  1. Spyware and Trojan Horses – Computer Security Seminar, 12th February 2004
     Spyware and Trojan Horses
     Computer Security Seminar Series [SS1]
     Andrew Brown, Tim Cocks and Kumutha Swampillai – http://birmingham.f9.co.uk
  2. Your computer could be watching your every move!
     Image Source – http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
  3. Introduction
  4. Seminar Overview
     • Introduction to Spyware / Trojan Horses
     • Spyware – Examples, Mechanics, Effects, Solutions
     • Tracking Cookies – Mechanics, Effects, Solutions
     • Trojan Horses – Mechanics, Effects, More Examples
     • Solutions to the problems posed
     • Human Factors – Human interaction with Spyware
     • “System X” – Having suitable avoidance mechanisms
     • Conclusions – Including our proposals for solutions
  5. Definitions
     SPYWARE – A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.
     TROJAN HORSE – An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
  6. Symptoms
     • Targeted Pop-ups            SPYWARE
     • Slow Connection             SPYWARE / TROJAN
     • Targeted E-Mail (Spam)      SPYWARE
     • Unauthorized Access         TROJAN HORSE
     • Spam Relaying               TROJAN HORSE
     • System Crash                SPYWARE / TROJAN
     • Program Customisation       SPYWARE
  7. Summary of Effects
     • Collection of data from your computer without consent
     • Execution of code without consent
     • Assignment of a unique code to identify you
     • Collection of data pertaining to your habitual use
     • Installation on your computer without your consent
     • Inability to remove the software
     • Performing other undesirable tasks without consent
  8. Similarities / Differences
     Spyware                                  Trojan Horses
     Commercially Motivated                   Malicious
     Internet connection required             Any network connection required
     Initiates remote connection              Receives incoming connection
     Purpose: To monitor activity             Purpose: To control activity
     Collects data and displays pop-ups       Unauthorized access and control
     Legal                                    Illegal
     Not Detectable with Virus Checker        Detectable with Virus Checker
     Age: Relatively New (< 5 Years)          Age: Relatively Old (> 20 Years)
     Common to both:
     • Memory Resident Processes
     • Surreptitiously installed without user’s consent or understanding
     • Creates a security vulnerability
  9. Spyware
  10. Software Examples
     • GAIN / Gator
     • Gator E-Wallet
     • Cydoor
     • BonziBuddy
     • MySearch Toolbar
     • DownloadWare
     • BrowserAid
     • Dogpile Toolbar
     Image Sources… GAIN Logo – The Gator Corporation – http://www.gator.com; BonziBuddy Logo – Bonzi.com – http://images.bonzi.com/images/gorillatalk.gif; DownloadWare Logo – DownloadWare – http://www.downloadware.net
  11. Spyware Defence
     User Initiatives…
     • Issue Awareness
     • Use Legitimate S/W Sources
     • Improved Technical Ability
     • Choice of Browser
     • Choice of OS
     • Legal action taken against breaches of privacy – Oct ’02 Doubleclick
     Technical Initiatives…
     • Spyware Removal Programs
     • Pop-up Blockers
     • Firewall Technology
     • Disable ActiveX Controls – Not Sandboxed
     • E-Mail Filters
     • Download Patches
  12. Spyware Removers
     Ad-aware (by Lavasoft)
     – Reverse Engineer Spyware
     – Scans Memory, Registry and Hard Drive for…
       • Data Mining components
       • Aggressive advertising components
       • Tracking components
     – Updates from Lavasoft
     – Plug-ins available
       • Extra file information
       • Disable Windows Messenger Service
     Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com
  13. Vulnerable Systems
     • Those with an internet connection!
     • Microsoft Windows 9x/Me/NT/2000/XP
     • Does not affect Open Source OSs
     • Non-firewalled systems
     • Internet Explorer, which executes ActiveX plug-ins
     • Other browsers not affected
  14. Trojan Horses
  15. Installation
     • Secretly installed when an infected executable is run
       – Much like a virus
       – Executables typically come from P2P networks or unscrupulous websites
     • ActiveX controls on websites
       – ActiveX allows automatic installation of software from websites
       – User probably does not know what they are running
       – Misleading descriptions often given
       – Not sandboxed!
       – Digital signatures used, but signing is not necessary
  16. Installation
     • Certificate Authority
     • Misleading Certificate Description
     • Who is trusted?
     Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.
  17. Effects
     • Allows remote access
       – To spy
       – To disrupt
       – To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
       – To access resources (e.g. bandwidth, files)
       – To launch a DDoS attack
  18. Operation
     • Listen for connections
     • Memory resident
     • Start at boot-up
     • Disguise presence
     • Rootkits integrate with kernel
     • Password Protected
  19. Example: Back Orifice
     • Back Orifice
       – Produced by the “Cult of the Dead Cow”
       – Win95/98 is vulnerable
       – Toast of DefCon 6
       – Similar operation to NetBus
       – Name similar to MS Product of the time
  20. BO: Protocol
     • Modular authentication
     • Modular encryption
       – AES and CAST-256 modules available
     • UDP or TCP
     • Variable port
       – Avoids most firewalls
     • IP Notification via ICQ
       – Dynamic IP addressing not a problem
  21. BO: Protocol Example (1)
     [Diagram: Attacker, Victim, ICQ Server] Trojan infection occurs; the Victim sends its IP address and port to the ICQ Server; the Attacker obtains the IP address and port from the ICQ Server; connection.
     Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  22. BO: Protocol Example (2)
     [Diagram: Attacker, Victim] Connection; Attacker sends command; command executed on Victim; Attacker sends request for information; Victim returns information.
     Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  23. BO: Protocol Example (3)
     [Diagram: Attacker, Victim] Attacker sends cleanup command; evidence destroyed on Victim.
     Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  24. Trojan Horse Examples
     • M$ Rootkit
       – Integrates with the NT kernel
       – Very dangerous
       – Virtually undetectable once installed
       – Hides from administrator as well as user
       – Private TCP/IP stack (LAN only)
  25. Trojan Horse Examples
     • iSpyNOW
       – Commercial
       – Web-based client
     • Assassin Trojan
       – Custom builds may be purchased
       – These are not found by virus scanners
       – Firewall circumvention technology
  26. Trojan Horse Examples
     • Hardware
       – Key loggers
       – More advanced?
     • Magic Lantern
       – FBI developed
       – Legal grey area (until recently!)
       – Split virus checking world
  27. Demonstration
  28. Vulnerable Systems – Number of trojans in common use…
     [Scale, from RELATIVELY SAFE to DANGEROUS] MacOS → MacOS X → Linux/Unix → WinNT → Win 9x
     WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
     Information Source: McAfee Security – http://us.mcafee.com/
     Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  29. Vulnerable Systems – Ease of compromise…
     [Scale, from RELATIVELY SAFE to DANGEROUS] Linux/Unix → MacOS X → WinNT → MacOS → Win 9x
     WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.
     Information Source: McAfee Security – http://us.mcafee.com/
     Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  30. Conclusions
  31. Security Implications
     Short Term
     • Divulge personal data
     • Backdoors into system
     • System corruption
     • Disruption / Irritation
     • Aids identity theft
     • Easy virus distribution
     • Increased spam
     Long Term
     • Mass data collection
     • Consequences unknown
     • Web becomes unusable
     • Web cons outweigh pros
     • Cost of preventions
     • More development work
     • More IP addresses (IPv6)
  32. Solutions
     Short Term
     • Firewall
     • Virus Checker
     • Spyware Remover
     • Frequent OS updates
     • Frequent back-up
     • Learning problems
     Long Term
     • Add Spyware to Anti-Virus
     • Automatic maintenance
     • Legislation
     • Education on problems
     • Biometric access
     • Semantic web (and search)
  33. Firewalls – Network / Internet
     • 3 Types…
       – Packet Filtering – Examines attributes of the packet.
       – Application Layer – Hides the network by impersonating the server (proxy).
       – Stateful Inspection – Examines both the state and context of the packets.
     • Regardless of type, a firewall must be configured to work properly.
     • Access rules must be defined and entered into the firewall.
  34. Firewalls – Network / Internet
     [Diagram: Packet Filtering] Traffic for http – tcp 80, telnet – tcp 23 and ftp – tcp 21 arrives at the Firewall in front of the Web Server; rule: allow only http – tcp 80, so only http – tcp 80 reaches the Web Server.
     [Diagram: Stateful Inspection] The PC at 192.168.0.10:1020 makes a request out to 202.52.222.10:80 through the Firewall; the Firewall only allows reply packets for requests made out and blocks other unregistered traffic.
     Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
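To make the packet-filtering and stateful-inspection rules of slide 34 concrete, and to show why slide 20's "variable port" Trojan gets past the first but not the second, here is an added Python example (ours, not the seminar's code). It models the slide's addresses (PC 192.168.0.10:1020, web server 202.52.222.10:80); the attacker address, the Trojan's listening port and the simplified packet model (a single flag marks a connection attempt) are assumptions.

```python
# Added example: a stateless packet filter beside a stateful-inspection
# firewall, both run over constructed packets modelled on slide 34.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True = tries to open a connection, False = part of an existing one


INSIDE_HOST = "192.168.0.10"   # the PC in the slide 34 diagram
WEB_SERVER = "202.52.222.10"   # the web server in the slide 34 diagram
ATTACKER = "198.51.100.7"      # constructed documentation address (assumption)
TROJAN_PORT = 40000            # constructed stand-in for the Trojan's "variable port"
HTTP_PORT = 80                 # the slide's rule: "allow only http - tcp 80"


def packet_filter(pkt: Packet) -> bool:
    """Packet filtering: each packet is judged on its own attributes only.
    Outbound traffic may only go to port 80. A stateless rule cannot tell a
    genuine web reply from any other inbound packet, so the best it can do
    is accept inbound packets whose source port is 80."""
    if pkt.src == INSIDE_HOST:
        return pkt.dport == HTTP_PORT
    return pkt.sport == HTTP_PORT


class StatefulFirewall:
    """Stateful inspection: register each request made out, then only allow
    reply packets for registered requests and block other unregistered traffic."""

    def __init__(self) -> None:
        self.registered = set()  # (inside addr, inside port, outside addr, outside port)

    def inspect(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE_HOST:
            if pkt.dport != HTTP_PORT:
                return False
            self.registered.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: a new connection attempt is never a reply; otherwise the
        # packet must match a request the inside host actually made.
        if pkt.syn:
            return False
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.registered


# Constructed traffic: one legitimate web exchange, then two unsolicited
# inbound connection attempts aimed at a Trojan listening on TROJAN_PORT.
TRAFFIC = [
    Packet(INSIDE_HOST, 1020, WEB_SERVER, HTTP_PORT, syn=True),      # request made out
    Packet(WEB_SERVER, HTTP_PORT, INSIDE_HOST, 1020, syn=False),     # its reply
    Packet(ATTACKER, HTTP_PORT, INSIDE_HOST, TROJAN_PORT, syn=True), # resembles a web reply to a stateless rule
    Packet(ATTACKER, 4444, INSIDE_HOST, TROJAN_PORT, syn=True),      # ordinary unsolicited inbound
]


def run(decide, packets):
    """Apply one firewall's decision function to each packet, in order."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    print("packet filter      :", run(packet_filter, TRAFFIC))
    print("stateful inspection:", run(StatefulFirewall().inspect, TRAFFIC))
```

The stateless filter lets the third packet through because its header alone looks like a web reply; the stateful firewall blocks it because no request to that address was ever registered.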
  35. Intrusion Detection Systems
     [Diagram: Network – Firewall – IDS – Switch – Server / PC]
     • Intrusion Detection – A Commercial Network Solution
     • An “Intelligent Firewall” – monitors accesses for suspicious activity
     • Neural Networks trained by Backpropagation on Usage Data
     • Could detect Trojan Horse attack, but not designed for Spyware
     • Put the IDS in front of the firewall to get maximum detection
     • In a switched network, put IDS on a mirrored port to get all traffic.
     • Ensure all network traffic passes through the IDS host.
     Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
  36. “System X” – Network / Internet / Standalone
     • Composed of…
       – Open Source OS
       – Mozilla / Opera / Lynx (!) Browser (Not IE)
       – Stateful Inspection Firewall
       – Anti-Virus Software
       – Careful and educated user
       – Secure permissions system
       – Regularly updated (possibly automatically)