Spyware and Rootkit

DESCRIPTION

This presentation is about spyware and rootkits.

Definition of Spyware

Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer's consent, or that asserts control over a computer without the consumer's knowledge.

In short: an application that sends information from your computer to the creator of the spyware without your knowledge.

History of Spyware

- The first recorded use of the term "spyware" occurred on 16 October 1995 in a Usenet post that poked fun at Microsoft's business model.
- In 1999 Zone Labs used the term in a press release for the ZoneAlarm Personal Firewall.
- As of 2006, spyware had become one of the preeminent security threats to computer systems running the Microsoft Windows operating system.

Classification of Spyware

Spyware is mostly classified into four types:
- System monitors
- Trojans
- Adware
- Tracking cookies

1) System monitors

A system monitor is a hardware or software component used to monitor resources and performance in a computer system.

2) Trojans

- A non-self-replicating type of malware program containing malicious code
- When executed, it carries out an action determined by the nature of the Trojan, typically causing loss or theft of data and possibly system harm
- The Trojan often acts as a backdoor, contacting a controller which can then gain unauthorized access to the affected computer

3) Adware

- Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author
- The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process

4) Tracking cookies

- Tracking cookies are not viruses or malicious code. Cookies are only text files and therefore cannot be dangerous to your computer
- The main purpose of cookies is to identify users and possibly prepare customized web pages for them

Gator, Cydoor and eZula

- These three are spyware programs
- All three are spybot- or adware-class programs
- They are typically packaged with popular free software
- They all send and retrieve information from remote servers using the HTTP protocol

Gator

- Gator is adware that collects and transmits information about a user's Web activity. Its goals are to:
  - Gather demographic information
  - Generate a profile of the user's interests for targeted advertisements
- Gator can be installed on a user's computer in several ways, for example when the user installs one of several free software programs produced by Claria Corporation (the company that produces Gator), such as a free calendar application or a time synchronization client

Cydoor

- Cydoor displays targeted pop-up advertisements whose contents are dictated by the user's browsing history
- While the user is connected to the Internet, the Cydoor client pre-fetches advertisements from the Cydoor servers
- They are displayed whenever the user runs an application that contains Cydoor, whether the user is online or offline

eZula

- eZula attaches itself to a client's Web browser and modifies incoming HTML to create links to advertisers from specific keywords
- When a client is infected with eZula, these artificial links are displayed and highlighted within the rendered HTML
- It is also known as Top Text, ContextPro or Hot Text

Effects of Spyware

- Positive effect: spyware is mostly used for tracking and storing Internet users' movements on the web and serving up pop-up ads to them
- Negative effect: spyware degrades a computer's performance by installing additional software, redirecting web browser searches, changing computer settings, reducing connection speeds, changing the homepage or even completely disrupting network connectivity

What is a Rootkit?

- A collection of attacker tools installed after an intruder has gained access:
  - Log cleaners
  - File/process/user hiding tools
  - Network sniffers
  - Backdoor programs
- In short, rootkits are software that makes an operating system lie

Rootkit Goals

- Remove evidence of the original attack and of the activity that led to rootkit installation
- Hide future attacker activity (files, network connections, processes) and prevent it from being logged
- Enable future access to the system by the attacker
- Install tools to widen the scope of penetration
- Secure the system so other attackers can't take control of it from the original attacker

How do you get infected with a rootkit?

- An attacker can install it once they've obtained root access
- Usually the result of a direct attack on a system:
  - Exploiting a known vulnerability
  - Password cracking
  - Social engineering
  - Phishing with an embedded link
  - Website enticement (games, adult websites or torrents)

How do rootkits work?

1. A vulnerable system is targeted: unpatched, zero-day exploit, or poor configuration (leaving vulnerable processes up)
2. The targeted system is exploited
3. Root or Administrator access is obtained
4. The rootkit payload is installed

Gandhinagar Institute of Technology

Rootkit Operations

- The rootkit hides its presence
- It controls the interfaces between operating system components
- It intercepts and alters interface communications:

    C:\> dir RootkitFile.exe
    no files found

Rootkit Operations: Example

1. An application tries to see if the executable file for rootkit X exists
2. The application calls the Find File API via the operating system
3. Invisible to the application, rootkit X has compromised the API interface to the file manager
4. The rootkit intercepts the application's call to Find File and returns the incorrect message "file does not exist"
5. The rootkit file is hidden from the application and its users despite the fact that it clearly still exists
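The hiding step above (the hook answers "file does not exist" while the file is still on disk) is exactly what cross-view detection turns against a rootkit: ask a second interface the hook did not cover and diff the two answers. The Python below is an added example, not part of the slides; hidden_entries, probe_names, cross_view_check and hidden_pids are names chosen here, and the hidden_pids check assumes a Linux /proc filesystem.

```python
"""Cross-view check for hidden files and processes (added example, not from
the slides).  The Find File hook on the slide filters one enumeration
interface, but stat() on the same name often still works.  Asking two
independent interfaces and diffing the answers is cross-view detection.
All function names are this example's own; RootkitFile.exe is the slide's."""
import os
from typing import Iterable, Set


def hidden_entries(listing_view: Iterable[str], probe_view: Iterable[str]) -> Set[str]:
    """Names the probe interface confirms but the listing interface omitted."""
    return set(probe_view) - set(listing_view)


def probe_names(directory: str, candidates: Iterable[str]) -> Set[str]:
    """Confirm candidate names one by one with stat(), bypassing readdir()."""
    found = set()
    for name in candidates:
        try:
            os.stat(os.path.join(directory, name))
            found.add(name)
        except OSError:
            pass                                  # really absent or unreadable
    return found


def cross_view_check(directory: str, candidates: Iterable[str]) -> Set[str]:
    """Diff a readdir()-based listing against stat()-based probing.
    Candidates must be real entry names: '.' and '..' are never returned
    by os.listdir() and would appear as false positives."""
    listing = os.listdir(directory)               # hookable enumeration path
    return hidden_entries(listing, probe_names(directory, candidates))


def hidden_pids(pid_max: int = 32768) -> Set[str]:
    """Linux: PIDs visible to stat() under /proc but missing from readdir(/proc).
    Processes starting or exiting between the two views give spurious hits,
    so every hit is re-checked against a fresh listing before it is reported."""
    suspects = cross_view_check("/proc", (str(p) for p in range(1, pid_max + 1)))
    fresh = set(os.listdir("/proc"))
    return {p for p in suspects if p not in fresh and os.path.exists("/proc/" + p)}


if __name__ == "__main__":
    # Constructed listing: the hook described on the slide drops its own file.
    raw = ["init", "sshd", "RootkitFile.exe"]
    hooked = [n for n in raw if n != "RootkitFile.exe"]
    print("hidden entries:", hidden_entries(hooked, raw))   # {'RootkitFile.exe'}
    if os.path.isdir("/proc"):
        print("hidden PIDs:", sorted(hidden_pids(), key=int) or "none")
```

A kernel-mode rootkit that hooks the syscall layer itself can lie to both views, which is why such checks are combined with an offline or out-of-band listing in practice.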

Classification of Rootkits

Rootkits are classified into two types:
- User mode
- Kernel mode

Operating System Design

- Intel has four privilege levels, or rings
- Linux and many other OS vendors use only two rings
- User Mode: some restrictions on accessing system hardware and certain memory regions apply; user address space is restricted to the application's memory maps
- Kernel Mode: everything is allowed

[Figure: privilege rings, labelled Supervisor/Kernel Mode and User Mode]

User Mode Rootkits

- Critical operating system components are replaced or modified by the attacker to create backdoors and to hide on the system

- Example programs:
  - Linux Root Kit 5 (lrk5)
  - T0rnKit for Linux and Solaris
  - Other platform-specific rootkits: SunOS, AIX, SCO, Solaris

Kernel-level Rootkits

- The operating system itself is modified to allow backdoor access and to allow the attacker to hide

- Example programs:
  - Knark for Linux
  - Adore for Linux
  - Plasmoid's Solaris kernel-level rootkit
  - Hacker Defender for Windows

THANK YOU