Spyware

SpyWare! IQxplorer

Agenda

Define SpyWare

Discuss methods used for spying

Focus on passive tracking methods

Demonstrate one passive method

Discuss prevention

Conclusions

SpyWare Definition

SpyWare is a general term used to describe software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first.

http://www.microsoft.com/athome/security/spyware/spywarewhat.mspx

SpyWare Categories

Advertising (Passive)

Capture browsing history

Capture buying habits

Surveillance (Active)

Key loggers

System Monitors

SpyWare Statistics

90% of all internet connected machines are infected

~28 SpyWare traces on each machine

1/3 infected with surveillance SpyWare

80% of infections were cookies

Passive Tracking Methods

Web Beacons

Cookies deposits

Web Beacons

Also know as

Web Bugs

Clear GIFs

Allows destination to log page hits

Can be used in conjunction with cookies

Cookie Fields Parameter Description Name The name of the cookie. Value The value of the cookie. Expire The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Path The path on the server in which the cookie will be available. Domain The domain in which the cookie is available Secure When set to TRUE , the cookie will only be set if a secure connection exists. The default is FALSE . httponly When TRUE the cookie will be made accessible only through the HTTP protocol. Not supported on all browsers

Web Beacon w/Cookie Example: spywareWebBeaconCookieDeposit.html

<html>

<head>

<title>Web Beacon Cookie Deposit Example</title>

</head>

<body>

<h1><b>Web Beacon Cookie Deposit Example:</b></h1>

<hr />

<img src="http://www.cs.uccs.edu/~cdshort/serverWebBeacon.php" alt="Picture" width="0" height ="0" border = "0" />

</body>

</html>

Server Code serverWebBeacon.php

<?php

if (!(isset($_COOKIE["SpyCookie"]))){

setcookie("SpyCookie", "ISpyOnYou", time()+3600);

}

?>

<html>

<head>

<title>PHP Test</title>

</head>

<body>

<?php

$filename = 'cookieCapture.txt';

$today = date("D M j G:i:s T Y");

$Content = "SpyCookie" . " : " . "$_COOKIE[SpyCookie]" . " : " . "$today ";

if($handle = fopen($filename, 'a')){

fwrite($handle, $Content);

fclose($handle);

}

?>

</body>

</html>

Cookie Capture File

[cdshort@windom public_html]$ cat cookieCapture.txt

SpyCookie : ISpyOnYou : Fri Dec 1 18:30:17 MST 2006

SpyCookie : ISpyOnYou : Fri Dec 1 18:30:38 MST 2006

[cdshort@windom public_html]$

Packet Capture

Conclusions

Browser settings can prevent cookie deposit

Be careful what you download

Don’t open the door willingly

The use of cookies is fundamental

The information provided is minimal

Questions?

References

http://www.php.net/manual/en/function.setcookie.php

http://cs.uccs.edu/~cs301/php/php.html

Tzu-Yen Wang, Shi-Jinn Horng, Ming-Yang Su, Chin-Hsiung Wu,Peng-Chu Wang and Wei-Zen Su. A Surveillance Spyware Detection System Based on Data Mining Methods. 2006 IEEE Congress on Evolutionary Computation.