Spyware Spyware Steven Gribble Steven Gribble Department of Computer Science and Engineering Department of Computer Science and Engineering University of Washington University of Washington
kingsofchaos.com .com kingsofchaos A benign web site for an online game A benign web site for an online game earns revenue from ad networks by showing banners earns revenue from ad networks by showing banners — — but, it relinquishes control of the ad content of the ad content but, it relinquishes control — —
kingsofchaos.com .com kingsofchaos A benign web site for an online game A benign web site for an online game earns revenue from ad networks by showing banners earns revenue from ad networks by showing banners — — but, it relinquishes control of the ad content of the ad content but, it relinquishes control — — banner ad from adworldnetwork.com (a legitimate ad network) inline javascript loads HTML from ad provider
Incident Incident kingsofchaos.com was given .com was given this this “ “ad content ad content” ” kingsofchaos <script type="text/javascript">document.write(‘ \u003c\u0062\u006f\u0064\u0079\u0020\u006f\u006e\u0055 \u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029 \u003b\u0073\u0068\u006f\u0077\u0048\u0069 …etc. This “ad” ultimately: bombarded the user with pop-up ads — hijacked the user’s homepage — exploited an IE vulnerability to install spyware —
What’ ’s going on? s going on? What The advertiser was an ex-email-spammer His goal: force users to see ads from his servers — draw revenue from ad from ad “ “affiliate programs affiliate programs” ” draw revenue — — Apparently earned several millions of dollars Apparently earned several millions of dollars Why did he use spyware spyware? ? Why did he use control PC and show ads even when not on the Web control PC and show ads even when not on the Web — —
Take-away lessons Take-away lessons Your PC has value to third parties Your PC has value to third parties spyware tries to steal this value from you tries to steal this value from you spyware — — adware: adware : eyeballs and demographic information eyeballs and demographic information spyware: spyware : sensitive data, PC resources sensitive data, PC resources Web content should never be trusted Web content should never be trusted even if its direct provider is direct provider is even if its — — Consumer software and OSs OSs are weak are weak Consumer software and browsers are bug-ridden browsers are bug-ridden — — OSs OSs do not protect users from malicious software do not protect users from malicious software — — yet, this is increasingly the world we live in yet, this is increasingly the world we live in
Outline Outline Background Background Measurement study Measurement study Discussion on spyware spyware mitigation mitigation Discussion on
Outline Outline Background Background definitions definitions — — trends trends — — defenses defenses — — Measurement study Measurement study Discussion on spyware spyware mitigation mitigation Discussion on
What is spyware spyware? ? What is Incredibly difficult to define “ “spyware spyware” ” precisely precisely Incredibly difficult to define no clean line between good and bad behavior no clean line between good and bad behavior — — Spyware is a is a software parasite software parasite that: that: Spyware collects information of value and relays it to a third party collects information of value and relays it to a third party — — hijacks functions or resources of PC hijacks functions or resources of PC — — installs surreptitiously, without consent of user installs surreptitiously, without consent of user — — resists detection and de-installation resists detection and de-installation — — Spyware provides value to others, provides value to others, but not to you but not to you Spyware
How one becomes infected How one becomes infected Spyware piggybacked on executables piggybacked on executables Spyware model for profiting from free software model for profiting from free software — — e.g., Kazaa Kazaa installed installed 2-7 2-7 adware adware programs programs e.g., — — Drive-by downloads Drive-by downloads Web site attempts to install software through browser Web site attempts to install software through browser — — may involve exploiting browser vulnerabilities may involve exploiting browser vulnerabilities — — Trojan downloaders downloaders / / “ “tricklers tricklers” ” Trojan spyware that fetches additional that fetches additional spyware spyware spyware — — snowball effect snowball effect — —
Types of spyware spyware Types of Class Class # signatures # signatures Cookies and web bugs 47 Cookies and web bugs 47 Browser hijackers 272 Browser hijackers 272 Adware Adware 210 210 Keyloggers Keyloggers 75 75 Dialers Dialers 201 201 Backdoors / trojans trojans / / tricklers tricklers 279 Backdoors / 279 From the “Spybot S&D” database, Feb. 2005 .
Spyware trends trends Spyware Most Internet PCs have, or have had, it Most Internet PCs have, or have had, it 80% of Internet-connected PCs are infected 80% of Internet-connected PCs are infected — — [AOL/NCSA online safety study, Oct. 2004] [AOL/NCSA online safety study, Oct. 2004] — — Much of the Web has it Much of the Web has it 1 in 8 executables on Web piggyback 1 in 8 executables on Web piggyback spyware spyware — — 0.1% of random Web pages try try “ “drive-by drive-by” ” installs installs 0.1% of random Web pages — — [UW study, Oct. 2005] [UW study, Oct. 2005] — — Convergence of threats Convergence of threats worms, viruses, spyware spyware, , botnets botnets are fusing are fusing worms, viruses, — — e.g., many spyware spyware programs now install spam relays programs now install spam relays e.g., many — —
Industrial responses Industrial responses Anti-spyware tools tools Anti-spyware predominantly signature based predominantly signature based — — e.g., AdAware AdAware, , Spybot Spybot S&D, Microsoft S&D, Microsoft AntiSpyware AntiSpyware e.g., — — Blacklisted URLs in firewalls, NIDS Blacklisted URLs in firewalls, NIDS e.g., UW tipping point machine e.g., UW tipping point machine — — Sandboxes for isolating isolating untrusted untrusted content content Sandboxes for e.g., GreenBorder GreenBorder e.g., — —
Legislative responses Legislative responses Federal “ “SPY ACT SPY ACT” ” Federal Oct. 6: passed in House, received in Senate Oct. 6: passed in House, received in Senate — — lists prohibited software functions lists prohibited software functions — — e.g., e.g., “ “Modifying settings related to use of the computer or to the computer's Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering (A) access to or use of the Internet by altering (A) the Web page that appears the Web page that appears when the owner or authorized user launches an Internet browser or similar when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet, (B) program used to access and navigate the Internet, (B) …” …” requires user consent to “ requires user consent to “information collection programs information collection programs” ” — — required functions for such programs, e.g., easy to disable required functions for such programs, e.g., easy to disable list of exclusions list of exclusions — — law enforcement, ISPs, diagnostic and security software/services, diagnostic and security software/services, law enforcement, ISPs, good samaritan samaritan protection, manufacturers and retailers providing protection, manufacturers and retailers providing good third party branded software third party branded software has big teeth has big teeth — — up to $3,000,000 penalty per violated provision penalty per violated provision up to $3,000,000
Outline Outline Background Background Measurement study Measurement study “ “A Crawler-based Study of A Crawler-based Study of Spyware Spyware in the Web in the Web” ” — — Alex Moshchuk Moshchuk, Tanya , Tanya Bragin Bragin, Steven D. Gribble, and , Steven D. Gribble, and Alex Henry M. Levy. To appear, NDSS 2006. Henry M. Levy. To appear, NDSS 2006. Discussion on spyware spyware mitigation mitigation Discussion on
Recommend
More recommend
