Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management




Yi-Min Wang, Roussi Roussev, Chad Verbowski, and Aaron Johnson
Microsoft Research, Redmond, Washington

Extended Abstract

1. Introduction

Spyware is a generic term referring to a class of software programs that track computer users' behavior for marketing purposes. In addition to privacy issues, spyware often annoys users by popping up windows with advertisements, changing the browser's start page, search page, and bookmark settings, installing unwanted toolbars, etc. Some spyware causes a significant increase in reboot time. Reliability data show that spyware accounts for a large percentage of the overall crash reports. Saroiu et al. [SGL04] pointed out security problems caused by vulnerabilities in spyware programs. A recent study based on scanning over one million machines showed the alarming prevalence of spyware: an average of almost 28 spyware programs are running on each computer [E04].

Current anti-spyware solutions [A, S] are based on the signature approach used by anti-virus software: each spyware installation is investigated to determine its file and Registry signatures for use by scanner software to later detect instances of the spyware. This approach has several problems. First, many spyware programs may be considered legitimate in the following sense: their companies sponsor popular freeware to leverage their installation bases; since users agree to an End User Licensing Agreement when they install freeware, removing the bundled spyware may violate this agreement. In many cases, the freeware refuses to run if its bundled spyware is removed. Second, spyware programs are full-fledged applications that are generally much more powerful than the average virus [C04], making it easy for them to have sophisticated behaviors for defeating signature-based detection; observed behaviors include self-healing, non-deterministic latent installation, morphing filenames, etc. Third, spyware may contain common library files that non-spyware applications use. If care is not taken to remove these files from the spyware signatures, scanners using these signatures will break non-spyware applications. Finally, popular spyware removal programs are commonly invoked on demand or periodically, long after the spyware installation, allowing it to collect private information; a monitoring service that catches spyware at installation time is essential to reduce exposure.

We propose a new solution that complements the signature-based approach. Our work is based on the observation that spyware is designed to infect a system in one of two ways: as a standalone application that is automatically run by registering as an OS auto-start extension such as an NT service, a tray icon in Windows, or a Unix daemon/cron job; or as an extension to an existing application that is either automatically run (such as the shell in Windows), or popular and commonly run by users (such as a Web browser). We call the configuration points that allow these extensions Auto-Start Extensibility Points (ASEPs); they are critical gates (see Figure 1) that allow programs to enter and essentially become part of the machine. Our Gatekeeper solution identifies and monitors these gates and exposes all the hooks to ASEPs in a way that is as user-friendly as possible to allow effective management of spyware.

2. Problem Formulation and Decomposition

Figure 2 illustrates the life cycle of the spyware management process and provides a problem decomposition that enables us to reason about this problem systematically. (1) Given a machine infected with spyware, we first use a known-bad signature database and a signature-based scanner / removal tool (such as SpyBot) to remove existing spyware. (2) We continuously monitor all ASEPs by recording, alerting on, and blocking potentially harmful ASEP hooking operations. It is essential that the signature database includes user-friendly descriptions of known-good [G03, NSRL, PP] and known-bad ASEP hooks to enable presentation of actionable information to the user. If the user decides to install a freeware application after assessing the risks of bundled spyware, (3) bundle tracing captures all components installed by the freeware and displays them in Gatekeeper as a group with a user-friendly name, enabling the user to manage and remove them as a unit. (4) We monitor the performance and reliability of the system since the freeware / spyware installation and associate any problems with the responsible component(s).
These credit reports provide the user with a price tag for the freeware functionality, enabling the user to make value/cost judgments about the freeware. Finally, our solution's effectiveness is directly related to ASEP list completeness. (5) We discover the ASEPs of the OS and of popular, frequently run software by analyzing indirection patterns in file and Registry traces. Another technique is to scan the volatile state of a known infected machine to identify the spyware executable and then use this as an index in a reverse lookup scan of the machine configuration to identify new ASEPs. In this paper, we will focus on (2), (3), and (5).

3. ASEP Monitoring

Figure 3 shows 20 ASEPs hooked by at least one of the 67 spyware programs we have tested, indicating when the OS / application starts them. Figure 4 shows the number of spyware hooks to each of the 20 ASEPs. (Note that ASEP #18 includes drivers.) Browser Helper Objects (BHOs) and the system-wide Run key are the two most popular ASEPs. Figure 5 shows that most spyware hooks only one ASEP, but some hook as many as 8 or 10. Hooking multiple ASEPs typically causes significant performance degradation.

Each new ASEP hook generates an optional notification sent to the user, or forwarded to an enterprise management system for processing. Figure 6 shows a screenshot of a user notification alert. During the installation of a freeware screensaver, the user is notified of five new ASEP hooks. The Screen Saver hook alert is obviously expected. Searching the Signatures and Descriptions Database with the information from the other four alerts (by clicking on the alerts) reveals that they belong to exact Search Bar and Bargain Buddy. Based on the information provided for these two pieces of software and the benefit provided by the screensaver, the user can then make an informed decision about whether to keep this bundle. A blocking option is also provided to allow system administrators to, for example, enable Run key hooking but disable BHO hooking.

4. Bundle Management

Currently, when a user installs freeware and its bundled spyware and later decides to uninstall the freeware, the spyware often remains running on the machine, collecting private information without the end user's awareness or consent. Gatekeeper uses a technique called bundle tracing to expose this unfair practice. Figure 7 demonstrates bundle tracing in the presence of concurrent installations of two bundles: the DivX bundle and the Desktop Destroyer (DD) bundle. ASEP hooks and Add/Remove Programs (ARP) entries created by processes belonging to the same process tree are grouped together as one bundle. The concatenation of the ARP Display Names is used as the bundle name. For example, six processes with parent-child relationships are involved in the installation of the DD bundle. They together created five ASEP hooks and three ARP entries.
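The grouping rule just described (hooks and ARP entries attributed to the process tree that created them, bundle named by concatenating the ARP display names) is shown below as an added example; it is not Gatekeeper's code. The process, hook and ARP names are those of Figure 7, but the parent-child edges, the process ids and the interleaving of the two installations are constructed, as is the third, ARP-less installer added to show the "no ARP owner" case from Section 4.

```python
"""Bundle tracing over an installation event stream (Section 4, Figure 7).
Added example, not Gatekeeper's code. Event kinds:
  ("process", pid, ppid, image)   child process created
  ("arp", pid, display_name)      Add/Remove Programs entry created by pid
  ("asep", pid, asep, hook)       ASEP hook created by pid
Only installer processes are traced; the parent of a tree root (ppid 1 here)
is outside the trace, so the two concurrent installations stay separate."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Bundle:
    root: str                                   # image name of the tree root
    processes: List[str] = field(default_factory=list)
    arp_entries: List[str] = field(default_factory=list)
    asep_hooks: List[Tuple[str, str]] = field(default_factory=list)  # (ASEP, hook)

    @property
    def name(self) -> str:
        # Bundle name = concatenation of ARP display names; a tree that hooked
        # ASEPs without registering any ARP entry is named conspicuously.
        return " ".join(self.arp_entries) or f"<no ARP owner: {self.root}>"


# Constructed interleaving of the DivX and Desktop Destroyer installations
# (pids, ppids and tree edges are made up; names are from Figure 7).
EVENTS = [
    ("process", 300, 1, "DivxPro511Adaware.exe"),
    ("process", 400, 1, "DesktopDestroyer.exe"),
    ("process", 301, 300, "Gain_Trickler.exe"),
    ("arp", 300, "DivX Pro Codec Adware"),
    ("process", 401, 400, "Exact.exe"),
    ("process", 302, 301, "Gain_trickler_3202.exe"),
    ("arp", 400, "Desktop Destroyer FREE"),
    ("asep", 400, "Screensaver", "I244DE~1.SCR"),
    ("process", 402, 401, "GLB5.tmp"),
    ("process", 303, 300, "Pdpsetup4006.exe"),
    ("asep", 302, "HKLM Run", "GMESys"),
    ("process", 403, 401, "GLJ7.tmp"),
    ("asep", 402, "IE Toolbar", "exacttoolbar.dll"),
    ("asep", 402, "Explorer BHO", "exacttoolbar.dll"),
    ("arp", 401, "exact Search Bar"),
    ("asep", 303, "Explorer Startup Folder", "GStartup"),
    ("arp", 303, "Divx Player"),
    ("process", 404, 403, "Rundll32.exe"),
    ("asep", 404, "Explorer BHO", "ASEP URL Catcher (apuc.dll)"),
    ("process", 405, 400, "bb.exe"),
    ("arp", 405, "Bargain Buddy"),
    ("asep", 405, "Explorer Run", "Bargains"),
    # constructed: an installer that hooks an ASEP but registers no ARP entry
    ("process", 500, 1, "unknown_setup.exe"),
    ("asep", 500, "HKCU Run", "hidden_updater.exe"),
]


def trace_bundles(events) -> Dict[str, Bundle]:
    """Group every ARP entry and ASEP hook under the root of its process tree."""
    parent: Dict[int, int] = {}   # pid -> ppid, for traced processes only
    image: Dict[int, str] = {}
    bundles: Dict[int, Bundle] = {}   # root pid -> Bundle

    def root_of(pid: int) -> int:
        # climb while the parent was itself a traced (installer) process
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    for ev in events:
        kind = ev[0]
        if kind == "process":
            _, pid, ppid, img = ev
            parent[pid], image[pid] = ppid, img
            root = root_of(pid)
            bundles.setdefault(root, Bundle(root=image[root])).processes.append(img)
        elif kind == "arp":
            _, pid, display = ev
            bundles[root_of(pid)].arp_entries.append(display)
        elif kind == "asep":
            _, pid, asep, hook = ev
            bundles[root_of(pid)].asep_hooks.append((asep, hook))
    return {b.name: b for b in bundles.values()}


def orphan_hooks(bundles: Dict[str, Bundle]) -> List[Tuple[str, str]]:
    """ASEP hooks whose process tree registered no ARP entry (no ARP owner)."""
    return [hook for b in bundles.values() if not b.arp_entries for hook in b.asep_hooks]


if __name__ == "__main__":
    for name, b in trace_bundles(EVENTS).items():
        print(f"{name}: {len(b.processes)} processes, "
              f"{len(b.arp_entries)} ARP entries, {len(b.asep_hooks)} ASEP hooks")
```

Disabling a bundle in this model means reverting every hook in `asep_hooks` as a unit, which is exactly what leaves the DD files on disk but stops the three programs from auto-starting; the `orphan_hooks` list is the set Section 4 says should be disabled unless it is known-good.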
Figure 8 shows Gatekeeper displaying bundle information through a new Manage Auto-Start Programs applet in the Control Panel ARP interface (called EP-ARP). It scans all ASEPs and displays the current hooks by bundle. The user can sort by install time to highlight newly installed bundles. It also provides three options for bundle removal/disabling. For example, the bundle name clearly shows that exact Search Bar and Bargain Buddy have been installed as part of the DD bundle. If the user wants to remove DD, she can click the Disable Bundle button and reboot the machine. This removes all five ASEP hooks, stopping the three bundled programs from automatically starting, despite their files remaining on the machine. Alternatively, the user can look for the three ARP names in the regular ARP page and invoke their respective removal programs there. Since it is not uncommon for spyware to provide unreliable ARP removal programs, the user can double-check EP-ARP to make sure that none of the ASEP hooks is left over after ARP removals. Gatekeeper also integrates with System Restore, as shown at the bottom of Figure 8. If both removal options fail, the user can click on the Restore button to roll back the machine configuration to a checkpoint taken before the bundle was installed. We have observed that some ASEP hooks have no ARP owners; if they are not known-good, they are most likely devious or deceptive software that should be disabled.

5. ASEP Discovery

By definition, programs that get started through EPs must have their filenames returned as query results from some file or Registry locations, instead of being hard-wired into the launching program code. To compile our list of ASEPs, we combined a white-box approach of documenting well-known EPs (such as those scanned by Autoruns [AR04] or found in OS and application specifications) with a black-box approach of identifying indirection patterns for obtaining executable filenames by analyzing file/Registry traces (see Figure 9 for a few examples), and troubleshooting newly discovered spyware with a Windows Task Manager Extension. Figure 10 shows an example of how this tool helps discover a new ASEP by scanning all modules loaded by each process, incorporating file-update timestamp information from the System Restore file change log to highlight the most recent changes, and searching various local meta-data stores (e.g., patch histories) to try to filter out files updated by known-good sources.

References

[A] Ad-aware, http://www.lavasoft.de/ms/index.htm.
[AR04] Autoruns, http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml.
[C04] Spyware cures may cause more harm than good, http://news.com.com/2100-1032-5153485.html, Feb. 2004.
[E04] EarthLink finds rampant spyware, Trojans, InfoWorld, April 15, 2004, http://www.infoworld.com/article/04/04/15/hnearthspyware_1.html.
[G03] Simson L. Garfinkel, A Web Service for File Fingerprints: The Goods, the Bads, and the Unknowns, http://www.simson.net/clips/2003.15_972.finalpaper.pdf.
[NSRL] National Software Reference Library (NSRL) Project Web Site, http://www.nsrl.nist.gov/.
[PP] Pest Patrol, http://research.pestpatrol.com.
[S] Spybot, http://www.safer-networking.org/microsoft.en.html.
[SGL04] S. Saroiu, S. D. Gribble, and H. M. Levy, Measurement and Analysis of Spyware Infections in a University Environment, in Proc. of the 1st USENIX/ACM Symp. on Networked Systems Design and Implementation (NSDI), 2004.
[SR01] Windows XP System Restore, http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnwxp/html/windowsxpsystemrestore.asp.

[Figure 1 diagram. Border Gates between the Internet and the User Machine: Security Vulnerabilities, Software Auto-Update, Incorrect Security Settings, User Consent. Middle Gates (ASEPs), Persistent State: \Run key, Startup Folder, BHO, LSP, Drivers, Unknown ASEP. Just-in-time Gates, Volatile State: CreateProcess and LoadLibrary instantiating Processes (P1-P4) and DLLs.]

Figure 1. Gates View of Windows: (1) Border Gates are the entrance points for program files from the Internet to get on user machines. User Consent includes explicit consent to install, for example, a freeware program, and implicit consent to allow spyware programs bundled with the freeware to get installed as well. Incorrect Security Settings include the Low setting for Internet Zone security, incorrect entries in the Trusted Sites list, and incorrect entries in the Trusted Publishers list, which would allow drive-by downloads. (2) Middle Gates are the ASEPs that allow programs to survive reboots and maximize their chance of running all the time. BHO stands for Browser Helper Object. LSP stands for Layered Service Provider. (3) Just-in-time Gates control the instantiation of program files into active running program instances. They include CreateProcess, LoadLibrary, and other program execution mechanisms, and can be used to block any potentially harmful programs if they are not on the known-good list.

[Figure 2 diagram. Known-* Signatures & Descriptions Database feeding Signature-based Detection, Lookup, & Removal; ASEP-based Auditing, Alerting, & Blocking (Section 3); ASEP Discovery Through Trace Analysis and ASEP Discovery Through Troubleshooting (Section 5); Install Freeware; machine states Infected and Cleaned-up; Bundle Tracing, Behavior Monitoring For Credit Report Generation, and Bundle Management & Removal (Section 4).]

Figure 2. The Spyware Management Life Cycle and Problem Decomposition: see descriptions in Section 2.

[Figure 3 diagram. Execution stages, left to right: Boot; Log-in (Winlogon\UserInit, Winlogon\Shell, etc.); Start Explorer; Start Browser; Browsing Actions; Scheduled Actions (scheduled tasks, screensaver, etc.). ASEPs are drawn in four groups: (7), (13), (17), (18); (1), (2), (4), (9), (11), (14), (16); (3), (8), (10), (12), (15); (5), (6), (19), (20).]

(1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(3) HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
(4) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(5) HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
(6) HKLM\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
(7) HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
(8) HKCR\PROTOCOLS\Name-Space Handler
(9) %ALLUSERSPROFILE%\Start Menu\Programs\Startup
(10) HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
(11) %USERPROFILE%\Start Menu\Programs\Startup
(12) HKCR\PROTOCOLS\Filter\text/html
(13) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
(14) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
(15) HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page
(16) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(17) HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
(18) HKLM\SYSTEM\CurrentControlSet\Services
(19) HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page
(20) HKCU\Software\Microsoft\Internet Explorer\Main\Search Page

Figure 3. Known Spyware-Hooked ASEPs and Their Execution Stages: Search and Start Page-related entries are considered "micro-ASEPs"; their hooks are in the form of URLs, not executable filenames.
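The monitoring step of Section 3 (record every new hook, alert on those that are not known-good, and let an administrator block hooking of some ASEPs while allowing others) is shown below as an added example over the ASEP locations of Figure 3. It is not Gatekeeper's code: the baseline and snapshot of hooks, the known-good / known-bad signature database and the per-ASEP policy are all constructed, and the `Hook` data field is assumed to already hold the resolved file path (Gatekeeper's BHO entries are CLSIDs that resolve to a DLL).

```python
"""ASEP monitoring: diff a hook snapshot against a baseline, drop known-good
entries, and apply a per-ASEP policy (Section 3). Added example, not
Gatekeeper's code; all hook data, signatures and the policy are constructed.
ASEP locations are taken from Figure 3."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

BHO = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICES = r"HKLM\SYSTEM\CurrentControlSet\Services"


@dataclass(frozen=True)
class Hook:
    asep: str   # ASEP location (Registry key or folder)
    name: str   # value name, CLSID or file name under that location
    data: str   # resolved executable/DLL path (or a URL for micro-ASEPs)


@dataclass(frozen=True)
class Alert:
    hook: Hook
    action: str        # "record", "alert" or "block"
    description: str   # from the signatures database, or "unknown"


# Constructed policy: the text's example of allowing Run-key hooking but
# blocking BHO hooking. ASEPs not listed default to "alert".
POLICY: Dict[str, str] = {RUN_HKLM: "alert", RUN_HKCU: "alert", BHO: "block", SERVICES: "alert"}

# Constructed known-* signature database keyed by (ASEP, lowercased hook data).
KNOWN_GOOD: Dict[Tuple[str, str], str] = {
    (RUN_HKLM, r"c:\windows\system32\ctfmon.exe"): "known-good: Windows text input services",
    (SERVICES, r"c:\windows\system32\svchost.exe"): "known-good: Windows service host",
}
KNOWN_BAD: Dict[Tuple[str, str], str] = {
    (BHO, r"c:\program files\exact\exacttoolbar.dll"): "known-bad: exact Search Bar toolbar",
}

# Constructed baseline (checkpoint taken before an installation) and later snapshot.
BASELINE: FrozenSet[Hook] = frozenset({
    Hook(RUN_HKLM, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    Hook(SERVICES, "Dhcp", r"C:\WINDOWS\system32\svchost.exe"),
})
SNAPSHOT: FrozenSet[Hook] = BASELINE | {
    Hook(RUN_HKLM, "Bargains", r"C:\Program Files\Bargain Buddy\bb.exe"),
    Hook(BHO, "{constructed-clsid-0001}", r"C:\Program Files\exact\exacttoolbar.dll"),
    Hook(SERVICES, "Themes", r"C:\WINDOWS\system32\svchost.exe"),
}


def audit(baseline: FrozenSet[Hook], snapshot: FrozenSet[Hook],
          policy: Dict[str, str] = POLICY) -> List[Alert]:
    """Classify every hook present in snapshot but not in baseline."""
    alerts = []
    for h in sorted(snapshot - baseline, key=lambda h: (h.asep, h.name)):
        sig = (h.asep, h.data.lower())
        if sig in KNOWN_GOOD:
            # known-good hooks are recorded for the audit trail but not alerted
            alerts.append(Alert(h, "record", KNOWN_GOOD[sig]))
            continue
        # everything else follows the administrator's per-ASEP policy; the
        # description lets the user look the hook up, as in Figure 6
        desc = KNOWN_BAD.get(sig, "unknown: no signature, check its bundle")
        alerts.append(Alert(h, policy.get(h.asep, "alert"), desc))
    return alerts


def hooks_to_revert(alerts: List[Alert]) -> List[Hook]:
    """Hooks the blocking option would undo before the program ever auto-starts."""
    return [a.hook for a in alerts if a.action == "block"]


if __name__ == "__main__":
    for a in audit(BASELINE, SNAPSHOT):
        print(f"{a.action:6} {a.hook.asep}\\{a.hook.name} -> {a.hook.data} ({a.description})")
```

The baseline/snapshot diff is deliberately keyed on the full `Hook` tuple, so a changed data value under an existing name (a morphed filename, one of the evasion behaviors listed in the Introduction) surfaces as a new hook rather than disappearing into the baseline.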

[Figure 4 bar chart. Y-axis: Number of Spyware Hooks to Each ASEP (0 to 60). X-axis: Auto-Start Extensibility Point (ASEP), left to right: Browser Helper Objects, Run, IE Toolbar, Run (User), IE SearchAssistant, IE CustomizeSearch, Protocol_Catalog, Name-Space Handler, Startup Folder, IE Start Page (User), Startup Folder (User), Protocols Filter, Winlogon notification, RunOnce (User), IE Start Page, RunOnce, NameSpace_Catalog, Services/Drivers, IE Search Page, IE Search Page (User).]

Figure 4. Distribution of Spyware ASEP Hooks: ASEPs are sorted by popularity.

[Figure 5 bar chart. X-axis: Number of ASEP Hooks per Spyware (0 to 10). Y-axis: Number of Spyware (0 to 30).]

Figure 5. Number of ASEP Hooks Used by Each Spyware.

Figure 6. ASEP Hooking Alerts: one freeware screensaver (the bottom alert) bundling two spyware programs, each hooking two ASEPs (the other four alerts).

[Figure 7 diagram, two process trees.
Bundle Name = DivX Pro Codec Adware Divx Player. Processes: DivxPro511Adaware.exe, Gain_Trickler.exe, Gain_trickler_3202.exe, Pdpsetup4006.exe. ARP entries: DivX Pro Codec Adware, Divx Player. ASEP hooks: GMESys (HKLM Run hook), GStartup (Explorer Startup Folder).
Bundle Name = Desktop Destroyer FREE exact Search Bar Bargain Buddy. Processes: DesktopDestroyer.exe, Exact.exe, GLB5.tmp, GLJ7.tmp, Rundll32.exe, bb.exe. ARP entries: Desktop Destroyer FREE, exact Search Bar, Bargain Buddy. ASEP hooks: I244DE~1.SCR (Screensaver hook), Bargains (Explorer Run hook), exacttoolbar.dll (IE Toolbar hook), ASEP URL Catcher (apuc.dll) (Explorer BHO hook), exacttoolbar.dll (Explorer BHO hook).]

Figure 7. DivX and Desktop Destroyer Bundle Tracing: solid arrows represent creating child processes; dashed arrows represent creating ARP entries; dotted arrows represent creating ASEP hooks. Each process tree defines the scope of the bundle, named by concatenation of ARP friendly names.

Figure 8. Extensibility Point-Add/Remove Programs (EP-ARP): the DivX Pro Codec Adware DivX Player bundle includes two ASEP hooks, GMT.exe and CMESys.exe, that came from Gator. The Desktop Destroyer FREE exact Search Bar Bargain Buddy bundle includes five ASEP hooks. Clicking on the Restore button at the bottom can roll back the system and remove the two bundles.

2004-04-22 16:33:45 explorer.exe: RegQueryValue HKCR\Network\SharingHandler\(DEFAULT) return ntshrui.dll
2004-04-22 16:33:45 explorer.exe: LoadLibrary \WINDOWS\system32\ntshrui.dll
2004-04-22 16:33:49 explorer.exe: RegEnumerateValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray return {35CEC8A3-2BE6-11D2-8773-92E220524153}
2004-04-22 16:33:49 explorer.exe: RegQueryValue HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(DEFAULT) return C:\WINDOWS\System32\stobject.dll
2004-04-22 16:33:49 explorer.exe: LoadLibrary \WINDOWS\system32\stobject.dll

Figure 9. ASEP Discovery through Trace Analysis: HKCR\Network\SharingHandler\(DEFAULT) and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray are identified as ASEPs; HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(DEFAULT) is an EP, but not necessarily an ASEP, although it becomes a secondary ASEP on this machine due to its connection with a primary ASEP.
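The black-box discovery rule of Section 5 (a Registry location whose query result is a filename that the same process then loads is an extensibility point) is worked through below over the five trace lines of Figure 9. This is an added example, not the paper's trace-analysis tool: the line format is assumed from how Figure 9 prints it, and the primary/secondary distinction is implemented as "the EP's own key path embeds a value returned by an earlier query" (the CLSID enumerated from SysTray), which reproduces the caption's classification.

```python
"""ASEP discovery from a file/Registry trace (Section 5, Figure 9).
Added example, not Gatekeeper's code. Indirection pattern: a Registry query
returns a value, and the same process later loads a file with that name; the
queried location is then an extensibility point (EP). If the EP's key path
embeds a value returned by an earlier query (e.g. a CLSID enumerated from an
ASEP), the earlier key is the primary ASEP and this one a secondary EP.
Trace lines below are the ones shown in Figure 9; the format is assumed."""
import re
from collections import defaultdict
from typing import Dict, List

TRACE = r"""
2004-04-22 16:33:45 explorer.exe: RegQueryValue HKCR\Network\SharingHandler\(DEFAULT) return ntshrui.dll
2004-04-22 16:33:45 explorer.exe: LoadLibrary \WINDOWS\system32\ntshrui.dll
2004-04-22 16:33:49 explorer.exe: RegEnumerateValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray return {35CEC8A3-2BE6-11D2-8773-92E220524153}
2004-04-22 16:33:49 explorer.exe: RegQueryValue HKCR\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\(DEFAULT) return C:\WINDOWS\System32\stobject.dll
2004-04-22 16:33:49 explorer.exe: LoadLibrary \WINDOWS\system32\stobject.dll
"""

# "<timestamp> <process>: <op> <argument>[ return <value>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>\S+): "
    r"(?P<op>\w+) (?P<arg>.+?)(?: return (?P<ret>.+))?$")

QUERY_OPS = {"RegQueryValue", "RegEnumerateValue"}
LOAD_OPS = {"LoadLibrary", "CreateProcess"}   # just-in-time gates of Figure 1


def parse_trace(text: str) -> List[dict]:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed trace line: {line!r}")
        events.append(m.groupdict())
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def discover_eps(events: List[dict]) -> Dict[str, str]:
    """Return {Registry location: 'primary ASEP' | 'secondary EP'}."""
    queries = defaultdict(list)   # process -> [(key, returned value)] seen so far
    result: Dict[str, str] = {}
    for ev in events:
        proc, op = ev["proc"], ev["op"]
        if op in QUERY_OPS and ev["ret"]:
            queries[proc].append((ev["arg"], ev["ret"]))
        elif op in LOAD_OPS:
            loaded = basename(ev["arg"])
            for key, ret in queries[proc]:
                if basename(ret) != loaded:
                    continue   # this query did not yield the loaded file
                # does an earlier query's result appear as a path component of
                # this key? then that earlier location is the real ASEP
                upstream = [k for k, r in queries[proc]
                            if k != key and f"\\{r.lower()}\\" in key.lower()]
                if upstream:
                    result[key] = "secondary EP"
                    for k in upstream:
                        result[k] = "primary ASEP"
                else:
                    result.setdefault(key, "primary ASEP")
    return result


if __name__ == "__main__":
    for key, kind in discover_eps(parse_trace(TRACE)).items():
        print(f"{kind:13} {key}")
```

Matching on the file's base name rather than the full path is what lets the `ntshrui.dll` value (no directory) pair with the `\WINDOWS\system32\ntshrui.dll` load; on a real trace the same loop would flag every location an application consults for an executable name, which is the list Section 5 wants to make complete.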

(a) After installing SpeedBit, a new process DAP.exe was started and the browser process IEXPLORE.EXE was loading four newly updated DLL files from the installation (highlighted rows in the lower pane).

(b) After disabling all new ASEP hooks from Gatekeeper and rebooting, IEXPLORE.EXE was still loading two new DLLs. Searching the Registry using the filename DAPIE.DLL revealed that SpeedBit was hooking an additional ASEP under HKCR\PROTOCOLS\Name-Space Handler, which has since been added to the ASEP list monitored by Gatekeeper.

Figure 10. Windows Task Manager Extension for ASEP Discovery: the approximate update timestamps are extracted from the System Restore file change log; the patch numbers are extracted from local patch meta-data; the highlighted entries involve changes within the past week.