Spyware. Steven Gribble, Department of Computer Science and Engineering, University of Washington. PowerPoint PPT Presentation



SLIDE 1

Spyware

Steven Gribble

Department of Computer Science and Engineering, University of Washington

SLIDE 2

kingsofchaos.com

A benign web site for an online game
— earns revenue from ad networks by showing banners
— but, it relinquishes control of the ad content
SLIDE 3

kingsofchaos.com

A benign web site for an online game
— earns revenue from ad networks by showing banners
— but, it relinquishes control of the ad content

[Figure: banner ad from adworldnetwork.com (a legitimate ad network); inline JavaScript loads HTML from the ad provider]

SLIDE 4

Incident

kingsofchaos.com was given this "ad content":

<script type="text/javascript">document.write(‘ \u003c\u0062\u006f\u0064\u0079\u0020\u006f\u006e\u0055 \u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029 \u003b\u0073\u0068\u006f\u0077\u0048\u0069 …etc.

This "ad" ultimately:
— bombarded the user with pop-up ads
— hijacked the user's homepage
— exploited an IE vulnerability to install spyware
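
The ad-slot script above hides the markup it injects behind \uXXXX escapes inside document.write. The Python scanner below is an added example, not code from the talk or from kingsofchaos.com: it resolves those escapes the way the browser would and flags creatives whose decoded output injects page-level markup or event handlers. The risky-markup watchlist and both sample creatives are constructed for this example; the incident's real payload is truncated on the slide and not reproduced.

```python
import re
from dataclasses import dataclass, field

# Inline <script> bodies and document.write('...') / document.write("...") string literals.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
WRITE_RE = re.compile(r"document\.write(?:ln)?\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
ESCAPE_RE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
# Markup a banner creative has no business emitting (assumed watchlist for this example):
# page-level tags and inline event handlers such as onUnload=...
RISKY_MARKUP = re.compile(r"<\s*(?:body|script|iframe|object|embed|applet)\b|\bon[a-z]+\s*=", re.I)


@dataclass
class Finding:
    decoded: str             # what document.write would actually inject into the page
    escaped_fraction: float  # share of decoded characters that arrived as \u / \x escapes
    risky_markup: list = field(default_factory=list)


def unescape_js_literal(literal: str) -> str:
    """Resolve \\uXXXX and \\xXX escapes the way the JS engine does before document.write runs."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), literal)


def scan_ad_html(html: str) -> list:
    """One Finding per document.write literal found in the creative's inline scripts."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for _quote, literal in WRITE_RE.findall(script):
            decoded = unescape_js_literal(literal)
            fraction = len(ESCAPE_RE.findall(literal)) / max(len(decoded), 1)
            risky = sorted({m.group(0).lower() for m in RISKY_MARKUP.finditer(decoded)})
            findings.append(Finding(decoded, round(fraction, 2), risky))
    return findings


def is_suspicious(finding: Finding, escape_threshold: float = 0.5) -> bool:
    """Hold the creative for review if it is mostly escapes or injects page-level markup."""
    return finding.escaped_fraction >= escape_threshold or bool(finding.risky_markup)


def _obfuscate(text: str) -> str:
    """Builds a constructed sample: every character as \\uXXXX, the shape seen in the incident."""
    return "".join(f"\\u{ord(c):04x}" for c in text)


# Constructed samples: an ordinary banner and a creative in the incident's style.
CLEAN_AD = '<script type="text/javascript">document.write("<img src=\'/banner.gif\'>")</script>'
OBFUSCATED_AD = (
    "<script type=\"text/javascript\">document.write('"
    + _obfuscate("<body onUnload=showPopup()>")
    + "')</script>"
)

if __name__ == "__main__":
    for name, ad in (("clean", CLEAN_AD), ("obfuscated", OBFUSCATED_AD)):
        for f in scan_ad_html(ad):
            print(name, is_suspicious(f), f.escaped_fraction, f.risky_markup, repr(f.decoded))
```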

SLIDE 5

What's going on?

The advertiser was an ex-email-spammer

His goal:
— force users to see ads from his servers
— draw revenue from ad "affiliate programs"
  • apparently earned several millions of dollars

Why did he use spyware?
— control PC and show ads even when not on the Web

SLIDE 6

Take-away lessons

Your PC has value to third parties
— spyware tries to steal this value from you
  • adware: eyeballs and demographic information
  • spyware: sensitive data, PC resources

Web content should never be trusted
— even if its direct provider is

Consumer software and OSs are weak
— browsers are bug-ridden
— OSs do not protect users from malicious software
  • yet, this is increasingly the world we live in

SLIDE 7

Outline

Background

Measurement study

Discussion on spyware mitigation

SLIDE 8

Outline

Background
— definitions
— trends
— defenses

Measurement study

Discussion on spyware mitigation

SLIDE 9

What is spyware?

Incredibly difficult to define "spyware" precisely
— no clean line between good and bad behavior

Spyware is a software parasite that:
— collects information of value and relays it to a third party
— hijacks functions or resources of PC
— installs surreptitiously, without consent of user
— resists detection and de-installation

Spyware provides value to others, but not to you

SLIDE 10

How one becomes infected

Spyware piggybacked on executables
— model for profiting from free software
— e.g., Kazaa installed 2-7 adware programs

Drive-by downloads
— Web site attempts to install software through browser
— may involve exploiting browser vulnerabilities

Trojan downloaders / "tricklers"
— spyware that fetches additional spyware
— snowball effect

SLIDE 11

Types of spyware

Class                              # signatures
Cookies and web bugs               47
Browser hijackers                  272
Adware                             210
Keyloggers                         75
Dialers                            201
Backdoors / trojans / tricklers    279

From the "Spybot S&D" database, Feb. 2005.

SLIDE 12

Spyware trends

Most Internet PCs have, or have had, it
— 80% of Internet-connected PCs are infected
— [AOL/NCSA online safety study, Oct. 2004]

Much of the Web has it
— 1 in 8 executables on Web piggyback spyware
— 0.1% of random Web pages try "drive-by" installs
— [UW study, Oct. 2005]

Convergence of threats
— worms, viruses, spyware, botnets are fusing
— e.g., many spyware programs now install spam relays

SLIDE 13

Industrial responses

Anti-spyware tools
— predominantly signature based
— e.g., AdAware, Spybot S&D, Microsoft AntiSpyware

Blacklisted URLs in firewalls, NIDS
— e.g., UW TippingPoint machine

Sandboxes for isolating untrusted content
— e.g., GreenBorder

SLIDE 14

Legislative responses

Federal "SPY ACT"
— Oct. 6: passed in House, received in Senate
— lists prohibited software functions
  • e.g., "Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering (A) the Web page that appears when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet, (B) …"
— requires user consent to "information collection programs"
  • required functions for such programs, e.g., easy to disable
— list of exclusions
  • law enforcement, ISPs, diagnostic and security software/services, good samaritan protection, manufacturers and retailers providing third party branded software
— has big teeth
  • up to $3,000,000 penalty per violated provision

SLIDE 15

Outline

Background

Measurement study
— "A Crawler-based Study of Spyware in the Web"
  • Alex Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. To appear, NDSS 2006.

Discussion on spyware mitigation

SLIDE 16

Measurement study

Understand the problem before defending against it

Many unanswered questions
— What's the spyware density on the web?
— Where do people get spyware?
— How many spyware variants are out there?
— What kinds of threats does spyware pose?

Answers give insight into what defenses may work

SLIDE 17

Approach

Large-scale measurement of spyware on the Web
— crawl "interesting" portions of the web
— download content
— determine if content is malicious

Two parts
— Executable study
  • Find executables with known spyware
— Drive-by download study
  • Find web pages that attempt drive-by download attacks

SLIDE 18

Analyzing Executables

Web crawler collects a pool of executables

For each:
— clone a clean virtual machine
  • 10-node VM cluster, 4 VMs per node
— scripted install of executable
— run analysis to see what changed
  • currently, we use an anti-spyware tool (Ad-Aware)

Average analysis time: 90 sec. per executable

SLIDE 19

Analyzing Drive-by Downloads

Evaluate the safety of browsing the web

Automatic "virtual browsing"
— render pages in a real browser inside clean VM
  • unpatched Internet Explorer on unpatched Windows XP
— define triggers for suspicious browsing activity
  • process creation
  • files written outside browser temp. folders
  • suspicious registry modifications
— run anti-spyware check only when trigger fires

(cf. HoneyMonkey work, concurrent with ours)
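
The trigger gating described on this slide, as an added Python example (not the study's own harness): a recorded VM event trace is checked against the three triggers, and the expensive anti-spyware scan is requested only when one of them fires. The browser name, temp-folder prefixes, registry watchlist and the two sample traces are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed harness configuration for this example (not the study's real settings):
# the browser the harness launches, the folders a browser may legitimately write to,
# and registry locations whose modification is a classic spyware tell (autostart
# entries, the IE start page, browser helper objects).
BROWSER_PROCESS = "iexplore.exe"
BROWSER_TEMP_PREFIXES = (
    r"c:\documents and settings\user\local settings\temporary internet files",
    r"c:\documents and settings\user\local settings\temp",
)
SUSPICIOUS_REGISTRY_PREFIXES = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\internet explorer\main\start page",
    r"hklm\software\microsoft\windows\currentversion\explorer\browser helper objects",
)


@dataclass(frozen=True)
class Event:
    kind: str          # "process", "file" or "registry"
    target: str        # process image, written file path, or registry key/value
    parent: str = ""   # for process events: image of the creating process


def fired_triggers(events) -> list:
    """Return the names of the slide's three triggers that this browsing session set off."""
    fired = set()
    for ev in events:
        target = ev.target.lower()
        if ev.kind == "process" and target != BROWSER_PROCESS:
            fired.add("process creation")            # anything beyond the browser the harness started
        elif ev.kind == "file" and not any(target.startswith(p + "\\") for p in BROWSER_TEMP_PREFIXES):
            fired.add("file written outside browser temp folders")
        elif ev.kind == "registry" and any(target.startswith(p) for p in SUSPICIOUS_REGISTRY_PREFIXES):
            fired.add("suspicious registry modification")
    return sorted(fired)


def should_run_scan(events) -> bool:
    """Gate the ~90 s anti-spyware scan on a trigger, so most pages cost only a render."""
    return bool(fired_triggers(events))


# Constructed traces of what a VM monitor might log while rendering one page.
BENIGN_TRACE = [
    Event("process", "iexplore.exe", parent="harness.exe"),
    Event("file", r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\index[1].htm"),
    Event("registry", r"HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement"),
]
DRIVE_BY_TRACE = [
    Event("process", "iexplore.exe", parent="harness.exe"),
    Event("file", r"C:\WINDOWS\sample_dropper.exe"),            # constructed file name
    Event("process", "sample_dropper.exe", parent="iexplore.exe"),
    Event("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample_dropper"),
    Event("registry", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
]

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("drive-by", DRIVE_BY_TRACE)):
        print(name, "scan" if should_run_scan(trace) else "skip", fired_triggers(trace))
```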

SLIDE 20

Executable Study Results

Crawled 32 million pages in 10,000 Web domains

Downloaded 26,000 unique executables

Found spyware in 13.5% of them
— most installed only one spyware program
  • 6% installed three or more spyware variants
— 142 unique spyware threats

SLIDE 21

Infection of Executables

Visit a site and download a program

What's the chance that you got spyware?

[Bar chart: % of executables that are infected, by site category: blacklisted, celebrities, games, wallpapers and screensavers, music and movies, pirate, random, kids, news]

SLIDE 22

Spyware popularity

Spyware popularity is (surprise, surprise) Zipfian

A small # of spyware variants are found frequently
— top 28 variants account for 90% of infected execs.
— WhenU, eZula, 180Solutions at top of list

A small # of sites have large # of infected execs.

SLIDE 23

Drive-by Download Results

5.5% of pages we examined carried drive-by downloads
— 1.4% exploited browser vulnerabilities

[Bar chart: % of pages with drive-by downloads, by site category: pirate, games, music and movies, blacklist, celebrities, wallpapers and screensavers, random, kids, news; each bar split into browser exploits vs. installs with user consent]

SLIDE 24

Types of spyware

Five oft-discussed spyware functions
— What's the chance a spyware program contains each function?

Function             Drive-by Downloads    Executables
Adware               75%                   88%
Browser hijacker     84%                   62%
Trojan Downloader    50%                   12%
Dialer               0.2%                  1.2%
Keylogger            0%                    0.05%

SLIDE 25

Summary

There is plenty of spyware on the web
— 1 in 8 programs is infected with spyware

Spyware targets specific popular content
— 0.1% of random web pages try drive-by downloads
— 5% of "celebrity" web pages try drive-by downloads

Most spyware is just annoying (adware)
— but a significant fraction poses a big risk

Few spyware variants are encountered in practice

SLIDE 26

Outline

Background

Measurement study

Discussion on spyware mitigation
— the "opinion" part of this talk

SLIDE 27

My view on the problem

Spyware separable into two "classes" of problem

Shucksters out for a quick buck
— taking advantage of current blurry legal status of spyware
— tweak and distribute off-the-shelf adware
  • rarely engineer new code
  • goals: "throw it far and wide, make it stick"
— responsible for most of what's out there

Determined criminals
— phishers/pharmers looking for credit card numbers
— keyloggers for personal/corporate espionage
— may be willing to engineer boutique spyware software

SLIDE 28

How to stop the shucksters

Legislation helps take away incentive
— makes it clear what is illegal
— legit companies will clean up their act

Anti-spyware tools deal well with remainder
— you're really paying for the top ~50 signatures
— new threats emerge from time to time
  • need engineers to keep rules fresh
  • seems no different than antivirus signature problem
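
Slide 22's observation that the top 28 variants account for 90% of infected executables and this slide's point that you are really paying for the top ~50 signatures reduce to one question: how many signatures does a coverage target need when variant popularity is Zipfian? The Python below is an added example, not code from the study; it ranks variants by frequency and then picks signatures greedily by marginal detections over a constructed infection table whose variant names, apart from the three the talk lists, are illustrative.

```python
from collections import Counter

# Constructed infection table: infected executable -> variants the scanner reported in it.
# WhenU, eZula and 180Solutions are the names the talk lists; the rest are illustrative.
# The skew (one variant in half the executables, a long tail seen once each) mimics the
# Zipfian popularity the study observed.
INFECTED = {
    "exe01": {"WhenU"}, "exe02": {"WhenU"}, "exe03": {"WhenU"}, "exe04": {"WhenU", "eZula"},
    "exe05": {"WhenU"}, "exe06": {"WhenU", "Variant-D"}, "exe07": {"WhenU"}, "exe08": {"WhenU"},
    "exe09": {"WhenU", "180Solutions"}, "exe10": {"WhenU"},
    "exe11": {"eZula"}, "exe12": {"eZula"}, "exe13": {"eZula", "Variant-E"}, "exe14": {"eZula"},
    "exe15": {"180Solutions"}, "exe16": {"180Solutions", "Variant-F"},
    "exe17": {"Variant-G"}, "exe18": {"Variant-H"}, "exe19": {"Variant-I"}, "exe20": {"Variant-J"},
}


def variant_frequencies(infected: dict) -> list:
    """(variant, number of infected executables carrying it), most common first: the Zipf curve."""
    return Counter(v for variants in infected.values() for v in variants).most_common()


def coverage(infected: dict, signatures) -> float:
    """Fraction of infected executables that at least one signature in the set would flag."""
    sigs = set(signatures)
    return sum(1 for variants in infected.values() if variants & sigs) / len(infected)


def greedy_signature_set(infected: dict, target: float) -> list:
    """Add signatures in order of marginal detections (executables not yet flagged) until the
    chosen set covers at least `target` of the infected executables. Variants that only
    ride along with a more common one never need their own signature. Ties break by name."""
    remaining = dict(infected)
    chosen = []
    while remaining and coverage(infected, chosen) < target:
        gain = Counter(v for variants in remaining.values() for v in variants)
        best = min(gain, key=lambda v: (-gain[v], v))
        chosen.append(best)
        remaining = {exe: vs for exe, vs in remaining.items() if best not in vs}
    return chosen


if __name__ == "__main__":
    for variant, count in variant_frequencies(INFECTED):
        print(f"{variant:14s} {count:3d}")
    total = len(variant_frequencies(INFECTED))
    for target in (0.5, 0.9, 1.0):
        sigs = greedy_signature_set(INFECTED, target)
        print(f"{target:.0%} coverage needs {len(sigs)} of {total} signatures: {sigs}")
```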

SLIDE 29

The criminals

We're not well prepared for this threat
— regular users have poor model of safe vs. risky
  • and savvy users don't have good tools for coping
— OSs built as single trust domain; if compromised, lose
  • no firewall between Internet-facing code and your stuff

Maybe we just need "street smart" mechanisms
— help users avoid sketchy parts of the Web
  • Blacklists? Reputation-based schemes?
— help users keep valuables locked up
  • Lampson's "red vs. green" VMs, GreenBorder

SLIDE 30

Advanced techniques

Rejigger OS so harder for users to add new code
+ less likely to get unwanted code
— makes it hard to add legitimate apps
— doesn't help with scripts / bytecode

Semantic analysis (look for spyware-like behavior)
+ fewer signatures needed, higher leverage in arms race
— too many ways to do the same thing in today's systems
— prone to false positives

SLIDE 31

Questions?