Techniques of Techniques and Adware Spyware Eric Chien SecuritySymantec Response From theauthor. proceedingsthe of permission with Used of the VB2005 Conference. WHITE PAPER: SYMANTEC SECURITY RESPONSE White Paper: Symantec Security Response Techniques of Adware and Spyware Contents Abstract.......................................................................................................................................6 Background................................................................................................................................. 6 Delivery vectors...........................................................................................................................8 Social engineering banner ads...................................................................................................8 Drive by Downloads.................................................................................................................... 9 Automatic refresh....................................................................................................................... 9 Active X........................................................................................................................................10 Continual Prompting...................................................................................................................11 Bundled and chained installs..................................................................................................... 11 Peer to peer installation............................................................................................................. 12 Exploits........................................................................................................................................12 Load points................................................................................................................................. 13 Anti-Removal and stealth techniques........................................................................................14 Simple obfuscation..................................................................................................................... 14 Watchdog techniques................................................................................................................. 15 Files..............................................................................................................................................15 Registry........................................................................................................................................15 Processes.....................................................................................................................................16 Code injection............................................................................................................................. 16 3 White Paper: Symantec Security Response Techniques of Adware and Spyware Contents (continued) Direct memory write................................................................................................................... 16 Application initialization registry key........................................................................................ 17 Windows hook.............................................................................................................................17 Winlogon notification packages................................................................................................. 18 Permission modification.............................................................................................................18 File locking.................................................................................................................................. 19 Object access control lists..........................................................................................................19 Account privileges.......................................................................................................................19 Rootkit techniques......................................................................................................................20 Usermode.................................................................................................................................... 20 Kernel mode................................................................................................................................ 21 Data Gathering............................................................................................................................21 Aggregate browsing habits.........................................................................................................22 Computing habit profiles............................................................................................................22 System information.................................................................................................................... 22 Personally-identifiable and confidential information............................................................... 23 Removal.......................................................................................................................................24 Conclusion.................................................................................................................................. 26 References.................................................................................................................................. 27 4 White Paper: Symantec Security Response Techniques of Adware and Spyware Contents (continued) Appendicies.................................................................................................................................28 About the Author.........................................................................................................................31 5 Techniques of Adware and Spyware Abstract A whole class of threats commonly known as adware and spyware has proliferated over the last few years with very few impediments. These programs are security risks that are typically used to gather marketing information or display advertisements in order to generate revenue. Not only are these threats far more widespread than traditional malware, but they also utilize techniques that are far more advanced than those used in traditional threats. No doubt this is because adware and spyware programs are being created by registered corporations with professional developers rather than by hobbyist virus writers. This paper will examine the techniques used by adware and spyware in their attempts to remain resident on the system and examine the types of data being extracted from the user’s system. These techniques will be compared to similar techniques being used by traditional malicious software and we will speculate at the point at which adware and spyware becomes more akin to a Trojan horse. Solutions will be discussed including exploring the necessity of full system repair including repairing the registry, process scanning, and address the removal of other advanced hooking concepts such as Winsock layered service providers. This paper discusses adware and spyware programs that are typically used to facilitate advertising or gather data for market research. Because these programs are updated constantly and potentially produced by affiliates, each program is identified only by its common name within the paper. Appendix A contains MD5s and other identifying information about the actual samples analyzed. Background In 1987, the first publicly recorded use of the word ‘adware’ appeared on the Internet in the Usenet newsgroup comp.sys.mac. Amusingly, the post refers to a Macintosh application rather than a Windows application. Example 1: Newsgroup posting referring to adware Newsgroups: comp.sys.mac Date: Tue, 21-Jul-87 15:39:54 EDT Subject: FastEddie 3.1 announcement … FastEddie 3.1 has been released by Cottage Software as “AdWare” (as they like to call it) without the restrictions of earlier demo-versions which were limited to handle small files only. They call it AdWare because a window comes up every so often which advertises Cottage Software. However, adware would not be on the radar of security companies until 15 years later, when Permissioned Media, Inc. forced anti-virus companies to re-evaluate what was and wasn’t a virus. In October 2002, Permissioned Media, Inc. released a software program that sent a link to itself to everyone in the 6 Techniques of Adware and Spyware Microsoft Outlook contact list, just like a mass-mailing email worm. The difference was that this functionality was specified in an end user license agreement (EULA) on installation of the program. Figure 1: The mass-mailing functionality of W32.Friendgreet.worm was specified in a EULA. While this program may have been intended to perform market research, due to the fact it self-replicated, it was categorized as a worm, irrespective of the EULA. Today, programs identified as adware and spyware by security vendors generally do not self-replicate, but do often exhibit behaviors more akin to malicious software – such as techniques to trick users into executing the application, avoid being noticed, and prevent removal. This paper will discuss the common and potentially malicious delivery vectors, load points, anti-removal, and stealth techniques used by adware and spyware and also give