Page 1: Spyware

SpyWare!

IQxplorer

Page 2: Spyware

Agenda

Define SpyWare
Discuss methods used for spying
Focus on passive tracking methods
Demonstrate one passive method
Discuss prevention
Conclusions

Page 3: Spyware

SpyWare Definition

SpyWare is a general term used to describe software that performs certain behaviors such as advertising, collecting personal information, or changing the configuration of your computer, generally without appropriately obtaining your consent first.

http://www.microsoft.com/athome/security/spyware/spywarewhat.mspx

Page 4: Spyware

SpyWare Categories

Advertising (Passive)
– Capture browsing history
– Capture buying habits

Surveillance (Active)
– Key loggers
– System Monitors

Page 5: Spyware

SpyWare Statistics

90% of all internet connected machines are infected

~28 SpyWare traces on each machine

1/3 infected with surveillance SpyWare

80% of infections were cookies

Page 6: Spyware

Passive Tracking Methods

Web Beacons
Cookie deposits

Page 7: Spyware

Web Beacons

Also known as
– Web Bugs
– Clear GIFs

Allows destination to log page hits
Can be used in conjunction with cookies

Page 8: Spyware

Cookie Fields

Parameter: Description

Name: The name of the cookie.

Value: The value of the cookie.

Expire: The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire.

Path: The path on the server in which the cookie will be available.

Domain: The domain in which the cookie is available.

Secure: When set to TRUE, the cookie will only be set if a secure connection exists. The default is FALSE.

httponly: When TRUE the cookie will be made accessible only through the HTTP protocol. Not supported on all browsers.

Page 9: Spyware

Web Beacon w/Cookie Example: spywareWebBeaconCookieDeposit.html

<html>
<head>
<title>Web Beacon Cookie Deposit Example</title>
</head>
<body>
<h1><b>Web Beacon Cookie Deposit Example:</b></h1>
<hr />
<img src="http://www.cs.uccs.edu/~cdshort/serverWebBeacon.php" alt="Picture" width="0" height="0" border="0" />
</body>
</html>
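
A defender-side check for the markup above, as an added example that is not part of the original slides: it lists `<img>` tags that are both invisible (width and height of 0 or 1) and fetched from a host other than the page's own. The page URL `news.example` and the logo image are constructed for the example, and hosts are compared by exact name, which is a simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the slide's beacon markup inside a page served from a
# hypothetical first-party site (news.example and logo.png are assumptions).
PAGE_URL = "http://news.example/article.html"
PAGE_HTML = """<html><body>
<img src="/images/logo.png" alt="Logo" width="120" height="40" />
<img src="http://www.cs.uccs.edu/~cdshort/serverWebBeacon.php" alt="Picture" width="0" height="0" border="0" />
</body></html>"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False  # missing, percentage or otherwise non-numeric size


class BeaconFinder(HTMLParser):
    """Collects <img> tags that are invisible and served by another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing <img ... /> tags are routed here by HTMLParser as well.
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        third_party = host is not None and host != self.page_host
        invisible = _tiny(a.get("width")) and _tiny(a.get("height"))
        if third_party and invisible:
            self.findings.append(src)


def find_beacons(html, page_url):
    """Return the URLs of suspected web beacons in one HTML document."""
    finder = BeaconFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Images hidden with CSS rather than with size attributes are outside what this check sees.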

Page 10: Spyware

Server Code: serverWebBeacon.php

<?php
// Deposit the cookie on the first request; it expires after one hour.
if (!(isset($_COOKIE["SpyCookie"]))){
    setcookie("SpyCookie", "ISpyOnYou", time()+3600);
}
?>
<html>
 <head>
  <title>PHP Test</title>
 </head>
 <body>
<?php
// Append the cookie value sent with this request, plus a timestamp, to the capture file.
$filename = 'cookieCapture.txt';
$today = date("D M j G:i:s T Y");
$Content = "SpyCookie" . " : " . "$_COOKIE[SpyCookie]" . " : " . "$today\r\n";
if($handle = fopen($filename, 'a')){
    fwrite($handle, $Content);
    fclose($handle);
}
?>
 </body>
</html>

Page 11: Spyware

Cookie Capture File

[cdshort@windom public_html]$ cat cookieCapture.txt
SpyCookie : ISpyOnYou : Fri Dec 1 18:30:17 MST 2006
SpyCookie : ISpyOnYou : Fri Dec 1 18:30:38 MST 2006
[cdshort@windom public_html]$

Page 12: Spyware

[Diagram: User, Client, Internet, Web Server and Spy Server. Message labels: HTTP GET Request; HTTP Response; HTTP GET referral; HTTP Response Cookie Deposit.]

Page 13: Spyware

Packet Capture

Page 14: Spyware

Conclusions

Browser settings can prevent cookie deposit

Be careful what you download
– Don’t open the door willingly

The use of cookies is fundamental
– The information provided is minimal
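
The decision a "block third-party cookies" browser setting makes, sketched as an added example that is not part of the original slides: it maps a `Set-Cookie` header onto the fields from the Cookie Fields slide and refuses the deposit when the response comes from a host other than the page being viewed. The header value, the `news.example` page URL and the function names are constructed for the example; hosts are compared by exact name, which is a simplification.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed response header, modelled on the slide's
# setcookie("SpyCookie", "ISpyOnYou", time()+3600) call.
BEACON_SET_COOKIE = "SpyCookie=ISpyOnYou; expires=Sat, 02-Dec-2006 02:30:17 GMT"
BEACON_URL = "http://www.cs.uccs.edu/~cdshort/serverWebBeacon.php"
PAGE_URL = "http://news.example/article.html"  # hypothetical first-party page


def describe(header_value, request_url):
    """Map one Set-Cookie header value onto the Cookie Fields slide."""
    jar = SimpleCookie()
    jar.load(header_value)
    host = urlparse(request_url).hostname
    out = []
    for name, m in jar.items():
        out.append({
            "name": name,
            "value": m.value,
            "expire": m["expires"] or m["max-age"] or None,  # None: session cookie
            "path": m["path"] or None,                       # None: not specified
            "domain": m["domain"].lstrip(".") or host,       # defaults to the sender
            "secure": bool(m["secure"]),
            "httponly": bool(m["httponly"]),
        })
    return out


def accept(cookie, request_url, page_url, block_third_party=True):
    """Return True when the cookie may be stored under this policy."""
    req = urlparse(request_url)
    if block_third_party and req.hostname != urlparse(page_url).hostname:
        return False  # deposit refused: the response came from another host
    if cookie["secure"] and req.scheme != "https":
        return False  # Secure cookies are only set over a secure connection
    return True


def filter_response(header_value, request_url, page_url, **policy):
    """Names of the cookies in one response that the policy lets through."""
    return [c["name"] for c in describe(header_value, request_url)
            if accept(c, request_url, page_url, **policy)]
```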

Page 15: Spyware

Questions?

Page 16: Spyware

References

http://www.php.net/manual/en/function.setcookie.php
http://cs.uccs.edu/~cs301/php/php.html
Tzu-Yen Wang, Shi-Jinn Horng, Ming-Yang Su, Chin-Hsiung Wu, Peng-Chu Wang and Wei-Zen Su. A Surveillance Spyware Detection System Based on Data Mining Methods. 2006 IEEE Congress on Evolutionary Computation.
http://www.allaboutcookies.org/web-beacons/
Wes Ames, Understanding Spyware: Risk and Response, 2004 IEEE IT Pro
http://www.microsoft.com/athome/security/spyware/spywarewhat.mspx
http://www.earthlink.net/about/press/pr_spyAudit/