Spyware
Steven Gribble
Department of Computer Science and Engineering
University of Washington

kingsofchaos.com
A benign web site for an online game
—earns revenue from ad networks by showing banners
—but, it relinquishes control of the ad content
[Figure: banner ad from adworldnetwork.com (a legitimate ad network); inline javascript loads HTML from ad provider]

Incident
kingsofchaos.com was given this “ad content”:
<script type="text/javascript">document.write(‘ \u003c\u0062\u006f\u0064\u0079\u0020\u006f\u006e\u0055\u006f\u0077\u0050\u006f\u0070\u0075\u0070\u0028\u0029\u003b\u0073\u0068\u006f\u0077\u0048\u0069 …etc.
This “ad” ultimately:
—bombarded the user with pop-up ads
—hijacked the user’s homepage
—exploited an IE vulnerability to install spyware

What’s going on?
The advertiser was an ex-email-spammer
His goal:
—force users to see ads from his servers
—draw revenue from ad “affiliate programs”
Apparently earned several millions of dollars
Why did he use spyware?
—control PC and show ads even when not on the Web

Take-away lessons
Your PC has value to third parties
—spyware tries to steal this value from you
  adware: eyeballs and demographic information
  spyware: sensitive data, PC resources
Web content should never be trusted
—even if its direct provider is
Consumer software and OSs are weak
—browsers are bug-ridden
—OSs do not protect users from malicious software
  yet, this is increasingly the world we live in

Outline
Background
—definitions
—trends
—defenses
Measurement study
Discussion on spyware mitigation

What is spyware?
Incredibly difficult to define “spyware” precisely
—no clean line between good and bad behavior
Spyware is a software parasite that:
—collects information of value and relays it to a third party
—hijacks functions or resources of PC
—installs surreptitiously, without consent of user
—resists detection and de-installation
Spyware provides value to others, but not to you

How one becomes infected
Spyware piggybacked on executables
—model for profiting from free software
—e.g., Kazaa installed 2-7 adware programs
Drive-by downloads
—Web site attempts to install software through browser
—may involve exploiting browser vulnerabilities
Trojan downloaders / “tricklers”
—spyware that fetches additional spyware
—snowball effect

Types of spyware
Class                              # signatures
Cookies and web bugs                         47
Browser hijackers                           272
Adware                                      210
Keyloggers                                   75
Dialers                                     201
Backdoors / trojans / tricklers             279
From the “Spybot S&D” database, Feb. 2005.

Spyware trends
Most Internet PCs have, or have had, it
—80% of Internet-connected PCs are infected
  [AOL/NCSA online safety study, Oct. 2004]
Much of the Web has it
—1 in 8 executables on Web piggyback spyware
—0.1% of random Web pages try “drive-by” installs
  [UW study, Oct. 2005]
Convergence of threats
—worms, viruses, spyware, botnets are fusing
—e.g., many spyware programs now install spam relays

Industrial responses
Anti-spyware tools
—predominantly signature based
—e.g., AdAware, Spybot S&D, Microsoft AntiSpyware
Blacklisted URLs in firewalls,
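The obfuscated document.write() on the Incident slide is something a site that hands its ad slots to a third party can screen for before the script is served to visitors. The JavaScript below is an added example, not code from the talk or from kingsofchaos.com: it decodes \uXXXX and \xXX escapes inside document.write() string arguments and flags a snippet when most of the written markup was escaped, which is exactly what makes the slide's "ad content" unreadable. The helper names, the 50% threshold and the two sample snippets (using .invalid domains) are constructed for illustration; the first five escapes on the slide, \u003c\u0062\u006f\u0064\u0079, decode to the plain tag text "<body".

```javascript
// Added example (not from the talk): screen third-party ad snippets for
// heavily escaped document.write() payloads before they reach users.

// Decode JavaScript \uXXXX and \xXX escapes inside a string-literal body.
function decodeEscapes(s) {
  return s
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Fraction of the decoded characters that were written as escapes (0..1).
function escapedFraction(literal) {
  const escapes = (literal.match(/\\(u[0-9a-fA-F]{4}|x[0-9a-fA-F]{2})/g) || []).length;
  const decodedLen = decodeEscapes(literal).length;
  return decodedLen === 0 ? 0 : escapes / decodedLen;
}

// Extract the bodies of document.write('...') / document.write("...") calls.
// The literal body may contain escape sequences but not an unescaped
// matching quote, mirroring how the snippet on the slide is written.
function documentWriteArgs(snippet) {
  const re = /document\.write\s*\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  const args = [];
  let m;
  while ((m = re.exec(snippet)) !== null) args.push(m[2]);
  return args;
}

// Analyze one snippet. "suspicious" is a heuristic: legitimate ad code
// occasionally escapes a few characters, so the threshold is a constructed
// assumption, not a fixed rule.
function analyzeAdSnippet(snippet, threshold = 0.5) {
  const findings = documentWriteArgs(snippet).map(arg => ({
    decoded: decodeEscapes(arg),
    escapedFraction: escapedFraction(arg),
  }));
  return {
    findings,
    suspicious: findings.some(f => f.escapedFraction >= threshold),
  };
}

// Helper used only to build the constructed obfuscated sample below.
function toUnicodeEscapes(s) {
  return [...s]
    .map(c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'))
    .join('');
}

// Constructed samples (not real ad content). The banner is what a site
// expects from its ad network; the second snippet hides an iframe to a
// placeholder host behind escapes, the way the slide's "ad" hid its markup.
const BENIGN_SNIPPET =
  `<script type="text/javascript">document.write('<img src="http://ads.example.invalid/banner.gif">');</script>`;
const HIDDEN_MARKUP = '<iframe src="http://ad-relay.example.invalid/"></iframe>';
const OBFUSCATED_SNIPPET =
  `<script type="text/javascript">document.write('${toUnicodeEscapes(HIDDEN_MARKUP)}');</script>`;

// Stand-alone run: prints the decoded payload and the verdict for each sample.
for (const [name, snippet] of [['benign', BENIGN_SNIPPET], ['obfuscated', OBFUSCATED_SNIPPET]]) {
  const result = analyzeAdSnippet(snippet);
  console.log(name, JSON.stringify(result, null, 2));
}
```

The decoded text is what matters for review: once the escapes are removed, the written markup can be checked against the content the ad network was actually contracted to deliver, and anything that writes script, frames or body event handlers into the host page can be held back.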