Spyware Analysis. jan.monsch@csnc.ch. Security Event - April 28, 2004 Page 1



Similar documents
Guideline for Prevention of Spyware and other Potentially Unwanted Software

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Spyware Doctor Enterprise Technical Data Sheet

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Spyware. Summary. Overview of Spyware. Who Is Spying?

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Computer Viruses: How to Avoid Infection

How to easily clean an infected computer (Malware Removal Guide)

Countermeasures against Spyware

Online Payments Threats

How Spyware and Anti-Spyware Work

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

PLATO Learning Environment System and Configuration Requirements. for workstations. April 14, 2008

Introduction to Computer Security Table of Contents

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Computer Security: Best Practices for Home Computing. Presented by Student Help Desk Merced Community College

System Administration Training Guide. S100 Installation and Site Management

Host-based Intrusion Prevention System (HIPS)

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

Section 12 MUST BE COMPLETED BY: 4/22

Locking down a Hitachi ID Suite server

Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08

Tracking Anti-Malware Protection 2015

Basic PC Maintenance. Instructors. Action Center

AND SERVER SECURITY

AND SERVER SECURITY

RightNow November 09 Workstation Specifications

System Management. What are my options for deploying System Management on remote computers?

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Secure Your Mobile Workplace

The Value of Physical Memory for Incident Response

Firewalls and Software Updates

How To Understand The History Of The Web (Web)

Welcome to Part 2 of the online course, Spyware and Adware What s in Your Computer?

FortiClient dialup-client configurations

F-Secure Messaging Security Gateway. Deployment Guide

PLATO Learning Environment System and Configuration Requirements for workstations. October 27th, 2008

Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses

Avira Endpoint and Security. HowTo

Get Started Guide - PC Tools Internet Security

Malware, Spyware, Adware, Viruses. Gracie White, Scott Black Information Technology Services

Sophos for Microsoft SharePoint startup guide

Computer Security. Uses Zip disks that hold up to 750 MB of data. Must buy and hook up the drive.

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

PLATO Learning Environment 2.0 System and Configuration Requirements. Dec 1, 2009

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

Core Protection for Virtual Machines 1

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Chapter 12: Windows XP, Vista, and 7

Symantec Mail Security for Microsoft Exchange

Brazosport College VPN Connection Installation and Setup Instructions. Draft 2 March 24, 2005

Symantec Endpoint Protection Small Business Edition Getting Started Guide

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

BROWSER AND SYSTEM REQUIREMENTS

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

ADMINISTRATOR'S GUIDE

COMPUTER-INTERNET SECURITY. How am I vulnerable?

System Planning, Deployment, and Best Practices Guide

Symantec AntiVirus Enterprise Edition

Windows 7, Enterprise Desktop Support Technician

Release Notes for Websense Security v7.2

Attacks from the Inside

Release Version 4.1 The 2X Software Server Based Computing Guide

HoneyBOT User Guide A Windows based honeypot solution

USER GUIDE: MaaS360 Services

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

Threats to Online Banking

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

AN OVERVIEW OF VULNERABILITY SCANNERS

Customer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.

The Education Fellowship Finance Centralisation IT Security Strategy

Symantec Endpoint Protection Small Business Edition Installation and Administration Guide

Frequent Smart Updates: Used to detect and guard against new infections as well as adding enhancements to Spyware Doctor.

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

Airtel PC Secure Trouble Shooting Guide

Cox Business Premium Security Service FAQs

Symantec Protection for SharePoint Servers Implementation Guide

F-Secure Anti-Virus for Mac. User's Guide

White Paper Secure Reverse Proxy Server and Web Application Firewall

Remote Deposit Capture Installation Guide

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Avira Small Business Security Suite. HowTo

Using a Firewall General Configuration Guide

Juniper NetScreen IPSec Dial Client. Installation Guide for Windows 2000 Windows XP Windows Vista

Transcription:

Spyware Analysis jan.monsch@csnc.ch Security Event - April 28, 2004 Page 1 Content Definition & types of spyware Statistics Hooks Static vs. dynamic software analysis Test environment for spyware Analysis procedure Spyware analysis examples Dashbar/Gator igetnet Windows Update Conclusion spyware analysis Security Event - April 28, 2004 Page 2 1

Definition Spyware Spyware Is a tool or mechanism that allows the spying party to do one or a combination of the following things track the activities of a victim steal data from a victim s system modify a victim s environment Often spyware requires installation of a client-side software! Security Event - April 28, 2004 Page 3 Spyware System A spyware system consists of client agent Access to local resources, e.g. files, registry Hooks itself into other applications, e.g. keyboard controlling server Controls the agent s behavior Client Server API API Hook Spyware Agent Network Spyware Controller File Registry Security Event - April 28, 2004 Page 4 2

Types of Spyware Adware Often bundled with free software Displaying pop-ups with advertisements Adware cookies Persistent browser cookies used to uniquely identify a user for the purpose of tracking the user s surfing behavior No additional software other than the browser is required Security Event - April 28, 2004 Page 5 Types of Spyware System monitors Capture information: Email traffic, key strokes, sites visited, screen shots, A tool often run in the background Often in combination with adware or Trojans Trojan horses Packed with a useful application or in viruses Often containing a RAT (Remote Administration Tool) giving the attacker full system access Often in combination with system monitors Security Event - April 28, 2004 Page 6 3

Types of Spyware The following show spyware-like behaviors Software update Application which regularly or on request check for new versions of an application Often sending back license and configuration information to vendor License verifier Applications that contact the sever to verify the license status Often found in very expensive applications Security Event - April 28, 2004 Page 7 Types of Spyware The line between these different types of spyware is very slim. Often a tool uses a combination of them! Some of these spy tools are commercially available for monitoring employees, children or YOU! Other spyware tools are custom made for viruses or are part of as Trojan construction kits Security Event - April 28, 2004 Page 8 4

Statistics Recent assessment by Earthlink About 1.1 Million systems have been scanned About 29.5 Million spyware objects have been identified System Monitors 0.2 Mio Trojans 0.2 Mio Adware 5.3 Mio Adware Cookies 23.8 Mio about 28 spyware objects per PC!!! Security Event - April 28, 2004 Page 9 Hooks A hook is a location in the software where additional features can be added! Intentionally provided, e.g. Application Browser Plug-ins: Flash Acrobat Reader, Crypto API other crypto libraries Newest generation of windows anti-virus products Plug-in Plug-in Created on purpose by the application that requests the feature, e.g. Debuggers, API Monitors 1 st generation anti-virus products Application API Debugger or Monitor Inject Hooks are very important for spyware writers as well as for spyware analysts! Security Event - April 28, 2004 Page 10 5

Static and Dynamic Aspects Software can be analyzed from different perspectives Static Snapshot based: Before and after a scenario Pro: Compact overview of system changes Contra: Read aspects not or minimally covered Dynamic Real-time based: Every application action Pro: Every operation visible, including reads Contra: Volume of collected material can be enormous A good mix of both makes analysis very efficient Security Event - April 28, 2004 Page 11 Test Environment for Spyware Infrastructure Disk image technologies for quick & easy environment setup Virtual PC or VMware images (best choice) Ghost or DriveImage A client system totally isolated from internal network Client must have network access via firewall only Separate network traffic monitoring client IDS when spyware is run unattended Client Network on a Hub Firewall Internet Network Monitor IDS Security Event - April 28, 2004 Page 12 6

Test Environment for Spyware Software required for analysis Virus scanner Spyware scanner Personal Firewall Network sniffer Tool for detecting file and registry changes API monitoring tools Disassembler, Debugger Security Event - April 28, 2004 Page 13 Analysis Procedure Sample analysis process Collect Spyware Distributable Spyware Runtime analysis Execute spyware in a monitored environment easy to perform currently inactive code is not detected stealth technologies may go undetected Yes Runtime Analysis More Runtime Analysis? No Code Analysis No Results Results Code analysis Disassemble spyware every action traceable time-consuming Assembler skills required Yes More Analysis? No Done Security Event - April 28, 2004 Page 14 7

Analysis Procedure Runtime 1. Isolate the spyware distributable 2. Place it on a monitored and isolated test environment 3. Create snapshots of file system and registry 4. Scan the distributable for known viruses and spyware Check findings with anti-virus vendors and spyware lists 5. Run monitoring tools At least: network sniffer Optional: additional tools for monitoring API calls, file and/or registry access 6. Execute spyware distributable 7. Create another snapshot of file system and registry 8. Scan installation for viruses and spyware 9. Analyse the results Compare the snapshots and analyse the differences Analyse the output of the monitoring tools Security Event - April 28, 2004 Page 15 Dashbar/Gator - Introduction Dashbar is an Internet Explorer browser bar which provides access to a search engine. The application is rather small: ~1MB... cute you think... Security Event - April 28, 2004 Page 16 8

Dashbar/Gator - Analysis Results Apart from its search-bar feature it contains a boot strap program to fetch an additional 5 MB of software components! Downloads the spy and ad engine in a low priority download using byte ranges. The additional software trickles in as soon as there is an open Internet connection! Used for tracking user behavior: When the user accesses a site the name s site and other information is sent to the spyware provider! As response an advertisement package is returned. Uses proprietary content encryption protocols from transferring the ads and for storage on the disk. Security Event - April 28, 2004 Page 17 igetnet - Introduction igetnet uses Browser Helper Objects (a.k.a BHO) BHO are extensions to the Internet Explorer which in one form or another are related to support surfing activities... Deployment often by drive-by-installation Often browser weaknesses are used to do unattended installations Security Event - April 28, 2004 Page 18 9

igetnet-analysis Results Browser Helper Object (BHO) Modifies the hosts file to hijack users of certain sites to the web site of the spyware provider Downloads additional software from the spyware provider Norton Antivirus 2004 does not detect the distributable as malicious when it is placed on disk or when it is installed! detects it as spyware when a manual scan on the installation is performed! Why? Some spywares are considered as regular commercial products! Security Event - April 28, 2004 Page 19 Windows Update - Introduction Introduction Windows Update is a service from Microsoft to distribute application updates and security patches. It is part of any Windows 2000/XP installation nowadays. Since Windows 2000 SP3 Windows Update is active by default. How does it work? Windows Update uses an ActiveX component to search the system for hardware and driver configuration. This information is sent to Microsoft which in turn tells the system which patches need to be installed. Security Event - April 28, 2004 Page 20 10

Windows Update - Introduction Web application with ActiveX Security Event - April 28, 2004 Page 21 Windows Update - API Monitor API provide services for applications and other APIs Browser Several distinct APIs for different features Winsock for TCP/IP Crypto API SSL API... Wininet SSL APIs Windows Kernel Driver Hardware Security Event - April 28, 2004 Page 22 11

Windows Update - API Monitor An API monitor is a debugger Browser API Monitor Dynamically patches APIs in their process space Patch Wininet SSL APIs Patches intercept calls which in turn trigger the GUI Windows Kernel Driver Read plaintext before the traffic becomes SSL Hardware Security Event - April 28, 2004 Page 23 Windows Update - Analysis Results Users seem to be tracked SSL encrypted connection is used to Send hardware profile information to Microsoft Type of Hardware used Available drives and free disk space Receive update and patch information Fetch URLs of software download location The PID that tecchannels found during their Windows- Update analysis does not exist any more. Security Event - April 28, 2004 Page 24 12

Conclusion Spyware Analysis Conclusion Antivirus products are not reliable in detecting spyware Distribution package is often not recognized as malicious! Spyware may go undetected until the weekly spyware scan is performed! Spyware has a real chance of survival Often encrypted communication protocols (SSL or proprietary) are in use for calls home to the spyware master Content filters may be bypassed Security Event - April 28, 2004 Page 25 References Spyware and virus information SARC Symantec Anti-Virus Research Center http://www.sarc.com Spyware Guide Database http://www.spywareguide.com LURHQ http://www.lurhq.com List of known BHOs http://www.spywareinfo.com/bhos/ Spyware scanners Lavasoft Ad-aware http://www.lavasoftusa.com System snapshots Winanalysis http://www.winanalysis.com Security Event - April 28, 2004 Page 26 13

References BHO BHO Daemon http://www.spywareinfo.com/downloads/bhod/ Network sniffer Ethereal http://www.ethereal.com API Monitors Auto Debug for Windows 2.4 (commercial tool) http://www.autodebug.com Sysinternals Utilities http://www.sysinternals.com Disassembler, Debugger IDA Pro http://www.datarescue.com NuMega Driver Studio http://www.compuware.com Security Event - April 28, 2004 Page 27 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information