1. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004
Spyware and Trojan Horses
Computer Security Seminar Series
Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk
2. Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
3. Introduction
4. Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions
5. Definitions
Spyware: A general term for a program that surreptitiously monitors your
actions. While they are sometimes sinister, like a remote control program
used by a hacker, software companies have been known to use Spyware to
gather data about customers. The practice is generally frowned upon.

Trojan Horse: An apparently useful and innocent program containing
additional hidden code which allows the unauthorized collection,
exploitation, falsification, or destruction of data.
7. Summary of Effects
• Collection of data from your computer without consent
• Execution of code without consent
• Assignment of a unique code to identify you
• Collection of data pertaining to your habitual use
• Installation on your computer without your consent
• Inability to remove the software
• Performing other undesirable tasks without consent
8. Similarities / Differences

Differences

                 Spyware                                 Trojan Horses
Motivation       Commercially motivated                  Malicious
Network          Internet connection required            Any network connection required
Direction        Initiates remote connection             Receives incoming connection
Purpose          To monitor activity                     To control activity
Behaviour        Collects data and displays pop-ups      Unauthorized access and control
Legality         Legal (typically disclosed in an EULA)  Illegal
Virus checker    Not detectable with a virus checker     Detectable with a virus checker
Age              Relatively new (< 5 years)              Relatively old (> 20 years)

The "direction" row is the typical case in 2004; trojans with firewall
circumvention (see the Assassin example later) connect outwards instead, and
the "virus checker" row only holds until anti-virus vendors add spyware
signatures, which the conclusions list as a long-term solution.

Similarities

• Memory-resident processes
• Surreptitiously installed without the user’s consent or understanding
• Creates a security vulnerability
10. Software Examples
• GAIN / Gator
• Gator E-Wallet
• Cydoor
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
• Dogpile Toolbar
Image Sources…
• GAIN Logo – The Gator Corporation – http://www.gator.com
• BonziBuddy Logo – Bonzi.com – http://images.bonzi.com/images/gorillatalk.gif
• DownloadWare Logo – DownloadWare – http://www.downloadware.net
11. Spyware Defence

User Initiatives…
• Issue Awareness
• Use Legitimate S/W Sources
• Improved Technical Ability
• Choice of Browser
• Choice of OS
• Legal action taken against breaches of privacy
  – Oct ’02 Doubleclick

Technical Initiatives…
• Spyware Removal Programs
• Pop-up Blockers
• Firewall Technology
• Disable ActiveX Controls
  – Not Sandboxed
• E-Mail Filters
• Download Patches
12. Spyware Removers
Ad-aware (by Lavasoft)
– Reverse Engineer Spyware
– Scans Memory, Registry and Hard Drive for…
• Data Mining components
• Aggressive advertising components
• Tracking components
– Updates from Lavasoft
– Plug-ins available
• Extra file information
• Disable Windows Messenger Service
Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com
13. Vulnerable Systems
• Those with an internet connection!
• Microsoft Windows 9x/Me/NT/2000/XP, the platform the spyware of the day is built for
• Open-source OSs largely unaffected: not targeted, and no ActiveX
• Non-firewalled systems
• Internet Explorer, which executes ActiveX plug-ins
• Other browsers are not affected by ActiveX-based installers (they remain exposed to executables the user downloads and runs)
14. Trojan Horses
15. Installation
• Secretly installed when an infected executable is run
  – Much like a virus
  – Executables typically come from P2P networks or unscrupulous websites
• ActiveX controls on websites
  – ActiveX allows automatic installation of software from websites
  – The user probably does not know what they are running
  – Misleading descriptions are often given
  – Not sandboxed: a control runs with the full privileges of the browser user
  – Digital (Authenticode) signatures are supported, but signing is not required, and a valid signature only identifies the publisher; it says nothing about what the control does
16. Installation
• Certificate Authority
• Misleading certificate description
• Who is trusted?
Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.
17. Effects
• Allows remote access
  – To spy
  – To disrupt
  – To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
  – To access resources (e.g. bandwidth, files)
  – To launch a DDoS attack
18. Operation
• Listens for connections
• Memory resident
• Starts at boot-up (e.g. from a registry Run key)
• Disguises its presence (innocuous process name, hidden files)
• Rootkits integrate with the kernel to hide the process, files and sockets
• Password protected, so that only the attacker can use the backdoor
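The operational traits above (listening for connections, starting at boot, disguising presence) are exactly what a host-side triage looks for. The Python script below is an added example, not part of the seminar or of any tool it mentions: it parses constructed `netstat -ano` and `reg query ...\Run` output embedded in the script, flags listening ports outside an illustrative allow-list, and flags autorun entries whose executable lives outside the Windows or Program Files directories or whose file name is blank. Port 31337 (Back Orifice's well-known default), the PIDs, the file names and both allow-lists are assumptions for the demonstration; a real baseline comes from a known-clean build of the same system.

```python
"""Host triage for resident backdoors: unexpected listeners and suspicious
autoruns. Added example, not from the seminar; all sample data is constructed
and the allow-lists are illustrative."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` on a Windows host (PIDs invented;
# 31337 is Back Orifice's default port).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       764
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1532
  TCP    192.168.0.10:1020      202.52.222.10:80       ESTABLISHED     2240
  UDP    0.0.0.0:31337          *:*                                    1532
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `reg query` output for a Run key (names and paths invented).
AUTORUN_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe      REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MSMSGS          REG_SZ    C:\Program Files\Messenger\msmsgs.exe /background
    umgr32          REG_SZ    C:\WINDOWS\system32\ .exe
    Windows Update  REG_SZ    C:\Documents and Settings\User\svchost.exe
"""

ALLOWED_LISTEN_PORTS = {135, 137, 138, 139, 445}          # illustrative baseline
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")    # lower-cased prefixes

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")
AUTORUN_RE = re.compile(r"^\s*(?P<name>.+?)\s+REG_SZ\s+(?P<cmd>.+?)\s*$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    pid: int


@dataclass(frozen=True)
class Autorun:
    name: str
    exe: str
    args: str


def parse_netstat(text):
    """Return every socket that accepts input: LISTENING TCP and any bound UDP."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue                       # established/time-wait sockets are not listeners
        port = int(m.group("local").rsplit(":", 1)[1])
        listeners.append(Listener(m.group("proto"), port, int(m.group("pid"))))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED_LISTEN_PORTS):
    return [l for l in listeners if l.port not in allowed]


def parse_autoruns(text):
    entries = []
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        e = EXE_RE.match(m.group("cmd"))   # split "path\prog.exe args" into exe and args
        if e:
            entries.append(Autorun(m.group("name"), e.group("exe"), e.group("args") or ""))
    return entries


def suspicious_autoruns(entries, trusted_dirs=TRUSTED_DIRS):
    """Flag autoruns outside trusted directories or with a blank (whitespace) file name."""
    flagged = []
    for a in entries:
        path = ntpath.normpath(a.exe).lower()
        stem = ntpath.splitext(ntpath.basename(path))[0].strip()
        reasons = []
        if not path.startswith(trusted_dirs):
            reasons.append("outside trusted directories")
        if not stem:
            reasons.append("blank executable name")
        if reasons:
            flagged.append((a, reasons))
    return flagged


def triage(netstat_text, autorun_text):
    return {"listeners": unexpected_listeners(parse_netstat(netstat_text)),
            "autoruns": suspicious_autoruns(parse_autoruns(autorun_text))}


if __name__ == "__main__":
    result = triage(NETSTAT_SAMPLE, AUTORUN_SAMPLE)
    for l in result["listeners"]:
        print(f"unexpected listener: {l.proto}/{l.port} pid {l.pid}")
    for a, reasons in result["autoruns"]:
        print(f"suspicious autorun '{a.name}': {a.exe} ({', '.join(reasons)})")
```

On the constructed data the script reports the TCP and UDP listeners on 31337 (both owned by the same PID) and two autoruns: the entry whose file name is only a space, and the copy of svchost.exe living under a user profile instead of system32. A rootkit that hides its process and socket from the OS defeats this kind of user-mode check, which is why the slide lists kernel integration as a separate threat.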
19. Example: Back Orifice
• Back Orifice
– Produced by the “Cult of the Dead Cow”
– Targets Win95/98
– Toast of DefCon 6 (1998)
– Similar operation to NetBus
– Name is a pun on a Microsoft product of the time (BackOffice)
20. BO: Protocol
• Modular authentication
• Modular encryption
  – AES and CAST-256 modules available
• UDP or TCP
• Variable port
  – Avoids most simple (stateless) port filters; a stateful firewall still blocks the unsolicited inbound connection
• IP notification via ICQ
  – Dynamic IP addressing is not a problem: the victim tells the attacker where it is
21. BO: Protocol Example (1)
[Diagram] Trojan infection occurs on the Victim. The Victim sends its IP address and port to an ICQ server; the Attacker reads the IP address and port from the ICQ server and opens a connection to the Victim.
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
22. BO: Protocol Example (2)
[Diagram] Over the established connection the Attacker sends a command and the Victim executes it; the Attacker then sends a request for information and the Victim returns the information.
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
23. BO: Protocol Example (3)
[Diagram] The Attacker sends a cleanup command and the evidence on the Victim is destroyed.
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
24. Trojan Horse Examples
• M$ Rootkit
– Integrates with the NT kernel
– Very dangerous
– Virtually undetectable once installed
– Hides from administrator as well as user
– Private TCP/IP stack (LAN only)
25. Trojan Horse Examples
• iSpyNOW
  – Commercial
  – Web-based client
• Assassin Trojan
  – Custom builds may be purchased
  – Custom builds are not found by signature-based virus scanners
  – Firewall circumvention technology
26. Trojan Horse Examples
• Hardware
  – Key loggers
  – More advanced?
• Magic Lantern
  – FBI developed
  – Legal grey area (until recently!)
  – Split the virus-checking world over whether to detect it
27. Demonstration
28. Vulnerable Systems
[Chart] Number of trojans in common use, from relatively safe to dangerous:
• MacOS (relatively safe)
• MacOS X
• Linux/Unix
• WinNT
• Win 9x (dangerous)
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
29. Vulnerable Systems
[Chart] Ease of compromise, from relatively safe to dangerous:
• Linux/Unix (relatively safe)
• MacOS X
• WinNT
• MacOS
• Win 9x (dangerous)
WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
30. Conclusions
31. Security Implications
Short Term
• Divulge personal data
• Backdoors into system
• System corruption
• Disruption / Irritation
• Aids identity theft
• Easy virus distribution
• Increased spam

Long Term
• Mass data collection
• Consequences unknown
• Web becomes unusable
• Web cons outweigh pros
• Cost of preventions
• More development work
• More IP addresses (IPv6)
32. Solutions
Short Term
• Firewall
• Virus Checker
• Spyware Remover
• Frequent OS updates
• Frequent back-up
• Learning problems

Long Term
• Add Spyware to Anti-Virus
• Automatic maintenance
• Legislation
• Education on problems
• Biometric access
• Semantic web (and search)
33. Firewalls
Network / Internet
• 3 types…
  – Packet filtering – examines the attributes of each packet (addresses, ports, flags) in isolation.
  – Application layer – a proxy that terminates the client’s connection and opens its own to the server, so internal hosts are never exposed directly.
  – Stateful inspection – examines both the state and context of the packets, tracking each connection so that only replies to requests made from inside are admitted.
• Regardless of type, a firewall must be configured to work properly.
• Access rules must be defined and entered into the firewall.
34. Firewalls
Network / Internet
[Diagram] Packet filtering: the web server’s firewall is configured to allow only http (tcp 80); telnet (tcp 23) and ftp (tcp 21) packets are dropped.
[Diagram] Stateful inspection: the PC’s firewall records the outgoing request 192.168.0.10:1020 → 202.52.222.10:80, allows only the reply packets 202.52.222.10:80 → 192.168.0.10:1020 for that request back in, and blocks other unregistered traffic.
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
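An added example, not from the seminar, implementing both filters from the diagram in Python with the slide’s addresses (192.168.0.10 is the PC, 202.52.222.10:80 the web server). The attacker address 10.0.0.5, the trojan port 31337 and the set of "inside" hosts are constructed assumptions. It shows why a variable-port trojan slips past a stateless filter that has to admit replies from port 80, but not past a stateful one, and why neither stops a trojan that makes its own outbound connection on port 80.

```python
"""Stateless packet filter vs stateful inspection on the slide's example flow.
Added example, not from the seminar; the attacker host and trojan port are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True for the first packet of a new TCP connection


INSIDE = {"192.168.0.10"}      # the slide's PC; everything else is "the Internet"


def direction(pkt, inside=INSIDE):
    return "out" if pkt.src in inside else "in"


class PacketFilter:
    """Stateless: judges every packet on its own header fields."""

    def allow(self, pkt):
        if direction(pkt) == "out":
            return pkt.dport == 80          # allow only http out
        # Replies come back *from* port 80 and, without state, that is all the
        # filter can key on, so any packet sourced from port 80 is let in.
        return pkt.sport == 80


class StatefulFirewall:
    """Stateful inspection: inbound is admitted only as a reply to a request made out."""

    def __init__(self):
        self.table = set()      # registered flows: (in_ip, in_port, out_ip, out_port)

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if direction(pkt) == "out":
            if pkt.dport != 80:
                return False
            if pkt.syn:
                self.table.add(key)         # register the new request
            return key in self.table
        # Inbound: allowed only if it is the reverse of a registered flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


# Constructed traffic, in order. 10.0.0.5 and port 31337 are assumptions.
SCENARIO = [
    ("PC requests a web page",         Packet("192.168.0.10", 1020, "202.52.222.10", 80, syn=True)),
    ("web server replies",             Packet("202.52.222.10", 80, "192.168.0.10", 1020)),
    ("attacker probes trojan port",    Packet("10.0.0.5", 4444, "192.168.0.10", 31337, syn=True)),
    ("attacker probes from port 80",   Packet("10.0.0.5", 80, "192.168.0.10", 31337, syn=True)),
    ("trojan calls home over port 80", Packet("192.168.0.10", 1021, "10.0.0.5", 80, syn=True)),
]


def run(firewall, packets=SCENARIO):
    """Feed the scenario through one firewall instance; returns (label, allowed) pairs."""
    return [(label, firewall.allow(pkt)) for label, pkt in packets]


if __name__ == "__main__":
    stateless = run(PacketFilter())
    stateful = run(StatefulFirewall())
    for (label, a), (_, b) in zip(stateless, stateful):
        print(f"{label:32s} packet filter: {'allow' if a else 'drop':5s}  stateful: {'allow' if b else 'drop'}")
```

The fourth packet is the interesting one: an attacker who sets the source port to 80 walks through the stateless rule, while the stateful firewall drops it because no inside host ever asked 10.0.0.5 for anything. The last packet passes both, which is the "firewall circumvention" of trojans that connect outwards; stopping that needs egress rules or a host firewall that knows which program is talking, not just which port.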
35. Intrusion Detection Systems
Network
[Diagram] Servers, a switch, the firewall and the IDS on the network path, with a PC behind them.
• Intrusion Detection – a commercial network solution
• Often sold as an “intelligent firewall”, but an IDS monitors accesses for suspicious activity and raises alerts; it does not block traffic itself
• Some systems use neural networks trained by backpropagation on usage data
• Could detect a Trojan Horse attack (e.g. an unexpected inbound connection), but not designed for spyware
• Put the IDS in front of the firewall to get maximum detection: it then also sees the attempts the firewall drops, at the cost of far more alerts
• In a switched network, put the IDS on a mirrored port to get all traffic.
• Ensure all network traffic passes through the IDS host.
Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
36. “System X”
Network / Internet / Standalone
• Composed of…
– Open Source OS
– Mozilla / Opera / Lynx (!) Browser (Not IE)
– Stateful Inspection Firewall
– Anti-Virus Software
– Careful and educated user
– Secure permissions system
– Regularly updated (possibly automatically)