Spyware

Steven Gribble
Department of Computer Science and Engineering
University of Washington

kingsofchaos.com
- A benign web site for an online game
  - earns revenue from ad networks by showing banners
  - but, it relinquishes control of the ad content
- [Figure: kingsofchaos.com page with a banner ad from adworldnetwork.com (a legitimate ad network); inline javascript loads HTML from the ad provider]

Incident
- kingsofchaos.com was given this "ad content":

    <script type="text/javascript">document.write('\u003c\u0062\u006f\u0064\u0079\u0020\u006f\u006e\u0055\u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u0073\u0068\u006f\u0077\u0048\u0069 …etc.

- This "ad" ultimately:
  - bombarded the user with pop-up ads
  - hijacked the user's homepage
  - exploited an IE vulnerability to install spyware

What's going on?
- The advertiser was an ex-email-spammer
- His goal:
  - force users to see ads from his servers
  - draw revenue from ad "affiliate programs"
- Apparently earned several millions of dollars
- Why did he use spyware?
  - control PC and show ads even when not on the Web

Take-away lessons
- Your PC has value to third parties
  - spyware tries to steal this value from you
  - adware: eyeballs and demographic information
  - spyware: sensitive data, PC resources
- Web content should never be trusted
  - even if its direct provider is
- Consumer software and OSs are weak
  - browsers are bug-ridden
  - OSs do not protect users from malicious software
  - yet, this is increasingly the world we live in

Outline
- Background
  - definitions
  - trends
  - defenses
- Measurement study
- Discussion on spyware mitigation

What is spyware?
- Incredibly difficult to define "spyware" precisely
  - no clean line between good and bad behavior
- Spyware is a software parasite that:
  - collects information of value and relays it to a third party
  - hijacks functions or resources of PC
  - installs surreptitiously, without consent of user
  - resists detection and de-installation
- Spyware provides value to others, but not to you

How one becomes infected
- Spyware piggybacked on executables
  - model for profiting from free software
  - e.g., Kazaa installed 2-7 adware programs
- Drive-by downloads
  - Web site attempts to install software through browser
  - may involve exploiting browser vulnerabilities
- Trojan downloaders / "tricklers"
  - spyware that fetches additional spyware
  - snowball effect

Types of spyware

    Class                              # signatures
    Cookies and web bugs                         47
    Browser hijackers                           272
    Adware                                      210
    Keyloggers                                   75
    Dialers                                     201
    Backdoors / trojans / tricklers             279

From the "Spybot S&D" database, Feb. 2005.

Spyware trends
- Most Internet PCs have, or have had, it
  - 80% of Internet-connected PCs are infected
  - [AOL/NCSA online safety study, Oct. 2004]
- Much of the Web has it
  - 1 in 8 executables on Web piggyback spyware
  - 0.1% of random Web pages try "drive-by" installs
  - [UW study, Oct. 2005]
- Convergence of threats
  - worms, viruses, spyware, botnets are fusing
  - e.g., many spyware programs now install spam relays

Industrial responses
- Anti-spyware tools
  - predominantly signature based
  - e.g., AdAware, Spybot S&D, Microsoft AntiSpyware
- Blacklisted URLs in firewalls, NIDS
  - e.g., UW tipping point machine
- Sandboxes for isolating untrusted content
  - e.g., GreenBorder

Legislative responses
- Federal "SPY ACT"
  - Oct. 6: passed in House, received in Senate
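The signature-based defenses above look for known patterns; the one pattern this talk shows is the unicode-escaped `document.write` handed to kingsofchaos.com. As an added example (not from the talk or any of the tools it names), the check below decodes runs of JavaScript `\uXXXX` escapes inside inline scripts in third-party ad content and flags decoded text that turns out to be markup, so a site operator can review such banners before serving them. The sample inputs are constructed; the escaped run is the beginning of the one printed on the Incident slide.

```python
import re

# A run of at least four consecutive \uXXXX escapes. Legitimate scripts
# escape the odd character; obfuscated payloads escape whole strings.
ESCAPE_RUN = re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}")
# Inline script bodies; the closing tag may be missing in truncated content.
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)(?:</script>|$)", re.I | re.S)
# Markup that has no business hiding inside a banner's string literals.
SUSPICIOUS = re.compile(
    r"<\s*(?:body|script|iframe|object|embed)\b|\bon[a-z]+\s*=", re.I)


def decode_escape_run(run: str) -> str:
    """Turn a run of \\uXXXX escapes back into the text it conceals."""
    return "".join(chr(int(h, 16))
                   for h in re.findall(r"\\u([0-9a-fA-F]{4})", run))


def scan_ad_content(html: str) -> list:
    """Return one finding per escaped run found inside an inline <script>.

    Each finding carries the decoded text and whether it looks like
    injected markup (a new <body>, <script>, <iframe> or an on*= handler).
    """
    findings = []
    for script in INLINE_SCRIPT.finditer(html):
        for run in ESCAPE_RUN.finditer(script.group(1)):
            decoded = decode_escape_run(run.group(0))
            findings.append({
                "decoded": decoded,
                "suspicious": bool(SUSPICIOUS.search(decoded)),
            })
    return findings


# Constructed sample: the opening of the ad content shown on the Incident slide.
INCIDENT_AD = (r'<script type="text/javascript">document.write('
               r"'\u003c\u0062\u006f\u0064\u0079\u0020\u006f\u006e\u0055"
               r"\u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b"
               r"\u0073\u0068\u006f\u0077\u0048\u0069")
# Constructed sample: a banner whose script escapes a single accented letter.
BENIGN_AD = r'<script>var label = "caf\u00e9";</script><img src="banner.gif">'

if __name__ == "__main__":
    for finding in scan_ad_content(INCIDENT_AD):
        print(finding)
    print(scan_ad_content(BENIGN_AD))
```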