Spyware Who can it be now - PowerPoint PPT Presentation

Slides: 41
Provided by: austi1

Transcript and Presenter's Notes

1
Spyware: Who can it be now?
  • Curtis Shrote, CISSP

2
Introduction
  • Spyware
  • Formal definition: any technology that is
    instrumented and used to gather information about
    a target without user knowledge and ultimately
    relay that information to interested parties.

3
Introduction
  • Adware
  • Formal definition: any technology that is
    instrumented and used to pull to a target select
    advertisements, in context (targeted) or
    independent of the current site being visited, with
    or without user knowledge.

4
Introduction
  • Spyware
  • Informal definition: any technology that is
    instrumented and installed onto a target whose
    existence the user is not fully aware of, and
    which, if the user were aware, would cause concerns
    with respect to any of the following:
  • Privacy (data loss, aggregation/association,
    etc.)
  • Functionality modification (browser, mail,
    general apps, etc.)
  • Resource utilization (CPU, disk, internet, etc.)
  • (as implicitly defined by the functionality that
    the anti-spyware industry supplies)

5
Introduction
  • What questions will be answered:
  • What is and is not spyware?
  • What are the implications of spyware?
  • How is spyware delivered?
  • How can spyware be stopped?
  • A checklist
  • What are example tools that are spyware?
  • What are example tools that can detect spyware?

6
Introduction
  • Survey said
  • How many are concerned about spyware?
  • How many are tasked with its detection and
    prevention? Haz-ware team member?
  • How many have been personally affected?
  • Keyloggers?
  • Adware?
  • Cookie theft? (Symptom: passwords stored
    incorrectly in cookies get stolen, resulting in
    online account tampering)

7
Agenda
  • Implications
  • Spyware media events
  • Spyware by the numbers
  • Vocabulary
  • Legalities
  • Detecting infection
  • Stopping/Preventing infection
  • Review a chronology of infection
  • Demonstration of spyware elimination

8
Implications
  • Theft of usernames/passwords
  • Theft of corporate secrets
  • Regulatory infractions
  • Lost network bandwidth
  • Help desk overhead
  • Damaged files
  • Vague complaints
  • OS instability/rebuilds
  • Restoration from backups
  • Lost worker productivity
  • Grid computing impacted

9
Possible Additional Outcomes
  • Modified DNS server address
  • Surfing becomes a jumbled mess
  • Words on web pages converted to links

10
Spyware Media Events
  • Double Click
  • Servers that track user from site to site
  • www.privacychoices.org/optout.htm
  • Double Click clones
  • Avenue A
  • Hitbox
  • Some search engine providers

11
Spyware Media Events
  • Gator
  • Implant software to monitor any site visited
  • Individual numeric IDs
  • eWallet
  • Remembers passwords
  • Auto fill online forms
  • Custom ads based on your surfing habits
  • 100 million downloads (WSJ August 2003)
  • 35 million active

12
Spyware Sadistics
  • PestPatrol:
  • 78,000 spyware programs
  • Last year:
  • 500 new Trojans
  • 500 new keyloggers
  • 1,287 new adware apps
  • 40 burrowers
  • Webroot Software:
  • 80% of PCs infected (does not include cookies)

13
Vocabulary
  • Stealware: a mechanism which credits another web
    site for an ad visitation that resulted in a
    purchase
  • Web bug: email/browser-delivered data that can
    be used to track recipients
  • Snoopware: see spyware
  • Pestware: see adware
  • Drive-by download: the act of getting infected
    via visiting a site or opening email
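Worked example (added here; it is not part of the presentation): the "web bug" entry above describes an image whose only job is to report that a recipient opened a message. The script below scans an HTML e-mail body for the usual tells: an <img> that is 1x1 or hidden, fetched from a host other than the sender's own, and carrying an opaque per-recipient token in its URL. The sample message and the first-party host list are constructed for this example.

```python
"""Flag likely web bugs (tracking pixels) in an HTML e-mail body."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hosts the message legitimately comes from; an assumption for this example.
FIRST_PARTY_HOSTS = {"example.com", "www.example.com"}


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _pixels(value):
    """Turn a width/height attribute such as '1', '1px' or '' into an int (or None)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


def tracking_signals(img, first_party=FIRST_PARTY_HOSTS):
    """Return the list of reasons this <img> looks like a web bug (empty if none)."""
    reasons = []
    url = urlparse(img.get("src", ""))
    width, height = _pixels(img.get("width", "")), _pixels(img.get("height", ""))

    # Signal 1: the image is too small to be meant for human eyes.
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("1x1 or smaller")

    # Signal 2: the image is hidden by inline CSS.
    style = img.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")

    # Signal 3: it is fetched from a host other than the sender's own.
    host = (url.hostname or "").lower()
    if url.scheme in ("http", "https") and host and host not in first_party:
        reasons.append("third-party host " + host)

    # Signal 4: the URL carries an opaque per-recipient token (long, with digits).
    for key, values in parse_qs(url.query).items():
        if any(len(v) >= 16 and any(c.isdigit() for c in v) for v in values):
            reasons.append("opaque token in parameter " + key)
    return reasons


def find_web_bugs(html, first_party=FIRST_PARTY_HOSTS):
    """Return [(src, reasons)] for images showing at least two tracking signals."""
    collector = ImgCollector()
    collector.feed(html)
    hits = []
    for img in collector.images:
        reasons = tracking_signals(img, first_party)
        # One signal alone (e.g. a third-party logo) is normal; require two.
        if len(reasons) >= 2:
            hits.append((img.get("src", ""), reasons))
    return hits


# Constructed sample message for this example (not a real e-mail).
SAMPLE_EMAIL = """<html><body>
<img src="https://www.example.com/logo.png" width="200" height="60" alt="logo">
<p>Your order has shipped.</p>
<img src="http://track.adnet.example/open.gif?uid=a1b2c3d4e5f60718&amp;cid=42"
     width="1" height="1">
<img src="https://www.example.com/pixel.gif?r=9f8e7d6c5b4a3f2e1d0c" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

The two-signal threshold is the practical knob: a third-party image by itself is just a hosted logo, and a tiny image by itself is often a layout spacer, but the combination with a unique token in the URL is what lets the sender tie the fetch to one recipient.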

14
Vocabulary
  • Burrower: an application that embeds itself into
    the OS
  • Tickler: mini-programs that reinstall deleted
    files
  • Immortalware: see burrower and tickler

15
Legalities
  • Adware is typically packaged with another useful
    tool.
  • End User License Agreements typically mention the
    existence/bundling of data collection or THIRD
    PARTY SOFTWARE utilities.
  • Keeps them legal
  • Who really reads all the details of a 15-page
    EULA?
  • Argument for independent EULA per utility

16
Examples of Tools Bearing Adware
  • Kazaa
  • iMesh
  • BearShare (paid version spyware-free)
  • LimeWire (paid version spyware-free)
  • Grokster
  • Morpheus

17
Examples of Adware/Spyware
  • Gator - eWallet and more
  • i.e. free software exchanged for data gathering
  • Comet Cursor
  • Web3000
  • SaveNow - popups; saves country/zip codes
  • DelFin - advertisements
  • MediaLoads - advertisements
  • b3d Projector - richer/more dynamic popups
  • New.net - directs users to sponsor web sites
  • Cydoor (cd_clint.dll, cd_htm.dll) - adware
    enhancement

18
Examples of Adware/Spyware
  • Trojans (SubSeven, Back Orifice, BoSniffer, etc.)
  • Trojan/Adware
  • CoolWebSearch
  • Autodialer, adware, autoupdates, etc.
  • Save your family packages
  • eBlaster, Spector Pro
  • Keyloggers
  • Web trackers
  • But wait, there's more! http://www.spywareguide.com

19
Detecting Infection: Getting a Clue the Manual Way
  • Is your personal firewall asking about granting
    internet permissions to processes that you've
    never heard of before?
  • Is your computer sluggish?
  • Is your internet connection light transmitting
    even when your browser and mail are down?
  • Have you experienced changes in browser
    functionality?
  • Is the last web site you visited not the current
    one being displayed?
  • Have new unexplainable icons appeared on your
    desktop? (Turbodownload et al.)

20
Detecting Infection: Getting a Clue the Manual Way
  • Are you periodically changing program settings
    back to your defaults?
  • Personal firewall
  • Personal browser defaults
  • Did your spyware detector get disabled?
    (RadLight v3.03)
  • Did you see an application or shell start up and
    then disappear?

21
Detecting Infection: Getting a Clue the Manual Way
  • Has the audible pattern of your computer's hard
    drive changed?
  • Is your computer's hard drive stuffed?
  • Are there any physical changes to your computer's
    external cabling?
  • Does your screen periodically flicker as if a
    camera shutter has opened and closed?
  • Has someone been hanging around your computer
    more?
  • Is Windows providing new End Task boxes at
    shutdown?

22
Detecting Infection: Getting a Clue the Manual Way
  • Are there new processes in the process list that
    you can't recognize?
  • Advanced Startup Cop
  • Los Angeles Free-Net
  • www.lafn.org/webconnect/mentor/startup/PENINDEX.htm
  • Black Viper
  • www.blackviper.com
  • Are there new programs installed on the machine?
  • Installation monitors can detect these
  • Is your memory consumption up, but you can't
    explain why via current additional application
    usage?

23
Detecting Infection: Getting a Clue the Manual Way
  • Have the browser favorites been modified?

24
Stopping Spyware
  • Open-source processes tend to make the concealment
    of spyware, adware, and secret phone-home
    functions next to impossible.
  • Libpcap backdoor: 2 days until eradication
  • Keep systems updated

25
Stopping Spyware: The Draconian Way
  • Consider Restricted User settings. Painful for
    the user in some cases, but:
  • Can't write the registry
  • Limited ability to load new software
  • The soft/juicy software core is protected

26
Preventing Spyware
  • Use tools other than Internet Explorer or Outlook
  • But secure them anyway
  • They are the #1 target
  • Disable cookies
  • Delete cookies or limit their lifetime
  • Disable JavaScript for mail and news
  • Disable ActiveX
  • Step-by-step procedures for many browsers:
    http://www.geocities.com/yosponge/browser.html

27
Preventing Spyware
  • Install a personal firewall
  • With executable blocking to aid in detection
  • Install anti-virus
  • Install spyware detection
  • Read EULAs to completion
  • Learn to say no, particularly to untrusted sites
  • Don't download that tracking cookie
  • Don't download that ActiveX plug-in
  • Don't enable JavaScript
  • Don't let an unfamiliar executable have access to
    the network

28
A Simple Experiment
  • The Victim Machine
  • Dell Latitude CS 400XT
  • Windows 2000 SP4
  • Internet Explorer 5.00.3700.1000 SP4 (default
    configuration)
  • Mozilla Firefox version 0.8 (default
    configuration)
  • The Defenders
  • Spybot Search & Destroy 1.2
  • Ad-Aware 6.0 (free version), reference file 01R217
    08.09.2003
  • ZoneAlarm (free version) 4.5.530.000

29
A Simple Experiment
  • Alternate between Firefox and IE as each site is
    visited and say yes to everything
  • Initial scan: 3 (number of detections the spyware
    scanners reported, from a baseline of 0)
  • Microsoft Media Player registry keys
  • Internet Explorer serial number
  • Toured some popular sites:
  • Yahoo, tomshardware, zipzoomfly, amazon, walmart,
    zdnet

30
A Simple Experiment
  • Zdnet downloads (randomly selected from personal
    interest)
  • WW2 War Birds screen saver
  • AquaticaWaterWorlds screen saver
  • Cisco CCNA Certification exam Sim 5.2
  • Windows Registry Guide 2003
  • An Intro to TCP/IP Programming
  • Network Admin Skills Assessment network skills
    test

31
A Simple Experiment
  • Download.com (personally caused infection)
  • Molecular Bonds 1.0 - adware documented in EULA
    (running total: 10 detections)
  • Arcade Classic Arcade Pack 2.0
  • keyloggerLite (running total: 12)
  • elfBowl 3 (running total: 21 detections)

32
A Simple Experiment
  • Day 2
  • Scan after reboot: 40 detections
  • ZoneAlarm - NHUpdater.exe heads for the web
  • IE startup - starting address has been hijacked
    to start.free-windows-games.com
  • ZoneAlarm - Wupdater.exe heads for the net
  • ZoneAlarm - Tipb.exe heads for the net via port
    1105

33
A Simple Experiment
  • www.msn.com (running total: 43)
  • Clicked on a Starsky & Hutch advertisement
  • Popup from free-windows-games advertising a
    really cool haunted house screen saver, so I
    downloaded it (but didn't install it; maybe
    later)
  • www.thesmokinggun.com
  • More, More, More, I'm still not satisfied

34
A Simple Experiment
  • Astalavista.box.sk (a hacker-oriented site)
  • Mozilla is silent about any extras - page displays
    fine
  • IE popup declaring a plug-in is needed to see the
    site. OK or Cancel? (drive-by download in
    progress)
  • But of COURSE, YES (running total: 58)
  • ZoneAlarm - MFC application iefeaturesversion.exe
    heads for the net
  • ZoneAlarm - stcloader.exe heads for the net
  • ZoneAlarm - Edow.exe heads for the net
  • ZoneAlarm - ClrSchP070.exe heads for the net

35
A Simple Experiment
  • Another plug-in install request from IE: YES
  • ZoneAlarm - Thinstaller Client bd14108.exe heads
    for the net
  • ZoneAlarm - SQ_3394_3222.exe heads for the net
  • ZoneAlarm - iefeatureversion.exe heads for the
    net
  • ZoneAlarm - WinTools.exe heads for the net
  • ZoneAlarm - tb_setup.exe heads for the net
    (running total: 76)
  • ZoneAlarm - iefeatureversion.exe heads for the
    net
  • ZoneAlarm - bi_probe.exe heads for the net

36
A Simple Experiment
  • Your IE has been updated with the latest search
    toolbar from web search. Keep it? YES!
  • ZoneAlarm - ad.exe heads for the net
  • ZoneAlarm - ieExploreSkins.exe heads for the net
    (running total: 99)
  • Game Over - until I thirst for more

37
End Result
  • Multiple extra processes running that request
    access to the internet every 5-10 minutes
  • My CPU fan kicked in every 5-10 minutes as these
    hungry processes did their thing
  • My IE is no longer visually the same even after
    the anti-spyware tools purged the spyware; the
    spyware processes are gone, but it looks like a
    call to the help desk to fix IE
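Worked example (added here; not from the presentation): the "requests access to the internet every 5-10 minutes" symptom shows up in a personal-firewall log as a process that connects out at a steady interval, whereas a human driving a browser produces irregular gaps. The script below parses a constructed outbound-connection log (a generic layout made up for this example, not ZoneAlarm's actual file format), reports images that are not on an allow list, and flags any image whose connection gaps are regular enough to look timer-driven. The executable names and addresses are constructed to echo the alerts on the preceding slides.

```python
"""Spot phone-home behaviour in a personal-firewall log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed log in a generic "date time direction image dst:port" layout;
# this is NOT ZoneAlarm's real log format. Addresses are documentation ranges.
SAMPLE_LOG = """\
2004-03-02 09:00:05 OUT iexplore.exe 198.51.100.20:80
2004-03-02 09:02:11 OUT NHUpdater.exe 203.0.113.10:80
2004-03-02 09:03:40 OUT iexplore.exe 198.51.100.21:80
2004-03-02 09:08:12 OUT NHUpdater.exe 203.0.113.10:80
2004-03-02 09:09:01 OUT Tipb.exe 203.0.113.44:1105
2004-03-02 09:10:30 IN svchost.exe 192.0.2.77:137
2004-03-02 09:14:10 OUT NHUpdater.exe 203.0.113.10:80
2004-03-02 09:15:30 OUT iexplore.exe 198.51.100.22:80
2004-03-02 09:20:13 OUT NHUpdater.exe 203.0.113.10:80
2004-03-02 09:26:09 OUT NHUpdater.exe 203.0.113.10:80
2004-03-02 09:31:22 OUT iexplore.exe 198.51.100.23:80
2004-03-02 09:32:11 OUT NHUpdater.exe 203.0.113.10:80
"""


def parse_log(text):
    """Parse the sample layout into (timestamp, image, dst, port) tuples, OUT only."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "OUT":
            continue  # skip blanks, inbound events and malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        dst, port = parts[4].rsplit(":", 1)
        events.append((ts, parts[3].lower(), dst, int(port)))
    return events


def unknown_talkers(events, allowlist):
    """Images that reached for the network but are not on the allow list."""
    allowed = {a.lower() for a in allowlist}
    return {image for _, image, _, _ in events if image not in allowed}


def find_beacons(events, min_hits=4, max_jitter=0.25):
    """Images that connect out at a steady interval.

    jitter = (longest gap - shortest gap) / median gap. A person clicking
    around produces large jitter; a timer-driven updater produces very little.
    """
    by_image = defaultdict(list)
    for ts, image, _, _ in events:
        by_image[image].append(ts)

    beacons = {}
    for image, stamps in by_image.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = (max(gaps) - min(gaps)) / med
        if jitter <= max_jitter:
            beacons[image] = {"hits": len(stamps), "median_interval": med,
                              "jitter": jitter}
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("not on allow list:", sorted(unknown_talkers(evts, ["iexplore.exe"])))
    for image, info in find_beacons(evts).items():
        print(f"{image}: {info['hits']} hits, every {info['median_interval']:.0f}s "
              f"(jitter {info['jitter']:.2f})")
```

The allow-list check catches the first symptom on the slide (unfamiliar executables asking for the network); the interval check catches the second (the same executable asking again and again on a clock), which matters because an updater that only phones home once is far less interesting than one that polls every six minutes.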

38
Where to Get More Information
  • SANS GSEC Practical - Defending Against Spyware
    Invasion, Brian J. Smith
  • Your PC is under attack, Evan Hansen and John
    Borland, http://zdnet.com.com/2100-1105-938652.html
  • http://www.spychecker.com/software/antispy.html
  • http://www.pcmag.com/article2/0,4149,981708,00.asp
  • http://www.pchell.com/support/spyware.shtml
  • http://www.spywareguide.com

39
Where to Get More Information
  • http://www.pcmag.com
  • http://www.scumware.com
  • http://www.simplythebest.net/info/spyware.html
  • http://www.spyware.co.uk

40
Where to Get Free Tools
  • Ad-Aware 6.0: http://www.lavasoftusa.com
  • OptOut: http://grc.com/optout.htm (no longer
    available)
  • Spybot S&D 1.2: http://www.spybot.eon.net.au
  • http://www.spywareguide.com - spyware interceptor
    (block list)