Spiffy Spyware Stuff
Tushar Dalvi    Nilesh Dalvi

Abstract

An increasing number of shareware programs today come with spyware: programs that collect the browsing habits of users and other information and periodically report them to a remote host. In this paper, we discuss the use of network-based signatures for detecting spyware. We present a survey of commonly found spyware and how it works. We also propose a set of basic network signatures and demonstrate that most of the commonly found spyware satisfies them.

1 Introduction

Spyware is Internet jargon for advertising-supported software (adware). It is a way for shareware authors to make money from a product other than by selling it to users. Several large media companies offer shareware authors a portion of the revenue from banner sales in exchange for placing banner ads in their products.

While this may be a great concept, the downside is that the advertising companies also install additional tracking software on the system, which continuously calls home over the user's Internet connection and reports statistical data. Although the companies' privacy policies state that no sensitive or identifying data is collected from the user's system and that the user remains anonymous, the fact remains that a live server is active on one's computer, continuously sending information about the user and the user's browsing habits. Spyware has complete access to one's computer and data, and malicious spyware may send user passwords and credit card information. Spyware also consumes one's CPU, memory and bandwidth on someone else's behalf.

The hangover from record downloads of programs that include adware and other spyware has created a matching demand for utilities designed to block unwanted pop-up ads or remove spyware altogether. There are several software packages available that maintain a database of all known spyware and the files it installs, and use the database to detect the presence of spyware on one's system. While they have proven to be quite effective, spyware writers can easily get around them with clever installations that change the names of the installed files to random strings.

In this work, we propose the use of network-based signatures to detect spyware. This scheme works by analyzing the packets in the outgoing network stream and correlating them with browser activity to infer spyware activity. Network signatures can detect not only adware that sends browsing information but also other spying software such as key loggers.

Our contributions in this project are:

  1. Analyzing various spyware currently in circulation and studying its network activity.

  2. Proposing a set of basic signatures to look for and demonstrating their effectiveness on current spyware.

  3. Providing a tool that sniffs packets and stores each one along with the process that generated it. This tool is useful in analyzing spyware and detecting signatures.

The rest of the paper is organized as follows. In Section 2, we describe the workings of the spyware most commonly found today. In Section 3, we classify this spyware into various categories. In Section 4, we discuss strategies for detecting spyware, including our network-based signature technique. In Section 6, we describe related work, and we conclude in Section 7.

2 Common Spyware

Most spyware that is included in the popular software packages available on the Internet comes from a small
set of highly used spyware. The activity of a number of such spyware (as well as some uncommon pieces of spyware) has been analyzed, and the results are presented here.

2.1 Gator

The Gator Advertising and Information Network (GAIN) [GC03], powered by The Gator Corporation, comes with many popular software applications and services. It delivers ads, information, and software based on the web sites viewed by the user.

Gator runs as a standalone process called GMT.exe and monitors the user's browser activity in an attempt to better target the ads shown. It randomly selects one of the following six hosts to which to send information: bannerserver.gator.com, ss.gator.com, rs.gator.com, gs.gator.com, bg.gator.com and search.gator.com. Each time a website is visited, it sends one of these hosts information about the name of the website, the local time, a uniquely identifiable machine ID, the browser type, etc. Not everything that was sent was in plain text. No personal information or passwords were seen in the packets, but the plain text did not account for everything it sent.

2.2 Comet Cursor

Comet Cursor [CS03] is an Internet Explorer toolbar. Since it does not run as a separate process, it was difficult to isolate its network activity for study. To study Comet Cursor's traffic, the ambient network activity of the system was reduced as much as possible, and all packets that could otherwise be accounted for were discarded. It was observed that Comet Cursor randomly sends information to either rs.cometsystems.com or log.cc.cometsystems.com.

Comet Cursor's activity immediately follows the browser activity. It is more selective in what it sends. Names of websites visited by the browser were never seen in the packets. However, it does send all the search terms entered in the forms of search engines such as Google and Yahoo. The names of the search engines are perhaps hard coded inside the Comet Cursor code.

2.3 Alexa

Alexa [Ale03] is another Internet Explorer toolbar, powered by Amazon. It sends its information to data.alexa.com, including the names of all the URLs visited by the browser.

It uses HTTP for communication. HTTP seems to be the favorite among spyware, perhaps because many users in academic/corporate environments are behind firewalls where most ports are blocked, while HTTP is always the safest choice.

2.4 Google Toolbar

The Google Toolbar [Goo03] is an Internet Explorer plugin designed to give the user easier access to Google's services. Because it is a browser plugin, the toolbar does not appear in a process of its own. With the PageRank feature disabled, using the toolbar is no different from using the Google search page itself. With PageRank turned on, however, on every web access the URL being visited is sent to Google via HTTP to retrieve the PageRank information. The toolbar is careful, however, not to relay to Google any data that was entered into web forms, or to relay intranet URLs.

2.5 KeySpy

KeySpy [IIP03] is a commercial keylogger application produced by IIPwr. It is invisibly installed on a victim system, set to execute whenever the system reboots, and does not appear in a process of its own. It sits in the background, silently monitoring and recording all user keystrokes and window titles, as well as all process names, IDs, and start and stop activities. At regular intervals (configurable by the attacker), KeySpy sends a report via e-mail to the attacker, optionally in encrypted form. When sending its report, KeySpy spawns a separate process to open its TCP connection to the SMTP server. Once the report has been sent, this process terminates, eliminating any lingering CLOSE_WAIT or TIME_WAIT entries that might show up in a casual netstat.

2.6 SaveNow

SaveNow [Whe03] is adware that is often bundled as a third-party component with other software, including popular file-sharing packages such as KaZaa [SN03] and BearShare [FPI03]. It lives in a process of its own, called save.exe, monitoring the user's browser activity in an attempt to better target the ads shown. As often as once a minute (triggered by the user's browser activity), SaveNow contacts an Akamai server via HTTP to
download its ads. It does not appear to send any information about what sites have been visited, or what data has been entered into web forms.

2.7 Web3000

Web3000 [Net03] is another ad network. Its software is bundled with Netsonic Download Accelerator in the form of Ezula TopText. It inserts its own text advertisements as pop-ups linked to highlighted words in a Web page. It does not show up in the process list under the Windows Task Manager, but HTTP packets are seen to be transmitted to www.ezula.com containing the names of all the URLs visited by the browser.

3 Classes of Spyware

Based on the observations above, it appears that spyware can be classified into several categories according to its behaviour. This classification is useful in guiding the development of strategies for dealing with spyware.

3.1 Process Location

Spyware can either live in its own process, or it can be attached to one or more host processes, either through a plugin or by replacing library files. Clearly, the presence of spyware that lives in its own process can be easily detected by examining the system's process table. Network activity that is generated by such spyware can also be easily isolated for analysis and detection of suspicious activity. Spyware that lives in its own process includes Gator and SaveNow.

3.2 Frequency of Reporting

By its very nature, spyware must periodically send reports of its observations over the network. Spyware can be categorized according to the frequency of such reporting. Many simply send a report immediately after user activity has been observed. Others can batch up such reports and send a larger or summarized report after every few minutes or after every few instances of user activity.

Gator, Comet Cursor, Alexa, and Google Toolbar all send information with every user click in the web browser. SaveNow sends information once a minute. KeySpy reports are sent every few minutes; their frequency is uncorrelated with user activity.

3.3 Content of Reports

4 Strategies for Detection

In this section, traditional techniques for detecting spyware are first described. These include detection based on firewalls and detection based on databases. Then network-based signatures are discussed.

4.1 Firewall-Based Detection

One simple way of detecting spyware is to install a firewall, such as Zone Alarm [ZL03]. Zone Alarm blocks all processes from connecting to the Internet or acting as servers. Access to the network can be selectively enabled by the user on a per-process basis, depending on the processes that the user recognizes. Many pieces of spyware that attempt to hide themselves from the user come to the surface in this way.

There are two downsides to the firewall approach. First, a process recognized by the user as requiring network access may be surreptitiously engaged in spyware activities. For instance, the FTP client CuteFTP [Glo03] once spied on its users in the background. Secondly, much spyware embeds itself into web browsers as plugins or toolbars, and it cannot be selectively denied access to the network.

4.2 Signatures Based on Databases

This is the approach taken by many existing spyware detectors [Lav03, BPS03, Spy03]. They maintain an up-to-date database of the latest versions of all known spyware. The database includes lists of files installed by the spyware, the process names under which they run, etc.

Each piece of spyware installs a few dynamically linked libraries (DLLs) in the Windows system directory. This serves as an easy test for their detection. For instance, Cydoor [Med03] installs CD_CLINT.DLL, CD_GIF.DLL and CD_SWF.DLL.

Existing spyware detectors also examine the list of processes running in the system to detect instances of spyware that may be running. For example, Gator runs under the process name GMT.exe, while SaveNow runs as save.exe.
Database-based spyware detection is a very powerful technique for detecting existing spyware. However, it has its limitations. It cannot detect new spyware or new versions of spyware that are not in the database. Also, spyware can get around these detectors with clever installations where the names of the installed files are changed to random strings.

4.3 Network-Based Signatures

Based on the spyware analyzed in Section 2, it appears that network-based detection schemes can be more robust and flexible than detection mechanisms based on firewalls or databases. In particular, a network-based detector can analyze the outgoing packet stream for any of the following classes of signatures.

  1. Network activity in the form of packets being sent to a fixed destination or to a small set of fixed destinations.

  2. Network activity that is correlated with browser activity.

  3. Network activity that is seen periodically at fixed intervals.

  4. Packets containing the names of the websites visited by the browser.

  5. Packets containing information that has recently been entered into a web form.

It is expected that Class 1 signatures should be satisfied by all spyware, but perhaps also by many other benign applications. All spyware should also satisfy either Class 2 or Class 3 signatures, and these would be good indications of spyware activity. Finally, the presence of Class 4 or Class 5 signatures would be a clear indication that spyware is present in the system.

Figure 1 summarizes the various signatures satisfied by the applications studied in Section 2.

4.3.1 Detecting Network Signatures

We have implemented a packet sniffer that traces packets back to the processes (along with their names) that created them. It serves two important purposes. First, it segregates the network activities of trusted processes and helps the user concentrate on only those network packets that correspond to potential spyware processes. Second, each process can be studied in isolation for spyware activity.

For spyware that runs as a separate process, it is easy to test each class of signatures. A browser workload is created in which the browser visits a few fixed sites and fills out forms with some fixed information. All of the network signature classes are easily detectable by looking at the packets generated by these processes. Class 1 can be detected by looking at the total number of unique hosts that the process connects to. The packets can be scanned for the names of the web sites visited and the information filled in the forms.

For spyware that embeds itself into the browser, a similar approach can be taken. There could be multiple pieces of spyware running; each visit to a website could generate many packets to various different hosts. Class 1 can be detected by looking for destination hosts that repeat periodically in the logs. With a piece of spyware connecting to n random hosts, each host will repeat with a frequency of 1/n on average. Packets to each such destination host can then be scanned for instances of the other signature classes.

4.3.2 Packet Sniffer

This section describes the implementation of the per-process packet sniffer. There are two aspects of the implementation:

  1. Getting Packets: The WinPcap [Win03b] Windows packet capture library is used. This library is used by many current packet sniffers, such as WinDump [Win03a] and Ethereal [Eth03]. It includes a kernel-level packet filter, a low-level dynamic link library, and a high-level system-independent library. We use the library to isolate the TCP packets sent from the given machine. These packets carry the TCP ports used to send them but do not reveal the names of the processes that generated them.

  2. Getting Process Names: The IP Helper API of the Microsoft Platform SDK can be used to access the data structure storing the list of open TCP ports on the system. Windows XP has an extended query feature that gives additional information about the PIDs of the processes using these ports. This information, joined with the port information of the packets, helps in tracing the packets back to the originating processes.

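As an added example, not the authors' sniffer (which is built on WinPcap and the IP Helper API) and not code from the paper, the following Python models both steps of Section 4.3.2 and the checks of Sections 4.3 and 4.3.1 over a constructed trace: captured packets are joined to processes through a snapshot of the port-to-process table, each process's packets are tested against the five signature classes, and for traffic that belongs to the browser process the destinations that repeat across visits are split out and tested on their own. The process names adclient.exe and beacon.exe, the hosts, payloads, click times, the browser process name iexplore.exe and every threshold are assumptions made for the illustration.

```python
# Added example, not the paper's tool: per-process packet attribution plus the
# five network-signature classes. All data and thresholds below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src_port: int   # local TCP source port, as seen by the capture library
    dst_host: str   # destination host (assumed already resolved from the IP)
    payload: str    # application data, decoded as text for string matching

# Constructed browser workload: click times (s), sites visited, form input.
CLICKS = [0.0, 5.0, 20.0, 31.0]
SITES = ["www.example.org", "shop.example.net"]
FORM_VALUES = ["zip=98195"]

# Constructed snapshot of the extended TCP table: local port -> owning process.
# adclient.exe and beacon.exe are hypothetical names; the browser is assumed to be iexplore.exe.
TCP_TABLE = {1025: "adclient.exe", 1030: "iexplore.exe", 1041: "beacon.exe"}

# Constructed capture: the ad client reports each visit to one of two hosts, a
# toolbar inside the browser reports every URL, beacon.exe phones home on a
# fixed timer, and the last packet's port is absent from the snapshot.
PACKETS = [
    Packet(0.4, 1025, "a.ads.example", "GET /r?site=www.example.org&id=M1"),
    Packet(5.5, 1025, "b.ads.example", "GET /r?site=shop.example.net&id=M1"),
    Packet(20.3, 1025, "a.ads.example", "GET /r?site=www.example.org&id=M1"),
    Packet(31.6, 1025, "a.ads.example", "GET /r?site=shop.example.net&id=M1"),
    Packet(0.1, 1030, "www.example.org", "GET / HTTP/1.1"),
    Packet(0.3, 1030, "t.toolbar.example", "GET /rank?u=www.example.org"),
    Packet(5.1, 1030, "shop.example.net", "GET / HTTP/1.1"),
    Packet(5.2, 1030, "t.toolbar.example", "GET /rank?u=shop.example.net"),
    Packet(20.1, 1030, "www.example.org", "GET / HTTP/1.1"),
    Packet(20.2, 1030, "t.toolbar.example", "GET /rank?u=www.example.org"),
    Packet(31.1, 1030, "shop.example.net", "POST /checkout zip=98195"),
    Packet(31.2, 1030, "t.toolbar.example", "GET /rank?u=shop.example.net"),
    Packet(9.0, 1041, "c.beacon.example", "POST /ping seq=1"),
    Packet(29.0, 1041, "c.beacon.example", "POST /ping seq=2"),
    Packet(49.0, 1041, "c.beacon.example", "POST /ping seq=3"),
    Packet(12.0, 1099, "cdn.example.org", "GET /logo.png"),
]

def attribute_packets(packets, tcp_table):
    """Join packets to processes on the local port; a port with no owner in the
    snapshot (e.g. a short-lived connection already closed) lands in "<unknown>"."""
    groups = defaultdict(list)
    for p in packets:
        groups[tcp_table.get(p.src_port, "<unknown>")].append(p)
    return dict(groups)

def class1_fixed_destinations(packets, max_hosts=6):
    """Class 1: traffic goes to a small fixed set of hosts (threshold arbitrary)."""
    return 0 < len({p.dst_host for p in packets}) <= max_hosts

def class2_browser_correlated(packets, clicks, window=2.0, min_fraction=0.8):
    """Class 2: most packets leave within `window` seconds after a browser click."""
    if not packets:
        return False
    hits = sum(any(0 <= p.ts - c <= window for c in clicks) for p in packets)
    return hits / len(packets) >= min_fraction

def class3_periodic(packets, max_jitter=0.2, min_packets=3):
    """Class 3: inter-packet gaps are nearly constant (low coefficient of variation)."""
    times = sorted(p.ts for p in packets)
    if len(times) < min_packets:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter

def leaks(packets, needles):
    """Classes 4 and 5: a payload carries a visited site name or a form value."""
    return any(n in p.payload for p in packets for n in needles)

def evaluate(packets, clicks=CLICKS, sites=SITES, form_values=FORM_VALUES):
    """Map signature class number -> whether this packet set satisfies it."""
    return {1: class1_fixed_destinations(packets),
            2: class2_browser_correlated(packets, clicks),
            3: class3_periodic(packets),
            4: leaks(packets, sites),
            5: leaks(packets, form_values)}

def repeating_destinations(packets, clicks=CLICKS, window=2.0, min_visits=3):
    """For spyware embedded in the browser: hosts contacted after at least
    `min_visits` distinct visits (those repeating with frequency about 1/n)."""
    visits = defaultdict(set)
    for p in packets:
        for i, c in enumerate(clicks):
            if 0 <= p.ts - c <= window:
                visits[p.dst_host].add(i)
    return sorted(h for h, v in visits.items() if len(v) >= min_visits)

def report(packets=PACKETS, tcp_table=TCP_TABLE):
    """Classes satisfied per process; browser traffic is also split per repeating host."""
    out = {}
    for proc, pkts in attribute_packets(packets, tcp_table).items():
        out[proc] = evaluate(pkts)
        if proc == "iexplore.exe":
            for host in repeating_destinations(pkts):
                out[f"{proc} -> {host}"] = evaluate([p for p in pkts if p.dst_host == host])
    return out
```

On this trace the ad client shows Classes 1, 2 and 4, the timer-driven beacon shows Classes 1 and 3, and the browser process as a whole shows Classes 1, 2, 4 and 5 simply because it visits the sites and submits the form itself; only after splitting out the destination that repeats across visits does the toolbar's own profile (Classes 1, 2 and 4) appear. The "<unknown>" bucket shows the limit of a one-time table snapshot: a process that opens a connection, sends and exits, as KeySpy does, may not be in the table when it is read, so the snapshot has to be refreshed frequently.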
                  1   2   3   4   5
  Alexa           √   √       √   √
  Comet Cursor    √   √           √
  Gator           √   √       √   √
  Google Toolbar  √   √       √
  KeySpy          √       √
  SaveNow         √   √   √
  Web3000         √   √       √   √

Figure 1: Signature classes satisfied by various pieces of spyware (columns are the signature classes of Section 4.3)


5 Removal of Spyware

After spyware activity has been detected in the system, an interesting and intriguing problem is blocking the spyware activity. For database-based spyware detectors, it is easy to uninstall spyware, as they contain the list of files it installed. For network signature based detectors, it is a much harder problem. One possibility is to block the spyware at the network level. Care has to be taken to block the packets sent by the spyware as well as packets sent to it. The incoming traffic to spyware needs to be blocked because remote hosts may be sending it advertisements to display or even executables to run on the user's machine. For spyware identified as a separate process, all packets sent to or by the process can be dropped. For spyware sitting inside the browser, a list of remote hosts corresponding to the spyware activity can be made, and any packets with those hosts as source or destination can be dropped.

Spyware blocking at the network level is of course not foolproof, and complete removal of the spyware from the system is sought. Again, for spyware with known process names, the names of the executables are known and the Windows Installer can be summoned to remove the corresponding program. For spyware running inside the browser, this is an almost intractable problem, as it is impossible to know which application's installation brought the spyware. Two approximate strategies can be employed here. First, the spyware detector can run continuously in the background and coordinate with the Windows Installer. If spyware activity suddenly crops up in the system, the detector can relate it to the application the Installer installed and try removing it. Another possible strategy is to perform a DNS lookup for the remote host that the spyware is contacting and try to relate its name to the names of applications. For example, Gator contacts gator.com servers and Comet Cursor contacts cometlabs.com servers.

6 Related Work

The general problem of detecting attacks against a computer system over a network is called network intrusion detection. Monitoring network activity to detect spyware is a special case of network intrusion detection in which an illicit program, installed on the system alongside legitimate software, sends personal information about the user to a remote site over the network.

Most network intrusion detection systems (NIDSs) [MHL94] work by inspecting IP packets and reconstructing the higher-level interactions between end hosts and remote users. For example, Heberlein et al. [HDL+90] have developed a network security monitor that compares current network usage patterns with a historical profile to detect abnormal activity.

The EMERALD environment [PN97] is a distributed NIDS that can track malicious activity in large networks. EMERALD surveillance and response monitors are distributed over a network and can be independently tuned. These monitors provide data to an event-analysis system that combines signature analysis with statistical profiling to detect suspicious network activity.

Bro [Pax98] is a passive network monitoring system for detecting intruders in real time on high-speed networks. The network traffic stream is filtered and reduced to a series of events. These events are then processed by event handlers, written in a specialized scripting language. Event handlers in Bro can update state information, synthesize events, generate logging information, and generate real-time notifications.

Sekar et al. [SGVS99] have designed a rule- and pattern-based NIDS that features a specification language with a strict typing discipline. The specification language allows the user to define rules and patterns in network packets corresponding to anomalous behavior.

Writing the rules for a rule-based NIDS, however, requires expert security knowledge and is an expensive process that often involves hours of tedious programming and debugging. Lee et al. [LPS99] have developed a data mining framework for adaptively learning these rules for use in Network Flight Recorder [NFR97].

There does not appear to be any previous work on spyware detection, either by identifying such rules or by applying network intrusion detection techniques to the problem. Our work extends these techniques to spyware detection by identifying the network signatures common to spyware.

There are many commercial software products available that detect the presence of spyware by examining the host's file system. These are based on signature databases and look for the installations of currently known spyware. These systems are limited in scope, as they cannot detect new or unknown spyware. We plan to extend the scope using our techniques.

7 Conclusions

References

[Ale03] Alexa. Alexa Toolbar. http://www.alexa.com/, 2003.

[BPS03] Bullet Proof Soft. BPS Spyware Remover. http://www.bulletproofsoft.com/, 2003.

[CS03] Comet Systems. Comet Cursor. http://cometcursor.cometsystems.com/, 2003.

[Eth03] The Ethereal Network Analyzer. http://www.ethereal.com/, 2003.

[FPI03] Free Peers Inc. BearShare. http://www.bearshare.com/, 2003.

[GC03] Gator Corporation. Gator. http://www.gator.com/, 2003.

[Glo03] GlobalSCAPE. CuteFTP. http://www.cuteftp.com/, 2003.

[Goo03] Google. Google Toolbar. http://toolbar.google.com/, 2003.

[HDL+90] L. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood, and D. Wolber. A network security monitor. In IEEE Symposium on Research in Security and Privacy, pages 296–304, May 1990.

[IIP03] IIPwr. IIPwr Package. http://www.iipwr.com/IIPwrPackage.htm, 2003.

[Lav03] Lavasoft. Ad-aware. http://www.lavasoftusa.com/, 2003.

[LPS99] Wenke Lee, Christopher T. Park, and Salvatore J. Stolfo. Automated intrusion detection methods using NFR. In USENIX Intrusion Detection Workshop, 1999.

[Med03] Cydoor Desktop Media. Cydoor. http://www.cydoor.com/, 2003.

[MHL94] B. Mukherjee, L. Heberlein, and K. Levitt. Network intrusion detection. In IEEE Network, pages 26–41, May/June 1994.

[Net03] Netsonic. Web3000. http://www.web3000.com/, 2003.

[NFR97] Network Flight Recorder. http://www.nfr.com/, 1997.

[Pax98] Vern Paxson. Bro: A system for detecting network intruders in real-time. In Computer Networks, pages 2425–2463, December 1998.

[PN97] Phillip A. Porras and Peter G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In NIST-NCSC National Information Systems Security Conference, 1997.

[SGVS99] R. Sekar, Y. Guang, S. Verma, and T. Shanbhag. A high-performance network intrusion detection system. In ACM Conference on Computer and Communications Security, pages 8–17, 1999.

[SN03] Sherman Networks. KaZaa Media Desktop. http://www.kazaa.com/, 2003.

[Spy03] Spybot. Spybot S&D. http://security.kolla.de/, 2003.

[Whe03] WhenU.com. SaveNow. http://www.whenu.com/about_savenow.html, 2003.

[Win03a] WinDump: tcpdump for Windows. http://windump.polito.it/, 2003.

[Win03b] WinPcap: the free packet capture architecture for Windows. http://winpcap.polito.it/, 2003.

[ZL03] Zone Labs. Zone Alarm. http://www.zonelabs.com/, 2003.
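Section 5 proposes relating the DNS name of the host a piece of spyware contacts to the names of installed applications, so that the responsible installation can be found and removed. The following is an added illustration of that heuristic, not code from the paper or its authors: it strips generic labels and the top-level domain from a host name and matches the remaining labels against the word tokens of installed application names, allowing a prefix match so that a name like cometlabs still points at Comet Cursor. The application list, the set of generic labels and the minimum token length are assumptions; the Web3000 case from Section 2.7 (traffic to www.ezula.com, bundled with Netsonic Download Accelerator) shows the heuristic returning nothing, which is its expected failure mode when the ad network and the bundling product carry unrelated names.

```python
# Added illustration of the Section 5 host-name heuristic; the application list
# and label sets are constructed, not taken from any real system.
import re

# Constructed list of installed application names, as a detector might read
# them from the Windows Installer's product list (entries are hypothetical).
INSTALLED_APPS = ["Gator eWallet", "Comet Cursor",
                  "Netsonic Download Accelerator", "Acme Photo Viewer"]

# DNS labels that carry no application identity and are skipped (assumed set).
GENERIC_LABELS = {"www", "rs", "ss", "gs", "bg", "log", "cdn", "data", "search"}


def name_tokens(app_name, min_len=4):
    """Lower-case alphanumeric words of an application name; short words are
    dropped so that tokens like 'inc' cannot match a label by accident."""
    return [t for t in re.findall(r"[a-z0-9]+", app_name.lower()) if len(t) >= min_len]


def host_labels(host):
    """Labels of a host name below the top-level domain, generic ones removed."""
    labels = host.lower().rstrip(".").split(".")[:-1]
    return [label for label in labels if label not in GENERIC_LABELS]


def candidate_applications(host, apps=INSTALLED_APPS):
    """Installed applications whose name tokens equal, or are a prefix of, a
    label of `host`. An empty list means the heuristic has no answer."""
    labels = host_labels(host)
    return [app for app in apps
            if any(label == tok or label.startswith(tok)
                   for label in labels for tok in name_tokens(app))]
```

The result is only a candidate list for a user or an uninstall routine to act on: a match ties a contacted host to a product name, not to proof that the product installed the spyware, and a host such as an Akamai or other shared content server (the case SaveNow presents in Section 2.6) matches nothing by design.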

 
Types of malware threats
Types of malware threatsTypes of malware threats
Types of malware threats
 
( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPESMALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
Honeypot Presentation - Using Honeyd
Honeypot Presentation - Using HoneydHoneypot Presentation - Using Honeyd
Honeypot Presentation - Using Honeyd
 
News2 bytes
News2 bytesNews2 bytes
News2 bytes
 
1738 1742
1738 17421738 1742
1738 1742
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
Internet security
Internet securityInternet security
Internet security
 
spyware
spywarespyware
spyware
 
Research Paper on Rootkit.
Research Paper on Rootkit.Research Paper on Rootkit.
Research Paper on Rootkit.
 
Introduction to Malwares
Introduction to MalwaresIntroduction to Malwares
Introduction to Malwares
 
The trojan horse virus
The trojan horse virusThe trojan horse virus
The trojan horse virus
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
Wajug: Cyber war, Cyber Attacks and Ethical Hacking - Frédéric de Pauw - Dece...
 
Case Study of RSA Data Breach
Case Study of RSA Data BreachCase Study of RSA Data Breach
Case Study of RSA Data Breach
 
The Rise of Ransomware
The Rise of RansomwareThe Rise of Ransomware
The Rise of Ransomware
 
Analysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin AttackAnalysis of RSA Lockheed Martin Attack
Analysis of RSA Lockheed Martin Attack
 
IBPS SO
IBPS SOIBPS SO
IBPS SO
 

Viewers also liked

nullcon 2011 - Memory analysis – Looking into the eye of the bits
nullcon 2011 - Memory analysis – Looking into the eye of the bitsnullcon 2011 - Memory analysis – Looking into the eye of the bits
nullcon 2011 - Memory analysis – Looking into the eye of the bitsn|u - The Open Security Community
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
An analysis of a facebook spam exploited through browser add-ons - Whitepaper
An analysis of a facebook spam exploited through browser add-ons - WhitepaperAn analysis of a facebook spam exploited through browser add-ons - Whitepaper
An analysis of a facebook spam exploited through browser add-ons - Whitepapern|u - The Open Security Community
 
Web Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and PreventionWeb Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and Preventionn|u - The Open Security Community
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationn|u - The Open Security Community
 

Viewers also liked (20)

Phishing and being phished!
  Phishing and being phished!  Phishing and being phished!
Phishing and being phished!
 
nullcon 2011 - Fuzzing with Complexities
nullcon 2011 - Fuzzing with Complexitiesnullcon 2011 - Fuzzing with Complexities
nullcon 2011 - Fuzzing with Complexities
 
Spam – The Evolution
Spam – The EvolutionSpam – The Evolution
Spam – The Evolution
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
nullcon 2011 - Memory analysis – Looking into the eye of the bits
nullcon 2011 - Memory analysis – Looking into the eye of the bitsnullcon 2011 - Memory analysis – Looking into the eye of the bits
nullcon 2011 - Memory analysis – Looking into the eye of the bits
 
Web backdoors attacks, evasion, detection
Web backdoors   attacks, evasion, detectionWeb backdoors   attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
nullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemnullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric System
 
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
 
Cracking Salted Hashes
Cracking Salted HashesCracking Salted Hashes
Cracking Salted Hashes
 
An analysis of a facebook spam exploited through browser add-ons - Whitepaper
An analysis of a facebook spam exploited through browser add-ons - WhitepaperAn analysis of a facebook spam exploited through browser add-ons - Whitepaper
An analysis of a facebook spam exploited through browser add-ons - Whitepaper
 
Security Issues in Android Custom Rom - Whitepaper
Security Issues in Android Custom Rom - WhitepaperSecurity Issues in Android Custom Rom - Whitepaper
Security Issues in Android Custom Rom - Whitepaper
 
Cracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF WalkthroughCracking CTFs - Sysbypass CTF Walkthrough
Cracking CTFs - Sysbypass CTF Walkthrough
 
Web Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and PreventionWeb Application Finger Printing - Methods/Techniques and Prevention
Web Application Finger Printing - Methods/Techniques and Prevention
 
Phishing and being phished!
Phishing and being phished!Phishing and being phished!
Phishing and being phished!
 
Club hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthroughClub hack 2011 precon ctf walkthrough
Club hack 2011 precon ctf walkthrough
 
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentationnullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
nullcon 2011 - Automatic Program Analysis using Dynamic Binary Instrumentation
 
Project Jugaad
Project JugaadProject Jugaad
Project Jugaad
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
OSSIM Overview
OSSIM OverviewOSSIM Overview
OSSIM Overview
 
Legiment Techniques of IDS/IPS Evasion
Legiment Techniques of IDS/IPS EvasionLegiment Techniques of IDS/IPS Evasion
Legiment Techniques of IDS/IPS Evasion
 

Similar to Spiffy Spyware Stuff

When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Project in malware analysis:C2C
Project in malware analysis:C2CProject in malware analysis:C2C
Project in malware analysis:C2CFabrizio Farinacci
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdfG Srinu
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdfG Srinu
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET Journal
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.pptshreyng
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 

Similar to Spiffy Spyware Stuff (20)

Spyware and rootkit
Spyware and rootkitSpyware and rootkit
Spyware and rootkit
 
When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.When developer's api simplify user mode rootkits developing.
When developer's api simplify user mode rootkits developing.
 
Security Handbook
 Security Handbook Security Handbook
Security Handbook
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Project in malware analysis:C2C
Project in malware analysis:C2CProject in malware analysis:C2C
Project in malware analysis:C2C
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
It kamus virus security glossary
It kamus virus   security glossaryIt kamus virus   security glossary
It kamus virus security glossary
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdf
 
20 Trip-Wire-.pdf
20 Trip-Wire-.pdf20 Trip-Wire-.pdf
20 Trip-Wire-.pdf
 
Computer security
Computer securityComputer security
Computer security
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
Final project.ppt
Final project.pptFinal project.ppt
Final project.ppt
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
 
43 automatic
43 automatic43 automatic
43 automatic
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Spiffy Spyware Stuff

  • 1. Spiffy Spyware Stuff Tushar Dalvi Nilesh Dalvi Abstract There are several softwares available that maintain a database of all the known spywares and the files they An increasing number of shareware softwares today install and use the database to detect the presence of come with spyware programs, programs that collect spywares on one’s system. While they have proven browsing habits of users and other information and pe- to be quite effective, spyware writers can easily get riodically report them to remote host. In this paper, we around them by having clever installations that change discuss the use of network based signatures for detect- the names of the files installed to a random string. ing spywares. We present a survey of commonly found In this work, we propose the use of network based spywares and their working. We also propose a set of signatures to detect spywares. This scheme works by basic network signatures and demonstrate that most of analyzing the packets in the output network stream and the commonly found spywares satisfy them. correlating them with the browser activity to infer spy- ware activity. Network signatures can not only detect adwares that send browsing information but other spy- 1 Introduction ing softwares like key loggers. Spyware is Internet jargon for Advertising Supported Our contributions in this project are : software (Adware). It is a way for shareware authors 1. Analyzing various spywares currently in circula- to make money from a product, other than by selling it tion and studying their network activity. to the users. There are several large media companies that offer them to place banner ads in their products 2. Proposing a set of basic signatures to look for and in exchange for a portion of the revenue from banner demonstrating their effectiveness on current spy- sales. wares. While this may be a great concept, the downside is that the advertising companies also install additional 3. 
Providing a tool that sniffs packets and stores tracking software on the system, which is continuously along with the process that generated it. This tool calling home, using user’s Internet connection and is useful in analyzing spywares/detecting signa- reports statistical data. While according to the pri- tures. vacy policies of the companies, there will be no sensi- The rest of the paper is organized as follows. In Sec- tive or identifying data collected from the user’s system tion 1, we describe the workings of spywares most com- and the user shall remain anonymous, it still remains monly found today. In Section 3, we classify these spy- the fact that a live server is active on one’s computer wares into various categories. In Section 4, we discuss continuously sending information about the user and the strategies for detecting these spywares, including user’s browsing habits. A spyware has complete access our network based signature technique. In Section 6, to one’s computer and data and a malicious spyware we describe the related work and we conclude in Sec- may send user passwords and credit card information. tion 7. Spywares also consume one’s CPU, memory and band- width on someone else’s behalf. The hangover from record downloads of programs 2 Common Spyware that include adware and other spywares has created a matching demand for utilities designed to block Most spyware that is included in the popular software unwanted pop-up ads or remove spyware altogether. packages available on the Internet comes from a small 1
set of highly used spyware. The activity of a number of such spyware (as well as some uncommon pieces of spyware) has been analyzed, and the results are presented here.

2.1 Gator

The Gator Advertising and Information Network (GAIN) [GC03], powered by The Gator Corporation, comes with many popular software applications and services. It delivers ads, information, and software based on the web sites viewed by the user.

Gator runs as a standalone process called GMT.exe and monitors the user's browser activity to attempt to better target the ads shown. It randomly selects one of the following six hosts to which to send information: bannerserver.gator.com, ss.gator.com, rs.gator.com, gs.gator.com, bg.gator.com and search.gator.com. Each time a website is visited, it sends one of these hosts information about the name of the website, the local time, a uniquely identifiable machine ID, browser type, etc. Not everything that was sent was in plain text. No personal information or passwords were seen in the packets, but the plain text did not account for everything it sent.

2.2 Comet Cursor

Comet Cursor [CS03] is an Internet Explorer toolbar. Since it does not run as a separate process, it was difficult to isolate its network activity for study. To study Comet Cursor's traffic, the ambient network activity of the system was reduced as much as possible, and all packets that could otherwise be accounted for were discarded. It was observed that Comet Cursor randomly sends information to either rs.cometsystems.com or log.cc.cometsystems.com.

Comet Cursor's activity immediately follows the browser activity. It is more selective in what it sends. Names of websites visited by browsers were never seen in the packets. However, it does send all the search terms entered in the forms of search engines such as Google and Yahoo. The names of the search engines are perhaps hard coded inside the Comet Cursor code.

2.3 Alexa

Alexa [Ale03] is another Internet Explorer toolbar, powered by Amazon. It sends its information to data.alexa.com, including the names of all the URLs visited by the browser.

It uses HTTP for communication. HTTP seems to be the favorite among spywares, perhaps because many users in academic/corporate environments are behind firewalls and most ports are blocked, while HTTP is always the safest choice.

2.4 Google Toolbar

The Google Toolbar [Goo03] is an Internet Explorer plugin designed to give the user easier access to Google's services. Because it is a browser plugin, the toolbar does not appear in a process of its own. With the PageRank feature disabled, using the toolbar is no different from using the Google search page itself. With PageRank turned on, however, on every web access the URL being visited is sent to Google via HTTP to retrieve the PageRank information. The toolbar is careful, however, not to relay to Google any data that was entered into web forms, or to relay intranet URLs.

2.5 KeySpy

KeySpy [IIP03] is a commercial keylogger application produced by IIPwr. It is invisibly installed on a victim system, set to execute whenever the system reboots, and does not appear in a process of its own. It sits in the background, silently monitoring and recording all user keystrokes, window titles, as well as all process names, IDs, and start and stop activities. At regular intervals (configurable by the attacker), KeySpy sends a report via e-mail to the attacker, optionally in an encrypted form. When sending its report, KeySpy spawns a separate process to open its TCP connection to the SMTP server. Once the report has been sent, this process terminates, eliminating any lingering CLOSE_WAIT or TIME_WAIT entries that might show up in a casual netstat.

2.6 SaveNow

SaveNow [Whe03] is adware that is often bundled as a third-party component with other software, including popular file-sharing packages such as KaZaa [SN03] and BearShare [FPI03]. It lives in a process of its own, called save.exe, monitoring the user's browser activity to attempt to better target the ads shown. As often as once a minute (triggered by the user's browser activity), SaveNow contacts an Akamai server via HTTP to
download its ads. It does not appear to send any information about what sites have been visited, or what data has been entered into web forms.

2.7 Web3000

Web3000 [Net03] is another ad network. Its software is bundled with Netsonic Download Accelerator in the form of Ezula TopText. It inserts its own text advertisements as pop-ups linked to highlighted words in a Web page. It does not show up in the process list under the Windows Task Manager, but HTTP packets are seen to be transmitted to www.ezula.com containing the names of all the URLs visited by the browser.

3 Classes of Spyware

Based on the observations above, it appears that spyware can be classified into several categories according to its behaviour. This classification is useful in guiding the development of strategies for dealing with spyware.

3.1 Process Location

Spyware can either live in its own process, or it can be attached to one or more host processes, either through a plugin or by replacing library files. Clearly, the presence of spyware that lives in its own process can be easily detected by examining the system's process table. Network activity that is generated by such spyware can also be easily isolated for analysis and detection of suspicious activity. Spyware that lives in its own process includes Gator and SaveNow.

3.2 Frequency of Reporting

By its very nature, spyware must periodically send reports of its observations over the network. Spyware can be categorized according to the frequency of such reporting. Many simply send a report immediately after user activity has been observed. Others can batch up such reports and send a larger or summarized report after every few minutes or after every few instances of user activity.

Gator, Comet Cursor, Alexa, and Google Toolbar all send information with every user click in the web browser. SaveNow sends information once a minute. KeySpy reports are sent every few minutes; their frequency is uncorrelated with user activity.

3.3 Content of Reports

4 Strategies for Detection

In this section, traditional techniques for detecting spyware are first described. These include detection based on firewalls and detection based on databases. Then network-based signatures are discussed.

4.1 Firewall-Based Detection

One simple way of detecting spyware is to install a firewall, such as Zone Alarm [ZL03]. Zone Alarm blocks all processes from connecting to the Internet or acting as servers. Access to the network can be selectively enabled by the user on a per-process basis, depending on the processes that the user recognizes. Many pieces of spyware that attempt to hide themselves from the user come to the surface in this way.

There are two downsides to the firewall approach. First, a process recognized by the user as requiring network access may be surreptitiously engaged in spyware activities. For instance, the FTP client CuteFTP [Glo03] once spied on its users in the background. Secondly, many spywares embed themselves into web browsers as either plugins or toolbars, and they cannot be selectively denied access to the network.

4.2 Signatures Based on Databases

This is the approach taken by many existing spyware detectors [Lav03, BPS03, Spy03]. They maintain an up-to-date database of the latest versions of all known spyware. The database includes lists of files installed by the spyware, the process names under which they run, etc.

Each spyware installs a few dynamically linked libraries (DLLs) in the Windows system directory. This serves as an easy test for their detection. For instance, Cydoor [Med03] installs CD_CLINT.DLL, CD_GIF.DLL and CD_SWF.DLL.

Existing spyware detectors also examine the list of processes running in the system to detect instances of spyware that may be running. For example, Gator runs under the process name of GMT.exe, while SaveNow runs as save.exe.
Database based spyware detection is a very powerful technique for detecting existing spyware. However, it has its limitations. It cannot detect new spyware or new versions of spyware that are not in the database. Also, spyware can get around these detectors by having clever installations where the names of the installation files are changed to random strings.

4.3 Network-Based Signatures

Based on the spyware analyzed in Section 2, it appears that network-based detection schemes can be more robust and flexible than detection mechanisms based on firewalls or databases. In particular, a network-based detector can analyze the outgoing packet stream for any of the following classes of signatures.

1. Network activity in the form of packets being sent to a fixed destination or to a small set of fixed destinations.

2. Network activity that is correlated with browser activity.

3. Network activity that is seen periodically at fixed intervals.

4. Packets containing the names of the websites visited by the browser.

5. Packets containing information that has recently been entered into a web form.

It is expected that Class 1 signatures should be satisfied by all spyware, but perhaps also by many other benign applications. All spyware should also satisfy either Class 2 or Class 3 signatures, and these would be good indications of spyware activity. Finally, the presence of Class 4 or Class 5 signatures would be a clear indication that spyware is present in the system. Table 4.3 summarizes the various signatures satisfied by the applications studied in Section 2.

4.3.1 Detecting Network Signatures

We have implemented a packet sniffer that traces the packets back to the processes (along with their names) that created them. It serves two important purposes. First, it segregates the network activities of trusted processes and helps the user to concentrate on only those network packets that correspond to potential spyware processes. Second, each process can be studied in isolation for spyware activity.

For spyware that runs as a separate process, it is easy to test each class of signatures. A browser workload is created, where the browser visits a few fixed sites and fills out forms with some fixed information. All of the network signature classes are easily detectable by looking at the packets generated by these processes. Class 1 can be detected by looking at the total number of unique hosts that the process connects to. The packets can be scanned to look for the names of the web sites and the information filled in the form.

For spyware that embeds itself into the browser, a similar approach can be taken. There could be multiple pieces of spyware running; each visit to a website could generate lots of packets to various different hosts. Class 1 can be detected by looking for destination hosts that repeat periodically in the logs. With a spyware connecting to n random hosts, each host will repeat with a frequency of 1/n on average. Packets to each such destination host can be scanned for instances of the other signature classes.

4.3.2 Packet Sniffer

This section describes the implementation of the per-process packet sniffer. There are two aspects of the implementation:

1. Getting Packets: The WinPcap [Win03b] Windows packet capture library is used. This library is used by many current packet sniffers, such as WinDump [Win03a] and Ethereal [Eth03]. It includes a kernel-level packet filter, a low-level dynamic link library, and a high-level system-independent library. We use the library to isolate the TCP packets sent from the given machine. These packets have the information about the TCP ports used to send the packets but do not reveal the names of the processes that generated them.

2. Getting Process Names: The IP Helper API of the Microsoft Platform SDK can be used to access the data structure storing the list of open TCP ports on the system. Windows XP has an extended query feature that gives the additional information about the PIDs of the processes using these ports. This information, joined with the port information of the packets, helps in tracing the packets back to the originating processes.
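The five signature classes of Section 4.3 evaluated over a per-process packet log, as an added example that is not the authors' sniffer; the process names, hosts, URLs, timestamps and the thresholds (at most six destination hosts, a 2 s correlation window, 10% tolerance on the reporting interval) are all assumptions constructed for the example.

```python
"""Signature classes 1-5 of Section 4.3 evaluated over a per-process packet log.
Added example, not the authors' sniffer; every name, host, URL and time is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed browser workload: (time, site visited, text entered into a form).
VISITS = [(0.0, "news.example.test", ""),
          (30.0, "search.example.test", "q=cheap+flights"),
          (75.0, "shop.example.test", "")]

# Constructed log as the per-process sniffer would emit it:
# (time, process, destination host, plain-text part of the payload).
LOG = [
    (0.4, "adw.exe", "rs.adw.test", "u=news.example.test&id=7f3a"),
    (30.3, "adw.exe", "log.adw.test", "u=search.example.test&q=cheap+flights"),
    (75.5, "adw.exe", "rs.adw.test", "u=shop.example.test&id=7f3a"),
    (5.0, "beacon.exe", "ads.beacon.test", "<opaque>"),       # fixed interval
    (65.0, "beacon.exe", "ads.beacon.test", "<opaque>"),
    (125.0, "beacon.exe", "ads.beacon.test", "<opaque>"),
    (12.0, "mail.exe", "imap.example.test", "a1 NOOP"),       # benign, one host
    (71.0, "mail.exe", "imap.example.test", "a2 NOOP"),
]

def class1(pkts, max_hosts=6):
    """Traffic goes to a small fixed set of hosts (Gator rotates among six)."""
    return 0 < len({dst for _, _, dst, _ in pkts}) <= max_hosts

def class2(pkts, visits, window=2.0):
    """Every browser visit is followed by a packet within `window` seconds."""
    return all(any(0 <= ts - t <= window for ts, *_ in pkts) for t, _, _ in visits)

def class3(pkts, tolerance=0.1):
    """Inter-packet gaps are nearly constant: reporting at a fixed interval."""
    ts = sorted(ts for ts, *_ in pkts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return len(gaps) >= 2 and pstdev(gaps) <= tolerance * mean(gaps)

def class4(pkts, visits):
    """A payload carries the name of a site the browser visited."""
    return any(site in pl for *_, pl in pkts for _, site, _ in visits)

def class5(pkts, visits):
    """A payload carries text that was typed into a web form."""
    return any(form and form in pl for *_, pl in pkts for _, _, form in visits)

def classify(log, visits):
    """Map each process to the set of signature classes it satisfies."""
    by_proc = defaultdict(list)
    for pkt in log:
        by_proc[pkt[1]].append(pkt)
    checks = {1: lambda p: class1(p), 2: lambda p: class2(p, visits),
              3: lambda p: class3(p), 4: lambda p: class4(p, visits),
              5: lambda p: class5(p, visits)}
    return {proc: {n for n, f in checks.items() if f(pkts)}
            for proc, pkts in by_proc.items()}

def verdict(classes):
    """The page's reading: 4/5 are conclusive, 2/3 indicative, 1 alone is not."""
    if classes & {4, 5}:
        return "spyware"
    return "suspicious" if classes & {2, 3} else "inconclusive"

if __name__ == "__main__":
    for proc, hits in classify(LOG, VISITS).items():
        print(f"{proc:11s} classes={sorted(hits)} -> {verdict(hits)}")
```

The benign mail client satisfies only Class 1, as the text anticipates, while the beaconing process is flagged by Class 3 without any payload inspection.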
Figure 1: Signature classes satisfied by various pieces of spyware (a table with one column per signature class 1 to 5 and one row each for Alexa, Comet Cursor, Gator, Google Toolbar, KeySpy, SaveNow and Web3000; the column positions of the check marks did not survive extraction, only the per-row counts: four for Alexa, Gator and Web3000, three for Comet Cursor, Google Toolbar and SaveNow, and two for KeySpy).

5 Removal of Spywares

After spyware activity has been detected in the system, an interesting and intriguing problem deals with blocking the spyware activity. For the database based spyware detectors, it is easy to uninstall the spywares as they contain the list of files installed by the spywares. For network signature based detectors, it is a much harder problem. One possibility is to block the spywares at the network level. Care has to be taken to block the packets sent by the spywares as well as packets sent to spywares. The incoming traffic to spywares needs to be blocked because remote hosts may be sending them advertisements to display or even executables to run on the user machine. For spywares identified as separate processes, all the packets sent to the process or the packets sent by the process can be dropped. For spywares sitting inside the browser, a list of remote hosts corresponding to the spyware activity can be made and any packets with those hosts as source or destination can be dropped.

Spyware blocking at the network level is of course not foolproof, and complete removal of these spywares from the system is sought. Again, for spywares with process names, the names of the executables are known and the Windows Installer can be summoned to remove the corresponding program. For spywares running inside the browser, this is an almost intractable problem as it is impossible to know the application whose installation brought the spyware. Two approximate strategies can be employed here. First, the spyware detector can run continuously in the background and coordinate with the Windows Installer. If spyware activity suddenly crops up in the system, the detector can relate it to the application the Installer installed and try removing it. Another possible strategy is to perform a DNS lookup for the remote host that the spyware is contacting and try to relate its name with the names of applications. For example, Gator contacts gator.com servers and Comet Cursor contacts cometlabs.com servers.

6 Related Work

The general problem of detecting attacks against a computer system over a network is called network intrusion detection. Monitoring network activity to detect spyware is a special case of network intrusion detection in which an illicit program, installed on the system alongside legitimate software, sends personal information about the user to a remote site over the network.

Most network intrusion detection systems (NIDSs) [MHL94] work by inspecting IP packets and reconstructing the higher level interactions between end hosts and remote users. For example, Heberlein et al. [HDL+90] have developed a network security monitor that compares current network usage patterns with a historical profile to detect abnormal activity.

The EMERALD environment [PN97] is a distributed NIDS that can track malicious activity in large networks. EMERALD surveillance and response monitors are distributed over a network and can be independently tuned. These monitors provide data to an event-analysis system that combines signature analysis with statistical profiling to detect suspicious network activity.

Bro [Pax98] is a passive network monitoring system for detecting intruders in real-time on high-speed networks. The network traffic stream is filtered and reduced to a series of events. These events are then processed by event handlers, written in a specialized scripting language. Event handlers in Bro can update state information, synthesize events, generate logging information, and generate real-time notifications.

Sekar et al. [SGVS99] have designed a rule and pattern-based NIDS that features a specification language with a strict typing discipline. The specification language allows the user to define rules and patterns in network packets corresponding to anomalous behavior.

Writing the rules for a rule-based NIDS, however, requires expert security knowledge and is an expensive process that often involves hours of tedious programming and debugging. Lee et al. [LPS99] have developed a data mining framework for adaptively learning these rules for use in Network Flight Recorder [NFR97].

There does not appear to be any previous work done on spyware detection, either by identifying such rules, or by applying network intrusion detection techniques to the problem. Our work deals with extending these techniques for spyware detection by identifying the network signatures common to spywares.

There are many commercial software products available that detect the presence of spyware by examining the host's file system. These are based on signature databases and look for the installations of the currently known spywares. These systems are limited in scope as they cannot detect new or unknown spyware. We plan to extend the scope using our techniques.

7 Conclusions

References

[Ale03] Alexa. Alexa Toolbar. http://www.alexa.com/, 2003.
[BPS03] Bullet Proof Soft. BPS Spyware Remover. http://www.bulletproofsoft.com/, 2003.
[CS03] Comet Systems. Comet Cursor. http://cometcursor.cometsystems.com/, 2003.
[Eth03] The Ethereal Network Analyzer. http://www.ethereal.com/, 2003.
[FPI03] Free Peers Inc. BearShare. http://www.bearshare.com/, 2003.
[GC03] Gator Corporation. Gator. http://www.gator.com/, 2003.
[Glo03] GlobalSCAPE. CuteFTP. http://www.cuteftp.com/, 2003.
[Goo03] Google. Google Toolbar. http://toolbar.google.com/, 2003.
[HDL+90] L. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood, and D. Wolber. A network security monitor. In IEEE Symposium on Research in Security and Privacy, pages 296–304, May 1990.
[IIP03] IIPwr. IIPwr Package. http://www.iipwr.com/IIPwrPackage.htm, 2003.
[Lav03] Lavasoft. Ad-aware. http://www.lavasoftusa.com/, 2003.
[LPS99] Wenke Lee, Christopher T. Park, and Salvatore J. Stolfo. Automated intrusion detection methods using NFR. In USENIX Intrusion Detection Workshop, 1999.
[Med03] Cydoor Desktop Media. Cydoor. http://www.cydoor.com/, 2003.
[MHL94] B. Mukherjee, L. Heberlein, and K. Levitt. Network intrusion detection. In IEEE Network, pages 26–41, May/June 1994.
[Net03] Netsonic. Web3000. http://www.web3000.com/, 2003.
[NFR97] Network Flight Recorder. http://www.nfr.com/, 1997.
[Pax98] Vern Paxson. Bro: A system for detecting network intruders in real-time. In Computer Networks, pages 2425–2463, December 1998.
[PN97] Phillip A. Porras and Peter G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In NIST-NCSC National Information Systems Security Conference, 1997.
[SGVS99] R. Sekar, Y. Guang, S. Verma, and T. Shanbhag. A high-performance network intrusion detection system. In ACM Conference on Computer and Communications Security, pages 8–17, 1999.
[SN03] Sherman Networks. KaZaa Media Desktop. http://www.kazaa.com/, 2003.
[Spy03] Spybot. Spybot S&D. http://security.kolla.de/, 2003.
[Whe03] WhenU.com. SaveNow. http://www.whenu.com/about_savenow.html, 2003.
[Win03a] WinDump: tcpdump for Windows. http://windump.polito.it/, 2003.
[Win03b] WinPcap: the free packet capture architecture for Windows. http://winpcap.polito.it/, 2003.
[ZL03] Zone Labs. Zone Alarm. http://www.zonelabs.com/, 2003.