Potentially Unwanted Programs Spyware and Adware

Total Page:16

File Type:pdf, Size:1020Kb

Potentially Unwanted Programs Spyware and Adware White Paper | September 2005 Potentially Unwanted Programs Spyware and Adware www.mcafee.com McAfee System Protection Solutions | October 2005 Page 2 Table of Contents What Are Potentially Unwanted Programs (PUPs)? 3 Behavior of Malicious Software 3 Types of PUPs 4 What Are the Risks Associated with PUPs? 6 How Do You Get PUPs on Your System? 7 How PUPs Work When Installed on a System 8 How Big Is the Problem? 9 McAfee VirusScan Online Figures and Trends 9 What Can Be Done about It? 10 Host-Based Products 10 Network-based IPS Products 11 Management and Policy Enforcement 11 McAfee Research 12 References 12 www.mcafee.com McAfee System Protection Solutions | October 2005 Page 3 Spyware and Adware What Are Potentially Unwanted Programs (PUPs)? 2004 saw a marked shift in the motives for malware writing Over the years, there have been a number of cases from political or mischievous purposes towards fi nancial gain. Identity theft, phishing, extortion by threatening where a commercial entity of some kind produced distributed denial-of-service (DDoS) attacks, intellectual a piece of code that was intentionally detected by property theft, and selling compromised machine lists to anti-virus software, including McAfee®’s. Usually spammers have become a common theme in malware. these fell into categories like: This trend began with the banking-specifi c autodialing in Bugbear.b and widespread utilization of Sobig..f-infected • Utility programs repackaged and distributed as part of a machines for spamming in 2003, and has become de rigueur root kit or remote access Trojan, and scripted or altered in 2004, with widespread proliferation of keylogging, in such a way to hide them or bypass all of the normal password-stealing, remote DDoS capabilities, and backdoor safeguards of the original application. Examples include installation amongst most major threats in 2004. IRC clients, FTP servers, sniffers, etc. It is unclear whether the malware authors are adopting • Products which, by their very nature, are designed to ease techniques used by aggressive marketing companies, or administration by circumventing security measures or whether marketers are using ideas spawned by malware allowing remote administration. These sorts of programs, authors, but there is clearly a war going on for the use of like password crackers, remote control programs, remote YOUR computer system and its data and resources. Today process creators, and the like, are natural backdoors for we have: hackers or malware authors, and many users want to know if these programs are present on their systems • Adware removing other adware • Applications that began as hacker tools or Trojans, but • Viruses removing other viruses and backdoors were good enough to fi nd legitimate use as administrator • Viruses distributing adware software, e.g., Netbus • Bot armies being stolen or compromised and re-purposed Today a signifi cant number of programs are using aggressive marketing techniques, akin to those long employed by • Viruses and PUPs intentionally shutting down, disabling, spammers, to create more intrusive and, the developers or weakening security tools like IE security settings, would say, more effective products and services. The clear fi rewall settings, and anti-virus products gap between malicious code written by anti-social teenagers McAfee Research has for some time applied the technology and non-malicious code written by legitimate corporations developed for virus and Trojan detection to software is rapidly dwindling, where it exists at all. This aggressive products, that for whatever reason, our customers fi nd marketing stance is even touted as “viral marketing,” a term objectionable. McAfee scan engines since version 4100 perhaps more appropriate than intended. Viral marketing include an additional detection type (beyond virus or can be defi ned as using a consumer’s resources to generate Trojan) called appp or program. more interest than could be achieved by direct marketing, with or without the consumer’s knowledge and consent. So what exactly is this stuff, and what does it do? At a high level, PUPs are any piece of software which a reasonably security- or privacy-minded computer user Behavior of Malicious Software may want to be informed of, and, in some cases, remove. There are essentially six types of behavior seen by our PUPs are usually made by a legitimate corporate entity for researchers in traditional malware: some benefi cial purpose (to whom they may be benefi cial is debatable), but so alter the security state of the computer • Installation—getting onto a system and modifying that on which they are installed, or the privacy posture of the system so the code runs frequently or every time the user using the computer, that most users will want to be computer starts up aware of them. www.mcafee.com McAfee System Protection Solutions | October 2005 Page 4 • Surveying—fi nding new targets; seen only in viruses • Interception, redirection, or retransmission of non- personal data (search keywords, URL history, etc.) to or by • Replication—getting onto those new targets; seen third parties (Payload) only in viruses • Interception, redirection, or retransmission of personal • Concealment—hiding the presence of or preventing the data (names, addresses, passwords, account names, removal of the software banking information, etc.) to or by third parties (Payload) • Injection—getting inside the code or data of other innocuous processes on the system to gain additional Types of PUPs privileges, achieve concealment, or deliver payload McAfee Research breaks PUPs down into six major • Payload—doing something to the host computer, categories and an “other” category. Most PUPs are communicating data to third parties, or receiving functionally similar, if not identical, to Trojan horses. In commands from third parties some cases, the software is innocuous by design, but can Surveying and replication are only ever seen in viruses, but be easily misused in ways that have unintended security or the other techniques used by both true malware and PUPs privacy impacts. can be virtually identical. In fact, in McAfee Research’s experience, there are few or no functional differences Spyware between many PUPs and many Trojan horses except for the Software whose function includes the transmission of distribution of the former by a legitimate entity with an end- personal information to a third party without the user’s user license agreement (EULA). knowledge and explicit consent. Software that does one or more of the following is likely to Adware be considered a PUP by McAfee Research: Software whose primary function is to make revenue through • Bundling with other software, especially where the host advertising targeted at the person using the computer on software comes with additional components is not spelled which it is installed. This revenue can be made by the vendor out very clearly (Installation) or partners of the vendor. This does not imply that any • Installing by taking advantage of an exploit (Installation) personal information is captured or transmitted as part of the software’s functioning, though that may be the case. • Failure to show taskbar or tray icons when running (Concealment) Password Crackers • Hiding of processes, fi les, services, registry keys, or other Software designed to allow a legitimate user or evidence (Concealment) administrator to recover lost or forgotten passwords from • File names, resources attempt to mimic system fi les or accounts or data fi les. When in the hands of an attacker, other third-party fi les (Concealment) these same tools allow access to confi dential information and represent a security and privacy threat. • Lacks of clear and obvious uninstall function (Concealment) Remote Administration Tools • Uninstall fails to work correctly, or installs or deletes fi les unrelated to the software (Concealment) Software designed to allow remote control of a system by a knowledgeable administrator. Remote administration • Uninstall requires long surveys or other tricks to tools, however, when controlled by a party other than the accomplish (Concealment) legitimate owner or administrator are a large security threat. • Firewalls, anti-virus software, or other security measures disabled (Concealment) Dialers • Application (e.g., Internet Explorer) or operating system Software that redirects Internet connections to a party (e.g., Windows® Firewall) security settings altered other than the user’s default ISP for the purpose of securing (Concealment) additional connection charges for a content provider, vendor, or other third party. • Injection into other running processes (Injection) • Downloading and execution of arbitrary third-party content (Payload) www.mcafee.com McAfee System Protection Solutions | October 2005 Page 5 Jokes browser helper objects. McAfee does not detect all browser helper objects, though many adware components that Software that has no malicious payload or use, and does happen to be browser helper objects are detected. not impact security or privacy states, but that may alarm or annoy a user. Browser Hijackers Other PUPs Browser hijackers are programs that replace the browser home page, search page, search results, error message Many innocuous pieces of software, such as FTP servers, pages, or other browser content with unexpected or have been misused to assist the replication or payload unwanted content. Browser hijackers may install cleanly behaviors of traditional malware. and obviously, uninstall correctly, and make it very clear
Recommended publications
  • The Spyware Used in Intimate Partner Violence
    The Spyware Used in Intimate Partner Violence Rahul Chatterjee∗, Periwinkle Doerflery, Hadas Orgadz, Sam Havronx, Jackeline Palmer{, Diana Freed∗, Karen Levyx, Nicola Dell∗, Damon McCoyy, Thomas Ristenpart∗ ∗ Cornell Tech y New York University z Technion x Cornell University { Hunter College Abstract—Survivors of intimate partner violence increasingly are decidedly depressing. We therefore also discuss a variety report that abusers install spyware on devices to track their of directions for future work. location, monitor communications, and cause emotional and physical harm. To date there has been only cursory investigation Finding IPS spyware. We hypothesize that most abusers find into the spyware used in such intimate partner surveillance (IPS). spyware by searching the web or application stores (mainly, We provide the first in-depth study of the IPS spyware ecosystem. Google Play Store or Apple’s App Store). We therefore We design, implement, and evaluate a measurement pipeline that combines web and app store crawling with machine learning to started by performing a semi-manual crawl of Google search find and label apps that are potentially dangerous in IPS contexts. results. We searched for a small set of terms (e.g., “track my Ultimately we identify several hundred such IPS-relevant apps. girlfriend’s phone without them knowing”). In addition to the While we find dozens of overt spyware tools, the majority are results, we collected Google’s suggestions for similar searches “dual-use” apps — they have a legitimate purpose (e.g., child to seed further searches. The cumulative results (over 27,000+ safety or anti-theft), but are easily and effectively repurposed returned URLs) reveal a wide variety of resources aimed at for spying on a partner.
    [Show full text]
  • Automatic Classifying of Mac OS X Samples
    Automatic Classifying of Mac OS X Samples Spencer Hsieh, Pin Wu and Haoping Liu Trend Micro Inc., Taiwan TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information Contents and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted 4 upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing Introduction herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy 6 is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to Mac OS X Samples Dataset the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 10 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as Classification of Mach-O Files to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. 11 Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, Malware Families indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content 15 thereof.
    [Show full text]
  • Analyzing Android Adware
    San Jose State University SJSU ScholarWorks Master's Projects Master's Theses and Graduate Research Spring 2018 Analyzing Android Adware Supraja Suresh San Jose State University Follow this and additional works at: https://scholarworks.sjsu.edu/etd_projects Part of the Computer Sciences Commons Recommended Citation Suresh, Supraja, "Analyzing Android Adware" (2018). Master's Projects. 621. DOI: https://doi.org/10.31979/etd.7xqe-kdft https://scholarworks.sjsu.edu/etd_projects/621 This Master's Project is brought to you for free and open access by the Master's Theses and Graduate Research at SJSU ScholarWorks. It has been accepted for inclusion in Master's Projects by an authorized administrator of SJSU ScholarWorks. For more information, please contact [email protected]. Analyzing Android Adware A Project Presented to The Faculty of the Department of Computer Science San Jose State University In Partial Fulfillment of the Requirements for the Degree Master of Science by Supraja Suresh May 2018 ○c 2018 Supraja Suresh ALL RIGHTS RESERVED The Designated Project Committee Approves the Project Titled Analyzing Android Adware by Supraja Suresh APPROVED FOR THE DEPARTMENTS OF COMPUTER SCIENCE SAN JOSE STATE UNIVERSITY May 2018 Dr. Mark Stamp Department of Computer Science Dr. Katerina Potika Department of Computer Science Fabio Di Troia Department of Mathematics ABSTRACT Analyzing Android Adware by Supraja Suresh Most Android smartphone apps are free; in order to generate revenue, the app developers embed ad libraries so that advertisements are displayed when the app is being used. Billions of dollars are lost annually due to ad fraud. In this research, we propose a machine learning based scheme to detect Android adware based on static and dynamic features.
    [Show full text]
  • Mcafee Potentially Unwanted Programs (PUP) Policy March, 2018
    POLICY McAfee Potentially Unwanted Programs (PUP) Policy March, 2018 McAfee recognizes that legitimate technologies such as commercial, shareware, freeware, or open source products may provide a value or benefit to a user. However, if these technologies also pose a risk to the user or their system, then users should consent to the behaviors exhibited by the software, understand the risks, and have adequate control over the technology. McAfee refers to technologies with these characteristics as “potentially unwanted program(s),” or “PUP(s).” The McAfee® PUP detection policy is based on the process includes assessing the risks to privacy, security, premise that users should understand what is being performance, and stability associated with the following: installed on their systems and be notified when a ■ Distribution: how users obtain the software including technology poses a risk to their system or privacy. advertisements, interstitials, landing-pages, linking, PUP detection and removal is intended to provide and bundling notification to our users when a software program or technology lacks sufficient notification or control over ■ Installation: whether the user can make an informed the software or fails to adequately gain user consent to decision about the software installation or add- the risks posed by the technology. McAfee Labs is the ons and can adequately back out of any undesired McAfee team responsible for researching and analyzing installations technologies for PUP characteristics. ■ Run-Time Behaviors: the behaviors exhibited by the technology including advertisements, deception, and McAfee Labs evaluates technologies to assess any impacts to privacy and security risks exhibited by the technology against the degree of user notification and control over the technology.
    [Show full text]
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics
    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics PH.D THESIS Platon Pantelis Kotzias Copyright c 2019 by Platon Pantelis Kotzias iv DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing Author: Platon Pantelis Kotzias Advisor: Dr. Juan Caballero April 2019 Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain Abstract of the Dissertation Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and sys- tematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
    [Show full text]
  • Common Threats to Cyber Security Part 1 of 2
    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
    [Show full text]
  • (Malicious Software) Installed on Your Computer Without Your Consent to Monitor Or Control Your Computer Use
    Spyware is a type of malware (malicious software) installed on your computer without your consent to monitor or control your computer use. Clues that spyware is on a computer may include a barrage of pop-ups, a browser that takes you to sites you don't want, unexpected toolbars or icons on your computer screen, keys that don't work, random error messages, and sluggish performance when opening programs or saving files. In some cases, there may be no symptoms at all. While the term spyware suggests that software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can: Collect information stored on the computer or attached network drives, Collect various types of personal information, such as Internet surfing habits, sites that have been visited Collect user names and passwords stored on your computer as well as those entered from the keyboard. Interfere with user control of the computer Install additional software on the computer Redirect Web browser activity. Change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet or functionality of other programs. The best defense against spyware and other unwanted software is not to download it in the first place. Here are a few helpful tips that can protect you from downloading software you don't want: Update your operating system and Web browser software, and set your browser security high enough to detect unauthorized downloads. Use anti-virus and anti-spyware, as well as a firewall software, and update them all regularly.
    [Show full text]
  • Welcome to the Jungle:1 the State Privacy Implications of Spam, Phishing and Spyware
    February 2005 Welcome to the Jungle:1 The State Privacy Implications of Spam, Phishing and Spyware Section I: An Overview It’s a Jungle Out There: In an environment in which 53% of all reported fraud complaints to the Federal Trade Commission (FTC) in 2004 were Internet-related, the Internet and email threats of spam, phishing and spyware all are real threats with real consequences.2 They are increasingly used by criminals, instead of just novice teenage hackers3 and can be lucrative alone or in furthering a larger criminal enterprise. Armed with these incentives, spammers, phishers and spyware purveyors are motivated and possess the expertise to avoid the attempts of law enforcement, industry and others to bring these threats in hand. Moreover, while banks, financial institutions, ISPs (Internet Service Providers) and even online auction site users have borne the initial brunt of threats like phishing, other sectors are becoming targets as the first wave of targeted sectors puts in place more effective security measures. This could place government and citizen information at risk of unauthorized disclosure and could lead to serious consequences, such as the release of sensitive homeland security and critical infrastructure information or personal information that could result in identity theft. In addition, spam, phishing and spyware infringe upon citizens’ perceived “right to be left alone” while surfing the Internet and using email. The fact that so many individuals’ privacy has been impacted to varying extents by these threats has compounded their significance. For example, a 2004 phishing attack spoofed4 an email from the FDIC (Federal Deposit Insurance Corporation).
    [Show full text]
  • Rethinking Security
    RETHINKING SECURITY Fighting Known, Unknown and Advanced Threats kaspersky.com/business “Merchants, he said, are either not running REAL DANGERS antivirus on the servers managing point- of-sale devices or they’re not being updated AND THE REPORTED regularly. The end result in Home Depot’s DEMISE OF ANTIVIRUS case could be the largest retail data breach in U.S. history, dwarfing even Target.” 1 Regardless of its size or industry, your business is in real danger of becoming a victim of ~ Pat Belcher of Invincea cybercrime. This fact is indisputable. Open a newspaper, log onto the Internet, watch TV news or listen to President Obama’s recent State of the Union address and you’ll hear about another widespread breach. You are not paranoid when you think that your financial data, corporate intelligence and reputation are at risk. They are and it’s getting worse. Somewhat more controversial, though, are opinions about the best methods to defend against these perils. The same news sources that deliver frightening stories about costly data breaches question whether or not anti-malware or antivirus (AV) is dead, as reported in these articles from PC World, The Wall Street Journal and Fortune magazine. Reports about the death by irrelevancy of anti-malware technology miss the point. Smart cybersecurity today must include advanced anti-malware at its core. It takes multiple layers of cutting edge technology to form the most effective line of cyberdefense. This eBook explores the features that make AV a critical component of an effective cybersecurity strategy to fight all hazards targeting businesses today — including known, unknown and advanced cyberthreats.
    [Show full text]
  • A Poisoned Apple: the Analysis of Macos Malware Shlayer By: Minh D
    A Poisoned Apple: The Analysis of macOS Malware Shlayer by: Minh D. Nguyen Abstract Historically, the Microsoft Windows operating system family, which currently runs on more than 70 percent of computers in the world,7 has been the main target for malware. However, with the growing popularity of Apple’s MacBook products, the macOS operating system has become a new platform for attackers to target the general computer users. According to the 2016/2017 Security Report of AV-TEST, the number of malware samples for macOS detected in 2016 has increased by an astonishing 370 percent compared to the same figure in 2015.3 In order to address the rising interest of attackers in the macOS operating system, this project provides an analysis of a newly discovered malware for macOS, Shlayer, to reveal a well- known tactic that attackers can utilize to infect machines running on any operating system, and discusses possible countermeasures for this strategy. I. Introduction macOS is often hailed as a more secure operating system compared to its counterpart Microsoft Windows.2 However, in reality, many attacking techniques targeting Windows machines can also be applied to macOS machines. The analysis of the new Shlayer malware, discovered by researchers of Intego in February 2018,1 will reveal a familiar strategy that attackers often utilize to target victim machines without regards of the operating system. With the worldwide growth of macOS usage, it is important to recognize this attacking method and understand that in many cases, the success of an attack does not depend on the security of the operating system but on the awareness of the user.
    [Show full text]
  • Adobe Acrobat Pro Reset Document Password
    Adobe Acrobat Pro Reset Document Password Rutilated Hyman sometimes donned any uprises justled illatively. Mike springed his jillets frustrating third-class Ossieor tyrannically temp, but after Aziz Bogdan baldly overstaffsentitles and her denned cabernet. weakly, bracteal and anthroposophical. Quotidian and creepiest Learn safe to do when you grit your password. Need your PDFs on loan go? You reserved your sidewalk to the Adobe PDF format and Adobe Acrobat, the de facto standard for creating and managing PDF files. You did receive help directly from her article author. Discuss: How they disable Protected View in Microsoft Word associate in to comment. It often indicates a user profile. If error had bought PDF Expert before the app moved to a subscription model, you will be able provide access this feature great free. Open the Comments modal. Edit: is now have our desktop application too. Security concerns often arise beneath the conflict between security and functionality. To guard your minds in peace and gotten help you tactfully dodge any priest of your future purchase wheat have created this web blog. How those Change PDF Permissions. Most of us in our lifetime did change across password protected PDF at school once. The best for the layout similar issue and create the adobe acrobat pro reset document password from pdfs no contractual obligations are as. Moreover, erasing passwords from one file at a time unless both tiresome and troublesome. Open fire original PDF file. Lets users insert, delete, and rotate pages, and create bookmarks and thumbnails. Also removes printing restrictions from files. Adobe Acrobat Reader routinely receives a dozen to more security patches every month.
    [Show full text]
  • Ransomware and Cyber Risk Management
    Ransomware and Cyber Risk Management By Randy Werner Ransomware and cyber extortion represent one of the more malicious types of hacker attacks making the rounds today. It sneaks into computer systems, encrypts files, and demands a ransom before decrypting the files. A major problem is that ransomware does not always decrypt files even after the ransom is paid. Being prepared and taking precautions against cyber risk exposures such as ransomware is therefore essential. Otherwise, if not prepared, you are at the mercy of criminals who prey on unprepared and unsuspecting businesses and individuals. Ransom demands range from a few hundred dollars to several thousand, depending on the size of the victim. Not all ransomware attacks are reported to authorities, so estimates of the total amount paid over the past few years vary widely, ranging up to $300 million. The more notorious names among ransomware are CryptoLocker, CryptoWall, TorrentLocker and Locky, among others. Some attacks rely on software that now has known fixes, so a solution might be found online. However, other ransomware is technically advanced and has no known fix, except for the victim to rely on current backup files. The primary defense is to institute frequent backups of the files you do not want to lose. Some ransomware even seeks out backup copies of files, so best practices include creating multiple backups in different locations. Cloud services, or remote backup services, and external or USB hard drives are options to consider for multiple backups. Even with backup files in place, a firm may still spend many hours gathering, re-entering and reconstructing data.
    [Show full text]