Spyware and Trojan Horses [SS1]

1 - Abstract

This seminar covers a contemporary issue in Computer Security; Spyware and Trojan Horses. These are separate security threats to networked systems, both of which are realised using differing software development techniques.

We introduce the concepts of Spyware and Trojan Horses, followed by detailing how each is constructed and installed. We go into depth on their operation, which is revealed with the aid of demonstration software. Following our examples, we present a range of preventions, solutions and cures to each threat posed. We discuss the issues surrounding the user's interaction with such software and conclude by specifying an optimal solution (embodied using our "System X") for the avoidance of the threats posed.

This seminar is aimed at both everyday computer users, Software Engineers and Computer Security professionals. The differing levels of information conveyed will be of use to each of the aforementioned groups. We are confident that each group will receive sufficient information to minimise the risks posed to them by Spyware, Trojan Horses and other affiliated network-based software.

2 - Introduction

Spyware and Trojan Horses are both separate entities realised through software. In addition, we present the web-based Tracking Cookie protocol. Each of these entities may be placed under one category which poses a significant computer security threat, "Malware". This is a term applied to any software which may act in a malicious manner, undesirable to the user. For each individual "Malware" threat, we discuss;

• The mechanisms and technologies relied upon for it's operation.

• The effects it causes for both end-users and computer security professionals.

• We give examples and demonstrations of each threat in operation.

• We discuss the short and long term solutions to the problems posed.

Finally, we discuss a series of preventions for both home and business users, prior to presenting "System X", which has suitable Spyware, Trojan Horse and Tracking Cookie detection and prevention mechanisms. We propose a series of short and long-term solutions to each individual problem. Distributed within the seminar and downloadable from our supporting website, is a CD image with all the required software for Spyware and Trojan Horse detection and removal.

2.1 - Definitions

The first stage in determining exactly what a software entity does, is to seek it's precise definition. (The most useful mechanism for contemporary definitions is Google, by typing the keyword define, followed by the string you wish to locate a definition for).

Spyware is:

And, a Trojan Horse is:

Although the definitions of each seem particularly similar, they are in-fact quite different. Spyware is software which is installed on your computer and can gather information pertaining to your use. The data collected is often habitual, for example, the genre of sites you visit frequently. This data is passed back to a corporation for analysis and data mining. Trojan Horses are generally installed by people who wish to gain access to your computer. They appear to be useful programs which have additional malicious content. This malicious content can allow a malicious party to remotely connect to your computer, use it to relay spam or to perform a Distributed Denial of Service (DDoS) attack. All of these concepts will be discussed in more detail later.

2.2 - Symptoms

The user may experience certain effects as a direct result of having either a Trojan Horse or Spyware installed on their computer. The range of possible effects of "Malware" are vast, but the most commonly experienced are discussed here. Possibly the most prevalent of these is the use of targeted pop-ups. These separate browser windows will appear in the foreground of the desktop, to advertise or inform the user of whatever their sender wishes to convey. Pop-ups are a commonly encountered entity for any internet user. Targeted pop-ups have content tailored to meet the interests of the user, and are a direct result of Spyware. Further symptoms and problems of Spyware include; a slow connection to the internet (which is accentuated for users with a dial-up connection), targeted e-mails (spam), system crashes or unwanted program customisation. Unwanted program customisation examples include addition toolbars in the browser (most commonly Microsoft Internet Explorer), which the user may enter a search string into. However, instead of providing useful content in response to the search request, these toolbars will pass advertisements and sponsored hyperlinks back to the user, in addition to passing their search string to the Spyware vendor.

Another prevalent problem, which does not directly affect the user is that their own personal privacy is being breached. By sending their personal details; specifically name, age and location, in addition to their searched string, the Spyware vendor can build a picture up pertaining to them. They can disseminate this information to understand their interests, habits and patterns of computer use. Many people will be offended by such a course of action being taken with their personal details.

The following points summarise the combined effects of Spyware and Trojan Horses (approached from a user perspective):

• They can be installed on your computer automatically (often (in the case of the Trojan Horse), without your consent).

• They perform the collection of data from your computer without your consent.

• They can execute program code on your computer without your consent.

• They can assign a unique code to you, which they can use to uniquely identify your machine.

• They can collect data pertaining to your habitual computer use.

• They are particularly difficult to completely remove and are sometimes automatically re-installed.

• They perform undesirable tasks without your consent.

Trojan Horses have more severe symptoms which are transparent to the end-user. These may also include slow connections, targeted e-mail (spam) and system crashes. However, more sinister actions beside these are the purpose of the Trojan. Their creators can usually access them, which in turn gives access to the user's computer. This is known as a "backdoor". Once access has been gained by the malicious party, they have (albeit unauthorized) access to data and system settings on that machine. These unauthorized privileges may be used for any number computer security breaches or types of digital crime.

2.3 - Similarities and Differences

It is necessary for the reader to understand the two categories which we are to discuss in more detail. For this reason, we have composed the following table (see Table 1) and it's synopsis. This should allow the reader to accurately distinguish Spyware programs from a Trojan Horse.

Table 1: Similarities and Differences between Spyware and Trojan Horses

Table 1 shows that Spyware and Trojan Horses are quite different, with a few similarities. One can assume that due to the different motivations for each, with Spyware being legal and commercially motivated, that the everyday user is more likely to be infected with a piece of Spyware than a Trojan Horse. However, this is not a metric to be taken too seriously, as it is equally plausible for a machine to contract a Trojan Horse. The relatively new nature of Spyware signifies that it is an expanding and viable business, which over time will only become more accentuated. Technologies are already in-place to minimise it's effects, but these rely on everyday users understanding and using them. The remainder of this handout, and it's associated seminar, concentrates on the technical aspects of each threat and proposes new and existing solution and prevention strategies.

We aim to answer this and a number of other questions by the end of this handout / seminar. Specifically, we will look at the extent to which Open Source software is affected, the ways in which software can be hidden and installed (without user knowledge) on an operating system, the extent of the problems posed and the extent to which user privacy is invaded.

3 - Spyware

Spyware exists on the internet in many different guises. Some software is relatively benign and only pushes pop-up browser adverts onto the client machine. However, some is more malicious and can perform key-logging to capture from the client keyboard buffer a string containing every keystroke made. Many different examples exist, many of which are difficult to understand due to their 'hidden' characteristics. SpywareGuide is an excellent website which reports on many known Spyware variants and rates them in terms of their malicious activities.

3.1 - Spyware Examples

Many client machines may contain a piece of Spyware, even yours! Here are some common examples.

• GAIN Gator

• Gator E-Wallet

• Cydoor

• BonziBuddy

• MySearch Toolbar

• DownloadWare

• Dogpile Toolbar

Hundreds of examples exist! Those given above are common, but relatively benign.

3.2 – Advantages

Even though Spyware has long been thought of as the 'enemy' of user privacy, users have been downloading Spyware software in their millions. The GAIN network is currently comprised of over 40 million consumers who have given GAIN permission to deliver adverts based, in part, on their online Web surfing behavior. The reasons for this compliance are the advantages user receives in return.

1. Precision Marketing - Users understand that websites providing free services have to generate revenue, and that advertising is a legitimate way to do so. In which case, most users would prefer to be shown banner adverts and pop-up adverts which may be of interest to them.

2. Traditionally small software developers would create revenue by offering their software as shareware, either with reduced functionality, or a trial period, prior to the user purchasing the software. However, many users download shareware with no intention of purchasing it. Through Spyware supported software, developers are able to ensure an income which does not rely on the good will of users, paying for the software they use. A number of applications including "DivX Pro", "IMesh", "KaZaA" and "Winamp Pro" are supported by Spyware. It is often the case that users understand the implications of downloading these applications and installing Spyware, but find this trade off acceptable.

3. Enhanced Website Interaction - Website preferences, login details and other details of a users website visit are often stored in the form of a cookie on the client machine. Cookies enhance the user experience and increase ease of use.

3.3 – Disadvantages

1. Browser profiles are being created without the users consent or understanding. Often novice users do not understand the implications of installing Spyware on their computer, especially since the Spyware companies disguise it as helpful or useful software.

2. Spyware programs have been designed to be impossible for a user to remove or disable them. Windows built-in ‘add/remove programs’ has no effect and in some case the software re-installs itself on boot-up.

3. Spyware increases the number of adverts the user is exposed to, which can be very disruptive. In some cases pop-up adverts have been purposefully designed to look like Windows system messages, and even clicking the ‘No’ option opens a further web browser. A further concern is; if a computer system is being used by many age groups and adults are viewing websites inappropriate for young children, pop-ups for this market would then be targeted at the client system and expose all age groups to the related advertising.

4.  The real functions of the Spyware applications are kept hidden from the user, so the user is unaware of what data is being collected on them, who has access to the data or what the data is being used for.

5.  Spyware applications can be badly written and slow users machines down or even corrupt their systems.

6. Spyware automatically installs ‘helpful’ tools, which are in effect an irritation. These can include search bars (a type of browser plug-in), or the ability to open multiple browser windows for advertising or whilst performing searches. This often leaves the user closing a browser window every few minutes.

7. The number of users who have Spyware on their machines is around 20 million; this mass collection of data for commercial use could have privacy issues we have yet to understand.

3.4 – Network Technology

The network infrastructure which is used for Spyware implementation is relatively complex. Due to the commercial nature of Spyware, very few details are given pertaining to it's construction. The diagram shown in Figure 1 and our technical analysis should not be deemed to be entirely accurate.

The Spyware entity exists on the client machine. The client operation is given in section 3.5 of this handout. The client machine is connected to a network appliance, which may be a router, network switch or modem (any device providing internet access). The internet connection is used by the client to make various session contacts with Spyware affiliated servers. The Spyware will locate an available port on the client machine, and forward it's network traffic through this port. Data pertaining to the user's habitual use is concatenated and routed through the internet to the Spyware Server. This is added to the User Data database, which may be connected to the server using a suitable database connection technology (e.g. JDBC, ODBC). Banner adverts are subsequently accessed using the same access technology on a different database, and routed back through the internet to the end user. These targeted adverts will appear on the user's desktop.

The user contracts Spyware in the initial circumstance from one of two sources.

1. Spyware may be installed by the download of a Spyware supported program from an FTP site or other software server. CNET Download.com is one such example. The FTP / HTTP Get request will initiate the download of the software onto the client machine. Installation will be performed by the user and during this installation they will be asked permission to install the Spyware as well as the software.

2. Spyware may be installed through accessing a website, whose prime aim is to post Spyware onto the client. The Spyware installation will be embedded within the web page. ActiveX (a Microsoft technology) is then utilised to install the Spyware (generally as a browser plug-in), on the client. ActiveX is a mechanism which allows applications to be run within other applications. This installation will allow the Spyware to operate every time the browser is opened. [Note: ActiveX technologies were formerly known as COM+ / COM / OLE (in chronological order)].

Figure 1: A Typical Spyware Network

3.5 – Client Technology

Spyware operation on the Client machine is again, an unknown process. However, when one reads further into the Spyware domain, it becomes more transparent as to how this software achieves its goals. Once the Spyware has been installed (Section 3.4), its operation is composed of two processes. One, a memory resident application which is created at boot-up, the other a plug-in which operates when the Browser software is run. Strings of URLs visited by the user are passed from the Browser interface to the Spyware plug-in. In the example utilised in Figure 2, this is GAIN's Gator. The URLs visited are forwarded from the plug-in to the memory-resident process started at boot. This can perform a series of actions. Personal data collected by the plug-in is sent from the main process through the internet to the Spyware server. Banner adverts and pop-ups pulled from this database are sent back to the user. These advertisements are pushed to the desktop by the memory resident process. In addition to this, various alterations are made by the memory-resident process to the keys in the client registry, ensuring that the Spyware entity starts at boot. Furthermore, file locks are implemented by the process on the operating system kernel, ensuring that the Spyware is very difficult for the user to completely remove. In some cases, complete removal will simply result in re-installation.

Figure 2: Client-Side Spyware Operation

3.6 – Server Technology

The final component of Spyware operation is the server side operation. The client (in Figure 3), refers to the client of the Spyware vendor. They will require access to data on customers in return for payment. Furthermore, they require their advertisements to be posted to user's machines. Therefore, they will more than likely use access software provided by the Spyware vendor, along with a secure connection. For this, we would advocate the use of Java RMI, Microsoft DCOM or CORBA (Common Object Request Broker Architecture).

Once the remote connection to the Spyware server is initiated, the client is able to access objects on the server. These may (for we cannot be entirely sure), perform a number of the following processes with user and advert data...

• User object instantiation and submission to a database. JDBC would be a suitable connection technology,

• Advert object instantiation, composed of text, images, URLs and keywords. Again, submission of these adverts to the database.

• Data mining could be performed on client data to achieve statistical analysis, trend statistics pertaining to habitual use, etc.

Clients may also submit their adverts in return for payment to a client submission site and access usage statistics using a client statistics site. Matching must also be performed by making objects comparable, allowing adverts to be pushed back to the user which match their habitual use.

Figure 3: Server-Side Spyware Operation

3.7 – Spyware Defence

There are mechanisms available which users may execute to defend themselves from Spyware. These consist of user initiatives, (ways in which the user can be better informed to deal with Spyware), and technical initiatives (ways in which the user and implement technology to defend against Spyware).

Technical Initiatives

• Spyware Removal Programs – Software which scans the client hard drive, memory and registry for known Spyware components and removes them.

• Pop-up Blockers – Software which stops websites and applications launching browser windows containing adverts.

• Firewall Technology – Blocks unauthorised network traffic (discussed in more detail later).

• Disable ActiveX Controls – This technology opens the client up to many forms of attack on their system. The use of sandboxed technologies like Java Applets over the web is far safer.

User Initiatives

• Issue Awareness – Understanding the disadvantages of Spyware allows users to make an educated decision on whether they want to partake.

• Legitimate Software Vendors – Using reputable software vendors and checking that software is signed by a Certificate Authority (CA) can lower the risk of Spyware.

•  Technical Knowledge – The user may not understand what they are giving their consent to when they install Spyware-supported software. Increased understanding of Spyware would allow users to detect Spyware themselves.

• Browser – The choice of browser can affect the users’ vulnerability to Spyware.

• Operating System – Spyware is designed to run on systems running Windows, as this is the vast majority of the market advertisers are targeting. Open source distributions of Linux are far more resilient to Spyware-associated problems.

• E-Mail – Ignoring unsolicited e-mail (spam) and not opening attachments from unknown recipients will protect users from being attacked via e-mails.

3.7 – GAIN Case Study

In order to gain insight into how Spyware works, we chose to install some popular Spyware applications and analyze their effects. We installed iMesh (a peer-to-peer download client), which includes a compulsory Gator (GAIN/Claria) installation. Following this, we accessed a number of internet sites whilst simultaneously analysing the network traffic using IRIS 3.7, a popular network analyser. Figure 4 shows a screenshot of IRIS in action. Highlighted in the top pane of the application are the packets being sent to Gator from our client machine.

Our results were interesting...

·        Whilst visiting websites we observed a number of pop-up adverts with the GAIN logo.

·        Whilst performing a search on Google, a window appeared containing a search on the same string, only with sponsored links

·        The results from IRIS showed, regular packets being sent to ‘gbs.gator.com’ and 'ss.gator.com' during the session.

·        The data being sent to Gator is encrypted and so we were unable to see what information was being collected.

Figure 4 <Click Here> (This is a large image)

Figure 4: Our client performing "Packet Sniffing" on Spyware Software*

3.8 – Ad-aware

Ad-aware, developed by Lavasoft is currently the most popular Spyware removal software available. Ad-ware works much the same as a virus checker. Ad-aware scans the memory, registry and hard drive of the client computer and checks for items which require quarantine. These may include aggressive advertising components and user tracking components. A team of developers at Lavasoft, constantly watch for emerging Spyware technologies and reverse engineer them to identify the components. Lavasoft provide regular updates for Ad-aware users and additional plug-ins are available to gain extra file information and to disable the Windows Messenger Service.

3.9 – Vulnerable Systems

Any computer with an internet connection will be vulnerable to infection by Spyware. However, it is unknown for Open Source operating systems (Linux / UNIX), to be infected with Spyware. It would not be worth the Spyware vendor developing Spyware of this category of OS, as relatively few people use Linux and UNIX in comparison to those who use Microsoft Windows. All Microsoft operating systems are in some way affected by Spyware, some to greater extents than others. Internet Explorer has a number of security holes, which allow Spyware operation to proceed. Therefore, it is recommended to use other browsers such as Mozilla or Opera.

4 - Tracking Cookies

4.1 – Cookies

What is a cookie?

A piece of information sent by a web server to a user's browser. (A web server is the computer that "hosts" a web site and responds to requests from a user's browser.) Cookies may include information such as login or registration identification, user preferences, online "shopping cart" information, etc. The browser saves the information and sends it back to the web server whenever the browser returns to the web site. The web server may use the cookie to customize the display it sends to the user, or it may keep track of the different pages within the site that the user accesses. Browsers may be configured to alert the user when a cookie is being sent, or to refuse to accept cookies. Some sites, however, cannot be accessed unless the browser accepts cookies. – Google definition.

How do ‘Tracking Cookies’ work?

Unfortunately Tracking Cookies don’t all work in one way, because their aim is manipulate the use of a cookie by allowing more than one domain to view it. This is achieved by finding a suitable weakness in the implementation of the cookie protocol in the client browser. However, these "holes" are constantly being found and patched, and so tracking cookies are continuously developing to find new ways of operating.

4.2 – Case Study – DoubleClick

Regular internet users all have undoubtedly heard of DoubleClick. According to their website their purpose is to “develop the tools that advertisers, direct marketers and web publishers use to plan, execute and analyze marketing programs.” In other words, to "spy" on internet users and sell that information to advertisers, marketers and web publishers in return for profit.

How does DoubleClick work?

Web publishers subscribe to the ‘DoubleClick’ service, which involves them putting a cookie request on their home page for the ‘DoubleClick’ cookie. When such a site is hit, it requests the cookie and analyses it to understand who the client user is, and any other information pertaining to them that is stored in the cookie file. It then sends a request to ‘DoubleClick’ with the client user’s ID, requesting all available marketing information about them. (It would appear that the marketing information they send to the web publisher is gathered by this same method of the user hitting ‘DoubleClick’ enabled sites). The website can then send the client user targeted marketing through the range of mechanisms, they have available. If a ‘DoubleClick’ enabled site is hit and the client does not have a ‘DoubleClick’ cookie, the website provides them with one. This is the reason you might find a ‘DoubleClick’ cookie on your machine, even though you have never visited the domain doubleclick.net yourself. This whole process will occur without the knowledge or consent of the user.

4.3 – Tracking Cookie Implementation

According to the cookie protocol specification, cookies will allow a more efficient connection between the server the delivers the cookie and the client machine which receives it.

How are multiple domains able to access the same cookie?

When browsers initially implemented the cookie protocol, Netscape (who specified the protocol) and Internet Explorer, left several security holes allowing Spyware companies to manipulate the use of cookies for their own purposes. The method described for ‘DoubleClick’ relies on a security vulnerability in Internet Explorer. When the cookie is created and the domain of the cookie is specified, if the domain is written without any periods, it fools IE into believing this is an intranet address and giving it a lower security level, allowing others to access the cookie. This method was discovered and fixed in Internet Explorer version 6. Figure 5 is a schematic diagram showing the implementation of the cookie protocol.

Figure 5: Tracking Cookie Protocol Schematic*

This method has also proved popular and effective. The web publisher of the enabled site embeds an image from the Spyware company, (residing on the Spyware web server) into its home page (e.g. a banner advert). When the client downloads the homepage, the client browser automatically requests the image on the home page from the Spyware companies web server also sending the Spyware cookie. The Spyware web server returns the image with an updated Spyware cookie for the clients machine. This method is very cleaver as it doesn’t require a cookie to be shared. Since tracking cookies are still rife and remain a large problem, there remain a number of loop-holes in the browsers protocol implementation which need to be addressed.

4.4 – Tracking Cookie Code

Cookies are either implemented from the website’s application server or on the client-side JavaScript. Given that a method has been found to access the tracking cookie, the following code listing shows sample code for the addition, retrieval and update of the tracking cookie.

Listing 1: Sample JavaScript for the addition, update and retrieval of a Tracking Cookie*

4.5 – Tracking Cookie Defence

There are a variety of ways in which a user can protect themselves from tracking cookies. These are listed below...

• Run Spyware removal applications, which detect tracking cookies and remove them. One such example is Ad-aware.

• Manually delete all cookies after each browsing session.

• Disabling cookies (in the browser options control panel) solves the problem, but many sites are unusable without cookies.

• Some of the Spyware companies offer ‘opt-out’ cookies, which inform any enabled website that the user does not wish to participate in the scheme (e.g Doubleclick Opt-out).

• There are a number of technical work-arounds detailed on the internet, including replacing tracking cookies with write protected zero length files of the same name. However, with the number of tracking cookies currently in use, this is not an effective solution.

5 - Trojan Horses

5.1 – What is a Trojan Horse?

Trojan Horses are malicious programs designed to open a security "hole" in a system. They arrive on a system in much the same way as a virus does: either they are disguised as something innocent or they are concealed within another program. The only requirement is that some installation code is run once. This installation code copies the Trojan to an inconspicuous place (for example, the Windows directory), starts the Trojan and takes measures to ensure it is neither removed or detected. Alterations are made to system files (specifically, registry keys) to start the Trojan at system boot-up.

As with Spyware, ActiveX components embedded within web pages are a common method of infection. The most common is an e-mail with an executable attachment. Normally the message is an attempt to persuade the user that they must run the executable.

Once installed, Trojans allow a remote user to:

• Spy on the user's activities.

• Disrupt a system (By shutting it down, for example).

• Relay a malicious connection so as to disguise an attacker's true location (done to relay spam, or for hacking).

• Use resources such as bandwidth and files.

• Access confidential data.

5.2 - How does a Trojan Horse work?

Trojans work by waiting for a remote connection. To prove the connection is from the attacker, password authentication is normally used. The Trojan will have been preconfigured with a given password before being sent to the victim. To allow use on systems with rapidly-changing dynamic IP addresses, the Trojan may 'phone home' to report its IP address. Because it is relatively easy to extract the location of 'home', a third party is normally used, such as an IRC or ICQ server. Once run, the Trojan becomes memory-resident and will obfuscate (or hide) itself from system logs and process lists.

5.3 - Trojan Horse Examples (Back Orifice)

A long list of Trojans can be found here. In this hand-out, we aim to cover a few Trojans with features that distinguish them from the rest:

• Back Orifice:
  Back Orifice (BO) was developed by the Cult of the Dead Cow and was ahead of its time when released at DefCon 6 in 1998 . The Trojan affects Windows 95 and 98 although there are clients for all major operating systems.

The authentication and encryption used are both extendable through a modular system of plug-ins. By default authentication is by password and packets are sent unencrypted. Packets are sent over IP using either TCP or UDP. The port used is configurable and (if the phone home feature is used) variable. A plug-in is available to allow BO to pick a port based on what it can detect about the victim's firewall - greatly increasing the chances it can get through. Further plug-ins are available for encryption and the AES and CAST-256 protocols have been implemented.

A typical Back Orifice session is shown in Figures 6, 7 and 8, respectively.
 

Figure 6: The Back Orifice Protocol [1] - Infection Stage

The attacker may infect the victim with a Trojan Horse using a number of mechanisms. Peer-to-peer networks, e-mail and file downloads are the most common forms of infection. Following this, the Trojan is installed and once installed, it becomes a memory resident process which is started at system boot-up. The executed Trojan will locate an available port and IP Address on the victim's machine, prior to sending a 'phone-home' message to the attacker, using the IRC or ICQ protocol. The attacker is then able to directly connect to the Trojan Horse.

Figure 7: The Back Orifice Protocol [2] - Execution Stage

Once a connection is established to the client machine by the attacker, the attacker is able to execute a command. This may be any type of command, from changing the colour of the desktop background, to formatting the hard drive of the victim's client. In Figure 7, we show the connection being requested and allowed, prior to the information request being sent and information being returned. The protocol would behave in this manner, were the attacker to request a file from the victim's machine.

Figure 8: The Back Orifice Protocol [3] - Removal Stage.

Finally, once the attacker has performed all the actions they wish to, a cleanup command is sent to the victim's client. This will remove all traces of the Trojan Horse from the victim's machine; including all files and registry keys. It is not possible to detect that an attack has taken place after the cleanup command is executed.

5.4 – Other Trojan Horse Examples

• M$ Rootkit:
  M$ Rootkit is an example of a root kit. A root kit is a very dangerous Trojan that must be installed on a system as root. They integrate with the OS kernel in such a way as to gain full access to a system: Exercising total control while hiding themselves from users and system administrators. If the attacker has access to the local network, M$ root kit includes a simple TCP/IP stack that can be used to avoid the connection appearing in logs. It is virtually undetectable once installed on a system.

• iSpyNow:
  iSpyNow is commercial and marketed towards those wanting to spy. It is significant in that it includes a web-based client, allowing anyone with authentication details and a web-browser to exploit the Trojan.

• Assassin Trojan:
  Assassin Trojan is similar to Back Orifice. For a fee, the authors will write a custom version that differs enough from past versions to escape detection by virus scanners.

• Magic Lantern:
  Magic Lantern has yet to be detected in the wild but is rumoured to exist. It is a Trojan developed by the FBI to infect suspect's computers and report back any suspicious activity. Doing so has severe civil rights implications and is only legal with recent anti-terrorism legislation passed in the US. Whether or not it should show up in virus scanners has split the virus checking world in two.

• Key-logging can also be done using hardware.

5.5 – Impact of Trojan Horses

The Trojan Horse is able to perform many (some extremely malicious) attacks. One particular example is the distribution of a Trojan to perform a Distributed Denial of Service (DDoS) attack. This relies on the Trojan executable to be distributed to as many machines as possible, and installed. When a certain time period passes, the DDoS attack will be launched and all available Trojans will request the same URL. The web server hosting this URL will fail, possibly crashing.

By the number of Trojans in common use (according to McAfee), the most vulnerable OS is Win9x. This includes 95, 98 and ME. The safest is MacOS X, followed by MacOS Classic, Linux and WinNT. By the ease with which they can be compromised, Linux/Unix rank as the hardest (so long as the root user is not used for day-to-day tasks) and Win9x is the easiest. MacOS X is regarded as relatively safe, followed by WinNT and MacOS classic.

Trojan Horses are detected by all good virus checkers, such as those from McAfee and Norton. The university has a site license for McAfee that extends to home use, so it is worth looking here to see how you obtain a copy.

A firewall will stop many of the simpler Trojans from working (such as NetBus) and an intrusion detection system (discussed later in this handout) can be used to spot Trojan-like behaviour. Regular PC rebuilds and OS updates will clean out Trojans and root kits, although damage may have already been done by the time they do.

Figure 10: A Typical Intrusion Detection System*

The combination of the Intrusion Detection System and a firewall will allow maximum filtering of network traffic and will definitely prevent the majority of Trojan Horse attacks. There are some important points that should be considered when integrating an IDS with a network. Initially, the IDS must capture and monitor all traffic within the network, not just that between itself and a switch. Therefore, it is advisable to used mirrored ports on the switch to enable the IDS to view the whole network. It is also necessary to place the IDS before the firewall in the network to get maximal detection of intrusion, as some intrusive packets may be filtered out by the firewall.

[1] "Spyware" Definition - BlackICE Internet Security Systems - http://blackice.iss.net/glossary.php
[2] "Trojan Horse" Definition - Texas State Library and Archives Commission - http://www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html
[3] Zeinalipour-Yazti, D. “Exploiting the Security Weaknesses of the Gnutella Protocol”, University of California. 
[4] Joshi, R. “Network Security Applications”, Merchantile Communications, CANIT Conference 2003.
[5] CERT Advisory CA-1999-02 - http://www.cert.org/advisories/CA-1999-02.html
[6] Spyware Guide – http://www.spyware-guide.com
[7] Trojan Horses - http://www.mpsmits.com/highlights/trojan_horses.shtml
[8] Trojan Horse - Back Orifice - http://www.nwinternet.com/~pchelp/bo/bo.html
[9] NetBus - http://www.nwinternet.com/~pchelp/nb/netbus.htm
[10] BBC News - http://news.bbc.co.uk/1/hi/technology/3153229.stm
[11] Wired News – “Judge takes bite out of Gator” www.wired.com/news/politics/0,1283,53875,00.html
[12] Tracking Cookies – Demonstration at - http://www.irt.org/instant/chapter10/tracker/index4.htm
[13] BonziBuddy - http://www.bonzi.com/bonzibuddy/bonzibuddyfreehom.asp
[14] Unwanted Links (Spyware) – http://www.unwantedlinks.com
[15] Andersen, R. "Security Engineering", First Edition, J. Wiley and Sons, 2001.
[16] Scacchi, W. “Privacy and Other Social Issues”, Addison-Wesley, 2003 - http://www.ics.uci.edu/~wscacchi/Tech-EC/Security+Privacy/Privacy.ppt

8 - Table, Figure and Listing Sources

The following information pertains to the Tables, Figures and Code Listings in this document. Those which are not entirely derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai are not covered under the terms of the GNU Free Documentation Licence. These items also have their subtitles marked with an asterisk (*) in the main body of the text. Permission must be gained from the authors of these items (given in 7 - Bibliography and Internet References) for their reproduction and redistribution.

8.1 - Tables

Table 1: Similarities and Differences between Spyware and Trojan Horses - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai

8.2 - Listings

Listing 1: Sample JavaScript for the addition, update and retrieval of a Tracking Cookie* - Implemented by Andrew Brown, Tim Cocks and Kumutha Swampillai, with assistance from demonstration given at [12].

8.3 - Figures

Figure 1: A Typical Spyware Network - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 2: Client-Side Spyware Operation - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 3: Server-Side Spyware Operation - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 4: Our client performing "Packet Sniffing" on Spyware Software* - Screenshot of IRIS v3.7 Network Analyser - Professional Networks Ltd. See http://www.pnltools.com.

Figure 5: Tracking Cookie Protocol Schematic* - Produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, with inspiration and assistance from presentation given at [16].

Figure 6: The Back Orifice Protocol [1] - Infection Stage - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 7: The Back Orifice Protocol [2] - Execution Stage - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 8: The Back Orifice Protocol [3] - Removal Stage - Derived and produced by Andrew Brown, Tim Cocks and Kumutha Swampillai.

Figure 9: Packet Filtering (Top) vs. Stateful Inspection (Bottom)* - Produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, with inspiration and assistance from presentation given at [4].

Figure 10: A Typical Intrusion Detection System*- Produced by Andrew Brown, Tim Cocks and Kumutha Swampillai, with inspiration and assistance from presentation given at [4].

This HTML Document contains the seminar handout for "Spyware and Trojan Horses" [SS1]. This deliverable is in partial fulfilment of the requirements of the module; (06-17417) Computer Security, School of Computer Science, The University of Birmingham. The other deliverable for this assessment was a seminar and associated slides. These may be found on the Computer Security Module Web Page. This assessment was supervised by Dr. Mark Ryan.

Andrew J Brown - ug24ajb@cs.bham.ac.uk

Tim G P Cocks - ug19tgc@cs.bham.ac.uk

Kumutha B Swampillai - ug71kbs@cs.bham.ac.uk

Last updated (and submitted):- Thursday 12th February, 2004.

The opinions which we express within this page are not guaranteed to reflect those of The University of Birmingham and / or it's School of Computer Science.

[END]