Eye Spy
Articles and Tips:
Protocol Analysis Institute, LLC
01 Oct 2005
The excitement of setting up a new computer quickly fades when you run an antispyware tool against your pristine new baby and find that it is riddled with software programs watching where you go and what you do. Yes, your new computer is spying on you; it's examining every Web site you visit, tracking your online activity and reporting this information up to a third party who wants to market to you based on the results. Throw the evil thing out the window--now!
If you have that kind of experience with your own home computer, imagine what you'll probably experience with all the computers on your network--perhaps hundreds or even thousands of them! Simply, your corporate data might be at more risk than you thought. Let's take a look at what the issues are and how you might want to address them.
If you ever wrestled with Gator, then you know how painful the process of adware removal can be. The Gator Corporation, founded in 1998, defined itself as "the world's largest behavioral marketing network." Gator wasn't created with a destructive aspect in mind; it was simply irritating adware. On its original Web site, Gator stated: "The Gator Advertising and Information Network (GAIN) is the world's largest behavioral marketing network. The average GAIN campaign generates click through rates 20 times that of traditional banner ads."
In March 2005, a spyware program made it into the limelight because it was spread using spam. The spam messages advertised "desperate housewives" looking for a good time. Folks who clicked on any link in the e-mails would find their systems infected with a nasty dose of spyware.
Even Instant Messenger (IM) users are not safe; the Bropia worm demonstrated how Microsoft's MSN Messenger could be used to spread malicious code. The code is hidden in attachments to messages that appear to come from a known IM contact. When the reader clicks on the attachment, the malicious code is copied to the local system and a new message is sent to someone on the local IM buddy list. This type of IM-based forwarding could be used to spread malware, spyware, adware and the like.
It is estimated that more than 99 percent of computers have some sort of active intrusive spyware loaded on them. How does this garbage get on your computer? What is it doing there? How can you eradicate it? How can you prevent it from ever slithering under your front door again? You are in luck, my friend. We're going to delve into the seedy world of spyware, adware, malware and other trash in this article.
A Rose by Any Other Name...
Let's first define some of the terminology used to differentiate this junk because it is NOT all the same. Different elements are often lumped together under the term "spyware," when in actuality, they perform entirely separate functions, such as browser hijacking.
Adware
Adware refers to software that submits the user to intrusive advertising banners and popup ads. Adware might or might not have embedded spyware elements. Adware is primarily an annoyance. Gator, now called Claria, is the most prevalent adware source to date.
Keyloggers
Keyloggers are software programs (or hardware"plugs") that capture all keystrokes typed on the computer keyboard. The keystroke information might include confidential information such as user names, passwords and account information that are probably sent to a third party to be exploited. (See www.usdoj.gov/criminal/cybercrime/jiangPlea.htm for information on the "Kinko's Keylogger Case" in which a 24-year-old man secretly installed keylogger software on Kinko's computers throughout Manhattan to collect user names and passwords so he could access their online bank accounts and create other accounts.)
Malware
Malware is software that contains malicious code intended to harm or disrupt the operations of a host. Trojans, viruses and worms are examples of malware. (See www.usdoj.gov/criminal/cybercrime/juvenileSent.htm for information on the case of the 14-year-old hacker who developed and released the RPCSDBOT worm that brought down Microsoft's Web site for four hours.)
Spyware
Spyware is software that monitors user activity and transmits that information to third-party sites. Spyware may also include adware that is targeted toward the users' preferences based on the spyware findings.
Trackers
Trackers are elements of other software programs that gather information about a user, perhaps saving that information through tracking cookies, browser helper objects, toolbars and other means. These trackers are a concern because they do not necessarily differentiate between confidential information and general information on the user. For example, if a tracking cookie maintains details on your visit to an online pharmacy it might not distinguish your user name at that pharmacy from the orders you have placed online at that pharmacy.
Scumware
Scumware is a general term that refers to unwanted software that is planted on a system. This term encompasses trackers, malware, spyware, adware and any other potentially unwanted program (PUP).
Note: In this article, I use the general term scumware to refer to all these unwanted programs.
How Did My System Get Infected?
The results displayed by a spyware/adware removal program can be disheartening. How did your system get filled up with all that junk? Figure 1 shows the results of running Ad-Aware SE on one of my new instructor machines. This scumware can get onto your system in several ways:
Figure 1
Preinstall
The software was already installed on your system when you bought it. I highly recommend you run a spyware/adware detection tool on any new system to determine what has been preloaded. On a Windows system, you will find numerous tracking cookies installed as part of Internet Explorer.
Drive-by downloads
Scumware is installed without your knowledge when you visit a Web site or simply open an HTML e-mail message. The code on the Web site may take advantage of a browser security flaw to install the software on your system.
Deceptive popup windows
In this case, the scumware considers the user as its best friend; deceptive popup windows may indicate that clicking "yes" will disable the popup window feature. But much to the chagrin of the user, this "yes" also meant to install the scumware in the background.
Downloaded applications
Again, the user is the vehicle for getting the scumware installed. Users get more than they asked for when downloading great new games, screensavers and emoticon packs. Kids are becoming a hot new market to spyware/adwarebased marketers because they are likely to be more trusting and click "download" more freely.
Media files
Unless you have updated Windows to Service Pack 2 and you are running Windows Media Player 10 or later, you may be confronted with a misleading popup that implies the user must click "Yes" to view the media file. Click "Yes" and the spyware/adware software installs itself. (See www.benedelman.org/news/010205-1.html to read Media Files That Spread Spyware by Ben Edelman.)
P2P applications
I personally cringe when I hear someone extol the virtues of Kazaa, Grokster and eDonkey. You get what you deserve when you download these programs. In some cases these programs prompt you to install toolbars and related database streamline technology. In truth, they might be installing a slew of spyware/adware programs and adding numerous registry keys to your system. One example is Kazaa that installs Claria software. (As I mentioned, Claria, formerly known as Gator, defines themselves as the leader in "behavioral marketing" and maintains the seventh largest decision support database in the world!)
Regardless of your OS, if you haven't updated it to include the latest security fixes, now might be the time.
Security flaws
It's true, Windows Service Pack 2 can help protect your system from these folks by blocking popups, alerting you to malicious file downloads and blocking attachments. Regardless of your OS, if you haven't updated it to include the latest security fixes, now might be the time.
Figure 2 shows the Task Manager window on a system that is infected with adware. As you can see in the figure, Golden Retriever Cash Back and AdTools.exe are listed as running processes. Golden Retriever Cash Back is another name for Bargain Buddy and Bulls Eye Network and exactadvertising. AdTools is a Windupdates adware variant.
Figure 2: Task Manager shows both Bargain Buddy and AdTools running on the infected system.
Bargain Buddy uses an Internet Explorer Browser Helper Object (BHO) and a startup process. The BHO monitors Web pages requested by the user and all the words entered into forms online. An advertisement might be shown when there is a match between sites and keywords entered by the user and a preset list of sites and keywords defined by Bargain Buddy. The Bargain Buddy process may also contact its creator's server to download updates to the list of advertisements and to the Bargain Buddy software itself. Ideally, we'd like to capture a trace file of that communication to see to whom Bargain Buddy is talking and what it is saying.
Watching Spyware Download
During the BYOL ("Bring Your Own Laptop") sessions at Brainshare 2005 we examined the trace file from a browser hijack session. The step-by-step instructions for examining the trace file (and the Laura's Lab Kit DVD that contains the trace file) were in the March/April 2005 issue of Novell Connection. If you didn't get your own free copy of Laura's Lab Kit, you can download the DVD ISO image from http://download.novell.com/cached/files/llk_v6.iso and burn your own DVD. You can download the trace file evilprogram.dmp from www.packet-level.com/byol and read the accompanying article online at the magazine's Web site. To review the evilprogram.dmp trace file, install the latest copy of Ethereal (www.ethereal.com) and WinPcap if you are running Ethereal on a Windows system. WinPcap is the Windows packet capture driver (available at www.winpcap.org).
Figure 3 shows the client, 24.6.125.19 requesting a file, bkinst.exe, from the Virtumonde host at 208.48.15.13.
Figure 3: Follow the trace file to see the client make a request for the bkinst.exe file using and HTTP session.
In this trace, pay particular attention to packet 350 when someone establishes a DCE RPC (Distributed Computing Environment Remote Procedure Call) connection to our client, 24.6.125.19. Right mouse click on packet 350 and select Follow TCP Stream to filter out all traffic and see what is downloaded to the client. See the "MEOW MEOW" text?
As you follow that trace file, you notice the client performs a DNS query for updates.virtumonde.com (packet 381). This is the server from which the client wants to get the bkinst.exe file. In packet 400, the client performs another DNS query. This time, it's looking for virtumonde.com. It finds and makes an HTTP connection to 209.123.150. Instead of downloading something from this second server; however, it sends something up to it using an HTTP POST command (packet 405). In response, the Virtumonde server sends our clients some new configuration information in packet 412:
|
AdCategoy: |
Some |
|
ConnectionPerDay: |
2 |
|
PopUpPerDay: |
24 |
|
SetIDWas: |
Unreleased |
|
StatisticsUploadDelay: |
1 |
|
StealFocus: |
a (perhaps "active"?) |
Virtumonde is associated with StopGuard, a browser hijack program. Other domains associated with StopGuard are genericscanner.com and vantagesoftware.com.
Removing Spyware/Adware
Unfortunately, at the current time, one single solution can't remove all spyware, adware and the other junk that invades our privacy. We are dependent on running a series of different tools to spot a variety of problems.
To compound the problem, numerous spyware/adware removal programs are worthless and don't provide any benefit. Many of these bogus programs are listed online at www.spywarewarrior.com/rogue_anti-spyware.htm. On June 23, 2005, the U.S. Federal Trade Commission announced that it had taken action against Trustsoft, the company behind SpyKiller 2005, an "antispyware" product. The FTC specifically named several of the more deceptive and unfair practices that are employed by many bogus antispyware applications. These deceptive and unfair practices include:
claiming falsely to have scanned a system remotely and detected spyware
using high pressure sales tactics through popups and spam to compel users to buy an antispyware application
selling an antispyware product that falsely detects spyware on a system
selling an antispyware product that fails to remove a substantial amount of spyware from a system
You can read the filed complaint against Trustsoft at www.ftc.gov/os/caselist/0523059/050623comp0523059.pdf.
So the first step to cleaning a system would be to get some reliable antispyware software. Eric Howes tests and documents the performance of antispyware tools. His research findings are online at http://spywarewarrior.com/asw-features.htm.
Once you have installed some reputable antispyware software, begin this four-step process for cleaning a system:
STEP 1 Run your virus scanning program
First, you really want to ensure your system is not hindered by a virus or trojan. In addition, many of the virus detection manufacturers can spot and eradicate spyware and adware quite efficiently.
STEP 2 Run anti-spyware scanners
You'll notice I said scanners with an "s" at the end. You'll need to run more than one anti-spyware/adware scanning package at this time; like I said, no single solution exists to date.
Several free antispyware scanners are available online and some have the option to upgrade to a commercial version:
Ad-aware Personal Edition (www.lavasoftusa.com)
Spybot Search& Destroy (http://spybot.safer-networking.de/en/mirrors/index.html)
Note: On December 16, 2004, Microsoft acquired Giant Company Software, Inc., a well-respected antispyware vendor. Currently, the Microsoft Windows AntiSpyware program is in its beta phase. For more information, refer to www.microsoft.com/athome/security/spyware/.
STEP 3 Register online at www.SpywareWarrior.com
This is the golden resource folks! SpywareWarrior's Web site is filled with advice, tools, research and it's all free! Because you are eventually going to need these folks, go ahead and register today at Spyware Warrior. I suggest you also take a look at the forums that opened online on January 19, 2004 at the same URL. You might recognize the names of many of the top spyware/adware programs people are trying to eradicate from their networks (CoolWebSearch, StopGuard, 180Solutions, Gator and on and on). The Spyware Warriors who moderate the forums are truly saints--folks who donate their time and expertise to help others.
STEP 4 Run HijackThis
HijackThis is an auditing tool that lists registry entries, autorun settings and other system configuration file information. Use HijackThis to export a log file listing entries on your system. These HijackThis logs are used by the Spyware Warriors to identify rogue software on your system. HijackThis is freely available at http://spywarewarrior.com/sww-help.htm.
Figure 4 shows the partial results from a HijackThis log.
Figure 4: HijackThis shows registry keys and other system settings.
Each HijackThis entry is prefaced by an alphanumeric code such as R2 or O4. The following list defines the HijackThis alphanumeric codes:
|
R |
Registry, StartPage/SearchPage changes |
|
RO |
Changed registry value |
|
R1 |
Created registry value |
|
R2 |
Created registry key |
|
R3 |
Created extra registry value where only one should be |
|
F |
niFiles, autoloading entries |
|
F0 |
Changed inifile value |
|
F1 |
Created inifile value |
|
F2 |
Changed inifile value, mapped to registry |
|
F3 |
Created inifile value, mapped to registry |
|
N |
Netscape/Mozilla StartPage/SearchPage changes |
|
N1 |
Change in prefs.js of Netscape 4.x |
|
N2 |
Change in prefs.js of Netscape 6 |
|
N3 |
Change in prefs.js of Netscape 7 |
|
N4 |
Change in prefs.js of Mozillas |
|
O |
Other, several sections which represent: |
|
O1 |
Hijack of auto.search.msn.com with Hosts file |
|
O2 |
Enumeration of existing Internet Explorer BHO's |
|
O3 |
Enumeration of existing Internet Explorer toolbars |
|
O4 |
Enumeration of suspicious autoloading registry entries |
|
O5 |
Blocking of loading Internet Options in Control Panel |
|
O6 |
Disabling of Internet Options Main tab with policies |
|
O7 |
Disabling of Regedit with Policies |
|
O8 |
Extra Internet Explorer context menu items |
|
O9 |
Extra Tools menu items and buttons |
|
O10 |
Breaking of Internet access by New.Net or WebHancer |
|
O11 |
Extra options in Internet Explorer Advanced Settings tab |
|
O12 |
Internet Explorer plugins for file extensions or MIME types |
|
O13 |
Hijack of default URL prefixes |
|
O14 |
Changing of IERESET.INF |
|
O15 |
Trusted Zone Autoadd |
|
O16 |
Download Program Files item |
|
O17 |
Domain hijack |
|
O18 |
Enumeration of existing protocols and filters |
|
O19 |
User stylesheet hijack |
|
O20 |
AppInit_DLLs autorun registry value |
|
O21 |
ShellServiceObjectDelayLoad (SSODL) autorun registry key |
|
O22 |
SharedTaskScheduler autorun registry key |
|
O23 |
Enumeration of NT Services |
When using HijackThis, DO NOT start checking off items and deleting them; there are some seriously weird-named Windows programs out there. More than once I have looked at an entry and thought "now THAT just can't be good so I'm going to nuke it" only to find out that it was some funky required Windows element!
HijackThis automatically opens an Explorer window so you can save your log file. Upload this log file to www.spywarewarrior.com and be patient! They review almost all uploads and respond to them within 72 hours. There is a "bump" forum where you can repost your log file if absolutely necessary, but keep in mind that reposting can gain you more enemies than friends.
You will receive a response from one of the warriors. They will provide you with step-by-step instructions on removing the junk from your system. Follow the steps precisely and, when finished, run HijackThis again. Post your new log files and check in again. Some really stubborn spyware programs and files may require multiple steps and several HijackThis logs to finally clean the local system. Patience is key in truly cleaning off a system. It might be a long and grueling process to get rid of extremely stubborn spyware that may morph into different executables each time a system is rebooted.
Spyware/Adware Prevention
How do you stop spyware and adware from ruining your computing life? Let's look at a simple list of things you can do to make it through the muck and mire of spyware and adware.
Educate users.
As you most likely know, your users are one of the biggest security vulnerabilities on the network. Consider that sweet lady in accounting who takes her laptop home and begins downloading freeware games like a fanatical Halo addict desperately searching for her next MedPak. She isn't intentionally trying to mess up her system; it's just an ignorant innocent mistake, right? You get the idea.
Install quality spyware/adware scanning software.
Again, note that no single program does it all right now, but check out Spybot Search& Destroy, Ad-aware and Pest Patrol. In addition, see Eric Howes' spyware/adware removal tool comparisons at www.spywarewarrior.com. Eric has done some wonderful research on how well each of these programs work to identify and remove PUPs.
Install quality antispyware protection programs.
Now we find many virus detection tools can identify spyware and adware being planted on a drive. Two programs devoted to blocking spyware are Spyware Blaster and Spyware Guard from JavaCool.
Lock down Internet Explorer.
Set up Internet Zones, Privacy, Security and Popup Blocker settings in the Tools section of Internet Explorer. Eric Howes developed an interesting program called Enough is Enough (https://netfiles.uiuc.edu/ehowes/www/resource6.htm) that will perform four basic functions:
Locks down Internet and Restricted sites zones with restrictive settings for options like ActiveX, Java, scripting and so forth.
Restrict the use of cookies without completely disabling them for trusted sites or single session use.
Disable certain Advanced settings, including Install on Demand and third-party browser add-ons ("plugins").
Install Microsoft's Internet Explorer PowerTweaks WebZone accessory which places two new options on the Internet Explorer Tools menu and two buttons on the Toolbar for "Add to Trusted Zone" and "Add to Restricted Zone."
Note: For some users, Enough is Enough may be too restrictive and "break" or block certain desired Web sites until they are added to the Trusted Sites list.
For Internet Explorer, put bad sites on a restricted zone
or check out IE-SPYAD which adds an up-to-date list of sites and domains that are associated with known advertisers, marketers and "crapware pushers" to Internet Explorer's Restricted sites zone. When this list of sites and domains is merged into the Windows Registry, the Web sites for these companies will not be able to use cookies, ActiveX controls, Java applets, scripting or use your browser to push unwanted popups, cookies or autoinstall programs onto your system. IE-SPYAD was developed by Eric Howes at https://netfiles.uiuc.edu/ehowes/www/resource.htm.
Consider another browser other than Internet Explorer
(for example, Firefox or Opera). I'm not saying that the other browsers don't have vulnerabilities--they all do; however, their vulnerabilities are not as prevalent and as popular as the Internet Explorer vulnerabilities.
Consider outbound filtering and blocking.
You really don't want spyware or keyloggers sending your information up to a third-party server. You also don't want this scumware setting up a secondary channel for communication (as you saw in the evilprogram.dmp trace file). Filtering/blocking programs, such as ZoneAlarm, should alert you when a rogue program is attempting to connect with other hosts or communicate across the Internet.
Keep Windows updated.
Although this point may cause you to cringe, it is true that Windows Service Pack 2 (SP2) offers improved security for Windows and Internet Explorer. Some improvements offered by SP2 include:
Internet Explorer Popup Blocker enables you to disable popups
Internet Explorer download monitoring warns you of potentially harmful downloads and provides the option to block malicious files
Internet Explorer Add-on Manager allows you to manage plugins
Outlook Express privacy update limits spammers from validating your e-mail address
Attachment Manager monitors and disables potentially unsafe attachments
Read licenses and privacy policies.
(Yes, this could be painful!) Most nefarious applications hide their intent in poorly worded, lengthy and confusing licenses. Claria's license for example, is 43 percent longer than the US Constitution. Claria's license references numerous separate pages that are "incorporated by reference." Some of the more outrageous licenses restrict users from uninstalling the software or suing the maker.
For some interesting reading on Claria's License Agreement, visit www.benedelman.org/spyware/claria-license/ to read Claria License Agreement is Fifty-Six Pages Long by Ben Edelman. Ben Edelman, a Ph.D. candidate at Harvard University, researches the methods and effects of spyware with a focus on installation methods and revenue sources.
Check out
CleanSoftware.org.This site maintains a list of free software that is free of the following elements:
Adware - aggressive, unwelcome advertising
Spyware - components that track, record and report your actions
Data mining - analysis of personal data for marketing purposes
Parasites - unwelcome, hidden and unexpected components
Misleading or tricky license agreements
Threats to personal privacy
Threats to user and/or data security
Get to know the Spyware Warrior folks well!
At some point you will come up against some really nasty scumware that can't be removed with any automated tool. In that case, you'll need to use HijackThis to build a log file to post online at www.spywarewarrior.com.
Ideally, I like to see people capture trace files of the bootup sequence on systems that may have scumware on them. These trace files help us understand how the scumware works, how it updates itself and who it talks to.
The more you, as a network administrator, understand this stuff, the better off you are, not to mention your end users. Just imagine how many of them play an innocent online game during their lunch break. But remember, before they can start that game, they probably have to click at least one of those "I agree" buttons to start the onslaught of scumware. They have no idea of what's about to happen to their privacy--and possibly their corporate data. As you might become painfully aware by now, your corporate data is at risk. Many of your users' computers are probably infected because users haven't taken the basic steps to avoid such a problem. It's now your job to inform them. So get to work. Defeating spyware is one of our greatest privacy and security battles on today's networks.
Editor's note: Consider downloading the PDF of this article from www.novell.com/connectionmagazine and sending it around to your users. It might make your job easier.
Who ya gonna call?
Now that you know something has to be done, what are YOU going to do? How are you going to install your solution across your enterprise? Well, Novell ZENworks Desktop Management can automatically install applications, including antispyware and antiadware programs, onto desktops connected to the system. ZENworks allows administrators to create applications in eDirectory and then assign those applications to any or all users or desktops known to the directory. When those devices connect, or when an assigned user logs into the system, ZENworks automatically delivers the application described. And when you need to update those patterns or software, just update your application in eDirectory and ZENworks automatically updates any previously installed version on all the appropriate desktops.
* Originally published in Novell Connection Magazine
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.