MALWARE Copyright 2K.Goseva-Popstojanova 2011 CS 465 Introduction to Computer Security Slide 1

Mobile malware
- Mobile malware cases nearly triple in the first half of 2012 [PCWorld]
  - Estimate: 13 million phones infected in the first half of 2012
- NetQin findings
  - 17,676 mobile malware programs detected during 2012's first half
    - 25% China, 17% Russia, and 16.5% U.S.
  - 5,582 malware programs designed for Android during June 2012 only
  - 3.9 million phones in China infected with money-stealing malware that sends out text messages to trigger fee-based mobile services
    - $616,533 each day
- A Survey of Mobile Malware in the Wild

Mobile malware
- Apple App Store
  - Applications are reviewed by Apple for security
  - If iOS users want to install applications from other sources, then they must jailbreak their devices
- Android Market
  - Most Android phones allow users to install applications from unofficial markets
  - Android mobile OS Jelly Bean improved the system's security

SPYWARE
Copyright K. Goseva-Popstojanova 2012

The growing problem of spyware
- Very broad definition: Spyware is software that is installed without a user's informed consent and it does things the user might not want to have done
- A growing problem that threatens the stability, performance, security, and privacy
  - Based on a September 2004 survey, Dell estimates that 90% of Windows PCs harbor at least one spyware program [1]
  - More than 20% of PCs have some sort of spyware [4]
- Why do companies make this kind of software?
  - Because they make money: business between $500 million and $2 billion a year [Los Angeles Times, May 2005]

Classes of spyware
- Cookies & Web bugs
  - Passive form of spyware, no code of their own, rely on Web browser functions
  - Cookies are small pieces of state stored on clients' Web browsers. Can be retrieved only by the Web site that initially stored them.
  - Web bugs are invisible images embedded on pages.
- Browser hijackers
  - Change user's Web browser settings
  - Modify home page, search functionality, etc.
  - Use several mechanisms
    - Installing a browser extension (i.e., browser helper object BHO)
    - Modifying Windows registry entries
    - Modifying or replacing browser preference files
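
Because a web bug is just an invisible image fetched from another server, it can be spotted in the page markup. The following is an added example, not part of the original slides: it flags images that are invisible and served by a host other than the page's own. The page URL, host names and HTML are constructed sample data, and treating any different host name as a third party is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Constructed sample page (hosts and paths are made up for illustration).
PAGE_URL = "http://news.example.com/story.html"
SAMPLE_PAGE = """
<img src="/logo.png" width="200" height="60">
<img src="http://tracker.example.net/hit.gif?uid=42" width="1" height="1">
<img src="http://ads.example.org/banner.png" width="468" height="60">
<img src="http://stats.example.net/p.gif" style="display: none">
<img src="/spacer.gif" width="1" height="1">
"""

def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    v = (value or "").strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return v.isdigit() and int(v) <= 1

class WebBugFinder(HTMLParser):
    """Collects <img> tags that are invisible and fetched from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        # Resolve relative paths so same-site images are recognised as such.
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        style = (a.get("style") or "").replace(" ", "").lower()
        invisible = ((_is_tiny(a.get("width")) and _is_tiny(a.get("height")))
                     or "display:none" in style or "visibility:hidden" in style)
        # Assumption: any host other than the page's exact host is third party.
        if invisible and host is not None and host != self.page_host:
            self.findings.append(src)

def find_web_bugs(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for url in find_web_bugs(PAGE_URL, SAMPLE_PAGE):
        print("possible web bug:", url)
```

The visible third-party banner and the same-site 1x1 spacer are not reported; only the two hidden images loaded from other hosts are.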

Classes of spyware
- Keyloggers
  - Originally designed to record all keystrokes of users in order to find passwords, credit card numbers, and other sensitive information
  - Expanded in scope to capture logs of Web sites visited, instant messaging sessions, windows opened, and programs executed
- Tracks
  - A track is the generic name for information recorded by an operating system or application about actions performed by the user (e.g., list of recently visited Web sites maintained by Web browsers, or list of recently opened files maintained by the OS)
  - Tracks can be mined by spyware

Classes of spyware
- Spybots
  - Monitor user's behavior, collecting logs of activity and transmitting them to third parties
  - Examples of collected information: list of visited URLs, list of e-mail addresses to be harvested as spam targets
- Adware
  - Display advertisements tuned to the user's current activity, potentially reporting aggregate or anonymized browsing behavior to a third party

How spyware affects you & your system?
- Privacy
  - Sends information about Web sites you visit to the spyware vendor
- Security
  - Captures every keystroke, putting confidential information from passwords to credit card numbers at risk
  - Spyware programs have vulnerabilities which can be exploited to launch attacks
- Reduced performance
  - Spyware uses system resources, making your system slower
- System instability
  - Most spyware is not very well tested and debugged

Dirty spyware tricks
- Hide inside another program's installer
  - Hundreds of freeware programs install some sort of spyware along with the main application.
  - Look for "third party software may be installed along with the application" in the end user license agreement
- Using confusing legalese
  - Licenses full of vague & confusing prose
- Keep asking until you say Yes
  - Delivered by an ActiveX control that tries to load each time you visit a Web page where the spyware is present

Dirty spyware tricks
- Create a false pretense for needing the software
  - Example: Install a greeting card viewer that sends greeting cards to everyone in your address book
- Look essential or be invisible
  - Use an official-sounding name like winstartup
  - Use different file names & locations, or generate a random filename
- Do not uninstall, even when asked
  - A lot of spyware does not remove itself when you uninstall the application that originally installed the spyware

How spyware sneaks onto your system?
- Unlike viruses and worms, spyware is usually invited into a machine, albeit sometimes unwittingly
- Possible means: piggybacking on legitimate software, tricking a user into downloading them voluntarily, or exploiting browser vulnerabilities
  - downloading software from untrustworthy sites
  - free versions of commercial software
  - P2P
  - visiting a malicious Web page with insufficiently strict Internet Explorer security settings
  - any other channel that can send files or Web pages (including e-mail & instant-messaging file transfers)
  - free online games, screen savers, song-lyrics sites

Downloading software & spyware
- CNET's Web site http://download.com provides free access to over 30,000 freeware and shareware programs
- In [2] the top 10 most downloaded applications were tested for spyware using SpyBot S&D
  - Spyware is packed in 4 out of the 10 most downloaded applications (downloaded over 470 million times)

Two most common entry points for spyware
- User consent when installing spyware-bundled applications
  - Many times the installer installs the spyware without clear informed consent from the user
  - Users agree to End User License Agreements (EULAs), which describe the bundled software in vague and legalistic language
    - Often have over 5,000 words
    - EULA statements may appear in tiny print, or in a very small window
  - Prevention: Do background research on free applications before you install them
- ActiveX break-ins through Internet Explorer
  - ActiveX technology provides a highly privileged interface between network programs and the local OS

Anti-spyware tools
- Use anti-spyware tools
  - Spybot Search & Destroy (available free and regularly updated) http://www.safer-networking.org/
  - Lavasoft's Ad-Aware (free and commercial versions) http://lavasoftusa.com
  - Microsoft AntiSpyware (free beta version, includes a scanner which finds and removes known spyware, and a protection module which remains resident and defends against new spyware installations)
- Be careful: the anti-spyware market is flooded with misleading or Trojan products
  - Examples: Ad-Eliminator and SpyBan are in fact spyware carriers themselves

Anti-spyware tools
- Each spyware program requires different removal procedures
  - Signature based detection
- So far, none of the anti-spyware packages is 100% effective
  - Run system scans with two or more of the popular anti-spyware programs
- Often manual removal, which can include editing the Windows registry and deleting files, is necessary

Law in action
- California passed the first anti-spyware law, which took effect at the start of 2005
  - It disallows several of the nastier tactics
    - Homepage & bookmark hijacking
    - Disabling existing security software
    - Immortal pop-up ads
  - Falls short of prohibiting the most common EULA tricks
    - Vendors are required to notify the user, but not to ask permission
- The Internet Spyware Prevention Act (I-SPY) imposes penalties and punishments on creators of computer spyware
  - First introduced in the House of Representatives in 2004 and passed in 2005
  - Reintroduced in March 2007 to further prosecute makers of spyware

Solutions [1]
- Technical
  - Education & protection
  - Put users in control of what software winds up on their machines
- Legal
  - Disallow sneaky and shady installation procedures and byzantine license agreements with unreasonable demands
  - Aggressive prosecution
    - Practices employed by many spyware programs are already illegal under existing laws against consumer fraud and identity theft

References
1. A. Weiss, Spyware Be Gone!, netWorker, Volume 9, Issue 1, March 2005, pp. 19-25, access through the ACM Digital Library on http://www.libraries.wvu.edu/databases
2. S. Saroiu, S. D. Gribble, and H. M. Levy, Measurement and Analysis of Spyware in a University Environment, Proceedings of the 1st ACM/USENIX Symposium on Networked Systems Design and Implementation, March 2004, pp. 141-153. (just Google it)
3. Communications of the ACM, August 2005, Volume 48, Number 8, access through the ACM Digital Library on http://www.libraries.wvu.edu/databases
4. PC Pitstop Spyware center, http://www.pcpitstop.com/spycheck/default.asp