Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management

Transcription

1 Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management Yi-Min Wang, Roussi Roussev, Chad Verbowski, and Aaron Johnson Microsoft Research, Redmond, Washington Extended Abstract 1. Introduction Spyware is a generic term referring to a class of software programs that track computer users behavior for marketing purposes. In addition to privacy issues, spyware often annoys users by popping up windows with advertisements, changing browser s start page, search page, and bookmark settings, installing unwanted toolbars, etc. Some spyware causes a significant increase in reboot time. Reliability data show that spyware account for a large percentage of the overall crash reports. Saroiu et al. [SGL04] pointed out security problems caused by vulnerabilities in spyware programs. A recent study based on scanning over one million machines showed the alarming prevalence of spyware: an average of almost 28 spyware programs are running on each computer [E04]. Current anti-spyware solutions [A, S] are based on the signature approach used by anti-virus software: each spyware installation is investigated to determine its file and Registry signatures for use by a scanner software to later detect instances of the spyware. This approach has several problems. First, many spyware programs may be considered legitimate in the following sense: their companies sponsor popular freeware to leverage their installation bases; since users agree to an End User Licensing Agreement when they install freeware, removing the bundled spyware may violate this agreement. In many cases, the freeware refuses to run if its bundled spyware is removed. Second, spyware programs are full-fledged applications that are generally much more powerful than the average virus [C04], making it easy for them to have sophisticated behaviors for defeating signature-based detection; observed behaviors include self-healing, non-deterministic latent installation, morphing filenames, etc. Third, spyware may contain common library files that non-spyware applications use. If care is not taken to remove these files from the spyware signatures, scanners using these signatures will break non-spyware applications. Finally, popular spyware removal programs are commonly invoked on-demand or periodically long after the spyware installation, allowing it to collect private information; a monitoring service that catches spyware at installation time is essential to reduce exposure. We propose a new solution that complements the signature-based approach. Our work is based on the observation that spyware is designed to infect a system in one of two ways: as a standalone application that - 1 -

2 is automatically run by registering as an OS auto-start extension such as an NT service, a tray icon in Windows, or a Unix daemon/cron job; or as an extension to an existing application that is either automatically run (such as the shell in Windows), or popular and commonly run by users (such as a Web browser). We call the configuration points that allow these extensions Auto-Start Extensibility Points (ASEPs), which are critical gates (see Figure 1) that allow programs to enter and essentially become part of the machine. Our Gatekeeper solution identifies and monitors these gates and exposes all the hooks to ASEPs in a way that is as user-friendly as possible to allow effective management of spyware. 2. Problem Formulation and Decomposition Figure 2 illustrates the life cycle of the spyware management process and provides a problem decomposition that enables us to reason about this problem systematically. (1) Given a machine infected with spyware, we first use a known-bad signature database and signature-based scanner / removal tool (such as SpyBot) to remove existing spyware. (2) We continuously monitor all ASEPs by recording, alerting, and blocking potentially harmful ASEP hooking operations. It is essential that the signature database includes userfriendly descriptions of known-good [G03,NSRL,PP] and known-bad ASEP hooks to enable presentation of actionable information to the user. If the user decides to install a freeware application after assessing the risks of bundled spyware, (3) bundle tracing captures all components installed by the freeware and display them in Gatekeeper as a group with a user-friendly name enabling the user to manage and remove them as a unit. (4) We monitor the performance and reliability of the system since the freeware / spyware installation and associate any problems with the responsible component(s). These credit reports provide the user with a price tag for the freeware functionality, enabling the user to make value/cost judgments about the freeware. Finally, our solution s effectiveness is directly related to ASEP list completeness. (5) We discover the ASEPs of OS and popular frequently run software by analyzing indirection patterns in file and Registry traces. Another technique is to scan the volatile states of a known infected machine to identify the spyware executable and then use this as an index in a reverse lookup scan of the machine configuration to identify new ASEPs. In this paper, we will focus on (2), (3), and (5). 3. ASEP Monitoring Figure 3 shows 20 ASEPs hooked by at least one of the 67 spyware programs we have tested, indicating when the OS / application starts them. Figure 4 shows the number of spyware hooks to each of the 20 ASEPs. (Note that ASEP #18 includes drivers.) Browser Helper Objects (BHOs) and the system-wide Run key are - 2 -

3 the two most popular ASEPs. Figure 5 shows that most of the spyware hook only one ASEP, but some hook as many as 8 or 10. Hooking multiple ASEPs typically causes significant performance degradation. Each new ASEP hook generates an optional notification sent to the user, or forwarded to an enterprise management system for processing. Figure 6 shows a screenshot of a user notification alert. During the installation of a freeware screensaver, the user is notified of five new ASEP hooks. The Screen Saver hook alert is obviously expected. Searching the Signatures and Descriptions Database with the information from the other four alerts (by clicking on the alerts) reveals that they belong to exact Search Bar and Bargain Buddy. Based on the information provided for these two pieces of software and the benefit provided by the screensaver, the user can then make informed decision about whether to keep this bundle. A blocking option is also provided to allow system administrators to, for example, enable Run key hooking but disable BHO hooking. 4. Bundle Management Currently, when a user installs freeware and its bundled spyware and later decides to uninstall the freeware, the spyware often remains running on the machine, collecting private information without the enduser s awareness or consent. Gatekeeper uses a technique called bundle tracing to expose this unfair practice. Figure 7 demonstrates bundle tracing in the presence of concurrent installations of two bundles: the DivX bundle and the Desktop Destroyer (DD) bundle. ASEP hooks and Add/Remove Programs (ARP) entries created by processes belonging to the same process tree are grouped together as one bundle. The concatenation of the ARP Display Names is used as the bundle name. For example, six processes with parent-child relationship are involved in the installation of the DD bundle. They together created five ASEP hooks and three ARP entries. Figure 8 shows Gatekeeper displaying bundle information through a new Manage Auto-Start Programs applet in the Control Panel ARP interface (called it EP-ARP). It scans all ASEPs and displays the current hooks by bundles. The user can sort by install time to highlight newly installed bundles. It also provides three options for bundle removal/disabling. For example, the bundle name clearly shows that exact Search Bar and Bargain Buddy have been installed as part of the DD bundle. If the user wants to remove DD, she can click the Disable Bundle button and reboot the machine. This removes all five ASEP hooks, stopping the three bundled programs from automatically starting, despite their files remaining on the machine. Alternatively, the user can look for the three ARP names in the regular ARP page and invoke their respective removal programs there. Since it is not uncommon for spyware to provide unreliable ARP removal programs, the user can double-check EP-ARP to make sure that none of the ASEP hooks gets left over after ARP removals. Gatekeeper also integrates with System Restore, as shown at the bottom of Figure 8. If both removal - 3 -

4 options fail, the user can click on the Restore button to roll back machine configuration to a checkpoint taken before the bundle was installed. We have observed that some ASEP hooks have no ARP owners ; if they are not known-good, they are most likely devious or deceptive software that should be disabled. 5. ASEP Discovery By definition, programs that get started through EPs must have their filenames returned as query results from some file or Registry locations, instead of being hard-wired into the launching program code. To compile our list of ASEPs, we combined a white-box approach of documenting well-known EPs (such as those scanned by Autoruns [AR04] or found in OS and application specifications) with a black-box approach of identifying indirection patterns for obtaining executable filenames by analyzing file/registry traces (see Figure 9 for a few examples), and troubleshooting newly discovered spyware with a Windows Task Manager Extension. Figure 10 shows an example of how this tool helps discover a new ASEP by scanning for all modules loaded by each process, incorporating file-update timestamp information from System Restore file change log to highlight most recent changes, and searching various local meta-data information stores (e.g., patch histories) to try to filter out files updated by known-good sources. References [A] Ad-aware, [AR04] Autoruns, [C04] Spyware cures may cause more harm than good, Feb [E04] EarthLink finds rampant spyware, Trojans, InfoWorld, April 15, [G03] Simson L. Garfinkel, A Web Service for File Fingerprints: The Goods, the Bads, and the Unknowns, [NSRL] National Software Reference Library (NSRL) Project Web Site, [PP] Pest Patrol, [S] Spybot, [SGL04] S. Saroiu, S. D. Gribble, and H. M. Levy, Measurement and Analysis of Spyware Infections in a University Environment, in Proc. of the 1st USENIX/ACM Symp. on Networked Systems Design and Implementation (NSDI), [SR01] Windows XP System Restore,

5 Internet User Machine Security Vulnerabilities Software Auto- Update Incorrect Security Settings User Consent Border Gates Persistent State \Run key Startup Folder Unknown ASEP BHO LSP Drivers Middle Gates (ASEPs) Volatile State P4 CreateProcess P3 P2 LoadLibrary Processes Just-in-time Gates P1 DLLs Figure 1. Gates View of Windows: (1) Border Gates are the entrance points for program files from the Internet to get on user machines. User Consent includes explicit consent to install, for example, a freeware program, and implicit consent to allow spyware programs bundled with the freeware to get installed as well. Incorrect Security Settings include the Low setting for Internet Zone security, incorrect entries in the Trusted Sites list, and incorrect entries in the Trusted Publishers list, which would allow drive-by downloads. (2) Middle Gates are the ASEPs that allow programs to survive reboots and maximize their chance of running all the time. BHO stands for Browser Helper Object. LSP stands for Layered Service Provider. (3) Just-in-time Gates control the instantiation of program files into active running program instances. They include CreateProcess, LoadLibrary, and other program execution mechanisms, and can be used to block any potentially harmful programs if they are not on the known-good list

6 Known-* Signatures & Descriptions Database Signature-based Detection, Lookup, & Removal Section 3 ASEP-based Auditing, Alerting, & Blocking ASEP Discovery Through Trace Analysis ASEP Discovery Through Troubleshooting Section 5 Install Freeware Infected Cleaned-up Cleaned-up Bundle Tracing Behavior Monitoring For Credit Report Generation Bundle Management & Removal Section 4 Section 4 Figure 2. The Spyware Management Life Cycle and Problem Decomposition: see descriptions in Section

7 (7), (13),(17), (18) (1), (2), (4), (9), (11), (14), (16) (5), (6), (19), (20) Boot Log-in Start Explorer Start Browser Browsing Actions Scheduled Actions Winlogon\UserInit Winlogon\Shell, etc. (3), (8), (10), (12), (15) Scheduled tasks Screensaver, etc. (1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (3) HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar (4) HKCU\Software\Microsoft\Windows\CurrentVersion\Run (5) HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant (6) HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch (7) HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries (8) HKCR\PROTOCOLS\Name-Space Handler (9) %ALLUSERSPROFILE%\Start Menu\Programs\Startup (10) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page (11) %USERPROFILE%\Start Menu\Programs\Startup (12) HKCR\PROTOCOLS\Filter\text/html (13) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (14) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (15) HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (16) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (17) HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries (18) HKLM\SYSTEM\CurrentControlSet\Services (19) HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page (20) HKCU\Software\Microsoft\Internet Explorer\Main\Search Page Figure 3. Known Spyware-Hooked ASEPs and Their Execution Stages: Search and Start Page-related entries are considered as micro-aseps ; their hooks are in the form of URLs, not executable filenames

8 60 Number of Spyware Hooks to Each ASEP Browser Helper Objects Run IE Toolbar Run (User) IE SearchAssistant IE CustomizeSearch Protocol_Catalog Name-Space Handler Startup Folder IE Start Page (User) Startup Folder (User) Auto-Start Extensibility Point (ASEP) Protocols Filter Winlogon notification RunOnce (User) IE Start Page RunOnce NameSpace_Catalog Services/Drivers IE Search Page IE Search Page (User) Figure 4. Distribution of Spyware ASEP Hooks: ASEPs are sorted by popularity

9 30 25 Number of Spyware Number of ASEP Hooks per Spyware Figure 5. Number of ASEP Hooks Used by Each Spyware

10 Figure 6. ASEP Hooking Alerts: one freeware screensaver (the bottom alert) bundling two spyware programs, each hooking two ASEPs (the other four alerts)

11 Bundle Name = DivX Pro Codec Adware Divx Player DivX Pro Codec Adware Divx Player ARP ASEP GMESys HKLM Run hook GStartup Explorer Sartup Folder DivxPro511Adaware.exe Gain_Trickler.exe Gain_trickler_3202.exe Pdpsetup4006.exe DesktopDestroyer.exe Exact.exe GLB5.tmp GLJ7.tmp Rundll32.exe bb.exe I244DE~1.SCR Screensaver hook Bargains Explorer Run hook exacttoolbar.dll IE Toolbar hook ASEP URL Catcher (apuc.dll) Explorer BHO hook exacttoolbar.dll Explorer BHO hook Desktop Destroyer FREE exact Search Bar Bargain Buddy ARP Bundle Name = Desktop Destroyer FREE exact Search Bar Bargain Buddy Figure 7. DivX and Desktop Destroyer Bundle Tracing: solid arrows represent creating child processes; dashed arrows represents creating ARP entries; dotted arrows represents creating ASEP hooks. Each process tree defines the scope of the bundle, named by concatenation of ARP friendly names

12 Figure 8. Extensibility Point-Add/Remove Programs (EP-ARP): the DivX Pro Codec Adware DivX Player bundle includes two ASEP hooks GMT.exe and CMESys.exe that came from Gator. The Desktop Destroyer FREE exact Search Bar Bargain Buddy bundle includes five ASEP hooks. Clicking on the Restore button at the bottom can roll back the system and remove the two bundles

13 :33:45 explorer.exe: RegQueryValue HKCR\Network\SharingHandler\(DEFAULT) return ntshrui.dll :33:45 explorer.exe: LoadLibrary \WINDOWS\system32\ntshrui.dll :33:49 explorer.exe: RegEnumerateValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray return {35CEC8A3-2BE6-11D E } :33:49 explorer.exe: RegQueryValue HKCR\CLSID\{35CEC8A3-2BE6-11D E }\InprocServer32\(DEFAULT) return C:\WINDOWS\System32\stobject.dll :33:49 explorer.exe: LoadLibrary \WINDOWS\system32\stobject.dll Figure 9. ASEP Discovery through Trace Analysis: HKCR\Network\SharingHandler\(DEFAULT) and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray are identified as ASEPs; HKCR\CLSID\{35CEC8A3-2BE6-11D E }\InprocServer32\(DEFAULT) is an EP, but not necessary an ASEP, although it becomes a secondary ASEP on this machine due to its connection with a primary ASEP

14 (a) After installing SpeedBit, a new process DAP.exe was started and the browser process IEXPLORE.EXE was loading four newly updated DLL files from the installation (highlighted rows in the lower pane)

15 (b) After disabling all new ASEP hooks from Gatekeeper and reboot, IEXPLORE.EXE was still loading two new DLLs. Searching the Registry using the filename DAPIE.DLL revealed that SpeedBit was hooking an additional ASEP under HKCR\PROTOCOLS\Name-Space Handler, which has since been added to the ASEP list monitored by Gatekeeper. Figure 10. Windows Task Manager Extension for ASEP Discovery: the approximate update timestamps are extracted from the System Restore file change log; the patch numbers are extracted from local patch meta-data; the highlighted entries involve changes within the past week