Typhoid Adware

19th EICAR Annual Conference - Paris
CPSC 217 - Tutorial
Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, Mea Wang
University of Calgary – Alberta – Canada
May 11th, 2010
Typhoid Adware
1
Introducing Typhoid Mary
Mary Mallon (1869-1938) – NY cook
In 1907 she was diagnosed as a carrier of typhoid fever
As she had no symptoms, she refused to be tested, did not accept treatment and continued working
She infected tens of people, some of whom died from the disease
She was forced into quarantine for the rest of her days
BUT…
How are computers related to this?
And did you mention adware?
In an Internet Café…
[Figure sequence: the café network and its “Network admin?”; a client joins; “ARP Spoofing”; “Text and/or Video Modification”, with the injected advertisement reading “BUY IT!”]
Some remarks
There has not been much research on adware.
We target video streaming websites because of their popularity.
The carrier shows no signs of infection, and the victims (its network neighbors) have no visible clue that the advertisement comes from an illegitimate source.
The carrier may not be interested in removing the bundled adware, as they do not notice any of its effects.
Focusing on adware, we provide a scenario where no artefact is left on the victims’ machines.
Implementing Typhoid Adware
First, some background…
Background: ARP Spoofing
[Figure, step 1 (DHCP): ALICE_LAPTOP broadcasts “Help! I don’t have an IP!!!” (DHCP Discover); CAFE_SERVER answers “I can help you… Get this one!” (DHCP Offer).]

CAFE_SERVER
  Name          MAC                 IP
  CAFE_SERVER   01:CA:FE:CA:FE:01   192.168.0.1 (Fixed)
  IP-to-MAC table:
  IP            MAC
  192.168.0.2   01:41:4C:49:43:45

ALICE_LAPTOP
  Name          MAC                 IP            Gateway
  ALICE_LAPTOP  01:41:4C:49:43:45   192.168.0.2   192.168.0.1
  IP-to-MAC table:
  IP            MAC
  192.168.0.1   01:CA:FE:CA:FE:01

Disclaimer: This is a simplified description.
The DHCP protocol requires some other steps.

Background: ARP Spoofing
[Figure, step 2 (normal ARP resolution): a laptop asks “Who has 192.168.0.1?” (ARP Request); CAFE_SERVER answers “Hey! It’s me!” (ARP Reply).]

CAFE_SERVER   01:CA:FE:CA:FE:01   192.168.0.1 (Fixed)
  IP-to-MAC table:
  192.168.0.2   01:41:4C:49:43:45
  192.168.0.3   02:43:41:52:4F:4C

ALICE_LAPTOP  01:41:4C:49:43:45   192.168.0.2   Gateway 192.168.0.1
  IP-to-MAC table:
  192.168.0.1   01:CA:FE:CA:FE:01

CAROL_LAPTOP  02:43:41:52:4F:4C   192.168.0.3   Gateway 192.168.0.1
  IP-to-MAC table:
  192.168.0.1   01:CA:FE:CA:FE:01

Background: ARP Spoofing
[Figure, step 3 (spoofing): EVIL_LAPTOP sends unsolicited ARP Replies to CAFE_SERVER, ALICE_LAPTOP and CAROL_LAPTOP.]

EVIL_LAPTOP
  Name          MAC                 IP            Gateway
  EVIL_LAPTOP   03:45:56:49:4C:20   192.168.0.4   192.168.0.1

CAFE_SERVER IP-to-MAC table after the replies:
  192.168.0.2   03:45:56:49:4C:20   (was 01:41:4C:49:43:45)
  192.168.0.3   03:45:56:49:4C:20   (was 02:43:41:52:4F:4C)
ALICE_LAPTOP IP-to-MAC table after the replies:
  192.168.0.1   03:45:56:49:4C:20   (was 01:CA:FE:CA:FE:01)
CAROL_LAPTOP IP-to-MAC table after the replies:
  192.168.0.1   03:45:56:49:4C:20   (was 01:CA:FE:CA:FE:01)

Background: ARP Spoofing
[Figure, step 4 (resulting state): the same tables as in step 3. CAFE_SERVER now resolves both laptops to EVIL_LAPTOP’s MAC, and both laptops resolve their gateway 192.168.0.1 to EVIL_LAPTOP’s MAC.]
Implementing Typhoid Adware
Proof-of-concept implementation using open source software:
- arpspoof (dsniff)
- Netfilter/iptables
- Tiny Proxy (written in Python)
- FFmpeg
Attack steps:
1) Choose target
2) Intercept connections
   - ARP Spoofing
3) Redirect them to a local program (proxy)
4) Modify content
   - Web pages
   - Video file (cached)
   - Streaming video
Modifying web pages
Web pages are text files.
Content modification is trivial and allows:
- String substitution
- Inserting HTML code
- Inserting JavaScript code
Some sites compress pages before sending them, so we basically need to follow these steps:
1) Cache
2) Uncompress
3) Modify
4) Compress
5) Send it to the client
Modifying video
And, again, we need a little bit of background info…
FLV at a glance
Flash Video Format
[Figure: file layout]
  Header: “F” “L” “V” signature, flags, header length
  Body: FLV Tag (tag header, length, data), FLV Tag, …
Tag Header:
- Type of data (audio, video, script), size and timestamp
- Some video frames can be “keyframes”
Modifying video
Goal: Insert text and/or a picture into a video as an advertisement
Tools:
- FFMPEG
  - libx264: H.264 codec
  - libmp3lame
  - libfaac
  - vhook (deprecated and then removed from later versions of FFMPEG)
First implementation: “Cache and modify”
Cache the whole file and then modify the entire video at once
We can have precise information about the modified version before sending it
Long videos take time to cache, i.e., a big delay that is easily noticeable, or the user might simply give up waiting
Interesting fact: embedding pictures is faster than embedding text
Modifying video “on-the-fly”
Challenges
- Packets received by the proxy are sometimes not complete FLV Tags
- Not every video tag can be modified. It must be done in “blocks”, starting at a keyframe
Solution: Cache and Parse
- The cache has no fixed size. It is estimated and depends on how many keyframes it will cover. The last keyframe and the subsequent tags are left in a buffer for further processing.
- The “Content-Length” HTTP header must be given beforehand. If it is smaller than the content to be sent, the player will “freeze”. But we cannot precisely estimate the final size of the modified video.
Solution: The browser does not check whether “Content-Length” is bigger than the number of bytes actually sent. Let’s triple it!
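The FLV layout described earlier and the two on-the-fly challenges above (packets that do not align with tag boundaries, and work that must proceed in keyframe-delimited blocks) come together in the following incremental parser, an added example rather than code from the talk. It is the parsing any tool that inspects an FLV stream needs, whether a player or an integrity checker: it consumes a constructed sample stream in arbitrary-sized chunks, holds a cut tag until the rest arrives, verifies each PreviousTagSize trailer, and groups tags into blocks that start at a keyframe. The sample stream, the tag builder and the 7-byte chunk size are constructed for the demonstration.

```python
import struct

TAG_HDR, PREV_SIZE, TAG_TYPES = 11, 4, {8: "audio", 9: "video", 18: "script"}  # FLV tag layout

class FlvStreamParser:
    """Incremental FLV parser: feed() bytes as they arrive and get back only the
    complete tags; a tag cut by a packet boundary stays buffered."""
    def __init__(self):
        self.buf, self.header_done = bytearray(), False

    def feed(self, chunk):
        self.buf += chunk
        tags = []
        if not self.header_done:
            if len(self.buf) < 13:  # 9-byte file header + 4-byte PreviousTagSize0
                return tags
            if self.buf[:4] != b"FLV\x01" or struct.unpack(">I", self.buf[5:9])[0] != 9:
                raise ValueError("not an FLV version 1 stream with a 9-byte header")
            del self.buf[:13]
            self.header_done = True
        while len(self.buf) >= TAG_HDR:
            tag_type, data_size = self.buf[0], int.from_bytes(self.buf[1:4], "big")
            need = TAG_HDR + data_size + PREV_SIZE
            if len(self.buf) < need:
                break  # incomplete tag: wait for the next packet
            ts = int.from_bytes(self.buf[4:7], "big") | (self.buf[7] << 24)  # 24-bit ts + extension
            data = bytes(self.buf[TAG_HDR:TAG_HDR + data_size])
            if struct.unpack(">I", self.buf[need - 4:need])[0] != TAG_HDR + data_size:
                raise ValueError("PreviousTagSize mismatch: corrupt stream")
            # video data: the upper nibble of the first byte is the frame type, 1 = keyframe
            keyframe = tag_type == 9 and data_size > 0 and data[0] >> 4 == 1
            tags.append((TAG_TYPES.get(tag_type, str(tag_type)), ts, keyframe, data))
            del self.buf[:need]
        return tags

def keyframe_blocks(tags):
    """Group tags into blocks that each start at a keyframe; tags seen before the first keyframe form their own block."""
    blocks = []
    for tag in tags:
        if tag[2] or not blocks:
            blocks.append([])
        blocks[-1].append(tag)
    return blocks

def _tag(tag_type, ts, data):  # one FLV tag plus its PreviousTagSize trailer (constructed data)
    hdr = bytes([tag_type]) + len(data).to_bytes(3, "big") + ts.to_bytes(3, "big") + b"\0\0\0\0"
    return hdr + data + (TAG_HDR + len(data)).to_bytes(4, "big")

# Constructed sample: header, then keyframe, audio, inter frame, keyframe (0x17 = key/AVC, 0x27 = inter/AVC)
SAMPLE_FLV = (b"FLV\x01\x05" + (9).to_bytes(4, "big") + b"\0\0\0\0" + _tag(9, 0, b"\x17K")
              + _tag(8, 0, b"\xafA") + _tag(9, 33, b"\x27I") + _tag(9, 66, b"\x17K"))
```

Feeding SAMPLE_FLV in 7-byte pieces yields the four tags with keyframe flags True, False, False, True and two blocks of three and one tags; flipping a bit in a PreviousTagSize trailer makes feed() raise.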
Does this really work?
What about performance on both sides (infected and victim)?
Experimental setup
Typhoid adware using video streaming modification “on-the-fly”
- The most difficult and compute-intensive implementation
Two laptops running Linux
- Required only for our Typhoid Adware implementation
Wired (Ethernet hub, 10/100 Mbps) and wireless (802.11g, 100 Mbps Ethernet)
Video streaming from YouTube (embedded Flash player)
Direct connection, proxy-only, and modification using different cache sizes
Results
Processing time and latency
The time for sending the video can double, depending on the chosen cache size; however, the latency is not really noticeable even in the worst case.
File size
Depending on the codecs used, the file size increases by 6-130%, but for short videos (the majority on YouTube) that is not a problem.
Glitches versus cache size
A small cache size speeds up the process but introduces noticeable glitches in the video. A good balance is a cache of 64Kb (around 5 seconds of video).
Ok… it does work…
So, how can I protect myself?
Mitigation
Why do I bother about this?
Adware is usually considered to be in a “gray area”. Is the same true for Typhoid Adware?
Notice that the installation of “normal” adware is up to the user, and they are (supposedly) aware that advertisements will pop up once in a while.
Not in this scenario.
Video Content Modification
- Encryption (e.g., using HTTPS)
- Checksum list
  - Performance
  - Changes in both client and server
- Signed checksum list
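The difference between a plain checksum list and a signed one, as an added example that is not from the talk: an in-path modifier that alters a block can simply regenerate an unsigned list to match, but cannot produce a valid signature over the new list. HMAC with a key shared with the player stands in here for the publisher’s public-key signature (an assumption made to stay within the standard library); the video bytes, the key and the 64 KiB block size are constructed for the demonstration.

```python
import hashlib
import hmac
import json

BLOCK = 64 * 1024  # checksum granularity (constructed): one 64 KiB block per digest

def checksum_list(video):
    """Per-block SHA-256 digests that the server publishes alongside the video."""
    return [hashlib.sha256(video[i:i + BLOCK]).hexdigest() for i in range(0, len(video), BLOCK)]

def sign_list(checksums, key):
    """Serialise the list and authenticate it. HMAC with a key shared with the player stands in
    for the publisher's public-key signature (assumption, to stay within the standard library)."""
    body = json.dumps(checksums).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify_unsigned(video, checksums):
    """Plain checksum list: detects changes to the video only if the list itself was not replaced."""
    return checksum_list(video) == checksums

def verify_signed(video, body, tag, key):
    """Signed checksum list: a list replaced in transit fails before any block is compared."""
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        return False
    return checksum_list(video) == json.loads(body)

def modified_in_transit(video):
    """Models an in-path proxy that alters one block and recomputes the unsigned list to match."""
    tampered = video[:BLOCK // 2] + b"<constructed change>" + video[BLOCK // 2:]
    return tampered, checksum_list(tampered)
```

With the unsigned list the regenerated digests still verify against the altered video; with the signed list the altered video fails against the original list, and a swapped list fails the signature check unless it was re-signed with the key.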
Mitigation
ARP Spoofing
FROM ADMIN’S TO USER’S SIDE
- ARP spoofing detection
  - Interesting feature for anti-malware products
- Static IP-to-MAC mapping
  - Internet Café Setting
- Parsing DHCP messages
  - Fixing the gateway once the interface is up
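The three user-side measures above combine into one client check, shown here as an added example (not the authors’ code): the gateway’s IP-to-MAC binding is taken from the DHCP Offer when the interface comes up and pinned, and every later ARP reply is compared against the pinned binding (or, for other hosts, the first binding learned). The DHCP option block, the raw ARP reply builder and the host names and addresses follow the café scenario in the slides and are constructed for the demonstration; reading real frames from the interface is outside this snippet.

```python
import struct
from ipaddress import IPv4Address

def parse_dhcp_options(options):
    """Parse the TLV option block of a DHCP message (the part after the magic cookie)."""
    parsed, i = {}, 0
    while i < len(options) and options[i] != 0xFF:  # 0xFF = end option
        if options[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, length = options[i], options[i + 1]
        parsed[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return parsed

def gateway_from_dhcp_offer(frame_src_mac, offer_src_ip, options):
    """Return (gateway_ip, gateway_mac) to pin once the interface is up, or None.
    The frame's source MAC is trusted only when the offer came from the router it names."""
    opts = parse_dhcp_options(options)
    if opts.get(53) != b"\x02":                      # 53 = message type, 2 = DHCPOFFER
        return None
    router = opts.get(3)                             # 3 = router option
    if router is None or str(IPv4Address(router[:4])) != offer_src_ip:
        return None
    return offer_src_ip, frame_src_mac

class ArpWatcher:
    """Flags ARP replies that contradict a pinned (static) or previously learned IP-to-MAC binding."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)  # IP -> MAC that must never change (static mapping)
        self.seen = {}              # IP -> MAC learned from earlier replies

    def check(self, raw_arp):
        _, _, _, _, op, smac, sip, _, _ = struct.unpack("!HHBBH6s4s6s4s", raw_arp[:28])
        if op != 2:                 # only replies (opcode 2) carry a claim about the sender
            return None
        sender_ip, sender_mac = str(IPv4Address(sip)), ":".join(f"{b:02X}" for b in smac)
        expected = self.pinned.get(sender_ip) or self.seen.setdefault(sender_ip, sender_mac)
        if expected != sender_mac:
            return f"ALERT: {sender_ip} claimed by {sender_mac}, expected {expected}"
        return None

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):  # raw ARP reply payload (constructed data)
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, smac,
                       IPv4Address(sender_ip).packed, tmac, IPv4Address(target_ip).packed)

# Constructed DHCP Offer option block: message type OFFER, router 192.168.0.1, end
OFFER_OPTIONS = b"\x35\x01\x02" + b"\x03\x04" + IPv4Address("192.168.0.1").packed + b"\xff"
```

Pinning CAFE_SERVER (01:CA:FE:CA:FE:01, 192.168.0.1) from the offer and then feeding the replies from the slides, a reply claiming 192.168.0.1 for 03:45:56:49:4C:20 is reported, while an offer arriving from another source address is not used to pin anything.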
Related work
M. Kershaw. Wireless security isn’t dead, attacking clients with MSF. Black Hat DC, 2010.
E. Lin, D. M. N. de Castro, M. Wang, and J. Aycock. SPoIM: A Close Look at Pollution Attacks in P2P Live Streaming. IEEE International Workshop on Quality of Service, 2010, to appear.
Conclusions
We have presented Typhoid Adware, a new approach for spreading advertisements
It was implemented using well-known techniques (ARP Spoofing and proxies), but other approaches can also be used (including on other types of network)
Even the most overhead-intensive case allows the victim to receive the content in reasonable time
We also presented some approaches for mitigation
Typhoid adware is a viable threat, especially in poorly monitored environments
Thanks / Merci / Obrigado
Any questions?
Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, Mea Wang
University of Calgary – Alberta – Canada