Monday, October 31, 2005

Combating Spyware

An Introduction to Spyware

If you believe the stories, the Internet is not a safe place. At every
click, you run the risk of your computer being silently coerced into
giving up passwords, credit card details, and private documents. You
hardly dare visit a new Web site for fear of being targeted by this
malicious software. Fortunately, the reality is somewhat different, and
in this course, you'll learn the truth behind spyware.

WARNING
This course covers concepts and topics in depth that are capable of
causing damage to your computer. Be sure to read the course and follow
instructions with care, especially where malicious software is being
discussed!

First of all, it's important to understand that the term spyware is
often used as a generic catchall category that lumps together a number
of distinctly different software traits. A perfectly normal application
can easily be classified as spyware because of a single function it
performs, when in reality, the function in question is legitimate. For
example, consider the File menu in Microsoft Word: when you click it, a
list of the documents most recently opened with the application is
visible at the bottom of the menu.

This type of functionality is called a usage tracker and is harmless;
in fact, it enhances your experience and productivity. However, if a
hidden application running on your computer without your knowledge
silently tracks every document you open, and then stores this
information for later use, it's considered malicious.

You'll find out about spam, the other part of this course title, in the
second half of this course.

Web site cookies are an interesting extension of usage tracking; not
only do they allow Web sites to provide personalized interfaces such as
user accounts, but they also allow in-depth tracking of Web browsing
behavior. Adware works on a similar principle and is also generally
harmless, although often irritating. You've probably seen some
shareware or freeware applications that, instead of having limited
functionality to encourage you to register, display context sensitive
advertisements in a window. It's common for shareware applications to
use adware techniques to earn their creators some money through advert
syndication, especially P2P (Peer to Peer) clients such as Kazaa or
eDonkey, shown in Figure 1-1.


Adware

There are a number of privacy concerns with adware, mainly because the
advertisements displayed within the application are retrieved from a
remote server on the Internet. As each advertisement is requested, the
remote server logs your computer's IP (Internet Protocol) address and
the time of the request, as well as other details. If you use the
application over a period of time, the owners of the remote server can
easily do the following:

Build a picture of your usage of the application.
Note the times you're most likely to be at the computer.
Note the length of time you use the application.
Note what you like doing when you use the application.

P2P Clients

P2P clients are also often the source of less innocent, true spyware.
In this case, the term spyware is used to refer to a specific type of
malicious application rather than as a generic term. A common technique
with many of these clients is to silently include a spyware application
within the installation process. The Kazaa P2P client is notorious for
doing this and includes (among other things) an application called
Gator.

Gator is also a Trojan application that masquerades as a legitimate and
useful program when, in reality, it's anything but. It integrates
itself into the operating system and monitors which Web sites are
viewed and which applications are accessed. This information is used to
display pop-up advertisements directly on your desktop, containing
supposed special offers for products that might interest you. One of
the most concerning "features" of Gator is its ability to store
commonly used information for Web page forms. This is great if you want
to save yourself from repeatedly entering your name and e-mail address,
but not so good when Gator remembers your credit card number and gives
it to Web sites without your consent.

Malware

Finally, and most seriously, there's an application category known as
malware. This is software specifically designed to invade your
computer, hijack normal operating system and application functions, and
actively prevent you from removing it. The only difference between
malware and a generic virus is that malware generally makes itself
known through its visibly destructive actions. Some well-known examples
of malware include the C2.Lop program, and the infamous CWS
(CoolWebSearch). Some variants of CWS actually invade the Microsoft
Windows networking subsystem, integrating themselves with the operating
system, which makes them difficult to remove.

The Problem with Spyware

At first glance, the spyware issues may seem quite obvious and easy to
avoid. Unfortunately, the hallmark of really good spyware is that you
don't know you're about to become a victim until it's too late. As
mentioned, although spyware is commonly associated with malicious Web
sites, it quite regularly gets bundled with legitimate software by less
than scrupulous developers. And just to really push the point home,
many software developers include a clause in their EULA (End-User
License Agreement) that prevents you from removing the spyware if you want
to continue to use the application. The eDonkey P2P client is just one
example of this.

Although spyware tied to applications is relatively easy to avoid or
disable, Web-based spyware is a whole different game, as discussed in
the following sections.

Browser Hijacking

Web-based spyware usually targets security vulnerabilities within Web
browsers to install itself and modify the browser's functionality. This
is commonly referred to as browser hijacking. The most basic form of
hijacking is home page hijacking. As the name implies, a Web site
author can use JavaScript functions to set a browser's home page to any
Web site he selects. Although this may seem pointless and nothing more
than a minor inconvenience, if the new home page is full of syndicated
advertising banners, the author can quickly generate a lot of money
from hijacking Web browsers. If you're unlucky, the new home page is a
malware download site that infects your computer.

This is probably the most marked difference between spyware and
viruses: Whereas virus writers have to remain anonymous under threat of
prosecution, spyware authors actively publicize and financially benefit
from their malicious actions. The money they earn allows them to hire
expert programmers to create more sophisticated spyware, perpetuating
the cycle. There are a number of companies that actually provide
spyware development services, and will create custom spyware
applications to your specifications. It's a very thin legal line, but
companies continue to try to walk it.

Spyware Categories

Economics drives the entire spyware industry, so it's no wonder that
its creators want to make spyware as hard to remove and avoid as
possible. The vast majority of Web-based spyware falls into one of
three categories:

Toolbar hijacks: The most common types. They place a custom toolbar
within your Web browser that displays advertisements and tracks your
Web browsing.
Functionality hijacks: Prevent your Web browser and operating system
from functioning normally. In some cases, they pop up application
windows and advertisements on your desktop at random.
Dialer applications: Force your computer to dial premium rate and
international phone numbers at random times.

It's often a fine line between spyware and legitimate software, because
many spyware applications include useful functions. A good example of
this is Alexa, which monitors the Web pages as you browse and displays
links and advertisements related to the page content. Some users may
find this a handy way to find related products and information, whereas
others may consider it annoying and an invasion of privacy. Alexa is
owned by Amazon.com, which does give it some legitimacy.

An Introduction to Spyware Mechanisms

All Web-based spyware is dependent on being able to use features and
security vulnerabilities within a Web browser to infect a computer.
Part of the reason that spyware is difficult to defend against is that
the features used to infect a computer are often the same as those used
by legitimate software to enhance functionality. The first step in
defense is to understand how spyware and malware work.

The life of spyware can be split into the following three stages:

Exploitation: Occurs when a malicious Web site exploits a feature or
security vulnerability in your browser and gains enough access to your
computer to start causing problems. It's an unfortunate fact that Web
browsers, especially Microsoft Internet Explorer, have plenty of
security flaws in them.
Infection: When the payload (the part of the spyware that actually does
the damage) is downloaded to your computer via the security hole
created in stage one.
Operation: Takes place as the spyware completes its tasks, such as
displaying toolbars, sending Web browsing information to its creators,
or dialing premium-rate phone numbers.

Misuse of Features

All Web-based spyware is dependent on being able to exploit features
and security vulnerabilities within a Web browser to infect a computer;
without the features and flaws, infection isn't possible. One of the
most common methods of attack is through ActiveX controls. These are
small programs downloaded to your computer to provide special
functionality not available through basic HTML (Hypertext Markup
Language) script, such as a Web-based interactive pie chart creator.
However, because these are executable programs whose purpose is to
extend the functionality of the Web browser, the developers of these
controls have extensive access to the internals of both Windows and the
Web browser.

Similarly, the active scripting functionality within Internet Explorer
is a two-edged sword. Many security vulnerabilities have been found
within both the ActiveX management system and the active scripting
system, and the access these systems are granted by default makes it
extremely easy for a malicious Web site to infect a computer. Internet
Explorer Security Zones, a topic covered later in the course, are
supposed to prevent these types of security issues, but unfortunately,
even this system has been proven insecure.

Browser Helpers

Once spyware has exploited a security vulnerability, the payload is
installed on the victim's computer and usually hijacks Web browser
functions. The most common hijack technique is to use a BHO (Browser
Helper Object). A BHO is a DLL (Dynamic Link Library, a special type of
executable file) that has complete control over Internet Explorer,
allowing it to monitor and change anything it wants.

When Internet Explorer starts, it looks through the Registry for all
installed BHOs, and loads each one in turn. Although this may seem
perfect for little other than spyware, it's actually an extremely
useful plug-in system. Download managers and other utilities, such as
FlashGet or GetRight, use BHOs to seamlessly integrate their functions
with Internet Explorer to enhance its functionality. Although BHOs are
commonly associated with toolbars and visible functionality changes,
there's no requirement for this -- it's perfectly possible for a BHO to
be installed and never announce its presence. Perfect for spyware.
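Because a BHO can load silently, the practical check is to read the same Registry list Internet Explorer reads. The following PowerShell script is an added example, not code from the course: it enumerates the registered BHO CLSIDs, resolves each one to its name and DLL under HKCR\CLSID, and reports whether the DLL exists and carries a valid Authenticode signature. The Registry paths are the standard Windows ones; the function name Get-InstalledBho and the decision to also read the 32-bit Wow6432Node view are this example's own choices. Run it from an elevated PowerShell prompt on the computer you are auditing.

```powershell
# Added example (not the course's own code): enumerate the Browser Helper
# Objects registered for Internet Explorer and show where each one lives.

# IE reads the list of BHO CLSIDs from this key; on 64-bit Windows the
# 32-bit browser also consults the Wow6432Node view.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-InstalledBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -Path $key)) { continue }

        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName

            # The BHO key only stores the CLSID; the human-readable name and the
            # DLL path are registered under HKCR\CLSID\{clsid} (or its 32-bit view).
            $clsKey = @(
                "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
                "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
            ) | Where-Object { Test-Path -Path $_ } | Select-Object -First 1

            $name = $null
            $dll  = $null
            if ($clsKey) {
                $name = (Get-ItemProperty -Path $clsKey).'(default)'
                $serverKey = "$clsKey\InprocServer32"
                if (Test-Path -Path $serverKey) {
                    $raw = (Get-ItemProperty -Path $serverKey).'(default)'
                    if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw) }
                }
            }

            # A BHO whose DLL is missing or unsigned deserves a closer look;
            # legitimate download managers and toolbars normally ship signed code.
            $signature = 'DllNotFound'
            if ($dll -and (Test-Path -Path $dll -PathType Leaf)) {
                $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
            }

            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                Signature = $signature
            }
        }
    }
}

Get-InstalledBho | Format-Table -AutoSize
```

An entry with no name, a DLL in a temporary or user profile directory, or a signature status other than Valid is the kind of BHO the text describes: installed, loaded at every browser start, and never announcing itself. Compare the list against the plug-ins you knowingly installed before removing anything.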

Linking Web Browsing and Windows

Other types of hijacking exploit the tight links between Internet
Explorer and Windows. It's common for spyware to use Windows policies
to force the computer to act a certain way; for example, to change the
Internet Explorer home page, and then set a policy to prevent you from
changing back. This type of hijacking can be very difficult to reverse
because it uses the Windows security system. In other words, to remove
it, you actually fight Microsoft's security mechanisms!

Spyware can also use the multiple ways Windows knows to automatically
start an application on boot, ensuring that the spyware is always
running. Once running on a victim computer, many types of spyware
actively seek out antispyware tools and attempt to disable them. They
also manipulate the Windows networking system to prevent the
unfortunate user from even downloading antispyware tools. Many of these
programs are deliberately named to sound like legitimate operating
system files, for example svchost32.exe; the legitimate Windows program
is named svchost.exe and deleting the wrong one can cause serious
damage.
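The two mechanisms just described, a policy that locks the home page and an autostart entry disguised as a system file, can both be checked from the Registry. The PowerShell script below is an added example, not code from the course: it reports the current Internet Explorer home page and whether the Control Panel policy value HomePage is set to 1 (the setting that greys out the home page option), lists the programs registered under the standard Run and RunOnce keys, and flags executables whose names imitate Windows system programs or that run from the wrong directory. The Registry paths are the standard Windows ones; the function names, the list of imitated system names, and the path-extraction heuristic are this example's own assumptions. Run it from an elevated prompt so process paths are visible.

```powershell
# Added example (not the course's own code): check whether the IE home page
# is locked by policy, list the Run keys spyware uses to survive a reboot, and
# flag executables whose names imitate Windows system programs.

function Get-IeHomePageStatus {
    $main   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $policy = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

    $startPage = (Get-ItemProperty -Path $main -ErrorAction SilentlyContinue).'Start Page'

    # HomePage = 1 under the Control Panel policy key disables the home page
    # setting in Internet Options, the lock the course describes.
    $locked = $false
    if (Test-Path -Path $policy) {
        $locked = ((Get-ItemProperty -Path $policy).HomePage -eq 1)
    }
    [pscustomobject]@{ StartPage = $startPage; ChangeDisabledByPolicy = $locked }
}

# Constructed list of system program names that spyware imitates (svchost32.exe
# is the course's example). The genuine files live in System32, except
# explorer.exe, which lives in the Windows directory.
$system32    = Join-Path -Path $env:SystemRoot -ChildPath 'System32'
$systemNames = @('svchost', 'lsass', 'csrss', 'winlogon', 'services', 'explorer')

function Get-ExecutablePath([string]$command) {
    # Run values look like  "C:\path\prog.exe" /arg  or  C:\path\prog.exe /arg
    $c = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($c -match '^"([^"]+)"')  { return $Matches[1] }
    if ($c -match '^(.+?\.exe)') { return $Matches[1] }
    return ($c -split ' ')[0]
}

function Test-LookalikeName([string]$path) {
    $leaf = [System.IO.Path]::GetFileNameWithoutExtension($path).ToLower()
    $dir  = [System.IO.Path]::GetDirectoryName($path)
    foreach ($n in $systemNames) {
        if ($leaf -eq $n) {
            # Genuine name: suspicious only when it runs from the wrong directory
            $expected = if ($n -eq 'explorer') { $env:SystemRoot } else { $system32 }
            return ($dir -ne $expected)
        }
        if ($leaf -like "$n*") { return $true }   # svchost32, lsass2, ...
    }
    return $false
}

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            $exe = Get-ExecutablePath ([string]$p.Value)
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Executable = $exe
                Exists     = ($exe -and (Test-Path -Path $exe -PathType Leaf))
                Lookalike  = (Test-LookalikeName $exe)
            }
        }
    }
}

Get-IeHomePageStatus
Get-AutostartEntries | Format-Table -AutoSize

# Running processes with svchost-style names: the real one runs from System32,
# so anything else on this list is the file to examine, not svchost.exe itself.
Get-Process | Where-Object { $_.ProcessName -like 'svchost*' } |
    Select-Object -Unique ProcessName, Path | Format-Table -AutoSize
```

A Lookalike of True for an entry that does not run from System32, combined with ChangeDisabledByPolicy being True on a home computer that has never been joined to a domain, is the pattern described above. Because the policy lock is enforced by Windows itself, removing it means deleting or zeroing that policy value, not fighting the browser.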

Trojan Web Pages

One problem that's becoming more widespread is the use of Trojan Web
page techniques to keep a computer infected. Newer versions of Windows,
such as Microsoft Windows XP and Microsoft Windows Server 2003, use
custom Web page interfaces to provide access to operating system
functions. If spyware infects these pages, no matter how many times you
delete the spyware-related executable files and Registry entries that
appear, every time you access the infected management page, the spyware
reinfects your computer. This is a technique used by the CWS malware.

Although this may seem like a desperate situation, things aren't as bad
as they sound. Although spyware is annoying, a security risk, and in
some cases very difficult to get rid of, all is not lost. It's your
computer and you have overall control over it. You can remove most of
the spyware and malware either manually or with an automated tool. Best
of all, most spyware is very well known and removal techniques have
been studied in depth by antispyware researchers. If you do have
spyware, it's not the end of the world.
