylogger/index.html • http://kujoe.com/freeware/spybot.php ECE 4112-Internetwork Security