Spyware and Trojan Horses – Computer Security Seminar               12th February 2004

Spyware and Trojan Horses
Computer Security Seminar Series [SS1]

Andrew Brown, Tim Cocks and Kumutha Swampillai              http://birmingham.f9.co.uk

Your computer could be watching your every move!
Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg

Introduction

Seminar Overview
• Introduction to Spyware / Trojan Horses
• Spyware – Examples, Mechanics, Effects, Solutions
• Tracking Cookies – Mechanics, Effects, Solutions
• Trojan Horses – Mechanics, Effects, More Examples
• Solutions to the problems posed
• Human Factors – Human interaction with Spyware
• “System X” – Having suitable avoidance mechanisms
• Conclusions – Including our proposals for solutions

Definitions

SPYWARE – A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.

TROJAN HORSE – An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Symptoms

• Targeted Pop-ups         SPYWARE
• Slow Connection          SPYWARE / TROJAN
• Targeted E-Mail (Spam)   SPYWARE
• Unauthorized Access      TROJAN HORSE
• Spam Relaying            TROJAN HORSE
• System Crash             SPYWARE / TROJAN
• Program Customisation    SPYWARE

Summary of Effects
• Collection of data from your computer without consent
• Execution of code without consent
• Assignment of a unique code to identify you
• Collection of data pertaining to your habitual use
• Installation on your computer without your consent
• Inability to remove the software
• Performing other undesirable tasks without consent

Similarities / Differences

Spyware                               Trojan Horses
Commercially Motivated                Malicious
Internet connection required          Any network connection required
Initiates remote connection           Receives incoming connection
Purpose: To monitor activity          Purpose: To control activity
Collects data and displays pop-ups    Unauthorized access and control
Legal                                 Illegal
Not Detectable with Virus Checker     Detectable with Virus Checker
Age: Relatively New (< 5 Years)       Age: Relatively Old (> 20 Years)

Common to both:
Memory Resident Processes
Surreptitiously installed without user’s consent or understanding
Creates a security vulnerability

Spyware

Software Examples
• GAIN / Gator
• Gator E-Wallet
• Cydoor
• BonziBuddy
• MySearch Toolbar
• DownloadWare
• BrowserAid
• Dogpile Toolbar

Image Sources…
GAIN Logo – The Gator Corporation – http://www.gator.com
BonziBuddy Logo – Bonzi.com - http://images.bonzi.com/images/gorillatalk.gif
DownloadWare Logo – DownloadWare - http://www.downloadware.net

Spyware Defence

User Initiatives…
• Issue Awareness
• Use Legitimate S/W Sources
• Improved Technical Ability
• Choice of Browser
• Choice of OS
• Legal action taken against breaches of privacy
  – Oct ’02 Doubleclick

Technical Initiatives...
• Spyware Removal Programs
• Pop-up Blockers
• Firewall Technology
• Disable ActiveX Controls
  – Not Sandboxed
• E-Mail Filters
• Download Patches

Spyware Removers
Ad-aware (by Lavasoft)
  – Reverse engineers Spyware
  – Scans Memory, Registry and Hard Drive for…
    • Data Mining components
    • Aggressive advertising components
    • Tracking components
  – Updates from Lavasoft
  – Plug-ins available
    • Extra file information
    • Disable Windows Messenger Service

Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com

Vulnerable Systems
• Those with an internet connection!
• Microsoft Windows 9x/Me/NT/2000/XP
• Does not affect Open Source OSs
• Non-firewalled systems
• Internet Explorer, which executes ActiveX plug-ins
• Other browsers not affected

Trojan Horses

Installation
• Secretly installed when an infected executable is run
  – Much like a virus
  – Executables typically come from P2P networks or unscrupulous websites
• ActiveX controls on websites
  – ActiveX allows automatic installation of software from websites
  – User probably does not know what they are running
  – Misleading descriptions often given
  – Not sandboxed!
  – Digital signatures are used, but signing is not necessary

Installation
• Certificate Authority
• Misleading Certificate Description
• Who is trusted?

Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.

Effects
• Allows remote access
  – To spy
  – To disrupt
  – To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
  – To access resources (e.g. bandwidth, files)
  – To launch a DDoS attack

Operation
• Listen for connections
• Memory resident
• Start at boot-up
• Disguise presence
• Rootkits integrate with kernel
• Password Protected

Example: Back Orifice
• Back Orifice
  – Produced by the “Cult of the Dead Cow”
  – Win95/98 is vulnerable
  – Toast of DefCon 6
  – Similar operation to NetBus
  – Name similar to MS Product of the time

BO: Protocol
• Modular authentication
• Modular encryption
  – AES and CAST-256 modules available
• UDP or TCP
• Variable port
  – Avoids most firewalls
• IP notification via ICQ
  – Dynamic IP addressing not a problem

BO: Protocol Example (1)
(Diagram: Attacker – ICQ SERVER – Victim. TROJAN; INFECTION OCCURS on the Victim; the Victim’s IP ADDRESS AND PORT is relayed via the ICQ SERVER to the Attacker; CONNECTION from Attacker to Victim.)

BO: Protocol Example (2)
(Diagram: Attacker – Victim, over the CONNECTION. COMMAND; COMMAND EXECUTED; REQUEST FOR INFORMATION; INFORMATION.)

BO: Protocol Example (3)
(Diagram: Attacker – Victim. CLEANUP COMMAND; EVIDENCE DESTROYED.)

Image Source – Images derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Trojan Horse Examples
• M$ Rootkit
  – Integrates with the NT kernel
  – Very dangerous
  – Virtually undetectable once installed
  – Hides from administrator as well as user
  – Private TCP/IP stack (LAN only)

Trojan Horse Examples
• iSpyNOW
  – Commercial
  – Web-based client
• Assassin Trojan
  – Custom builds may be purchased
  – These are not found by virus scanners
  – Firewall circumvention technology

Trojan Horse Examples
• Hardware
  – Key loggers
  – More advanced?
• Magic Lantern
  – FBI developed
  – Legal grey area (until recently!)
  – Split the virus checking world

Demonstration

Vulnerable Systems
Number of trojans in common use… (chart, ordered from RELATIVELY SAFE to DANGEROUS):
MacOS X, MacOS, Linux/Unix, WinNT, Win 9x

Vulnerable Systems
Ease of compromise… (chart, ordered from RELATIVELY SAFE to DANGEROUS):
Linux/Unix, MacOS X, WinNT, MacOS, Win 9x

WinNT refers to Windows NT 4, 2000, XP and Server 2003.
Win9x refers to Windows 95, 95SE, 98 and ME.
Information Source: McAfee Security - http://us.mcafee.com/
Image Source – Images derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.

Conclusions

Security Implications

Short Term
• Divulge personal data
• Backdoors into system
• System corruption
• Disruption / Irritation
• Aids identity theft
• Easy virus distribution
• Increased spam

Long Term
• Mass data collection
• Consequences unknown
• Web becomes unusable
• Web cons outweigh pros
• Cost of preventions
• More development work
• More IP addresses (IPv6)

Solutions

Short Term
• Firewall
• Virus Checker
• Spyware Remover
• Frequent OS updates
• Frequent back-up
• Learning problems

Long Term
• Add Spyware to Anti-Virus
• Automatic maintenance
• Legislation
• Education on problems
• Biometric access
• Semantic web (and search)

Firewalls

• 3 Types…
  – Packet Filtering – Examines attributes of each packet.
  – Application Layer – Hides the network by impersonating the server (proxy).
  – Stateful Inspection – Examines both the state and context of the packets.

• Regardless of type, a firewall must be configured to work properly.
• Access rules must be defined and entered into the firewall.

Firewalls

Packet Filtering (diagram): a Web Server sits behind the Firewall. Traffic arriving from the Network / Internet: http - tcp 80, telnet - tcp 23, ftp - tcp 21. Firewall rule: Allow only http - tcp 80, so only http - tcp 80 reaches the Web Server.

Stateful Inspection (diagram): a PC at 192.168.0.10 : 1020 sends a request through the Firewall to 202.52.222.10: 80, and the reply from 202.52.222.10: 80 to 192.168.0.10 : 1020 is let back in. Firewall rule: Only allow reply packets for requests made out; block other unregistered traffic.

Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
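The two rules from the diagram side by side, as an added Python example that is not part of the seminar material: a stateless packet filter and a stateful firewall run over constructed traffic using the diagram's addresses (192.168.0.10:1020 and 202.52.222.10:80). The outside host address and the port on which a trojan is assumed to be listening are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet header, as a firewall sees it."""
    direction: str   # "out" = leaving the protected PC, "in" = arriving from the Network/Internet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PacketFilter:
    """Packet Filtering: examines the attributes of each packet on its own.

    Rule set for a PC that must browse the web: allow outbound tcp to port 80,
    and allow inbound tcp *from* port 80 so that web replies can get back in.
    The filter keeps no memory of what was requested.
    """

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out":
            return pkt.dst_port == 80
        # Inbound: a genuine reply and an unsolicited packet that merely
        # carries source port 80 look identical to a stateless filter.
        return pkt.src_port == 80


class StatefulFirewall:
    """Stateful Inspection: examines the state and context of the packets.

    Implements the slide's rule: only allow reply packets for requests made
    out, block other unregistered traffic.
    """

    def __init__(self) -> None:
        # Connection table, one entry per request made out:
        # (src_ip, src_port, dst_ip, dst_port)
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out":
            if pkt.dst_port != 80:
                return False
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound: allowed only if it is the mirror image of a registered request.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.table


# Addresses taken from the slide diagram.
PC, PC_PORT = "192.168.0.10", 1020
WEB, WEB_PORT = "202.52.222.10", 80
# Constructed for this example: an outside host, and a port on which a
# trojan on the PC is assumed to be listening for an incoming connection.
OUTSIDE = "198.51.100.7"
TROJAN_PORT = 50000


def traffic() -> list[Packet]:
    """Constructed sample traffic: a web request and its reply, then two
    unsolicited inbound connection attempts aimed at the listening trojan."""
    return [
        Packet("out", PC, PC_PORT, WEB, WEB_PORT),      # request made out
        Packet("in", WEB, WEB_PORT, PC, PC_PORT),       # genuine reply
        Packet("in", OUTSIDE, 23, PC, TROJAN_PORT),     # probe from source port 23
        Packet("in", OUTSIDE, 80, PC, TROJAN_PORT),     # same probe using source port 80
    ]


def decide(firewall, packets: list[Packet]) -> list[bool]:
    """Verdict per packet, in order (True = allowed through)."""
    return [firewall.allow(p) for p in packets]


def compare() -> dict[str, list[bool]]:
    """Run the same traffic through a fresh instance of each firewall type."""
    return {
        "packet_filter": decide(PacketFilter(), traffic()),
        "stateful": decide(StatefulFirewall(), traffic()),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, ["allow" if v else "block" for v in verdicts])
```

The last packet is the one that separates the two: the stateless filter passes it because source port 80 matches its rule, while the stateful firewall blocks it because no request to that host was made out.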

Intrusion Detection Systems
(Diagram: Servers and a PC connect to a Switch; Switch – Firewall – IDS – Network.)

• Intrusion Detection – A Commercial Network Solution
• An “Intelligent Firewall” – monitors accesses for suspicious activity
• Neural Networks trained by Backpropagation on Usage Data
• Could detect a Trojan Horse attack, but not designed for Spyware
• Put the IDS in front of the firewall to get maximum detection
• In a switched network, put the IDS on a mirrored port to get all traffic
• Ensure all network traffic passes through the IDS host

Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].

“System X” (Network / Internet / Standalone)

• Composed of…
  – Open Source OS
  – Mozilla / Opera / Lynx (!) Browser (Not IE)
  – Stateful Inspection Firewall
  – Anti-Virus Software
  – Careful and educated user
  – Secure permissions system
  – Regularly updated (possibly automatically)

More Related Content

PPTX
System failure
PDF
Ce Hv6 Module 44 Internet Content Filtering Techniques
PPTX
News Bytes - May 2015
PDF
Ce Hv6 Module 42 Hacking Database Servers
PDF
Ce hv6 module 52 hacking rss and atom
PDF
Ceh v5 module 09 social engineering
PDF
A tale of mobile threats
PDF
Ethical Hacking
System failure
Ce Hv6 Module 44 Internet Content Filtering Techniques
News Bytes - May 2015
Ce Hv6 Module 42 Hacking Database Servers
Ce hv6 module 52 hacking rss and atom
Ceh v5 module 09 social engineering
A tale of mobile threats
Ethical Hacking

What's hot (10)

PPTX
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
PDF
Modern cyber threats_and_how_to_combat_them_panel
PPT
Lec21 security
PPSX
Computer and internet security
PPTX
Hvordan stopper du CryptoLocker?
PPT
Firewalls (Distributed computing)
PDF
File000145
PDF
Ce hv6 module 53 hacking web browsers
PPT
Module 2 threats-b
PDF
File000154
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Modern cyber threats_and_how_to_combat_them_panel
Lec21 security
Computer and internet security
Hvordan stopper du CryptoLocker?
Firewalls (Distributed computing)
File000145
Ce hv6 module 53 hacking web browsers
Module 2 threats-b
File000154
Ad

Similar to Presentation (20)

PPT
Spyware (1).ppt
PPT
Spyware
PPTX
SECURITY THREATS AND SAFETY MEASURES
PPTX
Spyware-A online threat to privacy
PPTX
Malware part 1
PPTX
Lecture 2-1.pptx Lec 04 Risk Management.pptxLec 04 Risk Management.pptxLec 04...
PPTX
MALWARE / VIRUS AND WORMS CHARACTERISTICS
PPTX
MALWARE UNIT II PPT .pptx ..The unit covers about virus and worms and its fu...
PPT
Lecture 12 malicious software
PPT
091005 Internet Security
PPT
list of Deception as well as detection techniques for maleware
PPTX
Surfing with Sharks KS ED TECH 2012
PPTX
Types of Malwares, Information security.
PPTX
Final malacious softwares
PPTX
viruses.pptx
PPTX
SECURITY THREATS.pptx SECURITY THREATS.pptx
PPTX
Malware ppt final.pptx
PDF
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
PPT
malware introduction ppt test comptia security
PPTX
Spyware (1).ppt
Spyware
SECURITY THREATS AND SAFETY MEASURES
Spyware-A online threat to privacy
Malware part 1
Lecture 2-1.pptx Lec 04 Risk Management.pptxLec 04 Risk Management.pptxLec 04...
MALWARE / VIRUS AND WORMS CHARACTERISTICS
MALWARE UNIT II PPT .pptx ..The unit covers about virus and worms and its fu...
Lecture 12 malicious software
091005 Internet Security
list of Deception as well as detection techniques for maleware
Surfing with Sharks KS ED TECH 2012
Types of Malwares, Information security.
Final malacious softwares
viruses.pptx
SECURITY THREATS.pptx SECURITY THREATS.pptx
Malware ppt final.pptx
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
malware introduction ppt test comptia security
Ad

More from Mohd Arif (20)

PPT
Bootp and dhcp
PPT
Arp and rarp
PPT
User datagram protocol
PPT
Project identification
PPT
Project evalaution techniques
PPT
Pointers in c
PPT
Peer to-peer
PPT
Overview of current communications systems
PPT
Overall 23 11_2007_hdp
PPT
Objectives of budgeting
PPT
Network management
PPT
Networing basics
PPT
Loaders
PPT
Lists
PPT
Iris ngx next generation ip based switching platform
PPT
Ip sec and ssl
PPT
Ip security in i psec
PPT
Intro to comp. hardware
PPT
Heap sort
PPT
H.323 vs. cops interworking
Bootp and dhcp
Arp and rarp
User datagram protocol
Project identification
Project evalaution techniques
Pointers in c
Peer to-peer
Overview of current communications systems
Overall 23 11_2007_hdp
Objectives of budgeting
Network management
Networing basics
Loaders
Lists
Iris ngx next generation ip based switching platform
Ip sec and ssl
Ip security in i psec
Intro to comp. hardware
Heap sort
H.323 vs. cops interworking

Recently uploaded (20)

PPTX
TEXTILE technology diploma scope and career opportunities
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PDF
A proposed approach for plagiarism detection in Myanmar Unicode text
PDF
Consumable AI The What, Why & How for Small Teams.pdf
PDF
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PDF
Flame analysis and combustion estimation using large language and vision assi...
PDF
CloudStack 4.21: First Look Webinar slides
PDF
Convolutional neural network based encoder-decoder for efficient real-time ob...
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
PPTX
Build Your First AI Agent with UiPath.pptx
PDF
Architecture types and enterprise applications.pdf
PPT
Geologic Time for studying geology for geologist
PDF
sbt 2.0: go big (Scala Days 2025 edition)
DOCX
search engine optimization ppt fir known well about this
PDF
Five Habits of High-Impact Board Members
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
TEXTILE technology diploma scope and career opportunities
Developing a website for English-speaking practice to English as a foreign la...
NewMind AI Weekly Chronicles – August ’25 Week III
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
A proposed approach for plagiarism detection in Myanmar Unicode text
Consumable AI The What, Why & How for Small Teams.pdf
Produktkatalog für HOBO Datenlogger, Wetterstationen, Sensoren, Software und ...
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
Enhancing plagiarism detection using data pre-processing and machine learning...
Flame analysis and combustion estimation using large language and vision assi...
CloudStack 4.21: First Look Webinar slides
Convolutional neural network based encoder-decoder for efficient real-time ob...
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
Build Your First AI Agent with UiPath.pptx
Architecture types and enterprise applications.pdf
Geologic Time for studying geology for geologist
sbt 2.0: go big (Scala Days 2025 edition)
search engine optimization ppt fir known well about this
Five Habits of High-Impact Board Members
A contest of sentiment analysis: k-nearest neighbor versus neural network

Presentation

  • 1. Spyware and Trojan Horses – Computer Security Seminar 12th February 2004 Spyware and Trojan Horses Computer Security Seminar Series [SS1] Andrew Brown, Tim Cocks and Kumutha Swampillai http://birmingham.f9.co.uk
  • 2. Your computer could be watching your every move! Image Source - http://www.clubpmi.it/upload/servizi_marketing/images/spyware.jpg
  • 3. Introduction
  • 4. Seminar Overview
      – Introduction to Spyware / Trojan Horses
      – Spyware – Examples, Mechanics, Effects, Solutions
      – Tracking Cookies – Mechanics, Effects, Solutions
      – Trojan Horses – Mechanics, Effects, More Examples
      – Solutions to the problems posed
      – Human Factors – Human interaction with Spyware
      – “System X” – Having suitable avoidance mechanisms
      – Conclusions – Including our proposals for solutions
  • 5. Definitions
      SPYWARE – A general term for a program that surreptitiously monitors your actions. While they are sometimes sinister, like a remote control program used by a hacker, software companies have been known to use Spyware to gather data about customers. The practice is generally frowned upon.
      TROJAN HORSE – An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.
  • 6. Symptoms
      – Targeted Pop-ups – SPYWARE
      – Slow Connection – SPYWARE / TROJAN
      – Targeted E-Mail (Spam) – SPYWARE
      – Unauthorized Access – TROJAN HORSE
      – Spam Relaying – TROJAN HORSE
      – System Crash – SPYWARE / TROJAN
      – Program Customisation – SPYWARE
  • 7. Summary of Effects
      – Collection of data from your computer without consent
      – Execution of code without consent
      – Assignment of a unique code to identify you
      – Collection of data pertaining to your habitual use
      – Installation on your computer without your consent
      – Inability to remove the software
      – Performing other undesirable tasks without consent
  • 8. Similarities / Differences
      Spyware                               | Trojan Horses
      Commercially Motivated                | Malicious
      Internet connection required          | Any network connection required
      Initiates remote connection           | Receives incoming connection
      Purpose: To monitor activity          | Purpose: To control activity
      Collects data and displays pop-ups    | Unauthorized access and control
      Legal                                 | Illegal
      Not Detectable with Virus Checker     | Detectable with Virus Checker
      Age: Relatively New (< 5 Years)       | Age: Relatively Old (> 20 Years)
      Common to both: Memory Resident Processes; Surreptitiously installed without user’s consent or understanding; Creates a security vulnerability
  • 10. Software Examples
      – GAIN / Gator
      – Gator E-Wallet
      – Cydoor
      – BonziBuddy
      – MySearch Toolbar
      – DownloadWare
      – BrowserAid
      – Dogpile Toolbar
      Image Sources… GAIN Logo – The Gator Corporation – http://www.gator.com; BonziBuddy Logo – Bonzi.com – http://images.bonzi.com/images/gorillatalk.gif; DownloadWare Logo – DownloadWare – http://www.downloadware.net
  • 11. Spyware Defence
      User Initiatives…
      – Issue Awareness
      – Use Legitimate S/W Sources
      – Improved Technical Ability
      – Choice of Browser
      – Choice of OS
      – Legal action taken against breaches of privacy – Oct ’02 Doubleclick
      Technical Initiatives…
      – Spyware Removal Programs
      – Pop-up Blockers
      – Firewall Technology
      – Disable ActiveX Controls – Not Sandboxed
      – E-Mail Filters
      – Download Patches
  • 12. Spyware Removers
      Ad-aware (by Lavasoft)
      – Reverse Engineer Spyware
      – Scans Memory, Registry and Hard Drive for… Data Mining components; Aggressive advertising components; Tracking components
      – Updates from Lavasoft
      – Plug-ins available: Extra file information; Disable Windows Messenger Service
      Image Source – Screenshot of Ad-aware 6.0. LavaSoft. See http://www.lavasoft.com
  • 13. Vulnerable Systems
      – Those with an internet connection!
      – Microsoft Windows 9x/Me/NT/2000/XP
      – Does not affect Open Source OSs
      – Non-firewalled systems
      – Internet Explorer, which executes ActiveX plug-ins
      – Other browsers not affected
  • 14. Trojan Horses
  • 15. Installation
      – Secretly installed when an infected executable is run: much like a virus; executables typically come from P2P networks or unscrupulous websites
      – ActiveX controls on websites: ActiveX allows automatic installation of software from websites; the user probably does not know what they are running; misleading descriptions are often given; not sandboxed!; digital signatures are used, but signing is not necessary
  • 16. Installation
      – Certificate Authority
      – Misleading Certificate Description
      – Who is trusted?
      Image Source – Screenshot of Microsoft Internet Explorer 6 security warning, prior to the installation of an ActiveX Control from “Roings”.
  • 17. Effects
      Allows remote access…
      – To spy
      – To disrupt
      – To relay a malicious connection, so as to disguise the attacker’s location (spam, hacking)
      – To access resources (e.g. bandwidth, files)
      – To launch a DDoS attack
  • 18. Operation
      – Listen for connections
      – Memory resident
      – Start at boot-up
      – Disguise presence
      – Rootkits integrate with the kernel
      – Password protected
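A host-side check for the pattern on the Operation slide (a process that listens for connections, starts at boot-up and hides behind a harmless-looking name), as an added example that is not part of the seminar. The netstat output, process list and Run-key entries are constructed samples in the layout printed by the Windows commands `netstat -ano`, `tasklist` and `reg query`; the port 31337, the image name winsrv32.exe and the baseline port set are placeholders chosen for the example.

```python
"""Audit a Windows host for the listen / start-at-boot / disguise pattern.

Added example, not code from the seminar. All sample data below is
constructed; on a real host it would come from `netstat -ano`, `tasklist`
and `reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.
"""
from dataclasses import dataclass
from typing import Dict, List

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       1604
  TCP    192.168.0.10:1020      202.52.222.10:80       ESTABLISHED     1288
  UDP    0.0.0.0:31337          *:*                                    1604
"""

# PID -> image path, as tasklist would report (constructed sample).
PROCESS_SAMPLE = {
    820: r"C:\WINDOWS\system32\svchost.exe",
    1288: r"C:\Program Files\Internet Explorer\iexplore.exe",
    1604: r"C:\WINDOWS\system32\winsrv32.exe",   # placeholder name
}

# Start-at-boot entries under the Run key (constructed sample).
RUN_KEY_SAMPLE = {
    "Windows Update Helper": r"C:\WINDOWS\system32\winsrv32.exe",
    "Messenger": r"C:\Program Files\Messenger\msmsgs.exe",
}

# Ports this build is expected to listen on (placeholder baseline).
BASELINE_PORTS = {135, 139, 445}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str      # "" for UDP, which has no State column
    pid: int


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -ano` output; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        pid = int(parts[-1])                    # PID is always the last column
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        ip, port = local.rsplit(":", 1)         # rsplit also copes with [::]:port
        sockets.append(Socket(proto, ip, int(port), state, pid))
    return sockets


def audit(sockets: List[Socket], processes: Dict[int, str],
          run_keys: Dict[str, str], baseline_ports=BASELINE_PORTS) -> List[Dict]:
    """Flag listeners outside the baseline and note whether they autostart."""
    autostart = {path.lower() for path in run_keys.values()}
    findings = []
    for s in sockets:
        # Any bound UDP socket is a listener; TCP must be in LISTENING state.
        listening = s.proto == "UDP" or s.state == "LISTENING"
        if not listening or s.local_port in baseline_ports:
            continue
        image = processes.get(s.pid, "<unknown>")
        findings.append({
            "pid": s.pid, "proto": s.proto, "port": s.local_port,
            "image": image, "autostart": image.lower() in autostart,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_netstat(NETSTAT_SAMPLE), PROCESS_SAMPLE, RUN_KEY_SAMPLE):
        print(finding)
```

On the sample data the only hits are the two sockets owned by PID 1604, and both are tied to a Run-key entry with a plausible-sounding name. The caveat from the rootkit slide applies: once a trojan integrates with the kernel, netstat and tasklist on that host can be lied to, so a clean result here is only as trustworthy as the host, and should be corroborated from outside, for instance from the mirrored port the IDS slide describes.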
  • 19. Example: Back Orifice
      – Produced by the “Cult of the Dead Cow”
      – Win95/98 is vulnerable
      – Toast of DefCon 6
      – Similar operation to NetBus
      – Name similar to an MS product of the time
  • 20. BO: Protocol
      – Modular authentication
      – Modular encryption – AES and CAST-256 modules available
      – UDP or TCP
      – Variable port – avoids most firewalls
      – IP notification via ICQ – dynamic IP addressing not a problem
  • 21. BO: Protocol Example (1) – Trojan infection occurs; the Victim sends its IP address and port to the ICQ server; the Attacker retrieves the IP address and port from the ICQ server and opens the connection. Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  • 22. BO: Protocol Example (2) – Over the connection the Attacker sends a command, which the Victim executes, and a request for information, which the Victim answers. Image Source – as for slide 21.
  • 23. BO: Protocol Example (3) – The Attacker sends a cleanup command and the evidence on the Victim is destroyed. Image Source – as for slide 21.
  • 24. Trojan Horse Examples
      M$ Rootkit
      – Integrates with the NT kernel
      – Very dangerous
      – Virtually undetectable once installed
      – Hides from administrator as well as user
      – Private TCP/IP stack (LAN only)
  • 25. Trojan Horse Examples
      iSpyNOW
      – Commercial
      – Web-based client
      Assassin Trojan
      – Custom builds may be purchased
      – These are not found by virus scanners
      – Firewall circumvention technology
  • 26. Trojan Horse Examples
      Hardware
      – Key loggers
      – More advanced?
      Magic Lantern
      – FBI developed
      – Legal grey area (until recently!)
      – Split virus checking world
  • 27. Demonstration
  • 28. Vulnerable Systems – Number of trojans in common use, from relatively safe to dangerous: MacOS, MacOS X, Linux/Unix, WinNT, Win 9x. (WinNT refers to Windows NT 4, 2000, XP and Server 2003. Win9x refers to Windows 95, 95SE, 98 and ME.) Information Source: McAfee Security – http://us.mcafee.com/ Image Source – Image derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, February 2004.
  • 29. Vulnerable Systems – Ease of compromise, from relatively safe to dangerous: Linux/Unix, MacOS X, WinNT, MacOS, Win 9x. (Same OS groupings as slide 28.) Information Source: McAfee Security – http://us.mcafee.com/ Image Source – as for slide 28.
  • 30. Conclusions
  • 31. Security Implications
      Short Term
      – Divulge personal data
      – Backdoors into system
      – System corruption
      – Disruption / Irritation
      – Aids identity theft
      – Easy virus distribution
      – Increased spam
      Long Term
      – Mass data collection
      – Consequences unknown
      – Web becomes unusable
      – Web cons outweigh pros
      – Cost of preventions
      – More development work
      – More IP addresses (IPv6)
  • 32. Solutions
      Short Term
      – Firewall
      – Virus Checker
      – Spyware Remover
      – Frequent OS updates
      – Frequent back-up
      – Learning problems
      Long Term
      – Add Spyware to Anti-Virus
      – Automatic maintenance
      – Legislation
      – Education on problems
      – Biometric access
      – Semantic web (and search)
  • 33. Firewalls (Network / Internet)
      3 Types…
      – Packet Filtering – Examines attributes of each packet.
      – Application Layer – Hides the network by impersonating the server (proxy).
      – Stateful Inspection – Examines both the state and context of the packets.
      Regardless of type, a firewall must be configured to work properly: access rules must be defined and entered into the firewall.
  • 34. Firewalls – diagram
      Packet Filtering: traffic arrives from the Network / Internet for the Web Server (http – tcp 80, telnet – tcp 23, ftp – tcp 21); the firewall is configured to allow only http – tcp 80 through.
      Stateful Inspection: the PC at 192.168.0.10:1020 makes a request to 202.52.222.10:80; the firewall records the outgoing request, allows only reply packets for requests made out, and blocks other unregistered traffic.
      Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
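The two firewall behaviours on slides 33 and 34, simulated so the difference can be run rather than read, as an added example that is not code from the seminar. The addresses and ports of the diagram (192.168.0.10:1020 to 202.52.222.10:80, the web server rule "allow only http – tcp 80") are the slide's own; the attacker and ICQ addresses, the trojan's port 31337 and the notification port 5190 are placeholders. The trojan steps follow the BO protocol slides (the victim announces itself outbound, then the attacker connects inbound), which is why the same block also shows what a stateful firewall does with that exchange.

```python
"""Packet filtering vs. stateful inspection, simulated.

Added example for the firewall slides; not code from the seminar. The
attacker/ICQ addresses (documentation ranges), port 5190 and the trojan
port 31337 are placeholders; the slides say the trojan port is variable.
"""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool      # True = arriving from the Network / Internet side
    ack: bool = False  # TCP ACK flag set (a genuine reply, or a crafted probe)


class PacketFilter:
    """Stateless filter: judges each packet on its own header alone."""

    def __init__(self, inbound_rule: Callable[[Packet], bool]):
        self.inbound_rule = inbound_rule

    def permit(self, p: Packet) -> bool:
        return True if not p.inbound else self.inbound_rule(p)


class StatefulFirewall:
    """Only allow reply packets for requests made out (slide 34)."""

    def __init__(self):
        self.flows = set()   # connections that were opened from the inside

    def permit(self, p: Packet) -> bool:
        if not p.inbound:
            self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return True
        # Inbound traffic passes only if it is the reverse of a recorded flow.
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows


def web_server_rule(p: Packet) -> bool:
    """Slide 34, upper half: allow only http - tcp 80 to the server."""
    return p.proto == "tcp" and p.dst_port == 80


def client_network_rule(p: Packet) -> bool:
    """Classic stateless rule for a client LAN: let TCP replies (ACK set)
    and UDP replies to ephemeral ports back in, block new TCP connections."""
    if p.proto == "tcp":
        return p.ack
    return p.dst_port > 1023


PC, WEB = "192.168.0.10", "202.52.222.10"
ATTACKER, ICQ = "203.0.113.7", "198.51.100.20"   # placeholders
TROJAN_PORT = 31337                               # placeholder


def web_server_scenario() -> Dict[str, bool]:
    pf = PacketFilter(web_server_rule)
    probes = {
        "http": Packet("tcp", ATTACKER, 4000, WEB, 80, inbound=True),
        "telnet": Packet("tcp", ATTACKER, 4001, WEB, 23, inbound=True),
        "ftp": Packet("tcp", ATTACKER, 4002, WEB, 21, inbound=True),
    }
    return {name: pf.permit(pkt) for name, pkt in probes.items()}


def client_scenario() -> Dict[str, Dict[str, bool]]:
    pf, sf = PacketFilter(client_network_rule), StatefulFirewall()
    steps = [
        # The PC browses the web; the reply must get back in.
        ("pc_request", Packet("tcp", PC, 1020, WEB, 80, inbound=False)),
        ("web_reply", Packet("tcp", WEB, 80, PC, 1020, inbound=True, ack=True)),
        # A trojan on the PC announces its address outbound (slide 21).
        ("trojan_notify", Packet("tcp", PC, 1025, ICQ, 5190, inbound=False)),
        # The attacker then tries to reach the trojan's listener.
        ("attacker_syn", Packet("tcp", ATTACKER, 40000, PC, TROJAN_PORT, inbound=True)),
        ("attacker_ack_probe", Packet("tcp", ATTACKER, 40001, PC, TROJAN_PORT, inbound=True, ack=True)),
        ("attacker_udp", Packet("udp", ATTACKER, 40002, PC, TROJAN_PORT, inbound=True)),
    ]
    results = {}
    for name, pkt in steps:
        results[name] = {"packet_filter": pf.permit(pkt), "stateful": sf.permit(pkt)}
    return results


if __name__ == "__main__":
    for name, verdict in client_scenario().items():
        print(f"{name:20s} packet_filter={verdict['packet_filter']!s:5s} stateful={verdict['stateful']}")
```

The stateless filter lets the attacker's UDP packet and the crafted ACK packet reach the trojan's port, because nothing in either header marks them as unsolicited; the stateful firewall drops both, since neither reverses a flow the PC opened. The outbound notification passes both firewalls, which is the point of the ICQ step on slide 21 and of the "firewall circumvention" item on slide 25: a trojan that reverses the direction of the connection is not stopped by a stateful firewall that permits all outbound traffic.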
  • 35. Intrusion Detection Systems (diagram: Network, Firewall, IDS, Switch, Servers and PC)
      – Intrusion Detection – A Commercial Network Solution
      – An “Intelligent Firewall” – monitors accesses for suspicious activity
      – Neural Networks trained by Backpropagation on Usage Data
      – Could detect a Trojan Horse attack, but not designed for Spyware
      – Put the IDS in front of the firewall to get maximum detection
      – In a switched network, put the IDS on a mirrored port to get all traffic
      – Ensure all network traffic passes through the IDS host
      Image Source – Image produced by Andrew Brown, Tim Cocks and Kumutha Swampillai; partially inspired by a diagram from [4].
  • 36. “System X” (Network / Internet / Standalone)
      Composed of…
      – Open Source OS
      – Mozilla / Opera / Lynx (!) Browser (Not IE)
      – Stateful Inspection Firewall
      – Anti-Virus Software
      – Careful and educated user
      – Secure permissions system
      – Regularly updated (possibly automatically)