19th EICAR Annual Conference - Paris
Typhoid Adware
Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, Mea Wang
University of Calgary - Alberta - Canada
May 11th, 2010

[Slide 2] Introducing Typhoid Mary
Mary Mallon (1869-1938), a cook in New York.
- In 1907 she was diagnosed as a carrier of typhoid fever.
- As she had no symptoms, she refused to be tested, did not accept treatment and continued working.
- She infected tens of people; some died from the disease.
- She was forced into quarantine for the rest of her days.

[Slide 3] But... how are computers related to this? And did you mention adware?

[Slides 4-7] In an Internet cafe (diagram)
- Slide 4: the cafe LAN. Network admin?
- Slide 6: ARP spoofing
- Slide 7: "BUY IT!" - text and/or video modification

[Slide 8] Some remarks
- There has not been much work/research on adware.
- We target video streaming websites because of their popularity.
- The carrier shows no sign of infection, and the victims (its neighbours) have no visible clue that the advertisement comes from an illegitimate source.
- The carrier may not be interested in removing the bundled adware, since it notices none of its effects.
- Focusing on adware, we provide a scenario in which no artefact is left on the victim's machine.

[Slide 9] Implementing Typhoid Adware: first, some background...

[Slide 10] Background: ARP Spoofing (DHCP first)
Alice's laptop boots without an address ("Help! I don't have an IP!!!"), broadcasts a DHCP Discover, and the cafe server answers with a DHCP Offer ("I can help you... get this one!").

  Name          MAC                IP           Gateway
  CAFE_SERVER   01:CA:FE:CA:FE:01  192.168.0.1  (fixed)
  ALICE_LAPTOP  01:41:4C:49:43:45  192.168.0.2  192.168.0.1

ARP caches after the exchange:
  CAFE_SERVER:  192.168.0.2 -> 01:41:4C:49:43:45
  ALICE_LAPTOP: 192.168.0.1 -> 01:CA:FE:CA:FE:01

Disclaimer: this is a simplified description; the DHCP protocol requires some other steps.
[Slide 11] Background: ARP Spoofing
Alice asks "Who has 192.168.0.1?" (ARP Request) and the server answers "Hey! It's me!" (ARP Reply). Carol's laptop does the same.

  Name          MAC                IP           Gateway
  CAFE_SERVER   01:CA:FE:CA:FE:01  192.168.0.1  (fixed)
  ALICE_LAPTOP  01:41:4C:49:43:45  192.168.0.2  192.168.0.1
  CAROL_LAPTOP  02:43:41:52:4F:4C  192.168.0.3  192.168.0.1

ARP caches:
  CAFE_SERVER:  192.168.0.2 -> 01:41:4C:49:43:45, 192.168.0.3 -> 02:43:41:52:4F:4C
  ALICE_LAPTOP: 192.168.0.1 -> 01:CA:FE:CA:FE:01
  CAROL_LAPTOP: 192.168.0.1 -> 01:CA:FE:CA:FE:01

[Slides 12-13] Background: ARP Spoofing
EVIL_LAPTOP (MAC 03:45:56:49:4C:20, IP 192.168.0.4, gateway 192.168.0.1) sends unsolicited ARP Replies: to Alice and Carol it claims to be 192.168.0.1, and to the server it claims to be 192.168.0.2 and 192.168.0.3. Nobody asked, but the caches accept the replies, and every entry now points at EVIL_LAPTOP, which sits between both victims and the gateway:

  CAFE_SERVER:  192.168.0.2 -> 03:45:56:49:4C:20 (was 01:41:4C:49:43:45), 192.168.0.3 -> 03:45:56:49:4C:20 (was 02:43:41:52:4F:4C)
  ALICE_LAPTOP: 192.168.0.1 -> 03:45:56:49:4C:20 (was 01:CA:FE:CA:FE:01)
  CAROL_LAPTOP: 192.168.0.1 -> 03:45:56:49:4C:20 (was 01:CA:FE:CA:FE:01)

[Slide 14] Implementing Typhoid Adware
Proof-of-concept implementation using open source software:
- arpspoof (dsniff)
- Netfilter/iptables
- Tiny Proxy (written in Python)
- FFmpeg
Attack steps:
1) Choose the target.
2) Intercept its connections (ARP spoofing).
3) Redirect them to a local program (the proxy).
4) Modify the content:
   - web pages
   - video files (cached)
   - streaming video
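The web-page branch of step 4, as an added example in Python (not the authors' proxy code): the proxy caches the whole response, undoes the origin's Content-Encoding, rewrites the HTML (a string substitution and a script injection), compresses it again and corrects Content-Length before sending. The header names are the real HTTP ones; the sample page, its headers and the ad URL http://ads.example/ad.js are constructed for the demo.

```python
import gzip
import zlib

def decode_body(body, encoding):
    """Uncompress: undo the Content-Encoding the origin server applied."""
    enc = (encoding or "identity").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompress(body)        # zlib-wrapped, as the RFC intends
        except zlib.error:
            return zlib.decompress(body, -15)   # raw DEFLATE, which some servers send instead
    if enc == "identity":
        return body
    raise ValueError("unsupported Content-Encoding: " + enc)

def encode_body(body, encoding):
    """Compress: re-apply the same encoding, so the client gets what it negotiated."""
    enc = (encoding or "identity").lower()
    if enc == "gzip":
        return gzip.compress(body)
    if enc == "deflate":
        return zlib.compress(body)
    return body

def rewrite_html(html, substitutions=(), injection=b""):
    """Modify: plain string substitution plus a snippet inserted before </body>
    (appended at the end if the page has no closing body tag)."""
    for old, new in substitutions:
        html = html.replace(old, new)
    if injection:
        idx = html.lower().rfind(b"</body>")
        html = html[:idx] + injection + html[idx:] if idx >= 0 else html + injection
    return html

def rewrite_response(headers, body, substitutions=(), injection=b""):
    """Cache -> uncompress -> modify -> compress -> send, over a fully cached response.
    Non-HTML bodies pass through untouched. Because the proxy sends the cached body
    in one piece, any chunked framing from the origin is dropped and Content-Length
    is set to the new size (the compressed size changes once the page is edited)."""
    if "text/html" not in headers.get("Content-Type", "").lower():
        return headers, body
    encoding = headers.get("Content-Encoding")
    plain = decode_body(body, encoding)
    plain = rewrite_html(plain, substitutions, injection)
    out = encode_body(plain, encoding)
    new_headers = {k: v for k, v in headers.items() if k.lower() != "transfer-encoding"}
    new_headers["Content-Length"] = str(len(out))
    return new_headers, out

def demo():
    """Constructed sample, not captured traffic: a gzip-compressed page as an origin would send it."""
    page = b"<html><body><h1>Video</h1><p>Watch now</p></body></html>"
    body = gzip.compress(page)
    headers = {"Content-Type": "text/html; charset=utf-8",
               "Content-Encoding": "gzip",
               "Content-Length": str(len(body))}
    return rewrite_response(headers, body,
                            substitutions=[(b"Watch now", b"BUY IT!")],
                            injection=b'<script src="http://ads.example/ad.js"></script>')

if __name__ == "__main__":
    h, b = demo()
    print(h["Content-Length"], decode_body(b, h["Content-Encoding"]))
```

The Content-Type check matters in practice: applying the text substitution to images or video bodies corrupts them, and a mismatched Content-Length on the edited page makes the browser wait for bytes that never arrive.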
[Slide 15] Modifying web pages
Web pages are text files, so content modification is trivial and allows:
- string substitution
- inserting HTML code
- inserting JavaScript code
Some sites compress pages before sending them, so the proxy basically follows these steps:
1) Cache the response
2) Uncompress
3) Modify
4) Compress again
5) Send it to the client

[Slide 16] Modifying video: and, again, we need a little bit of background info...

[Slide 17] FLV in a glance (Flash Video format)
Header: the signature bytes "F", "L", "V", a flags byte, and the header length.
Body: a sequence of FLV tags, each preceded by the length of the previous tag, and each made of a tag header plus data.
Tag header: the type of data (audio, video or script), its size and a timestamp. Some video frames are "keyframes".

[Slide 18] Modifying video
Goal: insert text and/or a picture into a video as an advertisement.
Tools: FFmpeg with libx264 (H.264 codec), libmp3lame, libfaac and vhook (deprecated and then removed from later versions of FFmpeg).
First implementation, "cache and modify": cache the whole file, then modify the entire video at once.
- We have precise information about the modified version before sending it.
- Long videos take time to cache, i.e. a big delay that is easily noticeable; the user might simply give up waiting.
- Interesting fact: embedding pictures is faster than embedding text.

[Slide 19] Modifying video "on-the-fly"
Challenges:
- The packets received by the proxy are sometimes not complete FLV tags.
- Not every video tag can be modified. Modification must be done in "blocks", each starting at a keyframe.
Solution: cache and parse.
- The cache has no fixed size; it is an estimate that depends on how many keyframes it will cover. The last keyframe and the tags after it are left in a buffer for further processing.
- The "Content-Length" HTTP header must be given beforehand. If it is smaller than the content actually sent, the player "freezes", but we cannot precisely estimate the final size of the modified video.
Solution: the browser does not check whether "Content-Length" is bigger than the number of bytes actually sent.
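The two challenges on slide 19 in code, as an added example in Python (not the deck's proxy): an incremental FLV tag parser that tolerates network chunks cutting through a tag, and the "cache and parse" buffer that releases tags in blocks starting at a keyframe, holding back the last keyframe and whatever follows it until the next keyframe arrives. The byte layout (9-byte header, 4-byte PreviousTagSize, 11-byte tag header, keyframe = value 1 in the high nibble of the first video-data byte) follows the FLV format; the sample stream is constructed here, not a YouTube file, and the block sizes are chosen to be small. Where a released block would be handed to FFmpeg, this code just re-serializes it. The Content-Length problem is an HTTP-layer matter and is not touched here.

```python
import struct

FLV_HEADER_LEN = 9      # "FLV", version, type flags, DataOffset (UI32)
PREV_TAG_SIZE_LEN = 4   # UI32 PreviousTagSize after the header and after every tag
TAG_HEADER_LEN = 11     # TagType(1) DataSize(3) Timestamp(3) TimestampExtended(1) StreamID(3)
TAG_AUDIO, TAG_VIDEO, TAG_SCRIPT = 8, 9, 18
FRAME_KEY = 1           # frame type in the high nibble of the first byte of video data

def flv_header(has_audio=True, has_video=True):
    flags = (0x04 if has_audio else 0) | (0x01 if has_video else 0)
    return b"FLV\x01" + bytes([flags]) + struct.pack(">I", FLV_HEADER_LEN) + b"\x00" * 4

def encode_tag(tag_type, timestamp, data):
    """One FLV tag followed by its PreviousTagSize field."""
    hdr = (bytes([tag_type]) + len(data).to_bytes(3, "big")
           + (timestamp & 0xFFFFFF).to_bytes(3, "big") + bytes([(timestamp >> 24) & 0xFF])
           + b"\x00\x00\x00")
    return hdr + data + struct.pack(">I", TAG_HEADER_LEN + len(data))

def serialize(block):
    """Bytes the proxy would send for a block (after FFmpeg has worked on it)."""
    return b"".join(encode_tag(t["type"], t["timestamp"], t["data"]) for t in block)

class FlvStreamParser:
    """Takes network chunks that need not align with tag boundaries and returns only
    the tags that are complete so far; a partial tag stays buffered for the next chunk."""
    def __init__(self):
        self.buf, self.header_done = b"", False

    def feed(self, chunk):
        self.buf += chunk
        tags = []
        if not self.header_done:
            if len(self.buf) < FLV_HEADER_LEN:
                return tags
            if self.buf[:3] != b"FLV":
                raise ValueError("not an FLV stream")
            data_offset = struct.unpack(">I", self.buf[5:9])[0]
            if len(self.buf) < data_offset + PREV_TAG_SIZE_LEN:
                return tags
            self.buf = self.buf[data_offset + PREV_TAG_SIZE_LEN:]   # header + PreviousTagSize0
            self.header_done = True
        while len(self.buf) >= TAG_HEADER_LEN:
            tag_type = self.buf[0]
            data_size = int.from_bytes(self.buf[1:4], "big")
            total = TAG_HEADER_LEN + data_size + PREV_TAG_SIZE_LEN
            if len(self.buf) < total:
                break                                   # incomplete tag: wait for more bytes
            ts = int.from_bytes(self.buf[4:7], "big") | (self.buf[7] << 24)
            data = self.buf[TAG_HEADER_LEN:TAG_HEADER_LEN + data_size]
            keyframe = tag_type == TAG_VIDEO and data_size > 0 and (data[0] >> 4) == FRAME_KEY
            tags.append({"type": tag_type, "timestamp": ts, "keyframe": keyframe, "data": data})
            self.buf = self.buf[total:]
        return tags

class KeyframeBlocker:
    """'Cache and parse': tags accumulate until a keyframe arrives AND at least
    cache_size bytes are held; only then is the accumulated block released. The
    new keyframe starts the next block, so every block after the first one begins
    at a keyframe (the first may begin with the script/metadata tag)."""
    def __init__(self, cache_size=64 * 1024):
        self.cache_size = cache_size
        self.pending, self.pending_bytes = [], 0

    def push(self, tag):
        released = []
        if tag["keyframe"] and self.pending and self.pending_bytes >= self.cache_size:
            released.append(self.pending)
            self.pending, self.pending_bytes = [], 0
        self.pending.append(tag)
        self.pending_bytes += TAG_HEADER_LEN + len(tag["data"]) + PREV_TAG_SIZE_LEN
        return released

    def flush(self):
        """End of stream: whatever is still buffered goes out as the final block."""
        last, self.pending, self.pending_bytes = self.pending, [], 0
        return [last] if last else []

def stream_blocks(flv_bytes, chunk_size, cache_size):
    """Drive parser and blocker over flv_bytes delivered chunk_size bytes at a time."""
    parser, blocker, blocks = FlvStreamParser(), KeyframeBlocker(cache_size), []
    for off in range(0, len(flv_bytes), chunk_size):
        for tag in parser.feed(flv_bytes[off:off + chunk_size]):
            blocks.extend(blocker.push(tag))
    blocks.extend(blocker.flush())
    return blocks

def sample_stream():
    """Constructed input: a script tag, then 8 video tags whose first byte carries the
    frame type (1 = keyframe, 2 = inter frame) and codec id 7; payloads are dummies."""
    key, inter = bytes([0x17]) + b"K" * 19, bytes([0x27]) + b"I" * 19
    frames = [key, inter, inter, inter, key, inter, inter, key]
    out = flv_header() + encode_tag(TAG_SCRIPT, 0, b"onMetaData")
    for i, frame in enumerate(frames):
        out += encode_tag(TAG_VIDEO, 40 * i, frame)
    return out
```

With 7-byte chunks and a 60-byte cache the sample yields three blocks (5, 3 and 1 tags): the first is released when the second keyframe arrives, the second when the third does, and the last keyframe sits in the buffer until flush, exactly the "last keyframe and subsequent tags are left in a buffer" behaviour of slide 19. Re-serializing all blocks reproduces the input byte for byte, which is the property the proxy needs when a block is passed through unmodified.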
Since over-reporting Content-Length is harmless to the player: let's triple it!

[Slide 20] Does this really work? What about performance on both sides (infected and victim)?

[Slide 21] Experimental setup
- Typhoid adware using "on-the-fly" video streaming modification: the most difficult and compute-intensive implementation.
- Two laptops running Linux (required only for our Typhoid Adware implementation).
- Wired (10/100 Mbps Ethernet hub) and wireless (802.11g; 100 Mbps Ethernet) networks.
- Video streaming from YouTube (embedded Flash player).
- Direct connection, proxy-only, and modification with different cache sizes.

[Slides 22-24] Results
- Processing time and latency: the time to send the video can double, depending on the chosen cache size; however, the latency is not really noticeable even in the worst case.
- File size: depending on the codecs used, the file size increases by 6-130%, but for short videos (the majority on YouTube) that is not a problem.
- Glitches versus cache size: a small cache speeds up the process but introduces noticeable glitches in the video. A good balance is a 64 KB cache (around 5 seconds of video).

[Slide 25] OK... it does work. So, how can I protect myself?

[Slides 26-27] Mitigation
Why should I bother about this? Adware is usually considered to be in a "gray area". Is the same true for Typhoid Adware?
Notice that the installation of "normal" adware is up to the user, and they are (supposedly) aware that advertisements will pop up once in a while. Not in this scenario.
Against video content modification:
- Encryption (e.g. using HTTPS)
- A checksum list; drawbacks: performance, and changes on both client and server
- A signed checksum list

[Slide 28] Mitigation: ARP spoofing, from the admin's side to the user's side
- ARP spoofing detection: an interesting feature for anti-malware products
- Static IP-to-MAC mapping (Internet cafe setting)
- Parsing DHCP messages: fix the gateway once the interface is up

[Slide 29] Related work
M. Kershaw. Wireless security isn't dead, attacking clients with MSF. Black Hat DC, 2010.
E. Lin, D. M. N. de Castro, M. Wang, and J. Aycock. SPoIM: A Close Look at Pollution Attacks in P2P Live Streaming. IEEE International Workshop on Quality of Service, 2010, to appear.

[Slide 30] Conclusions
- We have presented Typhoid Adware, a new approach to spreading advertisements.
- It was implemented using well-known techniques (ARP spoofing and proxies), but other approaches can also be used (including on other types of network).
- Even the most overhead-intensive case lets the victim receive the content in reasonable time.
- We also presented some approaches to mitigation.
- Typhoid adware is a viable threat, especially in poorly monitored environments.

[Slide 31] Thanks / Merci / Obrigado. Any questions?
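An added example in Python, not the authors' tooling, that replays the cache poisoning of slides 11-13 with the deck's own addresses and then applies two of slide 28's user-side mitigations on Alice's laptop: a static gateway entry pinned from the DHCP offer, and an alert whenever an ARP reply changes an existing IP-to-MAC binding (the detection an anti-malware product could add). The Host class is a toy model of an ARP cache that, like a classic stack, accepts unsolicited replies; it is not a real network stack. The assumption that the DHCP server is also the gateway (true for CAFE_SERVER in the cafe scenario) is spelled out in the code.

```python
GATEWAY_IP = "192.168.0.1"

class Host:
    """LAN node with an ARP cache (ip -> mac). Entries in `pinned` are static:
    replies contradicting them are logged and ignored (slide 28: static mapping)."""
    def __init__(self, name, ip, mac, pinned=None):
        self.name, self.ip, self.mac = name, ip, mac.lower()
        self.pinned = {k: v.lower() for k, v in (pinned or {}).items()}
        self.cache = dict(self.pinned)
        self.alerts = []

    def on_arp_reply(self, sender_ip, sender_mac):
        """What an unprotected stack does with any ARP reply, asked for or not:
        overwrite the cache. The two checks are the added detection/pinning."""
        mac = sender_mac.lower()
        if sender_ip in self.pinned:
            if mac != self.pinned[sender_ip]:
                self.alerts.append(f"{self.name}: reply for pinned {sender_ip} from {mac} ignored")
            return
        old = self.cache.get(sender_ip)
        if old is not None and old != mac:
            self.alerts.append(f"{self.name}: {sender_ip} moved from {old} to {mac}")
        self.cache[sender_ip] = mac

    def gateway_mac(self, gateway_ip=GATEWAY_IP):
        """Destination MAC of every frame this host sends off the LAN."""
        return self.cache.get(gateway_ip)

def pin_from_dhcp(offer_frame):
    """Slide 28's DHCP idea: when the DHCP Offer arrives, take the router option and
    the source MAC of the frame that carried the offer and pin that pair.
    Assumption: the DHCP server is the gateway, as CAFE_SERVER is in the deck."""
    return {offer_frame["router"]: offer_frame["src_mac"]}

def run(pin_gateway):
    """Constructed replay of slides 10-13 with the deck's names and addresses."""
    offer = {"src_mac": "01:CA:FE:CA:FE:01", "your_ip": "192.168.0.2", "router": GATEWAY_IP}
    server = Host("CAFE_SERVER", GATEWAY_IP, "01:CA:FE:CA:FE:01")
    alice = Host("ALICE_LAPTOP", offer["your_ip"], "01:41:4C:49:43:45",
                 pinned=pin_from_dhcp(offer) if pin_gateway else None)
    carol = Host("CAROL_LAPTOP", "192.168.0.3", "02:43:41:52:4F:4C")
    evil_mac = "03:45:56:49:4C:20"                 # EVIL_LAPTOP, 192.168.0.4
    # slide 11: legitimate request/reply fills every cache
    for h in (alice, carol):
        h.on_arp_reply(server.ip, server.mac)      # server answers "who has 192.168.0.1?"
        server.on_arp_reply(h.ip, h.mac)           # server learned the asker from the request
    # slides 12-13: unsolicited replies in both directions
    for victim in (alice, carol):
        victim.on_arp_reply(GATEWAY_IP, evil_mac)  # "192.168.0.1 is at EVIL_LAPTOP"
        server.on_arp_reply(victim.ip, evil_mac)   # "192.168.0.2/.3 is at EVIL_LAPTOP"
    return alice, carol, server

if __name__ == "__main__":
    for pinned in (False, True):
        alice, carol, server = run(pinned)
        print("pinned" if pinned else "unpinned", alice.gateway_mac(), alice.alerts)
```

Without pinning, Alice's frames to the Internet leave for EVIL_LAPTOP's MAC and the only trace is the "moved" alert; with the DHCP-derived pin, her gateway entry survives and the spoofed reply is logged instead. Carol, who does not pin, is still poisoned in both runs, which is why the deck also lists the admin-side static mapping. On Linux the pinned entry corresponds to `ip neigh add 192.168.0.1 lladdr 01:ca:fe:ca:fe:01 dev eth0 nud permanent`.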