SPYWARE
Copyright K.Goseva-Popstojanova 2006, CS 465 Introduction to Computer Security, Slide 1
The growing problem of spyware
- Very broad definition: spyware is software that is installed without a user's informed consent and does things the user might not want done
- A growing problem that threatens stability, performance, security, and privacy
- Based on a September 2004 survey, Dell estimates that 90% of Windows PCs harbor at least one spyware program [1]
- More than 20% of PCs have some sort of spyware [4]
- Why do companies make this kind of software? Because they make money: a business worth between $500 million and $2 billion a year [Los Angeles Times, May 2005]
Classes of spyware
- Cookies & Web bugs
  - Passive form of spyware: no code of their own, they rely on Web browser functions
  - Cookies are small pieces of state stored on the client's machine; they can be retrieved only by the Web site that initially stored them
  - Web bugs are invisible images embedded in pages
- Browser hijackers
  - Change the user's Web browser settings: modify the home page, search functionality, etc.
  - Use several mechanisms:
    - Installing a browser extension (e.g., a browser helper object, BHO)
    - Modifying Windows registry entries
    - Modifying or replacing browser preference files
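Detecting the Web bugs described above, as an added example that is not part of the slides: a Python scan of a page for invisible images fetched from a third-party host. The heuristic, the host names and the sample page are constructed.

```python
"""Flag likely Web bugs (tracking pixels) in an HTML page.
Added example for the slide on cookies & Web bugs; not from the original slides.
The heuristic and the sample page are constructed: an <img> is reported when it
is invisible (1x1 or smaller, or hidden by inline CSS) and is loaded from a host
other than the page's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary image, one third-party 1x1 pixel,
# one CSS-hidden third-party image, one same-site 1x1 spacer (not a tracker).
SAMPLE_HTML = """
<html><body>
<img src="http://www.example-shop.test/logo.png" width="200" height="60">
<img src="http://tracker.example-ads.test/pixel.gif?uid=123" width="1" height="1">
<img src="http://stats.example-metrics.test/b.gif" style="display: none">
<img src="http://www.example-shop.test/spacer.gif" width="1" height="1">
</body></html>
"""

def _is_invisible(attrs):
    """True if the image is at most 1x1 or hidden through inline CSS."""
    w = (attrs.get("width") or "").strip()
    h = (attrs.get("height") or "").strip()
    tiny = w.isdigit() and h.isdigit() and int(w) <= 1 and int(h) <= 1
    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden

class WebBugFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # A relative src is served by the page's own host.
        src_host = urlparse(src).hostname or self.page_host
        if _is_invisible(a) and src_host != self.page_host:
            self.bugs.append(src)

def find_web_bugs(html, page_url):
    """Return the src URLs of images that look like third-party Web bugs."""
    finder = WebBugFinder(urlparse(page_url).hostname)
    finder.feed(html)
    return finder.bugs
```

On the sample page only the two third-party invisible images are reported; the same-site 1x1 spacer and the visible logo are not.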
Classes of spyware
- Keyloggers
  - Originally designed to record all keystrokes of users in order to find passwords, credit card numbers, and other sensitive information
  - Expanded in scope to capture logs of Web sites visited, instant messaging sessions, windows opened, and programs executed
- Tracks
  - Track is a generic name for information recorded by an operating system or application about actions performed by the user (e.g., the list of recently opened files maintained by the OS, or the list of recently visited Web sites maintained by Web browsers)
  - Tracks can be mined by spyware
Classes of spyware
- Malware
  - Trojan horses, viruses, worms, and automatic phone dialers
- Spybots
  - Monitor the user's behavior, collect logs of activity, and transmit them to third parties
  - Examples of collected information: list of visited URLs, list of e-mail addresses to be harvested as spam targets, etc.
- Adware
  - Displays advertisements tuned to the user's current activity, potentially reporting aggregate or anonymized browsing behavior to a third party
How spyware affects you & your system
- Privacy: sends information about the Web sites you visit to the spyware vendor
- Security: captures every keystroke, putting confidential information from passwords to credit card numbers at risk; spyware programs themselves have vulnerabilities which can be exploited to launch attacks
- Reduced performance: spyware uses system resources, making your system slower
- System instability: most spyware is not very well tested and debugged
Dirty spyware tricks
- Hide inside another program's installer
  - Hundreds of freeware programs install some sort of spyware along with the main application
  - Look in the end user license agreement for statements that third-party software may be installed along with the application
- Use confusing legalese
  - Licenses full of vague & confusing prose
- Keep asking until you say Yes
  - Delivered by an ActiveX control that tries to load each time you visit a Web page where the spyware is present
Dirty spyware tricks
- Create a false pretense for needing the software
  - Example: install a greeting card viewer that sends greeting cards to everyone in your address book
- Look essential or be invisible
  - Use an official-sounding name like winstartup
  - Use different file names & locations, or generate a random filename
- Do not uninstall, even when asked
  - A lot of spyware does not remove itself when you uninstall the application that originally installed it
How spyware sneaks onto your system
- Unlike viruses and worms, spyware is usually invited into a machine, albeit sometimes unwittingly
- Possible means: piggybacking on legitimate software, tricking a user into downloading it voluntarily, or exploiting browser vulnerabilities
  - Downloading software from untrustworthy sites: free versions of commercial software, P2P
  - Visiting a malicious Web page with insufficiently strict Internet Explorer security settings
  - Any other channel that can send files or Web pages (including e-mail & instant-messaging file transfers)
  - Free online games, screen savers, song-lyrics sites
Downloading software & spyware
- CNET's Web site http://download.com provides free access to over 30,000 freeware and shareware programs
- In [2], the top 10 most downloaded applications were tested for spyware using Spybot Search & Destroy
- Spyware is packed in 4 out of the 10 most downloaded applications (downloaded over 470 million times):
  - #1 Kazaa
  - #4 iMesh
  - #9 Morpheus
  - #10 Download Accelerator Plus
P2P & spyware

P2P Program   Market Share   Adware or Spyware Installed
Kazaa         10.48%         Brilliant Digital, Gator, Joltid, TopSearch
WinMX          8.74%         None
LimeWire       7.23%         None
BitTorrent     3.49%         None
Ares           2.73%         NavExcel Toolbar
Bearshare      2.58%         WhenU SaveNow, WhenU Weather
Shareaza       2.26%         None
eMule          1.99%         None
BitTornado     1.84%         None
Morpheus       1.11%         PIB Toolbar, Huntbar Toolbar, NEO Toolbar
iMesh          1.01%         Ezula, Gator

Source: http://www.pcpitstop.com/spycheck/p2p.asp
P2P & spyware
- Recently, vendors such as Overpeer have begun seeding P2P networks with rigged media files [1]
- When played, these files take advantage of a feature of the Microsoft Windows Media Player DRM (Digital Rights Management) control, which automatically connects to a Web page where the vendor's spyware is embedded
Two most common entry points for spyware [1]
- User consent when installing spyware-bundled applications
  - Many times the installer installs the spyware without clear, informed consent from the user
  - Users agree to End User License Agreements (EULAs) that describe the bundled software in vague and legalistic language
  - The EULA for Kazaa is over 5,000 words long
  - EULA statements may appear in tiny print, or in a very small window
  - Some EULAs claim the right to uninstall other (often competing) products from your computer, or disallow uninstalling the spyware once installed
- Prevention: do background research on free applications, particularly P2P file-sharing programs, before you install them
Two most common entry points for spyware [1]
- ActiveX break-ins through Internet Explorer
  - ActiveX technology provides a highly privileged interface between network programs and the local OS
- Prevention: this is why security organizations such as CERT and SANS recommend that Windows users turn to alternative browsers such as Mozilla, Firefox, or Opera, none of which run ActiveX components
Other issues with Windows OS
- Spyware vendors rely on the pervasiveness of Windows to generate revenue from advertising and data collection
- Windows users typically operate with full administrator privileges
  - Often, this is the default for Windows installations, particularly in home use
  - Although users are advised to use less privileged user accounts for day-to-day use, few do, in part because some Windows applications do not function properly when run from limited user accounts
- Neither Mac OS X nor Linux is vulnerable to existing spyware
  - However, they are large and complex systems which have their own vulnerabilities
Anti-spyware tools
- Use anti-spyware tools
  - Spybot Search & Destroy (available free and regularly updated): http://www.safer-networking.org/en/index.html
  - Lavasoft's Ad-Aware (free and commercial versions): http://www.lavasoftusa.com/
  - Microsoft AntiSpyware (free beta version; includes a scanner which finds and removes known spyware, and a protection module which remains resident and defends against new spyware installations)
- Be careful: the anti-spyware market is flooded with misleading or Trojan products
  - Examples: Ad-Eliminator and SpyBan are in fact spyware carriers themselves
Anti-spyware tools
- Signature-based detection
  - Each spyware program requires different removal procedures
  - So far, none of the anti-spyware packages is 100% effective
  - Run system scans with two or more of the popular anti-spyware programs
  - Often manual removal, which can include editing the Windows registry and deleting files, is necessary
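Signature-based detection in miniature, as an added example that is not part of the slides or of any real anti-spyware product, also illustrating the "official-sounding or random file name" trick from the Dirty spyware tricks slide: a Python scanner that hashes file contents against a constructed signature database. The sample bytes, file names and detection label are all constructed.

```python
"""Signature-based detection and why it is never 100% effective.
Added example for the slide on anti-spyware tools and for the slide on spyware
hiding under official-sounding or random file names; not from the original
slides or from any real anti-spyware product. The signature database is
constructed: it maps the SHA-256 of a known sample's bytes to a label.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for the contents of a known spyware sample.
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE: reports visited URLs to vendor\n"
def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

# Signature database: content hash -> detection name (constructed).
SIGNATURES = {sha256_of(KNOWN_SAMPLE): "Constructed.Spybot.Sample"}

def scan_directory(root, signatures=SIGNATURES):
    """Hash every file under root; return {path: name} for signature hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                digest = sha256_of(f.read())
            if digest in signatures:
                hits[path] = signatures[digest]
    return hits

def build_test_tree():
    """Write constructed files to a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sigscan-")
    files = {
        "winstartup.exe": KNOWN_SAMPLE,             # official-sounding name
        "x7q2k.dll": KNOWN_SAMPLE,                  # random name, identical bytes: still caught
        "winstartup2.exe": KNOWN_SAMPLE + b"\x00",  # one byte differs: hash unknown, missed
        "readme.txt": b"an ordinary file\n",        # benign
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

def detected_names(root):
    """Sorted base names of the files flagged under root."""
    return sorted(os.path.basename(p) for p in scan_directory(root))

if __name__ == "__main__":
    print("flagged:", detected_names(build_test_tree()))
```

The renamed copy is caught because the signature is on content, not the file name, while the copy that differs by a single byte is missed, which is the gap behind the advice to run two or more scanners and to expect manual removal.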
Law in action
- California passed the first anti-spyware law, which took effect at the start of 2005
  - It disallows several of the nastier tactics: homepage & bookmark hijacking, disabling existing security software, immortal pop-up ads
  - However, it falls short of prohibiting the most common EULA tricks: vendors are required to notify the user, but not to ask permission
- The US House Commerce Committee began considering the Spy Act in early 2005
  - Fines as high as $3 million
Solutions [1]
- Technical
  - Education & protection
  - Put users in control of what software winds up on their machines
- Legal
  - Disallow sneaky and shady installation procedures and license agreements with unreasonable demands
  - Aggressive prosecution: practices employed by many spyware programs are already illegal under existing laws against consumer fraud and identity theft
References
1. A. Weiss, "Spyware Be Gone!", netWorker, Volume 9, Issue 1, March 2005, pp. 19-25; access through the ACM Digital Library at http://www.libraries.wvu.edu/databases
2. S. Saroiu, S. D. Gribble, and H. M. Levy, "Measurement and Analysis of Spyware in a University Environment", Proceedings of the 1st ACM/USENIX Symposium on Networked Systems Design and Implementation, March 2004, pp. 141-153 (just Google it)
3. Communications of the ACM, August 2005, Volume 48, Issue 8; access through the ACM Digital Library at http://www.libraries.wvu.edu/databases
4. PC Pitstop Spyware Center, http://www.pcpitstop.com/spycheck/default.asp