
…::::Spyware / Adware::::… Tim Altimus Bassel Kateeb






Presentation Transcript


  1. …::::Spyware / Adware::::… Tim Altimus Bassel Kateeb

  2. Spyware
     • Definition – Spyware: software programs made by unscrupulous marketing companies that allow them to snoop on a user’s browsing activity, see purchases made, and cause pop-up ads to appear
     • Spyware is any software program that sends data back to a third party without asking you for permission.
     • Eclipsed viruses as the fastest growing online threat
     • Infecting nearly 90% of Internet-connected PCs

  3. Unaware of Spyware
     • Not enough companies making security a high priority
     • Businesses that focus on the threat still lack clear policies
     • Companies failing to identify exactly where money needs to be spent
     • Survey conducted for Secure Computing
       • Three quarters of US firms do not consider spyware to be a problem
       • Most do not see unauthorized employee use of peer-to-peer file sharing services or instant messaging as major problems

  4. Horror of Spyware
     • 2004 Spy Audit conducted by ISP Earthlink and online privacy firm Webroot Software
       • Instances of spyware infections on consumer PCs rose 230%
       • Instances of Trojans rose 114%
       • This is only between October 2004 and December 2004
     • Scan of 1,390,883 PCs in Q4 2004 revealed 33,096,255 instances of spyware and adware
     • Spy Audit recorded a yearly total of 116.5 million instances of spyware and adware

  5. Costs of Spyware
     • Viruses, worms and Trojans cost global businesses between $169bn and $204bn in 2004
     • $281 to $340 worth of damage per machine

  6. How did I get it?
     • Spyware can infect your system in many different ways
       • Visiting a spy-spreading web site
       • Opening a spy-carrying email attachment
       • Downloading a spy as part of another (often "free") software program
       • Using file-sharing programs like KaZaa / eMule
     • Traditional anti-virus programs and firewalls don't offer protection from invasive and harmful spyware programs that can manifest themselves in many ways on your PC

  7. Spyware Variants
     • Browser Helper Object
       • Small program installed on the PC that runs within a browser
       • Usually installed on the system by another software program
       • Toolbar accessories
       • Tracks internet usage and collects other information that is used on the internet

  8. Spyware Variants (cont)
     • Browser Hijackers
       • Related to homepage hijackers (discussed later)
       • Kick in when a bad, wrong, or misspelled URL is typed in the browser
       • …or by visiting a targeted website
       • Track internet usage and collect other information that is used on the internet
       • Redirect the page to a search engine or a page of ads
       • May also route all website requests through an unknown third party for tracking
       • Leads to invasion of privacy, and dramatic slow down of the browser

  9. Spyware Variants (cont)
     • Dialers
       • Install themselves into the dial-up settings
       • Dial numbers without the user’s knowledge
       • Once downloaded, the user is disconnected from their Internet service provider and another phone number is dialed
       • User is billed for the time used
       • Malicious in nature and can rack up expensive and unwanted bills

  10. Spyware Variants (cont)
     • Drive-by downloads
       • Downloads that are accomplished by providing a misleading dialog box or other stealth installation
       • Very often, users have no idea they have installed an application
       • Internet Explorer exploits make it possible to install software without users' knowledge
       • Drive-by downloads can be prevented by good anti-spyware applications that monitor computer memory

  11. Spyware Variants (cont)
     • Homepage Hijacking
       • Most common of all spyware variants
       • Browser homepage is forcibly changed to a new website without the user’s permission
       • They prevent users from changing their homepage back by:
         • Disabling functionality in the “options” menu setting
         • Installing some type of program that will regularly switch it back to the forced site
       • Even if the user is able to reset the homepage, upon reboot it will be reset to the Homepage Hijacker setting
       • Hijackers may also route all website requests through an unknown third party for tracking
       • Leads to invasion of privacy, and dramatic slow down of the browser

  12. Spyware Variants (cont)
     • Keyloggers
       • Program that records the keystrokes the user types on the keyboard
       • They record this information in a log and then usually send that log to a server along with user information
       • Keyloggers can record information such as
         • Passwords
         • Credit card information
         • Personal ID numbers
       • Highly invasive and a major threat on the internet

  13. Spyware Variants (cont)
     • Layered Service Provider
       • Piece of software that is tightly woven into the networking services of a computer
       • The LSP integrates itself with the TCP/IP layer of the network stack
       • As a consequence, the LSP has access to all TCP/IP traffic coming into and leaving a computer
       • Spyware authors use LSPs to spy on the habits and data of the user
       • It is possible to change information so that the spyware vendor benefits, since the computer will not see any of the data until the LSP lets it through
         • E.g. replacing the top Google search results with links to paid advertisers

  14. Spyware Variants (cont)
     • Layered Service Provider (cont)
       • Trying to remove the LSP without the proper precautions may cause the computer to be unable to reconnect to the internet
       • Many times, the only fix is to reinstall the OS
       • Or, use of automated spyware removal tools is highly recommended
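The two LSP slides above describe a provider sitting inside the Winsock stack and warn that removing one carelessly breaks networking. The defensive first step is to list the catalog and see which layered providers are not Microsoft's before any removal tool is run. The Python below is an added example, not from this presentation or any vendor: it parses text in the shape of the `netsh winsock show catalog` listing (the field labels it expects, and the expansion of `%SystemRoot%` to the Windows directory, are assumptions about that format) and flags Layered Service Provider entries whose DLL sits outside system32 or is not on a short allow-list of Microsoft provider DLLs. The sample catalog is constructed; its provider names, GUIDs and paths are made up.

```python
"""Flag suspicious Winsock LSP entries from a catalog listing.

Added example, not from the presentation. Input is text shaped like the
`netsh winsock show catalog` listing; the field labels below are an
assumption about that format, and the sample is constructed.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Constructed sample: names, GUIDs and paths are made up for this example.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {11111111-1111-1111-1111-111111111111}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ExampleToolbar Layered Provider
Provider ID:                        {22222222-2222-2222-2222-222222222222}
Provider Path:                      C:\Program Files\ExampleToolbar\extb_lsp.dll
Catalog Entry ID:                   1007

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Unknown provider dropped into system32
Provider ID:                        {33333333-3333-3333-3333-333333333333}
Provider Path:                      %SystemRoot%\system32\wsock_helper.dll
Catalog Entry ID:                   1008
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$", re.MULTILINE)

# Microsoft provider DLLs that normally appear in the catalog. A system32
# path alone proves nothing, since an installer can drop a DLL there too.
KNOWN_PROVIDER_DLLS = {"mswsock.dll", "winrnr.dll", "nlaapi.dll",
                       "napinsp.dll", "pnrpnsp.dll"}


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the listing into one dict of fields per provider entry."""
    entries = []
    for chunk in text.split("Winsock Catalog Provider Entry"):
        fields = {k.strip(): v for k, v in FIELD_RE.findall(chunk)}
        if "Provider Path" in fields:
            entries.append(fields)
    return entries


def flag_lsps(entries: List[Dict[str, str]],
              system_root: str = r"C:\Windows") -> List[Dict[str, object]]:
    """Return the layered providers that fail either check, with reasons."""
    sys32 = (system_root + r"\system32" + "\\").lower()
    findings = []
    for e in entries:
        if "layered" not in e.get("Entry Type", "").lower():
            continue  # base providers and namespace entries are out of scope here
        path = e["Provider Path"].replace("%SystemRoot%", system_root).lower()
        reasons = []
        if not path.startswith(sys32):
            reasons.append("provider DLL outside system32")
        if path.rsplit("\\", 1)[-1] not in KNOWN_PROVIDER_DLLS:
            reasons.append("DLL not on known-provider list")
        if reasons:
            findings.append({"id": e.get("Catalog Entry ID"),
                             "path": e["Provider Path"], "reasons": reasons})
    return findings


def read_live_catalog() -> str:
    """On a Windows host, return the real listing for the same parser."""
    if sys.platform != "win32":
        raise RuntimeError("netsh is only available on Windows")
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for f in flag_lsps(parse_catalog(SAMPLE_CATALOG)):
        print(f"entry {f['id']}: {f['path']} -> {', '.join(f['reasons'])}")
```

The script only reports; it never edits the catalog. That is deliberate, because the catalog chain it reads is exactly what a careless removal corrupts, which is the slide's point about being unable to reconnect afterwards. Removal is left to the automated tools the slide recommends, and the report tells you which entry to look at before running them.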

  15. Spyware Variants (cont)
     • Retrospies
       • Software that actively attacks anti-spyware programs in an effort to avoid detection
       • May disguise themselves by using common system file names
       • Malicious and usually use many types of deception in order to avoid detection

  16. Spyware Variants (cont)
     • Search Hijackers
       • Take control over the default search engine
       • In the event of a mistype, a targeted search page will pop up rather than the preferred search engine
       • Targeted search page will generally include many advertisements and will deliver mostly advertising content rather than relevant search results

  17. Spyware Variants (cont)
     • Thiefware
       • Causes visitors to certain sites to be redirected to a search engine or other web page of the author's choosing
       • Not illegal, although it is highly unethical
     • Trojan Horses
       • Programs that appear to be innocuous, even beneficial, but are actually harmful
       • The harmful contents could be anything from a virus to a tool which allows outside users to take full control of a computer
       • Trojans are designed to cause loss or theft of computer data, or even to destroy the system
       • Distributed as email attachments, or bundled with other software programs

  18. Adware
     • Definition – Adware: any software program that causes advertising banners to be displayed to the user
     • Adware helps recover programming development costs, and helps to hold down the price of the application for the user
     • Comes mostly with freeware or shareware applications (Opera, KaZaa, iMesh, etc.)
     • Common Adware: Gain, Hotbar, BonziBuddy, WeatherCast, Cydoor
     • Some are harmless, but most track the user’s habits and personal information

  19. Adware (cont)
     • Sample Common Types
       • About:Blank (CoolWebSearch)
         • Among the most insidious and prevalent spyware programs currently on the net
         • Nearly impossible to remove
         • Replaces the home page with a new one titled about:blank
         • Installs a Browser Helper Object in IE, slowing down performance drastically
         • Restores file directory and registry settings once deleted
         • If removed from auto-start settings, it will restore itself
       • BargainBuddy
         • BHO that displays popup ads when particular terms are entered into a search engine web form
         • Shares memory that the browser uses, detects events, creates additional windows while surfing, and monitors activity

  20. Adware (cont)
     • Sample Common Types (cont)
       • Claria
         • Top adware pest found on the internet
         • Injects ads into the browser or displays them in its own popup windows
         • Consumes over 13Mb of disk space on average
         • Re-brand of what was formerly known as "Gator"
       • NewDotNet
         • Company that sells alternate top-level domains not supported in the official DNS system
         • Internet Explorer plug-in that gives the appearance of providing extra top-level domains (.shop, .xxx and .mp3, for example)
         • Functionality of this product does not adhere to most Internet standards

  21. Spyware Effects on Computers
     • Consumes resources on the PC
       • Slows it down
       • Causes it to crash
     • Interferes with the web browser, slowing it down or causing downloads to fail
     • Can hijack the browser, redirecting users to sites with objectionable material
     • Slows down the internet connection because it is sending information about surfing habits to ad companies
       • They in turn target users with popup ads that fit their preferences

  22. Spyware Effects on Organizations
     • Infected PCs can cost organizations a lot of money for cleaning, or for reinstalling the PC OS and software all over again
     • Most dangerous effect of spyware is data being stolen or its security jeopardized
     • Traces of spyware/adware can trigger alarms from audit software and lead to suspension or firing of innocent employees

  23. Stories I
     • Browser hijacking changes lives
       • Jack was fired by his organization after traces of child pornography were found on his computer
       • He was completely innocent
       • Typed a wrong URL in the browser and his computer was taken over by spyware
       • Cleaned his PC with spyware removal tools, but traces were left
       • Received 180 days in jail and must register as a sex offender for 10 years
     • Husband found male child pornography on wife’s home PC
       • Sadly, he did not believe her and they ended a 5 year marriage
       • She lost custody of her children

  24. Latest Threats I
     • Hackers Use DRM To Plant Massive Amounts Of Spyware
       • Microsoft's Windows Media Player digital rights management
       • Two new Trojan horses
         • WmvDownloader.a
         • WmvDownloader.b
       • Planted in video files available on eMule & KaZaA
       • WMP 10/WinXP anti-piracy features trick users
         • Pretend to download a license, actually downloading a large number of adware, spyware, dialers, and other viruses
       • According to Kaspersky Labs, a single “Yes” click = 58 folders, 786 files, and an incredible 11,915 registry entries

  25. Detection Techniques
     • Most anti-spyware tools focus on the hard disk
       • Search for known spyware in:
         • Specific folders
         • Specific registry keys
       • If the process is in memory, it may not be removed
       • Depends on a list of known spyware – called spyware definitions
         • Requires the software tool to update the list
       • Can delete legitimate folders/registry keys
         • needed for legitimate applications to run

  26. Detection Techniques (cont)
     • Search for processes running in memory
       • Some processes run hidden (e.g. CoolWebSearch)
       • Some processes run as system-level events that you cannot remove (permissions problem)
       • Start in safe mode to prevent processes from loading as critical system events
       • Still depends on definitions
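Slides 25 and 26 describe definition-based scanning: match files, registry keys and running processes against a definition list, with two caveats the slides raise (a process still in memory may not be removable until it is stopped or the machine is rescanned from safe mode, and a definition can hit an artifact that a legitimate application needs). The Python below is an added example, not the presentation's or any anti-spyware vendor's code, that implements such a scan over a constructed snapshot of a machine and surfaces both caveats as warnings instead of deleting anything. The definitions, paths, process names and the shared-artifact list are all made up for the example.

```python
"""Definition-based spyware scan over a machine snapshot.

Added example, not code from the presentation or any anti-spyware vendor.
Definitions, paths, process names and the shared-artifact list are all
constructed for the example.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Definition:
    name: str
    file_globs: List[str]       # lower-case glob patterns over full paths
    registry_keys: List[str]    # lower-case full key paths
    processes: List[str]        # lower-case image names


@dataclass
class Snapshot:
    """What a scanner sees: files on disk, registry keys, running images."""
    files: Set[str]
    registry_keys: Set[str]
    running_processes: Set[str]


@dataclass
class Finding:
    name: str
    files: List[str]
    keys: List[str]
    running: List[str]
    removable_now: bool
    warnings: List[str] = field(default_factory=list)


# Constructed definitions ("spyware definitions" in the slides' terms).
DEFINITIONS = [
    Definition("ExampleSpy",
               [r"c:\program files\examplespy\*.dll"],
               [r"hklm\software\microsoft\windows\currentversion\run\examplespy"],
               ["exspy.exe"]),
    Definition("ToolbarHelper",
               [r"c:\windows\system32\tbhelper*.dll"],
               [r"hklm\software\microsoft\windows\currentversion\explorer"
                r"\browser helper objects\{placeholder-clsid}"],
               ["tbhelper.exe"]),
]

# Artifacts a legitimate application also depends on. Deleting one of these
# because a definition matched it is the "deletes legitimate files" failure.
SHARED_ARTIFACTS = {r"c:\windows\system32\tbhelper_legit.dll"}

# Constructed snapshot of an infected machine.
SAMPLE_SNAPSHOT = Snapshot(
    files={r"C:\Program Files\ExampleSpy\exspy.dll",
           r"C:\Windows\system32\tbhelper_legit.dll",
           r"C:\Windows\system32\kernel32.dll"},
    registry_keys={r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleSpy"},
    running_processes={"exspy.exe", "explorer.exe"},
)


def scan(snapshot: Snapshot, definitions: List[Definition] = DEFINITIONS) -> List[Finding]:
    """Match every definition against the snapshot; never delete anything."""
    findings = []
    for d in definitions:
        files = sorted(f for f in snapshot.files
                       if any(fnmatch.fnmatchcase(f.lower(), g) for g in d.file_globs))
        keys = sorted(k for k in snapshot.registry_keys if k.lower() in d.registry_keys)
        running = sorted(p for p in snapshot.running_processes if p.lower() in d.processes)
        if not (files or keys or running):
            continue
        warnings = []
        if running:
            # A loaded image cannot be deleted; stop it or rescan from safe mode.
            warnings.append(f"{', '.join(running)} still in memory; "
                            "stop it or rescan from safe mode before deleting")
        for artifact in files + keys:
            if artifact.lower() in SHARED_ARTIFACTS:
                warnings.append(f"{artifact} is also used by a legitimate "
                                "application; do not delete")
        findings.append(Finding(d.name, files, keys, running,
                                removable_now=not running, warnings=warnings))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SNAPSHOT):
        print(f.name, "removable now:", f.removable_now, f.warnings)
```

The scan is only as good as `DEFINITIONS`, which is the slides' "still depends on definitions" point: a process the list does not name is invisible to it, however suspicious its behaviour.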

  27. Detection Techniques (cont)
     • Anomaly Detection / Pattern Matching
       • Continuously monitor the system for suspicious events
         • Processes using backchannels on the internet connection
         • Processes that are collecting system event data
       • A heuristic approach
         • Possibility of false positives/negatives
         • Can miss ‘legitimate seeming’ traffic or activity

  28. Detection Techniques (cont)
     • Monitor all outgoing traffic
       • Firewalls can scan for certain types of traffic
         • Watch for sensitive or personal data
         • Will block the traffic and create log files
       • Check log files to find info on what processes are sending data
       • Limited approach – valid only for a narrow definition of spyware
         • Does not catch adware and other less malicious code
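Slides 27 and 28 together describe reviewing outbound traffic for processes using backchannels and for sensitive data leaving the machine, with the heuristic caveat that false positives are possible. The Python below is an added example, not from the presentation, that runs those checks over firewall-style egress log lines: it flags processes not on an allow-list, detects periodic "phone home" connections by the regularity of their timing, and looks for card numbers in logged payloads, using a Luhn checksum so that an ordinary 16-digit order number is not reported. The log format is a constructed one, not any firewall's native format, and the sample lines are made up (documentation-range IP addresses, a published test card number, invented process names).

```python
"""Egress-log review for spyware phone-home behaviour.

Added example, not from the presentation. The log format is a constructed
one, not any firewall's native format; the sample lines are made up
(documentation-range IPs, a published test card number).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) proc=(?P<proc>\S+) dst=(?P<dst>\S+) '
    r'bytes=(?P<bytes>\d+)(?: payload="(?P<payload>[^"]*)")?$'
)

# Constructed sample: a browser, a mail client, an unlisted process that is
# blocked, and a spyware process that reports home every five minutes.
SAMPLE_LOG = """\
2004-12-01T10:00:00 ALLOW proc=iexplore.exe dst=198.51.100.10:80 bytes=1200
2004-12-01T10:00:05 ALLOW proc=exspy.exe dst=203.0.113.5:80 bytes=412 payload="uid=4012888888881881&hp=www.example.com"
2004-12-01T10:05:05 ALLOW proc=exspy.exe dst=203.0.113.5:80 bytes=398
2004-12-01T10:07:30 ALLOW proc=iexplore.exe dst=198.51.100.22:443 bytes=8800
2004-12-01T10:09:00 BLOCK proc=unknown.exe dst=203.0.113.9:6667 bytes=0
2004-12-01T10:10:04 ALLOW proc=exspy.exe dst=203.0.113.5:80 bytes=420
2004-12-01T10:12:00 ALLOW proc=outlook.exe dst=198.51.100.30:25 bytes=3000 payload="order 1234567890123456 shipped"
2004-12-01T10:15:06 ALLOW proc=exspy.exe dst=203.0.113.5:80 bytes=405
"""

CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production reader would count these
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def analyze(text: str, allowed_processes: Set[str],
            min_beacons: int = 4, max_cv: float = 0.1) -> Dict[str, List[str]]:
    """Return {process: sorted reason tags} for anything worth a look."""
    reasons = defaultdict(set)
    flows = defaultdict(list)  # (proc, dst) -> times of allowed connections
    for e in parse_log(text):
        proc = e["proc"].lower()
        if proc not in allowed_processes:
            reasons[proc].add("unlisted-process")
        if any(luhn_ok(n) for n in CARD_RE.findall(e["payload"] or "")):
            reasons[proc].add("sensitive-payload")
        if e["action"] == "ALLOW":
            flows[(proc, e["dst"])].append(e["ts"])
    # Beaconing: enough connections to one destination at a near-constant gap
    # (coefficient of variation of the gaps at or below max_cv).
    for (proc, _dst), times in flows.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            reasons[proc].add("beaconing")
    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for proc, tags in analyze(SAMPLE_LOG, {"iexplore.exe", "outlook.exe"}).items():
        print(proc, tags)
```

The thresholds (`min_beacons`, `max_cv`) are where the heuristic trade-off from slide 27 lives: loosen them and legitimate software that polls on a timer gets reported; tighten them and a spyware process that jitters its interval slips through.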

  29. Detection Techniques (cont)
     • Scan for unsigned system files
     • Scan for newly created files
     • Disk and network performance monitors can be used as alerts to the presence of spyware
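The "scan for newly created files" item on slide 29 is a baseline comparison: record what is on disk while the machine is known clean, then report anything that appeared or changed. The Python below is an added example, not from the presentation, that hashes a directory tree, diffs two such snapshots, and demonstrates the result on a constructed temporary tree in which a stealth install drops one DLL and overwrites another. Signature verification (the "unsigned system files" item) needs the platform's Authenticode tooling and is not part of this block; on Windows the same file list can be fed to PowerShell's Get-AuthenticodeSignature.

```python
"""File baseline and diff: find newly created or modified files.

Added example, not from the presentation. It builds a throwaway directory
tree (constructed data) rather than touching a real system directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)


def snapshot(root: str) -> Snapshot:
    """Hash every regular file under root, keyed by its relative path."""
    base = Path(root)
    result: Snapshot = {}
    for p in sorted(base.rglob("*")):
        if not p.is_file():
            continue
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        result[p.relative_to(base).as_posix()] = (p.stat().st_size, h.hexdigest())
    return result


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Report what appeared, disappeared, or changed since the baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(k for k in before & after if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, simulate a stealth install, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        sys32.mkdir()
        (sys32 / "kernel32.dll").write_bytes(b"constructed: legitimate file")
        (sys32 / "mswsock.dll").write_bytes(b"constructed: legitimate file")
        baseline = snapshot(tmp)
        # A drive-by install drops one new DLL and overwrites an existing one.
        (sys32 / "tbhelper.dll").write_bytes(b"constructed: dropped by installer")
        (sys32 / "mswsock.dll").write_bytes(b"constructed: replaced in place")
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A baseline taken after infection is worthless, which is why this belongs with the prevention advice later in the deck: take it on a freshly built machine and store it somewhere the machine itself cannot modify.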

  30. Removal Tools
     • Free packages
       • Usually only detect/remove adware
       • Ad-Aware: www.lavasoft.com
       • Spybot Search & Destroy: www.safer-networking.org
       • Ad infinitum
     • Commercial packages
       • Many work against key loggers, not just adware
       • Spy Sweeper: www.webroot.com
       • Spycop: www.spycop.com
       • And on and on and on…

  31. Removal Methods
     • Delete files
     • Delete registry keys
     • End process and delete source
     • Strip malicious code
       • Remove from image file (similar to cleaning a legitimate file that has a virus)
     • After removal – change settings that may need reset – CoolWebSearch example: homepage

  32. Prevention Methods
     • Abstinence…
       • Best way to stay clean is not to download the spyware in the first place
       • Do not download/install free applications
       • Do not visit untrusted websites
     • Update software
       • XP SP2
       • Internet Explorer critical patches
       • Firefox/Mozilla – get latest version

  33. Prevention Methods (cont)
     • Turn off browser features
       • Take advantage of the security tools built in
       • Restricted sites in IE, disable ActiveX, JavaScript, etc.
     • Immunize
       • Many removal tools offer immunization
         • List of thousands of websites to be placed in the restricted list
         • List of processes to prevent from running, files to be installed
       • Prevent homepage from being changed
     • Firewall to prevent software from “phoning home”
     • Run in a non-admin environment to prevent software from being installed in the background

  34. Prevention Methods (cont)
     • Some anti-spyware tools will use behavioral rules to prevent the spyware from reaching your system
       • Same as or similar to an IDS for the PC

  35. The Future
     • Stealware
       • Hijacking cookies for profit
     • Spyware that removes/disables anti-spyware software
       • Radlight
         • Edit definition file to remove name from list
     • Base for large attack
       • Could place backdoor in Office source code

  36. The Future (cont)
     • Spyware building kits
       • Customize spyware for your needs
       • Harder to detect & remove
     • Anti-anti-spyware
       • Disable protective measures
