A Crawler-Based Study of Spyware in the Web

Total Page:16

File Type:pdf, Size:1020Kb

A Crawler-Based Study of Spyware in the Web A Crawler-based Study of Spyware in the Web Alex Moshchuk, Tanya Bragin, Steve Gribble, Hank Levy What is spyware? z Broad class of malicious and unwanted software z Steal control of a PC for the benefit of a 3rd party z Characteristics: z Installs without user knowledge or consent z Hijacks computer’s resources or functions z Collects valuable information and relays to a 3rd party z Resists detection and uninstallation You know it when you see it How do people get spyware? z Spyware piggybacked on popular software z Kazaa, eDonkey z Drive-by downloads z Web page installs spyware through browser z With or without user consent z Trojan downloaders z Spyware downloads/installs more spyware Why measure spyware? z Understand the problem before defending against it z Many unanswered questions z What’s the spyware density on the web? z Where do people get spyware? z How many spyware variants are out there? z What kinds of threats does spyware pose? z New ideas and tools for: z Detection z Prevention Approach z Large-scale study of spyware: z Crawl “interesting” portions of the Web z Download content z Determine if it is malicious z Two strategies: z Executable study z Find executables with known spyware z Drive-by download study z Find Web pages with drive-by downloads Outline z Introduction z Executable file study z Drive-by download study z Summary z Conclusions Analyzing executables z Web crawler collects a pool of executabes z Analyze each in a virtual machine: z Clone a clean WinXP VM z Automatically install executable z Run analysis to see what changed z Currently, an anti-spyware tool (Ad-Aware) z Average analysis time – 90 sec. per executable Executable study results z Crawled 32 million pages in 9,000 domains z Downloaded 26,000 executables z Found spyware in 12.3% of them z Most installed just one spyware program z Only 6% installed three or more spyware variants z Few spyware variants encountered in practice z 142 unique spyware threats Main targets z Visit a site and download a program z What’s the chance that you got spyware? news kids random pirate music and movies wallpapers and screensavers games celebrities blacklisted 0 5 10 15 20 25 30 % of executables that are infected Popularity z A small # of sites have large #of spyware executables: z A small # of spyware variants are responsible for the majority of infections: Types of spyware z Quantify the kinds of threats posed by spyware z Consider five spyware functions z What’s the chance an infected executable contains each function? Keylogger 0.05% Dialer 1.2% Trojan downloader 12% Browser hijacker 62% Adware 88% Example of a Nasty Executable z http://aaa1screensavers.com/ z “Let all your worries melt away into this collection of clouds in the sky – 100% free!” z http://aaa1screensavers.com/free/clouds.exe z Installs 11 spyware programs initially z Includes a trojan downloader; continually installs more spyware z 10 more within first 20 minutes z 12 new items on desktop, 3 browser toolbars z Shows an ad for every 1.5 pages you visit z CPU usage is constantly 100% z No uninstallers z Ad-Aware can’t clean z System stops responding in 30 mins z Restarting doesn’t help z Unusable system and no screensaver! Outline z Introduction z Executable file study z Drive-by download study z Summary z Conclusions Finding drive-by downloads z Evaluate the safety of browsing the Web z Approach: automatic virtual browsing z Render pages in a real browser inside a clean VM z Internet Explorer z Mozilla Firefox z Identify malicious pages z Define triggers for suspicious browsing activity z Run anti-spyware check only when trigger fires Event triggers z Real-time monitoring for non-normal behavior: z Process creation z File events z Example: foo.exe written outside IE folders. z Registry events z Example: new auto-start entry for foo.exe z No false negatives (theoretically) z 41% false positives: z Legitimate software installations z Background noise z Spyware missed by our anti-spyware tool More on automatic browsing z Caveats and tricks z Restore clean state before navigating to next page z Speed up virtual time z Monitor for crashes and freezes z Deciding what to say to security prompts: z “yes” z Emulate user consent z “no” (or no prompt) z Find security exploits Example of a security exploit z http://www.1000dictionaries.com/free_games_1.html Ads Help ActiveX Control <iframe 1> http://www.tribeca.hu/test.php C:\windows\helpctr\tools.htm Check browser and referrer <object 1> inject code <iframe 2> <object 2> z Local help objects bypass security JavaScript; VBscript restrictions; unsecured “local zone” http://www.tribeca.hu/ie/writehta.txt: z Cross-zone scripting vulnerability in GET http://www.tribeca.hu/ie/mhh.exe ActiveX Help allows JavaScript to save as c:\calc.exe inject code into a local help control run Drive-by download results (unpatched Internet Explorer, unpatched WinXP) z Examined 50,000 pages z 5.5% carried drive-by downloads z 1.4% exploited browser vulnerabilities news browser exploits kids with user consent random wallpapers and screensavers celebrities blacklist music and movies games pirate 0 5 10 15 20 25 30 35 % of pages with drive-by downloads Types of spyware z Is drive-by download spyware more dangerous? Drive-by Executables Downloads Keylogger 0.05% 0% Dialer 1.2% 0.2% Trojan Downloader 12% 50% Browser hijacker 62% 84% Adware 88% 75% Is Firefox better than IE? z Repeat drive-by download study with adult 0 Mozilla Firefox celebrity 33 z Found 189 (0.4%) pages with games 0 drive-by downloads kids 0 music 1 z All require user consent news 0 z All are based on Java pirate 132 z Work in other browsers random 0 wallpaper 0 z Firefox is not 100% safe blacklist 23 Total: 189 z However, much safer than IE Summary z Lots of spyware on the Web z 1 in 8 programs is infected with spyware z 1 in 18 Web pages has a spyware drive-by download z 1 in 70 Web pages exploits browser vulnerabilities z Most of it is just annoying (adware) z But a significant fraction poses a big risk z Spyware companies target specific popular content z Most piggy-backed spyware in games & celebrity sites z Most drive-by downloads in pirate sites z Few spyware variants are encountered in practice Conclusion and Future Work z Addressed key questions about spyware z Built useful tools and infrastructure z More details: A Crawler-based Study of Spyware in the Web NDSS06 z Looking forward: z Real-time protection with a trigger-based Web proxy z Automatically detect new spyware z Use triggers as truth z Increase the scale of the study z Study change of spyware over time (see paper!) Questions?.
Recommended publications
  • F-1 Attachment F ACCESSING the FCC NETWORK USING WINDOWS
    Attachment F ACCESSING THE FCC NETWORK USING WINDOWS 3.1 OR 3.11 This attachment describes how to access the FCC Network from a system that is running the Microsoft Windows 3.1 or Windows for Workgroups 3.11 operating system. This involves using the FCC-supplied Point-to-Point Protocol (PPP) Dialer. This attachment summarizes the hardware and software required for the PPP Dialer, then describes the procedures for performing the following tasks: C Downloading the Dialer files from the Internet or the FCC Bulletin Board C Extracting the Dialer from the downloaded files C Installing the Dialer application C Configuring PPP C Establishing a PPP connection The attachment also describes how to troubleshoot and uninstall the PPP Dialer application, and tells how to get help from the FCC. Conventions The instructions in this attachment use the following typographical conventions: bold Represents objects on the screen that you click with the mouse pointer, including buttons, Internet links, icons, tabs, menu items (e.g., Cancel button, Auctions link, Save option in the File menu). italic Represents field names or areas of a screen (e.g., Licensee Name field, Applicant Information area of a screen). bold italic Represents characters that you must type exactly as they appear in the instructions. For example, if you are instructed to type http://www.fcc.gov, you should type all of the characters shown in bold italic exactly as they are printed. SMALL CAPS Represents keys on the keyboard (e.g., ENTER, CTRL, ESC). F-1 Hardware and Software Requirements Applicants who want to connect to the FCC Network using the FCC PPP Dialer will need the following hardware and software.
    [Show full text]
  • Interaction Dialer Installation and Configuration Guide
    Interaction Dialer Installation and Configuration Guide 2018 R4 Last updated June 6, 2018 (See Change Log for summary of changes.) Abstract This document explains how to install Interaction Dialer. Interaction Dialer is a set of client/server extensions that add predictive dialing and campaign management capabilities to the PureConnect platform. iii Copyright and Trademark Information Interactive Intelligence, Interactive Intelligence Customer Interaction Center, Interaction Administrator, Interaction Attendant, Interaction Client, Interaction Designer, Interaction Tracker, Interaction Recorder, Interaction Mobile Office, Interaction Center Platform, Interaction Monitor, Interaction Optimizer, and the “Spirograph” logo design are registered trademarks of Genesys Telecommunications Laboratories, Inc. Customer Interaction Center, EIC, Interaction Fax Viewer, Interaction Server, ION, Interaction Voicemail Player, Interactive Update, Interaction Supervisor, Interaction Migrator, and Interaction Screen Recorder are trademarks of Genesys Telecommunications Laboratories, Inc. The foregoing products are ©1997-2017 Genesys Telecommunications Laboratories, Inc. All rights reserved. Interaction Dialer and Interaction Scripter are registered trademarks of Genesys Telecommunications Laboratories, Inc. The foregoing products are ©2000-2017 Genesys Telecommunications Laboratories, Inc. All rights reserved. Messaging Interaction Center and MIC are trademarks of Genesys Telecommunications Laboratories, Inc. The foreg oing p rodu cts are ©2001-2017 Genesys
    [Show full text]
  • System Center Endpoint Protection for Mac
    System Center Endpoint Protection for Mac Installation Manual and User Guide Contents Context menu 19 System Center Endpoint Protection 3 System requirements 3 Advanced user 20 Import and export settings 20 Installation 4 Import settings 20 Typical installation 4 Export settings 20 Proxy server setup 20 Custom installation 4 Removable media blocking 20 Uninstallation 5 21 Beginners guide 6 Glossary Types of infiltrations 21 User interface 6 Viruses 21 Checking operation of the system 6 Worms 21 What to do if the program does not work properly 7 Trojan horses 21 Work with System Center Endpoint Adware 22 Spyware 22 Protection 8 Potentially unsafe applications 22 Antivirus and antispyware protection 8 Potentially unwanted applications 22 Real-time file system protection 8 Real-time Protection setup 8 Scan on (Event triggered scanning) 8 Advanced scan options 8 Exclusions from scanning 8 When to modify Real-time protection configuration 9 Checking Real-time protection 9 What to do if Real-time protection does not work 9 On-demand computer scan 10 Type of scan 10 Smart scan 10 Custom scan 11 Scan targets 11 Scan profiles 11 Engine parameters setup 12 Objects 12 Options 12 Cleaning 13 Extensions 13 Limits 13 Others 13 An infiltration is detected 14 Updating the program 14 Update setup 15 How to create update tasks 15 Upgrading to a new build 15 Scheduler 16 Purpose of scheduling tasks 16 Creating new tasks 16 Creating user-defined task 17 Quarantine 17 Quarantining files 17 Restoring from Quarantine 17 Log files 18 Log maintenance 18 Log filtering 18 User interface 18 Alerts and notifications 19 Alerts and notifications advanced setup 19 Privileges 19 System Center Endpoint Protection As the popularity of Unix-based operating systems increases, malware authors are developing more threats to target Mac users.
    [Show full text]
  • Recommended Practice for Securing Control Systems Modems
    Recommended Practice for Securing Control System Modems January 2008 ABSTRACT This paper addresses an often overlooked “backdoor” into critical infrastructure control systems created by modem connections. A modem’s connection to the public telephone system is similar to a corporate network connection to the Internet. By tracing typical attack paths into the system, this paper provides the reader with an analysis of the problem and then guides the reader through methods to evaluate existing modem security. Following the analysis, a series of methods for securing modems is provided. These methods are correlated to well-known networking security methods. iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for modem security for control systems. The author team consisted of subject matter expertise from the Idaho National Laboratory (James Davidson & Jason Wright) For additional information or comments, please send inquires to the Control Systems Security Program at [email protected]. iv CONTENTS ABSTRACT.................................................................................................................................................iii ACKNOWLEDGEMENT ........................................................................................................................... iv ACRONYMS..............................................................................................................................................vii 1. INTRODUCTION.............................................................................................................................
    [Show full text]
  • Cybercrime and Cyber-Security Issues Associated with China: Some Economic and Institutional Considerations
    Cybercrime and Cyber-security Issues Associated with China: Some Economic and Institutional Considerations By: Nir Kshetri Kshetri, Nir (2013). “Cybercrime and Cyber-security Issues Associated with China: Some Economic and Institutional Considerations" Electronic Commerce Research 13 (1): 41-69. The original publication is available at: http://link.springer.com/article/10.1007%2Fs10660-013-9105-4 ***Reprinted with permission. No further reproduction is authorized without written permission from Springer Verlag. This version of the document is not the version of record. Figures and/or pictures may be missing from this format of the document. *** Abstract: China is linked to cybercrimes of diverse types, scales, motivations and objectives. The Chinese cyberspace thus provides an interesting setting for the study of cybercrimes. In this paper, we first develop typology, classification and characterization of cybercrimes associated with China, which would help us understand modus operandi, structures, profiles and personal characteristics of cybercrime organizations and potential perpetrators, the signature aspects and goals of cybercrimes, the nature and backgrounds of the criminal groups involved, characteristics of potential targets for criminal activities, the nature and extent of the damage inflicted on the victims and the implications to and responses elicited from various actors. We then examine this issue from developmental and international political economy angles. Specifically, we delineate salient features of China’s politics, culture, human capital and technological issues from the standpoint of cyber-security and analyze emerging international relations and international trade issues associated with this phenomenon. Our analysis indicates that China’s global ambition, the shift in the base of regime legitimacy from MarxLeninism to economic growth, the strong state and weak civil society explain the distinctive pattern of the country’s cyber-attack and cyber- security landscapes.
    [Show full text]
  • Cybercrime Presentation
    Cybercrime ‐ Marshall Area Chamber of October 10, 2017 Commerce CYBERCRIME Marshall Area Chamber of Commerce October 10, 2017 ©2017 RSM US LLP. All Rights Reserved. About the Presenter Jeffrey Kline − 27 years of information technology and information security experience − Master of Science in Information Systems from Dakota State University − Technology and Management Consulting with RSM − Located in Sioux Falls, South Dakota • Rapid Assessment® • Data Storage SME • Virtual Desktop Infrastructure • Microsoft Windows Networking • Virtualization Platforms ©2017 RSM US LLP. All Rights Reserved. RSM US LLP 1 Cybercrime ‐ Marshall Area Chamber of October 10, 2017 Commerce Content - Outline • History and introduction to cybercrimes • Common types and examples of cybercrime • Social Engineering • Anatomy of the attack • What can you do to protect yourself • Closing thoughts ©2017 RSM US LLP. All Rights Reserved. INTRODUCTION TO CYBERCRIME ©2017 RSM US LLP. All Rights Reserved. RSM US LLP 2 Cybercrime ‐ Marshall Area Chamber of October 10, 2017 Commerce Cybercrime Cybercrime is any type of criminal activity that involves the use of a computer or other cyber device. − Computers used as the tool − Computers used as the target ©2017 RSM US LLP. All Rights Reserved. Long History of Cybercrime John Draper uses toy whistle from Cap’n Crunch cereal 1971 box to make free phone calls Teller at New York Dime Savings Bank uses computer to 1973 funnel $1.5 million into his personal bank account First convicted felon of a cybercrime – “Captain Zap” 1981 who broke into AT&T computers UCLA student used a PC to break into the Defense 1983 Department’s international communication system Counterfeit Access Device and Computer Fraud and 1984 Abuse Act was passed ©2017 RSM US LLP.
    [Show full text]
  • The Android Platform Security Model∗
    The Android Platform Security Model∗ RENÉ MAYRHOFER, Google and Johannes Kepler University Linz JEFFREY VANDER STOEP, Google CHAD BRUBAKER, Google NICK KRALEVICH, Google Android is the most widely deployed end-user focused operating system. With its growing set of use cases encompassing communication, navigation, media consumption, entertainment, finance, health, and access to sensors, actuators, cameras, or microphones, its underlying security model needs to address a host of practical threats in a wide variety of scenarios while being useful to non-security experts. The model needs to strike a difficult balance between security, privacy, and usability for end users, assurances for app developers, and system performance under tight hardware constraints. While many of the underlying design principles have implicitly informed the overall system architecture, access control mechanisms, and mitigation techniques, the Android security model has previously not been formally published. This paper aims to both document the abstract model and discuss its implications. Based on a definition of the threat model and Android ecosystem context in which it operates, we analyze how the different security measures in past and current Android implementations work together to mitigate these threats. There are some special cases in applying the security model, and we discuss such deliberate deviations from the abstract model. CCS Concepts: • Security and privacy → Software and application security; Domain-specific security and privacy architectures; Operating systems security; • Human-centered computing → Ubiquitous and mobile devices. Additional Key Words and Phrases: Android, security, operating system, informal model 1 INTRODUCTION Android is, at the time of this writing, the most widely deployed end-user operating system.
    [Show full text]
  • What Is Spyware - ALL Spyware Definition in One Place
    What is Spyware - ALL Spyware definition in one place Adware Adware is any type of advertising-supported software that will play, display, or download advertisements automatically on a user's computer once the software has been installed on it or while the application is in use. Some adware can also be spyware due to its privacy-invasive characteristics. BackDoor A backdoor in a computer system (or cryptosystem or algorithm) is a means of circumventing regular authentication, securing remote computer access, accessing plaintext, etc., while remaining to be undetected. A backdoor may appear to be an installed program or a modification to a program or hardware device that's already installed. Baiting Baiting uses tangible media and relies on the curiosity or greed of the victim. Baiting involves an attacker leaving a malware infected media such as a CD ROM or USB flash drive in a public place where it is likely to be found, appearing to be legitimate and appealing, and waits to be used by the victim. Baiting is easy to perform as in this example where an attacker might create a malware loaded CD with a company logo on it, and the words "Company Reorganization Plan" on the front. The media is left on the lobby floor of the targeted company. An employee could find it and then insert it into a computer to satisfy their curiosity. By inserting the CD into a computer to view its contents, the user unknowingly installs malware on it, allowing the attacker access to his computer and possibly, the company's computer network.
    [Show full text]
  • The Ghost in the Browser Analysis of Web-Based Malware
    The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. {niels, deanm, panayiotis, kewang, ngm}@google.com Abstract tions of exploits against any user who visits the infected As more users are connected to the Internet and conduct page. their daily activities electronically, computer users have be- In most cases, a successful exploit results in the auto- come the target of an underground economy that infects hosts matic installation of a malware binary, also called drive-by- with malware or adware for financial gain. Unfortunately, download. The installed malware often enables an adversary even a single visit to an infected web site enables the attacker to gain remote control over the compromised computer sys- to detect vulnerabilities in the user’s applications and force tem and can be used to steal sensitive information such as the download a multitude of malware binaries. Frequently, banking passwords, to send out spam or to install more ma- this malware allows the adversary to gain full control of the licious executables over time. Unlike traditional botnets [4] compromised systems leading to the ex-filtration of sensitive that use push-based infection to increase their population, information or installation of utilities that facilitate remote web-based malware infection follows a pull-based model and control of the host. We believe that such behavior is sim- usually provides a looser feedback loop. However, the popu- ilar to our traditional understanding of botnets. However, lation of potential victims is much larger as web proxies and the main difference is that web-based malware infections are NAT-devices pose no barrier to infection [1].
    [Show full text]
  • Bitdefender Endpoint Security Tools for Windows
    Bitdefender Endpoint Security Tools for Windows USER'S GUIDE Bitdefender Endpoint Security Tools for Windows User's Guide Publication date 2019.01.29 Copyright© 2019 Bitdefender 50340A34392034390AFE02048790BF8082B92FA06FA080BA74BC7CC1AE80BA996CE11D2E80BA74C7E78C2E80 82FFB239EA2080FEAAAAAAAABF800006AA3FB00000FBD5EFE73AD5009CF2544B4C3D00A6B67D616B878031FB 500EA66D0063567F854DF700E84116D29479001E1671326B0580C5FB204BC43D8067FDFBC34DB780D0D21797 1C6C00C7917C347B4580254D7859B54800EE712FF15D9700606495D7DC7D00AFBD83E36BFD8058E6B23EC589 003A89EEB31DAF00C8C91627818C001FB72BF86BFB803D6ABDBFC000809E5E6C015DFE80A54917860DD200B3 0202C06377805DE366E8361180DF05ED2359FA00AD5455C690B200A3E97B50FB728034D4AF78869180FFA96A 063B6F80D53484FF0C718046A5B3D16B298071D6D5BE608100E375ABE609FE8000DA16331D8A00FEF606A13E AF80825B662EA68800BADF6BE52EFE80BA891646848B00BA9C21A5EE700082CC28DA84E080FEA1EC237E1780 Legal Notice All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from an authorized representative of Bitdefender. The inclusion of brief quotations in reviews may be possible only with the mention of the quoted source. The content can not be modified in any way. Warning and Disclaimer. This product and its documentation are protected by copyright. The information in this document is provided on an “as is” basis, without warranty. Although every precaution has been taken in
    [Show full text]
  • Assessment of Anti Spyware Tools for Signature And
    Scui.Int.(Lahore),26(5),2071-2076,2014 ISSN 1013-5316; CODEN: SINTE 8 2071 ASSESSMENT OF ANTI SPYWARE TOOLS FOR SIGNATURE AND BEHAVIOR BASE TECHNIQUES Nabeel Alam Khattak1, Dave Chadwick2, Riaz Ahmed Bhatti1, Shafqat Ali Shad1, Faisal Shafique Butt1, Ehsan Ullah Munir1 Department of Computer Science, COMSATS Institute of Information Technology, Wah Cantt, Pakistan1. School of Computing and Mathematical Sciences, University of Greenwich, London, UK2 [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] ABSTRACT: In the modern computational world spyware became evident whether its personal computers or business units. Intention of this research paper is to do critical analysis of spy -wares and techniques used by anti spy-wares. From this paper a user can easily understand what is spyware and how it effect the user system. From this paper the user will also identify “how it works?”. This paper will also show the user how to compare the best tool and where to find the anti spyware? INTRODUCTION Background A spy-ware is a software through which the people steal Spy ware has long history. Many people worked on personal information of the user without his knowledge spyware. They first define and then derived its form and [15]. Some Internet technologies and delivery methods to classes. They thought that spyware only steal the the third person are known collectively as spyware. information but after some practical work they came to Many of spywares are legal, free and can inflict havoc on know that it transfer the information to the third party.
    [Show full text]
  • Encyclopedia of Multimedia Technology and Networking
    Encyclopedia of Multimedia Technology and Networking Second Edition Margherita Pagani Bocconi University, Italy Volume I A-Ev INFORMATION SCIENCE REFERENCE Hershey • New York Director of Editorial Content: Kristin Klinger Senior Managing Editor: Jennifer Neidig Managing Editor: Jamie Snavely Assistant Managing Editor: Carole Coulson Cover Design: Lisa Tosheff Printed at: Yurchak Printing Inc. Published in the United States of America by Information Science Reference (an imprint of IGI Global) 701 E. Chocolate Avenue, Suite 200 Hershey PA 17033 Tel: 717-533-8845 Fax: 717-533-8661 E-mail: [email protected] Web site: http://www.igi-global.com/reference and in the United Kingdom by Information Science Reference (an imprint of IGI Global) 3 Henrietta Street Covent Garden London WC2E 8LU Tel: 44 20 7240 0856 Fax: 44 20 7379 0609 Web site: http://www.eurospanbookstore.com Copyright © 2009 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark. Library of Congress Cataloging-in-Publication Data Encyclopedia of multimedia technology and networking / Margherita Pagani, editor. -- 2nd ed. p. cm. Includes bibliographical references and index. Summary: "This publication offers a research compendium of human knowledge related to the emerging multimedia digital metamarket"--Provided by publisher. ISBN 978-1-60566-014-1 (hardcover) -- ISBN 978-1-60566-015-8 (ebook) 1.
    [Show full text]