Spyware and rootkit


Definition of Spyware

Spyware is software that aids in gathering information about a person or organization without their knowledge and that may send such information to another entity without the consumer’s consent, or that asserts control over a computer without the consumer’s knowledge.

In short, an application that sends information from your computer to the creator of the spyware without your knowledge.

History of spyware

The first recorded use of the term Spyware occurred on 16 October 1995 in a Usenet post that poked fun at Microsoft’s business model.

In 1999 Zone Labs used the term in a press release for the ZoneAlarm Personal Firewall.

As of 2006, spyware had become one of the preeminent security threats to computer systems running the Microsoft Windows operating system.

Classification of Spyware

“Spyware” is mostly classified into four types:

1) System Monitors

2) Trojans

3) Adware

4) Tracking cookies

1) System monitors

A system monitor is a hardware or software component used to monitor resources and performance in a computer system.

2) Trojans

A non-self-replicating type of malware program that carries some malicious code. When executed, it carries out an action determined by the nature of the Trojan, typically causing loss or theft of data and possible system harm. The Trojan often acts as a backdoor, contacting a controller which can then have unauthorized access to the affected computer.

3) Adware

Adware, or advertising-supported software, is any software package which automatically renders advertisements in order to generate revenue for its author.

The advertisements may be in the user interface of the software or on a screen presented to the user during the installation process.

4) Tracking cookies

Tracking cookies are not viruses or malicious code. Cookies are only text files and therefore cannot be dangerous to your computer. The main purpose of cookies is to identify users and possibly prepare customized web pages for them.

Gator, Cydoor, and eZula

• These three are spyware programs.
• All three are “spybot” or “adware” class programs.
• They are typically packaged with popular free software.
• They all send and retrieve information from remote servers using the HTTP protocol.

Gator

Gator is adware that collects and transmits information about a user’s Web activity. Its goal is to:

◦ Gather demographic information
◦ Generate a profile of the user’s interests for targeted advertisements

Gator can be installed on a user’s computer in several ways:

◦ When a user installs one of several free software programs produced by Claria Corporation (the company that produces Gator), such as a free calendar application or a time synchronization client.

Cydoor

Cydoor displays targeted pop-up advertisements whose contents are dictated by the user’s browsing history.

While the user is connected to the Internet:

◦ The Cydoor client pre-fetches advertisements from the Cydoor servers.

◦ They are displayed whenever the user runs an application that contains Cydoor, whether the user is online or offline.

eZula

eZula attaches itself to a client’s Web browser and modifies incoming HTML to create links to advertisers from specific keywords.

When a client is infected with eZula, these artificial links are displayed and highlighted within rendered HTML.

It is also known as Top Text, ContextPro or Hot Text.

Effects of Spyware

Positive Effect

Spyware is mostly used for the purpose of tracking and storing internet users’ movements on the web and serving up pop-up ads to internet users.

Negative Effect

Spyware degrades a computer’s performance by installing additional software, redirecting web browser searches, changing computer settings, reducing connection speeds, changing the homepage or even completely disrupting network connection ability.

What is a Root kit?

Collection of attacker tools installed after an intruder has gained access:

• Log cleaners
• File/process/user hiding tools
• Network sniffers
• Backdoor programs
• In short, Root kits are software that makes an operating system lie

Root kit Goals

1. Remove evidence of original attack and activity that led to root kit installation

2. Hide future attacker activity (files, network connections, processes) and prevent it from being logged

3. Enable future access to system by attacker

4. Install tools to widen scope of penetration

5. Secure system so other attackers can’t take control of system from original attacker

How do you get infected with a root kit?

Attacker can install it once they've obtained root access

– Result of direct attack on a system
  ◦ Exploited a known vulnerability
  ◦ Password cracking
  ◦ Social engineering
  ◦ Phishing with embedded link
  ◦ Website enticement – games, adult websites or torrents

How root kits work?

• Vulnerable system targeted
  ◦ Unpatched
  ◦ Zero-day exploit
  ◦ Poor configuration - leaving vulnerable processes up
• Targeted system exploited
• Root or Administrator access is obtained!!!
• Root kit Payload is installed

Root kit Operations

• Root kit hides its presence
• Controls interfaces between Operating System components
  – Intercepts and alters interface communications

C:\> dir RootkitFile.exe

C:\> no files found

Root kit Operations

Example:

1. Application tries to see if executable file for root kit X exists
2. Application calls Find File API, via Operating System
3. Invisible to application, root kit X has compromised API interface to file manager
4. Root kit intercepts application’s call to Find File, returns incorrect message "file does not exist"
5. Root kit file is hidden from application and its users despite fact that it clearly still exists
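The Find File interception in the steps above, together with the cross-view check defenders use to catch it, as an added Python simulation (not code from the slides; the directory contents, file names and function names are constructed for illustration):

```python
# Constructed simulation: a hooked Find File API that hides a rootkit's file,
# and a cross-view comparison that exposes the hiding by checking the
# application-visible listing against a trusted low-level listing.

RAW_DIRECTORY = {  # constructed sample: what a low-level enumeration sees on disk
    "C:\\": ["boot.ini", "RootkitFile.exe", "pagefile.sys"],
    "C:\\Windows": ["explorer.exe", "notepad.exe", "rk_driver.sys"],
}


def raw_list_dir(directory):
    """Trusted view: read the file system structures directly, bypassing the API."""
    return list(RAW_DIRECTORY.get(directory, []))


def make_hooked_api(hidden_names):
    """Model of the rootkit hook between the application and the Find File API.
    Returns (find_file, list_dir) that answer as if hidden names did not exist."""
    hidden = set(hidden_names)

    def find_file(directory, name):
        # Step 4 on the slide: the hook answers "file does not exist" for hidden files.
        return name not in hidden and name in raw_list_dir(directory)

    def list_dir(directory):
        # The same hook filters hidden names out of directory listings ("dir").
        return [n for n in raw_list_dir(directory) if n not in hidden]

    return find_file, list_dir


def cross_view_diff(directory, api_list_dir, trusted_list_dir):
    """Cross-view detection: names present in the trusted view but absent from
    the API view are being hidden from applications by something in between."""
    return sorted(set(trusted_list_dir(directory)) - set(api_list_dir(directory)))


def scan(hidden_names):
    """Run the cross-view check over every directory; returns {dir: [hidden names]}."""
    _, list_dir = make_hooked_api(hidden_names)
    report = {}
    for directory in RAW_DIRECTORY:
        diff = cross_view_diff(directory, list_dir, raw_list_dir)
        if diff:
            report[directory] = diff
    return report


if __name__ == "__main__":
    find_file, _ = make_hooked_api(["RootkitFile.exe", "rk_driver.sys"])
    print(find_file("C:\\", "RootkitFile.exe"))  # False: hidden, like 'dir RootkitFile.exe'
    print(scan(["RootkitFile.exe", "rk_driver.sys"]))
```

On a real system the trusted view comes from reading raw disk or kernel structures rather than a dictionary, but the comparison logic is the same.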

Classification of Root kits

“Root kits” are classified in two types,

• User Mode

• Kernel Mode

Operating System Design

Intel has four privilege levels or rings. Linux and many other OS vendors use only two rings:

◦ User Mode : In this level some restrictions in accessing system hardware and certain memory regions apply. User address space restricted to application memory maps

◦ Kernel Mode : Everything is allowed

[Ring diagram: Supervisor/Kernel Mode (inner ring), User Mode (outer ring)]

User Mode Root kits

– Critical operating system components are replaced or modified by attacker to create backdoors, hide on the system

– Example Programs
  • Linux Root Kit 5 (lrk5)
  • T0rnKit for Linux, Solaris
  • Other platform specific Root kits – SunOS, AIX, SCO, Solaris

Kernel-level Root Kits

– The operating system itself is modified to allow backdoor access and allow attacker to hide

– Example Programs
  • Knark for Linux
  • Adore for Linux
  • Plasmoid’s Solaris Kernel-level Rootkit
  • Hacker Defender - Windows

THANK YOU