Contents:
How do we get Spyware
How Spyware operates
Spyware effects
Man In Middle attack
Counter-Measures
Anti-Malware Techniques
Bibliography

Introduction:
From the early days of cracking passwords and stealing information from personal computers to deadly Internet-based attacks that can shake an entire nation's security, cyber crime has evolved from the entertainment of script kiddies to the organized crime and terrorist activities of a cyber mafia.

Virus attacks, hacking, browser hijacks, spam, phishing and so on are the various manifestations of malicious activity that have evolved on the Internet over the last couple of decades. Malware is one such tool, and it has emerged as a widely preferred means of carrying out criminal activity on the Internet. Malware is a new genre of hostile software, written in a high-level language, that normally targets technical vulnerabilities in a system. Spyware, adware, Trojans, viruses and worms are very common forms of malware on the Internet. It propagates through e-mail, instant messaging (IM) and other web services.

Malware can be categorized into criminal and business malware. Criminal malware is used for cyber terrorism and vandalism, while business malware is used for business or monetary gain. Spyware is a software program that collects personal information about users without their formal consent. Unlike viruses and worms, spyware does not usually self-replicate, intrude into a system directly or spread from one system to another; instead, it gets into a system by deceiving the user or by exploiting software vulnerabilities. Once it is in the system, its effects can range from disturbing to devastating. It propagates using personalization cookies, tracking cookies, Trojans, drive-by downloads, hacking and piggybacking.

Malware:
Along with viruses, malware is the biggest threat today to computer users. It can hijack the browser, redirect search results, serve up pop-ups and much more. Malware stands for "malicious software" and is used to identify all unwanted and potentially unwanted software. We can get infected by malware in several ways. It often comes bundled with other programs (examples include Kazaa and iMesh); these are usually pop-up ad components that send revenue from the ads to the program's authors. Others are installed from websites, pretending to be software needed to view the site. Its most destructive feature is that once we are infected, the malware tends to multiply. Earlier, malware was mainly written to destroy computers and their data, but nowadays malware development is a big business. It is mostly used as a tool for extorting money from its victims: in the form of rogue security programs, it convinces uneducated computer users to purchase removal software from the same people who wrote the malware.

The types of malware are:

Adware- A class of software that monitors Internet use for known e-commerce sites. When a user attempts to reach such a site, the adware pops up a suggestion for an alternate site, which may or may not be legitimate.

Porn dialers- Software that was used heavily in the days when the modem was the primary means of connecting to the Internet. It silently disconnected the modem from the user's service provider and redialed a premium-rate telephone number. The resulting charges, usually for calls to far-removed countries, were discovered by the user only on the next telephone bill.

Backdoors- Software tools mostly used to bypass the existing security mechanisms of an operating system or application.

Exploits- A general term for any code specifically designed to take advantage of a known weakness in operating system or application code. When vulnerabilities exist on a system, exploits can be created that grant an attacker administrative privileges, disclose or destroy data, or carry out any other task.

Key loggers- The original spyware. A key logger is malware mostly used to "spy" on the user of a system. One way to do this is to log every keystroke typed on that system and then mine the data for credit card and social security numbers and other sensitive information.

Trojans- Software that illegitimately performs some action different from its stated purpose. It may appear to be a legitimate package that accomplishes a task the user wants, but after installation it can also perform illegitimate tasks such as destroying personal data.

Examples of malware:

GAIN- One of the oldest and best-known examples of malware, created by the Claria company.

webHancer- A spyware application commonly bundled with other programs. Upon installation it starts a program that runs in the background and collects details of the web pages we visit.

ISTBar- A combination of toolbar and hijacker. It installs a toolbar with search functions provided by slotch.com.

Recent attacks:
Katrina-themed malware attack hits the Net- This malicious site, hosted in Poland, harbors a secondary line of attack designed especially to dupe Windows users. It cynically offers a "free scan" for the Zotob worm that in reality infects users. It also exploits well-known IE vulnerabilities to install a variety of Trojans, including Cgab-A and Borobot-Q.

Most recent malware: stealth malware
Stealth malware is a program that deliberately tries to conceal its presence in the system. It may try to hide the changes it introduced, including dropped files, file changes, running processes, registry settings and so on.

Malware development life cycle:
In recent years malware has grown in complexity to rival many decent-sized software projects. This indicates an improvement in development methodology that enables malware producers to improve their output and their capability to achieve maximum gain. The steps generally taken by the creators of malware to ensure its success are:
Get the malware onto the target system.
Ensure the survival of the malware on the target system.
Once established, engage the payload.

There are several ways malware can be installed on the target machine, including malicious websites and vulnerabilities in software installed on the machine. There are also actively spreading worms, which propagate via e-mail, peer-to-peer networks and IM. A growing trend is not to target vulnerabilities in the software but to exploit the users of that software: the malware tricks and entices the user into downloading it.

One of the major requirements of malware is to remain undetected and viable once installed on the target machine. The most common techniques used for this are compression and encryption; two more techniques are now becoming common, namely code obfuscation and executable injectors.

Once established, the main job of the malware is to deliver its payload, which varies from malware to malware.

Spyware:
Spyware is a type of malicious software that collects information from a computing system without the owner's consent. It can capture keystrokes, screenshots, Internet usage habits and other personal information. The data is then delivered to online attackers, who sell it to others or use it themselves for marketing or identity theft.

How do we get spyware:
The main culprits in spyware transmission are:

Unprotected web browsing- Many advertising companies send tracking files, called "cookies", along with their banner ads, or provide "special offers" that, when clicked, install extra software without our consent.

Peer-to-peer applications- Kazaa Lite is a notorious carrier of spyware installation packages. Many MP3 sharing sites also cause spyware problems.

Opportunistic "freeware" or "shareware" programs- WeatherBug is one such program; it collects more information than it is authorized to.

Web browsers using cookies- Any web browser can permit spyware to be installed when the user clicks a page that installs it.

Some legitimate commercial software- Windows Media Player and America Online are considered sources of spyware. Each installation of Windows Media Player includes a uniquely identifying number that is provided to Microsoft, and America Online installs additional software packages that report data usage to advertising companies.

How Spyware operates:
When keywords of interest, such as the names of banks or online payment systems, are observed, the spyware starts its data collection process. The most common area of interest for spyware is data sent using HTTPS (HyperText Transfer Protocol Secure). HTTPS is used mainly for very sensitive data and relies on Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Encryption with SSL and TLS makes it difficult to intercept data in transit, but when spyware is running on the end user's computer the data is collected before it is encrypted.

Man-in-the-Middle attack:
A man-in-the-middle attack, or bucket brigade attack, can be an active as well as a passive form of eavesdropping. It is a type of attack in which the cyber criminal funnels the communication between two users, and neither user is aware that the communication is being illegally monitored. The man in the middle employs spyware that, when loaded on the consumer's computer, redirects the web browser to a fake site.
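Under "How do we get spyware" the text names tracking cookies that advertising companies send along with their banner ads. As an added example (not code from the original text), the following Python script shows how a defender, or a browser extension, could classify the Set-Cookie headers received while loading one page: a cookie scoped to a domain other than the page's own, with a lifetime long enough to follow the user across sessions, is flagged as a tracking cookie. The page host, the ad and widget hosts, the 30-day threshold and the sample headers are all constructed for the example and are not real sites or trackers.

```python
"""Classify Set-Cookie headers seen while loading a page as first-party,
third-party, or long-lived third-party tracking cookies.

Added example, not from the original text. All host names and headers below
are constructed placeholders, not real sites or trackers.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# A third-party cookie that survives at least this long is treated as a
# cross-session tracking identifier. The threshold is an assumption.
TRACKING_LIFETIME_DAYS = 30


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Sufficient for the constructed sample;
    real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_lifetime_days(morsel, now):
    """Lifetime in days from Max-Age (takes precedence) or Expires; 0 for a session cookie."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return max((expires - now).total_seconds() / 86400, 0.0)
    return 0.0


def classify_set_cookie(page_host, response_host, header_value, now):
    """Return a list of (cookie_name, verdict, lifetime_days) for one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(header_value)
    results = []
    for name, morsel in jar.items():
        # Without a Domain attribute the cookie is scoped to the responding host.
        scope = morsel["domain"].lstrip(".") or response_host
        third_party = registrable_domain(scope) != registrable_domain(page_host)
        days = cookie_lifetime_days(morsel, now)
        if third_party and days >= TRACKING_LIFETIME_DAYS:
            verdict = "tracking"
        elif third_party:
            verdict = "third-party"
        else:
            verdict = "first-party"
        results.append((name, verdict, round(days)))
    return results


def demo():
    """Constructed page load: the page itself plus two embedded ad/widget hosts."""
    now = datetime(2021, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
    page_host = "news.example.com"
    responses = [
        ("news.example.com", "session=abc123; Path=/; HttpOnly"),
        ("cdn.adnet.example", "uid=x9y8z7; Domain=.adnet.example; Path=/; Max-Age=31536000"),
        ("widget.partner.example", "pref=1; Path=/"),
        ("static.adnet.example",
         "tid=42; Domain=.adnet.example; Path=/; Expires=Sat, 01 Jan 2022 00:00:00 GMT"),
    ]
    verdicts = {}
    for host, header in responses:
        for name, verdict, days in classify_set_cookie(page_host, host, header, now):
            verdicts[name] = (verdict, days)
    return verdicts


if __name__ == "__main__":
    for name, (verdict, days) in demo().items():
        print(f"{name}: {verdict} (lifetime {days} days)")
```

The verdict depends on two things the page's own cookies rarely combine: a scope outside the first-party domain and a lifetime measured in months rather than a session. A session cookie from a third-party widget is still third-party, but it cannot follow the user across visits, so it is reported separately.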
Countermeasures:
Users and organizations can formulate their anti-malware strategy depending upon the type and complexity of the malware attacks they are exposed to and the level of risk associated with such attacks. Different organizations use different tools and approaches to counter malware attacks; these are usually chosen on the basis of functionality, suitability and cost. The two basic approaches are the reactive approach and the proactive approach.

Reactive approach- This is an incident response process. Once a problem is encountered, it is investigated, analyzed, a remedy is found, and the resolution is documented for the future, mostly in that order. Existing anti-malware tools identify malware by scanning the computer's executable files and checking whether any known malware has sneaked into the system; they also detect programs that are making changes to the operating system registry. Here there are only three alternatives for dealing with malware:
Run a malware removal tool to detect and repair the infection.
If the anti-malware tool fails, have the administrator remove the malware manually, or format the system.
Use an anti-malware tool to prevent malware from entering the system.

Proactive approach- In this approach the malware can be deleted even before it is executed. This can be done in the following ways:
Apply the latest firmware to hardware systems and routers as recommended by vendors.
Apply the latest security patches to server applications and other applications.
Ensure that recent antivirus software is running.
Maintain a database that keeps track of which patches have been applied.
Enable firewalls.
Enforce strong password policies.
Use least-privileged user accounts (LUA); a compromised low-privileged process does less damage than a high-privileged one.

Anti-malware techniques:
When a worm or virus starts spreading through computer networks, one must be able to react quickly to minimize the outbreak and the damage it can cause. Traditionally, organizations use firewalls and antivirus scanning tools to prevent malware from entering the system. These tools act as a protective wall between a node and its network and the Internet; their main purpose is to keep malicious code out of the system. However, firewalls, antivirus scanners and traffic monitors are not themselves free of technical vulnerabilities, and these can still be exploited by new-generation malware.

Advanced anti-malware techniques:

Integrating filters 'with signatures'- Having layers of application filters on the network increases the effectiveness of the security tools. Advanced antivirus tools, firewalls, and web and e-mail filters can be combined, with the latest updates and patches, to prevent malware from entering the system. This approach reduces the probability of malware intrusion to the minimum possible, though not to zero. For example, malware that attacks the web browser normally bypasses the firewall but is identified and deleted by the web filter. On the other hand, new malware whose signature is not yet present in any of the filters can still sneak into the network unnoticed.

'Multi-layered defense' without signatures- This is very similar to the integrating-filters approach; the only differentiating factor is that it can detect malware even without a definition or signature for it. The integrating-filters-with-signatures technique has a weakness: it is open to attack by malware that has not yet been identified or reported. To overcome that weakness, a 'malware without signature' approach must be adopted. It includes the following technologies.
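The two approaches above, signature-based filtering and detection without signatures, can be shown side by side in a small file scanner. The following Python script is an added example, not code from the original text or from any product it names. It first compares each file's SHA-256 hash against a constructed "known bad" set (the signature layer, the same idea as the reactive scan of executable files described under Countermeasures), and then applies a heuristic that needs no signature: it flags files whose contents look compressed or encrypted, since the text names compression and encryption as the most common techniques malware uses to remain undetected. The entropy threshold, window size, file names and sample bytes are all assumptions made for the example; no real malware is involved.

```python
"""Layered file scan: known-bad hash signatures plus a signature-less heuristic.

Added example, not from the original text. The 'known bad' hash and all sample
files are constructed here from harmless bytes; no real malware is involved.
"""
import hashlib
import math
import os
import tempfile

# Entropy above this (bits per byte, maximum 8.0) in any window marks a file as
# possibly compressed or encrypted. The threshold and window are assumptions.
ENTROPY_THRESHOLD = 7.2
WINDOW = 4096


def sha256_file(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def looks_packed(path, threshold=ENTROPY_THRESHOLD, window=WINDOW):
    """Signature-less check: does any window of the file look compressed or encrypted?"""
    with open(path, "rb") as fh:
        data = fh.read()
    windows = [data[i:i + window] for i in range(0, len(data), window)] or [data]
    return any(shannon_entropy(w) >= threshold for w in windows)


def scan_directory(root, known_bad_hashes):
    """Return {filename: verdict}. The signature match is checked first (high
    confidence); the heuristic comes second (lower confidence, worth a closer look)."""
    verdicts = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        if sha256_file(path) in known_bad_hashes:
            verdicts[name] = "signature-match"
        elif looks_packed(path):
            verdicts[name] = "suspicious-high-entropy"
        else:
            verdicts[name] = "clean"
    return verdicts


def demo():
    """Build three constructed files in a temporary directory and scan them."""
    known_sample = b"CONSTRUCTED KNOWN-BAD SAMPLE (harmless placeholder bytes)"
    known_bad = {hashlib.sha256(known_sample).hexdigest()}  # constructed signature database
    with tempfile.TemporaryDirectory() as root:
        # Ordinary text: low entropy and no signature, so it should come back clean.
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"The quick brown fox jumps over the lazy dog. " * 200)
        # Every byte value equally often: maximal entropy, as a packed payload would look.
        with open(os.path.join(root, "dropper.bin"), "wb") as fh:
            fh.write(bytes(range(256)) * 32)
        # Exactly the bytes whose hash is in the constructed signature database.
        with open(os.path.join(root, "known.exe"), "wb") as fh:
            fh.write(known_sample)
        return scan_directory(root, known_bad)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The heuristic layer has the false-positive cost the text implies for signature-less detection: legitimate archives, images and installers are also compressed and score close to 8 bits per byte. That is why its verdict is "suspicious" rather than "malware", and why it belongs in a multi-layered defense next to signature filters rather than in place of them; the single-byte change that defeats a hash signature does nothing to the entropy profile, and the unpacked legitimate-looking file that passes the entropy check may still match a signature.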