Mike Irwin - PowerPoint PPT Presentation

Provided by: acw6
Slides: 22

Transcript and Presenter's Notes


1
  • Mike Irwin
  • COO
  • Webroot Software

2
Spyware vs. Viruses
  • Harder to Find
    • Research for AV is passive -- a honey pot works
      for finding new viruses
    • Spyware research is active: hunting spyware
  • Harder to Remove
    • A virus signature typically has between 1 and 50
      traces on an infected desktop
    • A spyware signature typically has between 20 and
      over 500 traces on an infected desktop
    • These traces require thousands of removal
      routines to deal with registry entries, watcher
      programs, processes, DLLs, etc.
  • Harder to Keep Up
    • Growth of new spyware variants is accelerating
      faster than viruses
    • 80% of new signatures are variants aimed at
      avoiding detection
    • Increasing distribution points
  • Money feeds the spyware machine
  • Economics vs. Ego

3
Laying Traps vs. Hunting
[Diagram: Honey Pot Method (passive trapping) vs.
Webroot Phileas Bots (proactive malware hunting,
10 URLs every second, 24/7/365)]
4
Spyware Economy
  • Spyware producers display ads and earn ad revenue
  • Spyware producer pays web properties a commission
  • Site owners get paid to install spyware on a
    user's machine
  • Software producers get paid to bundle spyware
    with their software, e.g., Kazaa, freeware
  • Illegal spyware has become more sophisticated
    with targeted attacks
  • Keyloggers and Trojan Horses installed on a few
    machines gain network access or steal IDs, trade
    secrets and credit card numbers
  • Rootkits evade detection at the kernel level of
    the operating system

5
Spyware - Propagation
  • Drive-By Websites
    • Unwittingly surfing to a website with malicious
      code
    • A widely-known example was www.googkle.com (*)
    • Contained up to 49 different malware applications
    • Even systems with the latest OS security patches
      can be infected (zero-day threats)
    • Most users are not current on security patches

(*) Disclaimer: It is not recommended to open
this site, as it may contain malicious code.
6
Spyware - Propagation
  • Peer to Peer Network Search Results
    • Sophisticated new applications propagate on P2P
      networks
    • A user will search for an application or file, and
      an infected peer will detect the search and offer
      a virtually-named or renamed file that is
      actually spyware. When the download is executed,
      the user's system becomes infected
    • Similar forms of P2P-propagating spyware populate
      shared directories with many copies of itself
      under different names that are included in popular
      file searches by other peers

7
Spyware - Propagation
  • Trojan Horses
    • Rogue Anti-Spyware applications
    • Examples: SpyBlast, AntiVirusGold, PSGuard, and
      SpySheriff
    • Some are named to resemble legitimate products.
      Example: Adware Pro or Adware Deluxe, not to be
      confused with Ad-Aware
    • Some claim to find malicious files and offer to
      remove them if you buy a license for the product.
      Most often, these malicious files either do not
      exist or are not actually malicious
    • There are over 200 rogue/suspect anti-spyware
      products on this list

(from http://www.spywarewarrior.com/rogue_anti-spyware.htm)
8
Spyware - Propagation
  • Propagation Techniques
    • Internet browser exploits
      • IFrame and WMF
      • Site redirects and misleading browser pop-ups
      • "Would you like to install this piece of
        software? Click No to continue"
    • Application Piggybacking
      • Multiple-product software bundles (music
        downloading software)
    • Spyware Tagalongs
      • Spyware that installs packages of various
        spyware
      • Will lead to massive infection rates as the
        technique grows in popularity
    • Distribution via social networking sites
      • myspace.com, Second Life, Facebook, etc.

9
Spyware - Advanced Propagation Techniques
  • Encryption Algorithms
    • Encrypted malicious code that thwarts detection
      algorithms
    • There are many publicly available executable
      encryptors/packers: UPX, FSG, PECompact, ASPack,
      Armadillo
    • Proprietary encryption is usually based on public
      or open source algorithms
  • Injection Procedures
    • Basic registry dependency placement (e.g. the
      Winlogon Notify section)
    • Basic DLL injection procedures that overwrite API
      locations and point into malicious code
    • Injecting a thread into a running process

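As an added defender-side example (not Webroot's code and not part of the deck), the checker below walks a PE section table, computes Shannon entropy per section and flags two indicators of the packing the slide describes: section names the listed packers leave behind, and unnamed sections whose entropy is near 8 bits per byte. The section-name set, the 7.0 threshold and the constructed PE32 skeleton used as input are assumptions for the demo.

```python
import math
import struct
from collections import Counter

# Section names that the packers named on the slide (UPX, FSG, ASPack, PECompact) commonly leave behind (assumed set).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"FSG!", b".aspack", b".adata", b"pec1", b"PEC2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Minimal walk of the PE section table, yielding (name, raw_bytes); no third-party pefile needed."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size              # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]

def packer_indicators(image: bytes, threshold: float = 7.0):
    """Return (section, reason, entropy) triples worth a closer look; an empty list means no indicator."""
    findings = []
    for name, data in pe_sections(image):
        ent = round(shannon_entropy(data), 2)
        if name in PACKER_SECTION_NAMES:
            findings.append((name.decode(errors="replace"), "known packer section name", ent))
        elif len(data) >= 256 and ent >= threshold:   # skip tiny sections: entropy is noisy there
            findings.append((name.decode(errors="replace"), "high-entropy section", ent))
    return findings

def build_sample_pe(sections):
    """Constructed, non-executable PE32 skeleton used only to exercise the checker; sections is [(name, bytes)]."""
    opt_size = 224                                # size of a PE32 optional header
    ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)   # raw data starts after all headers
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))        # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    img += b"\0" * opt_size
    for name, data in sections:
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        ptr += len(data)
    return bytes(img) + b"".join(data for _, data in sections)
```

A packer modified to rename its sections defeats the name check, which is why the entropy pass runs as a fallback; either hit is a triage signal, not proof of malice.
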
10
Spyware - Advanced Propagation Techniques
  • Compilation and Coding Techniques
    • Writing system discovery code into spyware
      • Spyware code that acts differently on different
        platforms (easy)
    • Executable sister codependency
      • Executables that depend on another executable
        being present
      • Usually validate other infections (e.g.
        reinstalling each other)
    • Modular Compilation
      • Modular compilation is usually associated with
        polymorphic code
      • Variants are less predictable
      • Extremely difficult to write a detection
        signature

11
How to Hunt Spyware
12
Automated Spyware Research Phileas
  • Challenge
    • Spyware in the wild propagates quickly and is not
      being found fast enough
    • Manual research requires large numbers of hours
  • Approach
    • Proactive research - get infected before users do
    • Automated spyware research and detection
      capability
    • Phileas is named after the character Phileas Fogg,
      the great discoverer from the Jules Verne
      classic, "Around the World in Eighty Days"

13
Phileas - Research Architecture
14
Automated Spyware Research - Phileas
  • Globally spiders Websites for malware
  • Saves exploited Web pages for analysis
  • Checks over 4,000,000 sites per week
  • Finds over 500,000 Websites containing potential
    exploits
  • Found over 8 billion URLs
  • Scanned 250 million
  • Identified almost 5 million with malware, or 2,000
    per day

15
Spyware Exploit Sites by Country
16
Findings
  • Highest infection rates since 2005
  • Spyware detected on 89% of scanned PCs
  • Adware detected on 59% of scanned PCs
  • Trojan horse infection rate increased to 31%,
    up from 29%
  • The United States had the highest average number
    of spies detected, with 34 per scanned PC
  • Ireland: 32.5 detected per scanned PC
  • United Kingdom: 31.7 detected per scanned PC

17
Evolving Spyware Techniques
  • Evolving infiltration and evasion methods
    • Rootkit-like behavior continues to increase
    • Re-emergence of phishing Trojans
    • New phishing Trojans include code updates
      implementing rootkit-like functionality and
      advanced evasion procedures
    • The top threats this quarter displayed the
      continued use of packing and encryption
      algorithms
  • Keyloggers are becoming more aggressive
    • Continue to use kernel-level drivers
    • Use process blocking techniques to actively stop
      anti-spyware programs from running
  • Adware programs have become more aggressive
    • Adopting sophisticated techniques of malicious
      spyware to evade detection and removal
    • Programs continue to download adware programs
      without the user's consent
    • Target toolbars and advertisements, and hijack
      browser settings

18
Top 5 Threats
  • Look2me
    • Executables packed with a proprietary encryption
      algorithm
    • Installs in the Windows system directory, places a
      registry key in the Winlogon Notify section, and
      makes installed components a dependency of a
      system-level process
  • AdminCash
    • Uses disk file injection techniques to install
      itself inside explorer.exe
    • Variants have been seen in the wild with varying
      encryption algorithms
  • CoolWebSearch
    • Modularly compiled: separate modules generate each
      packaged variant, so the possible number of
      variants is unknown
    • Packed with alterations made to UPX file
      encryption
  • Vx2/Nail
    • Vx2/Abetterinternet injects threads into
      explorer.exe and nail.exe
    • Thread injection into system processes can
      reproduce itself with more complicated procedures
    • Uses publicly available and proprietary
      encryption algorithms
  • Elitebar
    • Elitebar utilizes system-wide hooks in order to
      hide its executable
    • Packed with alterations made to UPX file
      encryption

19
Real World Example Trojan-Phisher-Rebery
  • Identity-stealing Trojan
    • Thousands of stolen identities discovered to date
    • Distributed via a malicious exploit through
      www.teens7.com (*)
  • Banking Trojan
    • Activates when the user visits a variety of online
      banking or e-commerce sites
    • Steals data from online forms and takes
      screenshots
    • Allows collection of passwords from sites that
      use anti-phishing technology
    • Stolen data (names, phone numbers, addresses,
      credit card and Social Security numbers, account
      numbers and logins/passwords) was found stored on
      an FTP server
    • When discovered, just over 4,500 computers had
      been breached; two weeks later, the number of
      infected computers had almost doubled to more
      than 8,500

(*) Disclaimer: It is not recommended to open
this site, as it may contain malicious code.
20
Seven Tips for Avoiding Spyware
  • Just say No! to free software
  • Use Mozilla Firefox
  • Always patch your system
  • Avoid questionable sites
  • Be very suspicious of email
  • Use public kiosks with extreme caution
  • Keep anti-virus and anti-spyware technology
    updated
  • BONUS: Use a non-admin account to log in

21
Thank You
Q&A: Mike Irwin, mirwin_at_webroot.com