malware_report_vimal_kumar.pdf

A Brief History, Present and Future of Spyware

1. Introduction

Steve Gibson of Gibson Research, who wrote the first anti-spyware software, said spyware is “uninvited, unwanted, stealthful, invasive, annoying, exploitive, and potentially privacy-compromising PC add-on software whose ongoing presence in millions of PCs worldwide benefits not the computer’s owner and operator, but the interests of the publishers of this troubling new class of software [8].” These words abundantly summarize everything about spyware. It is a program made literally to spy on you while you surf the internet. This report provides a brief survey of spyware, in which I will discuss how spyware as we know it came into existence, the classification of spyware, why it exists in the first place, and anti-spyware techniques for its removal. In the end we will see what the future of spyware looks like before I conclude the report.

2. History of spyware

The term spyware was first used in a 1995 Usenet post which made fun of Microsoft’s business model. Spyware programs started appearing on the internet around the late 1990s. The first known spyware of this kind was the Elf Bowling program. On the outside it was a nice little free game, but inside it was a stealth program which sent information about the user to its creator, NSoft. The first usage of the term “spyware” in the sense we know it today was in the press release for Zone Labs’ ZoneAlarm firewall. In 2001 Steve Gibson detected a malicious program on his computer which was sending information from his computer to some adware companies. To counter this, Gibson came up with the first anti-spyware software, OptOut. Since then the war between spyware and antispyware has become more and more complex. The evolution of spyware has followed the trend set by the evolution of viruses, with spyware authors devising new ways and techniques to evade detection and the antispyware companies trying hard to come up with newer detection and removal methods. In the initial stages of spyware’s evolution, even aware internet users did not think spyware could be as harmful as viruses and hackers. This gave spyware makers an opportunity to grow and diversify without getting noticed [13]. Spyware has come a long way since the Elf Bowling program, evolving and getting more and more complex and dangerous with time. Just how much of a nuisance it has become can be seen from the statistics below.

A survey conducted by AOL and the NCSA in 2004 found that 80% of computers connected to the internet had some sort of spyware installed on them, and 89% of those who were infected didn’t know it was there. An average of 93 spyware components was found on the infected machines [12]. An IDC survey of 600 corporate IT managers in 2004 revealed that spyware ranks fourth on the list of biggest security risks [10]. Consumer Reports’ State of the Net says that in 2007 spyware infections prompted 850,000 US households to replace their computers; the total financial loss was about $1.7 billion [1]. EarthLink’s 2009 Q4 report tracked the growth of spyware for a year and the results showed a staggering 230% increase [2]. We can clearly see that spyware is one of the fastest growing phenomena on the internet these days, and if we combine all the different types of spyware together, it has become the single most popular download on the internet [11].

3. Types of spyware

Spyware is a generic term for a number of different kinds of malicious software. So what are the different types of spyware in existence?

3.1 Adware

Adware is the most common type of spyware, which sits on your computer waiting for you to go online. As soon as you are connected to the internet, it inundates you with all sorts of popup ads. The motive behind this is to make you click on the ads, which generates revenue for the spyware installer. The adware may also monitor your browsing patterns. This information is sent to the spyware installer to show you targeted ads.

3.2 Browser Hijackers

Browser hijackers change a browser’s default settings and homepage. They may also change your search engine and redirect you to a specific page filled with popups and ads. Browser hijackers are extremely annoying, as they are generally very difficult to remove.

3.3 Key Loggers

A key logger can be either hardware or a piece of software. In our context it will mostly be software which resides in the computer’s memory and records every keystroke. Key loggers are one of the most severe types of spyware. They record everything you type and send this information to a third party, who can easily analyze it for usernames, passwords and other personal information.

3.4 Dialers

Dialers were widespread in the pre-cable-modem, dial-up era. Dialers are used by pornographic vendors. They activate the computer’s modem and, if it is connected to a telephone line, call a phone number which generates revenue for the number’s owner at the expense of the user.

3.5 Trojan Horses

Trojan horses are seemingly legitimate software which, unknown to the user, have one or more sinister programs hidden inside them. This hidden software may serve ads and spy on you. Most often the EULA for the Trojan horse will mention the hidden software, buried so deep in the documentation that the user would never notice. On the other hand, sometimes the spyware is completely hidden.

3.6 Cookies

Cookies are small files used by a web browser to store information about the user. By themselves, cookies are not bad; websites use them to remember the user and to personalize the browsing experience. Spyware and adware use these cookies to track your surfing patterns and store information about you so that you can be bombarded with ads as and when they like.

4. How can spyware harm you?

At best spyware is a nuisance; at its worst it can log all your keystrokes, invade your privacy and steal your passwords. Most spyware runs at startup in the background, hogging your resources. It generates pop-up ads which render your browser too slow to work with, sometimes even crashing it. Spyware pesters you by changing your homepage, redirecting you to different web pages and hijacking your searches. Some spyware monitors your browsing habits; some even goes through your files and catalogues information about you, which can then be used to show you targeted ads via pop-ups. Some spyware goes beyond these boundaries to steal your passwords and also your money. Since spyware is always running in the background, a severe infection can make the computer very slow and unresponsive; it also eats into your bandwidth, which brings down your internet speed.

Figure 2. Fake Windows dialog box

5. How does spyware spread?

Unlike viruses, spyware does not install itself without the user’s permission; instead it tricks the user into installing it. Spyware can spread in a number of ways, a few of which are described below.

i. As Milton Friedman famously said, “There is no such thing as a free lunch”, and the price to be paid for a lot of free software is spyware. You download a free utility and along comes the spyware without you even noticing it. The main culprit in this category is shareware. Companies which use spyware pay the shareware providers to incorporate spyware in their products. Shareware like Kazaa is known to install a number of spyware programs along with itself.

ii. It could be disguised as useful software, for example SpeedBit, which was a program that could increase your surfing speed, or an online friend like Bonzi Buddy or the infamous WeatherBug. These programs offer to help you for free, but in fact they are spyware, monitoring you and your computer.

Figure 1. Bonzi Buddy

iii. Spyware can also arrive when you click on unscrupulous pop-ups which look like Windows dialog boxes, if you have low internet security settings.

iv. Spyware could also be installed through a virus or a worm. An example of this is the W32 Spybot worm, which exploited vulnerabilities in Windows XP to get installed. W32 Spybot had the properties of a worm, a virus and spyware alike: it replicated itself like a virus, exploited security holes to infect machines like a worm, and stole passwords and logged keystrokes like spyware.

v. Spyware can also exploit a security hole in your browser or any program you are using; when you go to a website which hosts the spyware, it downloads itself onto the computer. This is called a drive-by download.

vi. Some spyware advertises itself as anti-spyware to trick users into downloading it. These so-called anti-spyware programs run fake scans and provide fake results while doing their real job in the background.

Figure 3. Fake antispyware

6. The spyware money trail

The sole purpose of the existence of most spyware is money. A low percentage of spyware consists of key loggers and other programs which log your passwords and other information to steal from you directly. The rest make use of an unaware computer user to make money. Preston Gralla’s book “How Personal & Internet Security Works” [9] describes one of the ways spyware is used to make money. The process is summarized below.

It all starts with an affiliate program from a merchant, in which anyone can sign up and make money by delivering the ads that these merchants provide. Each participant receives a unique code, which is embedded in the ads they display. Each click on the link or the ad towards the merchant earns the participant money. Some notable affiliate programs are Google AdWords and Yahoo Search Marketing.

Yahoo Search Marketing was in the news a few years ago for its alleged inability to stop the misuse of its program and also for posting deceptive ads itself. Some merchants monitor those who participate in their programs while some do not. Those merchants who do not monitor their participants can easily be taken advantage of by exploiting their program. The next two parties in the game are the spyware author, who writes the spyware program, and the person who wants to make money from this setup. Often these are two different parties, but they can also be the same person. The person who is looking to make money strikes a deal with the spyware author. The spyware author includes the person’s affiliate program code in the spyware. The spyware is then distributed on the internet using any of the techniques mentioned in section 5. When the spyware gets downloaded onto an unaware user’s computer, it starts popping up ads with the affiliate code embedded in them. When the user clicks these ads, the person with the affiliate code gets paid per click by the merchant. This revenue is then split between the person and the spyware author.

7. Legal issues related to spyware

Most countries have laws which make unauthorized access to a computer by a person who does not own it illegal. These laws have been put to use to deal with virus writers, hackers etc., but spyware authors seem to be immune from them. The primary reason behind this immunity is that most spyware is installed with the user’s consent and is thus legal. The EULA, Terms of Service or Terms of Use is a legally binding contract, and online consent is achieved when you click the “I agree” button. Nobody installs spyware knowingly; it just takes a ride along with the shareware or freeware that you install. In most cases the EULA will have a description of what is going to be installed on your computer. Since a lot of people don’t care to read the EULA, and certainly not to the end, they end up installing spyware legally without even knowing it.

Because of this legality issue, major players in the antivirus arena like McAfee and Norton stayed at a distance from the antispyware business for a long time. This issue also puts antispyware software in dodgy territory, because it automatically removes software which was downloaded by agreeing to the EULA, thus helping the user to breach the contract they made when installing the spyware bundled with freeware [18]. This is exactly what happened when New.net sued the antispyware company Lavasoft for branding its software “spyware” and stopping it from being distributed in the way it was supposed to be. Although New.net lost the lawsuit, there is still a lot of doubt about the legality of spyware. In another such incident, which shows how difficult it is to implement these laws, WhenU.com sued the state of Utah and was successful in preventing the implementation of the Spyware Control Act in the state.

8. Antispyware

Antispyware has borrowed a lot from its older cousin, antivirus, which existed long before antispyware came into existence. Although antivirus techniques tackle an altogether different problem, separating illegitimate software from legitimate software, they are the most frequently used countermeasures against spyware [4]. As is the case with antivirus software, antispyware software is also always one step behind the latest spyware, waiting for something to happen before taking action [5]. In this section we briefly survey spyware detection techniques and the current state of the art in this field.

8.1 Manual identification

Manual detection is perhaps the oldest malware detection technique known. It involves manually tracking and investigating the system changes made by the malware. This technique is effective in identifying both known and unknown spyware but comes at a high cost, since it is very time consuming and requires a professional to look at the infected system for a substantial period of time [5].

8.2 Signature based identification

This is the most widely used detection method, employed by a large number of antispyware programs. A signature consists of a unique pattern and properties of the malware in question. The antispyware contains a comprehensive database of signatures of all spyware found to date. It checks every suspicious piece of software against this database to see if it is spyware [6]. Thus an important thing to keep in mind from a user’s point of view is to keep the antispyware database updated. The flip side of this technique is that it cannot tackle the latest spyware threat until that threat’s signature has been added to the database.

8.3 Behavior based identification

To evade signature based identification, spyware authors started developing spyware which continuously morphs itself and thus has no particular signature. Detecting such polymorphic spyware is impossible using signature based identification, so the antispyware people had to come up with a different technique. Since the spyware, even after morphing, still performs a certain set of malicious actions, the focus turned to identifying behavior rather than signatures. Behavior based identification consists of matching the activities of a piece of software against a set of malicious actions. If the software performs a number of malicious actions which exceeds a permissible limit, it is identified as spyware.
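The contrast between sections 8.2 and 8.3, as an added illustration that is not part of the original report: a signature lookup catches a known binary but misses a morphed copy whose bytes differ, while a behavior score over the program's run-time actions catches both. The sample bytes, action names, weights and threshold are all constructed for this example (the report speaks of a plain count of malicious actions; weights are a small generalization of that).

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: a known spyware binary and a "morphed" copy of it.
# The bytes are made up for this illustration and stand in for file contents.
KNOWN_SPYWARE = b"ELFBOWL-v1 display_ads; send /profile to tracker.example"
MORPHED_SPYWARE = KNOWN_SPYWARE + b"\x90\x90 padding-to-change-hash"  # same actions, new bytes

# 8.2: the signature database is a set of hashes of spyware seen so far.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SPYWARE).hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Signature-based identification: exact hash lookup in the database."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB

# 8.3: behavior-based identification works on what the program does at run time.
# Weights are constructed for this example; a real product tunes them empirically.
MALICIOUS_ACTIONS = {
    "install_keyboard_hook": 5,    # key logger behaviour (section 3.3)
    "change_browser_homepage": 3,  # browser hijacker behaviour (section 3.2)
    "write_autorun_key": 2,        # persist across reboots, runs at startup
    "spawn_popup_ad": 1,           # adware behaviour, weak evidence on its own
    "send_data_to_ad_server": 3,   # phoning home with collected information
}
THRESHOLD = 6  # the "permissible limit" of section 8.3; constructed value

@dataclass
class Verdict:
    score: int
    matched: list = field(default_factory=list)
    is_spyware: bool = False

def behavior_score(observed_actions: list) -> Verdict:
    """Sum the weights of observed malicious actions; flag when the total reaches THRESHOLD."""
    v = Verdict(score=0)
    for action in observed_actions:
        if action in MALICIOUS_ACTIONS:
            v.score += MALICIOUS_ACTIONS[action]
            v.matched.append(action)
    v.is_spyware = v.score >= THRESHOLD
    return v

# Constructed run-time traces: the morphed sample behaves exactly like the original.
SPYWARE_TRACE = ["write_autorun_key", "spawn_popup_ad", "spawn_popup_ad",
                 "send_data_to_ad_server"]                  # score 7: flagged
BENIGN_TRACE = ["write_autorun_key", "open_file", "spawn_popup_ad"]  # score 3: an installer

if __name__ == "__main__":
    print("original, by signature:", signature_match(KNOWN_SPYWARE))    # True
    print("morphed,  by signature:", signature_match(MORPHED_SPYWARE))  # False: hash changed
    print("morphed,  by behavior: ", behavior_score(SPYWARE_TRACE))     # is_spyware=True
    print("benign,   by behavior: ", behavior_score(BENIGN_TRACE))      # is_spyware=False
```

The benign trace shows the trade-off the report raises in section 9: an installer also writes an autorun key, so the threshold decides how many false positives the behavior approach produces.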

8.4 Reverse firewalls

Packet filtering techniques such as reverse firewalls are among the recent methods being used to tackle spyware. Reverse firewalls prevent the host from connecting to unsafe locations [17]. This method works in two ways: first, it stops spyware from sending data back to its originator, and second, it can identify a spyware program if the program repeatedly tries to send data to an unsafe location. The open problem here is how to identify safe and unsafe locations by inspecting the packets.
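The two functions of a reverse firewall described above, blocking outbound connections to unsafe locations and flagging a process that keeps trying, as an added example not taken from the report or from any product it cites. The egress log format, the process names, the blocklist (a domain list plus the TEST-NET-3 range) and the repeat limit are all constructed; how a real product decides which locations are unsafe is exactly the question the section leaves open.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed policy: a small blocklist of "unsafe locations". Real reverse
# firewalls rely on vendor reputation and URL lists to build this.
UNSAFE_DOMAINS = {"tracker.example", "ads.popupnet.example"}
UNSAFE_NETS = [ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
REPEAT_LIMIT = 3  # blocked attempts before a process is reported as suspected spyware

# Constructed egress log in a made-up format: one outbound connection attempt per line.
EGRESS_LOG = """\
2009-11-03T10:15:01 pid=1432 proc=elfbowl.exe dst=tracker.example:80 bytes=512
2009-11-03T10:15:02 pid=1432 proc=elfbowl.exe dst=203.0.113.7:443 bytes=2048
2009-11-03T10:15:05 pid=880 proc=outlook.exe dst=mail.example:993 bytes=120
2009-11-03T10:15:09 pid=1432 proc=elfbowl.exe dst=tracker.example:80 bytes=512
2009-11-03T10:15:10 pid=2201 proc=updater.exe dst=update.vendor.example:443 bytes=64
2009-11-03T10:15:14 pid=1432 proc=elfbowl.exe dst=ads.popupnet.example:80 bytes=900
2009-11-03T10:15:20 pid=2201 proc=updater.exe dst=203.0.113.9:80 bytes=64
"""
LINE_RE = re.compile(r"pid=(?P<pid>\d+) proc=(?P<proc>\S+) dst=(?P<host>[^:]+):(?P<port>\d+)")

def is_unsafe(host: str) -> bool:
    """A destination is unsafe if it is a listed domain or an IP in a listed network."""
    if host in UNSAFE_DOMAINS:
        return True
    try:
        return any(ip_address(host) in net for net in UNSAFE_NETS)
    except ValueError:  # a hostname, not an IP literal: only the domain list applies
        return False

def filter_egress(log: str):
    """Return (decisions, flagged): an allow/block verdict per log line, and the
    set of processes that hit unsafe locations REPEAT_LIMIT or more times."""
    decisions = []
    blocked_per_proc = Counter()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line; a real product would log it
        proc, host = m["proc"], m["host"]
        if is_unsafe(host):
            decisions.append((proc, host, "block"))  # first function: stop the data leaving
            blocked_per_proc[proc] += 1
        else:
            decisions.append((proc, host, "allow"))
    # second function: repeated attempts identify the offending program
    flagged = {p for p, n in blocked_per_proc.items() if n >= REPEAT_LIMIT}
    return decisions, flagged

if __name__ == "__main__":
    decisions, flagged = filter_egress(EGRESS_LOG)
    for d in decisions:
        print(d)
    print("suspected spyware processes:", flagged)  # {'elfbowl.exe'}
```

updater.exe is blocked once but not flagged, which is the point of the repeat limit: a single contact with an unsafe address is not enough to call a program spyware.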

8.5 EULA analyzers

Another recent technique which has come up is analyzing the EULA of the software you are about to install. Free software such as EULAlyzer [19] exists on the internet which will analyze the EULA for you. Most spyware vendors will have a description of the spyware software in the EULA, but often the EULAs are written in “legalese” and are so long, tedious and convoluted that they are hard for an ordinary computer user to understand. The EULA analyzer technique mines the EULAs of legitimate and suspicious software alike to find traces of spyware and alerts the user even before the installation begins [4].

8.6 Real time protection

Antispyware programs which provide real time protection are memory-resident programs. They integrate themselves with the operating system so that they can monitor each executable file before it is executed. If a file is found to be suspicious, its execution is prevented. Real time protection is thus a proactive approach compared to the other, traditionally reactive approaches.

8.7 Antispyware suites

A new paradigm in the antispyware business is the antispyware suite. Spyware is constantly evolving and becoming more and more difficult to detect or manage. Thus there is a need to integrate a number of different detection and protection techniques which together are able to prevent, detect and remove spyware at various levels. One such suite is the eSoft complete antispyware solution [6]. The suite provides two levels of protection. The first level is the network level, and eSoft’s network level antispyware is called Gateway antispyware. At this level the suite deals with spyware using methods like intrusion prevention, signature matching and URL filtering. This prevents a lot of spyware from entering the protected network. For the spyware which manages to bypass this level of security, there is a second level of protection called the Desktop antispyware. The desktop antispyware provides real time protection by keeping a watch on the memory and the registry; it also includes a centralized management and reporting part which is used to manage detected threats and provide updated security at all times. An explanatory figure is presented below.

Figure 4. eSoft's antispyware suite for enterprise [6]

9. New trends and the future of spyware

Spyware is constantly growing and evolving. From simple software for promoting ads, it has now grown into a serious security threat with financial motives behind it. A study by the Tel Aviv based Aladdin Knowledge Systems in 2005 found that as much as 70 percent of new virus and worm code also contained spyware components [3]. With time we will see more and more such integration of spyware with viruses and worms. Spybot W32 is a prototype of this kind of future virus/worm/spyware. The coming together of spyware and virus authors is perhaps the most troublesome aspect of the future for the antispyware industry. Recently a virus was in circulation which could disable ZoneAlarm so that spyware could carry on its work without being interrupted. New age spyware like the CoolWebSearch browser hijacker employs an update feature in much the same way as antispyware does, updating itself and mutating over time to evade detection. Mutating spyware is going to be the spyware of the future. Although behavior based detection techniques are able to catch it, these techniques are not perfect and generate too many false positives and negatives. Eventually they require human intervention to make a decision. If the computer user is not aware and knowledgeable, this spyware can work unnoticed. We have seen how prolific spyware’s growth has been in recent years. This becomes even more astonishing if we consider that there is no spyware toolkit like there is for viruses. A spyware author therefore has to be a technically capable person. What will happen if such a toolkit is developed, and there is no reason to believe it won’t be? Any person with malicious intent and little or no technical expertise will be able to write spyware. The spyware bomb is just waiting to explode, and if we are not ready and proactive we will be the ones at a loss.

10. Conclusion

We started this report by looking at the history and origin of spyware. Then we talked about the specifics of present day spyware: its types, its mode of operation and how it affects a user. In the next couple of sections we talked about how spyware is used to make money and the legal issues related to spyware. Towards the end we talked about some present day antispyware techniques before discussing the future of spyware.

As we saw from the statistics at the beginning of this report, spyware is growing tremendously and it is affecting enterprises and personal users alike. One alarming aspect of this is that the worst is yet to come. Continuing the discussion at the end of the previous section, we are about to see a spyware boom, and the need to be protected against it is now becoming a necessity. To mitigate the threat that spyware poses, it needs to be attacked from as many fronts as possible at the same time. In the current scenario we have three different modes of attack and prevention: awareness, legal protection and antispyware protection. Let’s go over these three one by one.
