How Spyware works?

Upload: blaze-gallagher

Post on 13-Jan-2016



Introduction

• Spyware is an umbrella name for many types of malicious code

• Spies on one's behaviour

• May watch the web pages one visits and report that information

• May allow people to record the information

• Installs without the user's knowledge or by tricking the user


Introduction

• A typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs has unrestricted access to the system. As with other operating systems, Windows users are able to follow the principle of least privilege and use non-administrator accounts.

• Alternatively, they can also reduce the privileges of specific vulnerable Internet-facing processes such as Internet Explorer.

• Since Windows Vista, by default, a computer administrator runs everything under limited user privileges. When a program requires administrative privileges, a User Account Control pop-up will prompt the user to allow or deny the action. This improves on the design used by previous versions of Windows.


How Spyware invades the PC?

• Spyware invades PCs through:
– Installing a free program that installs spyware on the PC
– Clicking on a pop-up ad that downloads and installs spyware on the PC

• Often runs even when the program that it rides upon is not running
– Runs at start-up
– Watches web activities and tracks every web site
– Reports the web activities done by us to the spyware website
– The spyware website creates a profile of every individual
– The website delivers targeted ads to the individual


Examples

• CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.

• FinFisher, sometimes called FinSpy, is a high-end surveillance suite sold to law enforcement and intelligence agencies. Support services such as training and technology updates are part of the package.

• Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.
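The hosts-file tampering described for CoolWebSearch above is straightforward to check for. The Python script below is an added example, not part of the slides: it parses a hosts file and flags remapped search domains, blackholed names and names redirected to remote addresses. The sample hosts content, the watch-list of domains and the RFC 1918 intranet allowance are all constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file (not from the slides): normal defaults plus one
# intranet entry, then three lines mimicking a search hijacker that points
# search sites at its own server and blackholes a security vendor's updates.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.corp.example     # legitimate internal mapping
203.0.113.45    www.google.com
203.0.113.45    search.yahoo.com
0.0.0.0         updates.antispyware-vendor.example
"""

# Assumed watch-list: names a legitimate hosts file should never remap.
WATCHED_DOMAINS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for each mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter checker would report it
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def find_hijacks(text):
    """Return (line_number, hostname, ip, reason) for every suspicious mapping."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # the default localhost entries
        if name in WATCHED_DOMAINS:
            findings.append((lineno, name, str(ip), "watched domain remapped"))
        elif ip.is_loopback or ip.is_unspecified:
            # Ad-blockers blackhole names too; spyware does it to silence vendors.
            findings.append((lineno, name, str(ip), "name blackholed"))
        elif ip.version == 4 and any(ip in net for net in RFC1918):
            continue  # intranet mapping, assumed legitimate
        else:
            findings.append((lineno, name, str(ip), "name redirected to remote address"))
    return findings
```

On a real machine, read the file at C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and pass its text to find_hijacks; the intranet allowance should be replaced by your own allow-list.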


Examples

• HuntBar, WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs—an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

• Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay.[29][30] The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."


How spyware morphs itself to escape detection

• Polymorphic spyware
– Changes the filename and location, and also the size, of its files
– Examples: CoolWebSearch and About:Blank home page hijacking

• Installs itself at multiple locations on the hard disk

• If anti-spyware detects one such copy, the other copies are still alive in the machine

• Spyware can inject itself into some other application

• Silent spyware vs. destructive program

• Hides itself in the Windows registry files


How spyware invades privacy

• By sending information to another server

• A key logger keeps track of the keys pressed

• By installing other malicious software on the system


How home page and search page hijackers work?

• A home page hijacker changes the browser's start page
– The new home page includes many pop-up ads

• A search page hijacker changes the normal search engine to a new one and floods the system with pop-ups

• Even if the browser settings are changed back, these spywares run at start-up and change the default settings to the new ones again

• They disguise themselves as add-ins to the browser (Browser Helper Objects, BHOs)


How dialers work?

• Installed in the same way as spyware

• Checks for the presence of a modem

• Surreptitiously dials a 900 phone number (charging $4 per minute or more)

• Keeps the call connected for 10 minutes or more

• The victim could not prove the call

• Outdated these days because of DSL, Ethernet and data cards


How keyloggers work?

• Often installed in two parts
– An .exe file, which automatically launches at start-up
– A .dll file, which the .exe file launches and which does most of the damage

• Records all keystrokes

• Keystrokes recorded may be sent to the attacker directly or saved in a file and sent at regular intervals

• The attacker examines the keystrokes and gets the necessary information


How rootkits work?

• Used by an intruder to gain access to someone's PC without being detected

• Made of a series of files and tools

• Can be installed in the same way as shareware

• Replaces important components of the OS with new software of the same size, creation date, etc.

• Installs a backdoor daemon, an automatically running program

• Many also install keyloggers or sniffers

• May also send the log of the system


Following the spyware money trail

• Someone who wants to make money from spyware signs up for an affiliate program with a website or merchant

• The person gets a code that identifies him, so he can be paid for every link or click to the merchant

• Some merchants monitor those who sign up for affiliate programs, but many do not.

• Those wanting to make money from spyware are often not spyware authors. They make a deal with a spyware author in which the spyware will include links carrying the person's affiliate program ID.


How antispyware works?

• Searches for the signature of spyware

• Compares signatures with a signature base

• Also checks for suspicious behaviour

• Then the antispyware deletes the spyware
– It may not be deleted completely
– Hence specific software is required to delete all copies of the spyware

• Includes real-time protection
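To connect this slide with the earlier one on polymorphic spyware: the Python script below is an added example, not from the slides, showing why a content-hash signature still catches a renamed or relocated copy of a known payload but misses a padded variant, and how a behavioural check on autostart entries fills that gap. The payload bytes, file paths, signature base and registry entries are all constructed.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed payload bytes and signature base (nothing here is a real sample).
HIJACKER = b"MZ\x90\x00 constructed hijacker payload v1"
SIGNATURE_BASE = {sha256(HIJACKER): "Hijacker.A"}

# Constructed "disk": the same payload installed under three names/locations,
# the last copy padded so its size and hash change (a polymorphic variant).
FILES = {
    "C:/Windows/System32/kernel32.dll": b"MZ\x90\x00 constructed legitimate file",
    "C:/Program Files/Tools/helper.exe": HIJACKER,
    "C:/Users/u/AppData/Local/Temp/~df3a.tmp": HIJACKER,
    "C:/Users/u/AppData/Roaming/svc/update.exe": HIJACKER + b"\x00" * 37,
}

# Constructed autostart registrations (Run keys) as read from the registry.
AUTOSTART = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Helper": "C:/Program Files/Tools/helper.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update": "C:/Users/u/AppData/Roaming/svc/update.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sound": "C:/Windows/System32/kernel32.dll",
}
USER_WRITABLE = ("/AppData/", "/Temp/")


def scan(files, autostart):
    """Return {path: reason}: signature hits first, then behavioural hits."""
    findings = {}
    # Pass 1: content hashes catch renamed or relocated copies of a known payload.
    for path, data in files.items():
        name = SIGNATURE_BASE.get(sha256(data))
        if name:
            findings[path] = f"signature match: {name}"
    # Pass 2: behaviour check for what signatures miss, e.g. a padded variant
    # that still registers itself to run at start-up from a user-writable folder.
    for key, path in autostart.items():
        if path not in findings and any(p in path for p in USER_WRITABLE):
            findings[path] = f"autostart from user-writable location via {key}"
    return findings
```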


Thank you

Sharada Valiveti