wp_spyware_morphing_campaign

Shared by: Angela Goodwin
Posted: 1/21/2009
Spyware: A Morphing Campaign
By Anna Stepanov
McAfee, www.mcafee.com

Table of Contents
A Touch of History
Money Talks
Where Are We Today?
Who's Winning?
Spyware's Social Aspects
Legal Issues
Conclusion
About the Author

"As a rule, men worry more about what they cannot see than about what they can." —Julius Caesar

In this paper, we will explore how spyware authors have changed their plan of attack. The direction of spyware today ought to make us wonder if we really should be more concerned with what we cannot see.

In the Gallic Wars, Julius Caesar systematically employed inside knowledge of the characteristics and weaknesses of the Gallic tribes to conquer each one of them. He, as every great military leader does, strove to understand his enemies to defeat them. Today, it seems that malware writers are using the same strategy against us. In modern computing, when everything from bank accounts to election ballots to poker games can be made virtual, we run an increasing risk of becoming victims to what we cannot see. Across the globe, our day-to-day existence relies on unseen servers, hidden processes, and the blind transfer of information. We have become so accustomed to things occurring automatically that we forget to question what is happening on our systems. This leads to a false sense of security, or at least a lack of suspicion that the security could be compromised. Enter spyware, unannounced.

In the nearly eight years since the first spyware program appeared, the landscape has changed significantly. Spyware has become a business model, and a source of significant revenue for cybercriminals. At the same time, because of the proliferation of more sophisticated anti-spyware tools, the mechanisms for delivering and executing spyware and other potentially unwanted programs have slowly progressed from the clearly obtrusive pop-up–generating adware to ultra-stealthy espionage tools and Trojan horses.[1] In addition, the growing prevalence of rootkits signals a fundamental change in the battle for system security.[2]

A Touch of History

Spyware and other potentially unwanted programs (PUPs) are a relatively new, albeit quick-to-flourish, concept in the history of the Internet. Adware and spyware have been a natural, and very quickly developing, extension of Internet advertising, as well as an exploitation of various holes in browser and overall system security.

In the early 1990s, a number of legitimate companies began to advertise online. Pop-up ads displaying pitches for companies such as Sprint, Volvo, MCI, and other top companies were commonplace. Shortly thereafter, the concept of advertising on the web was widely accepted, with the nuisance of spam following quickly on its heels. Soon affiliate marketing—a "method of promoting web businesses in which an affiliate is rewarded for every visitor, subscriber, customer, and/or sale provided through his/her efforts"[3]—came into the picture. With the development of tracking methodology, the prospect of making revenue based on people's surfing habits moved from a novel concept to a smart marketing practice. As market forces pushed the bundling of ads within products, the mechanisms for advertising became more and more intrusive. Delivering advertising in an unobtrusive, transparent form is what led to the eventual development of spyware.[4]

Spyware can also be defined as "technology that gathers information about a person and/or their computer, and transmits it to someone else: advertisers, law enforcement officials, hackers, etc. It sends information on you and/or your machine back to its home servers, including IP addresses, email addresses, system configurations, and, in some instances, credit card and personal information."[5] It is this drive for generating money—either by using the information gleaned from spyware or by delivering advertising from adware—that has served as a huge incentive to the development of spyware and other PUPs.

Money Talks

What has fueled the significant rise in spyware, adware, and other PUPs in the last several years? The answer is simple: profit. The adware and spyware efforts have a very tangible driving force—unlike the often less tangible effects of other malicious security threats. Money is the reason that significant time and resources are invested into the varying techniques and delivery methods for spyware, adware, and other PUPs. According to FTC Commissioner Jonathan Leibowitz, the "dirty little secret" about harmful adware and PUPs is that the problem is driven by large, "reputable" companies that are paying for their ads to be delivered by these "harmful adware" programs.[6]

The adware model works like this. Advertisers design an ad for whatever product or service they are selling. Once the ad is ready, the adware company takes over and creates the software that delivers the ads. The adware company counts per-install commissions as their slice of the pie. Next a distributor may come into the picture, bundling the software—most often for free—as a means of distributing the ad delivery software to consumers. At this point the consumer, looking for something free, installs the bundle that sets off the chain reaction of unwanted and unknown behavior. Though it is often difficult to trace exactly who is sponsoring whom, the final outcome is the same: Advertisers pay adware companies, and distributors put adware on people's machines.

The tracking behavior of adware, if it were known to the user, would be unwanted, and it is the job of security companies to ensure that users are notified of this behavior. We do not consider adware's behavior malicious in the sense that its purpose is to destroy or otherwise damage the machine. However, the installation of the ad software itself can result in possible changes to the browser, and the actual delivery of ads can and usually does impact the usability of the system. Nonetheless, the most damaging aspect of adware is the transmission of information about the web surfing and searching of users without their knowledge. This data will eventually benefit one or more parties financially.

Figure 1: The adware business model.[7]

This is adware simply stated.[8] Unfortunately, there is another form of PUP that's even worse—spyware. According to a survey by the Cyber Security Industry Alliance, 67 percent of participants feel spyware is a serious problem.[9] In the strict sense, spyware is software that monitors and tracks user behavior while often gathering personally identifiable information on the user.[10] Tracking can in many ways be the more insidious threat.

Spyware is a class of stealthy and hard-to-find programs that are used for a wide range of both "benign" (as their sponsors would claim) and malicious purposes. These are the programs that are used to record keystrokes, log chat sessions, and even log the contents of emails as they are written. Spyware, in this form, has been defined by the Anti-Spyware Coalition (ASC) as "a term for tracking software deployed without adequate notice, consent, or control for the user."[11] Surveillance spyware such as eBlaster monitors essentially everything on a system, from programs being run, to file-sharing activity, to when the user logs on and off the system. Although most anti-spyware programs detect this nasty piece of software, eBlaster makes a real effort to obfuscate its activities, even as it sends log files from the victim's machine to the host's. This type of spyware is normally installed on the victims' machines by simply clicking an ad or a link in a spam email, or even by using a legitimate software program. This kind of spyware can never be detected or removed by the user without a reliable anti-spyware product.

Adware companies and spyware authors use distinct mechanisms. Either they try to beat the anti-spyware products by appearing benign, or they try to beat the security applications technologically by using stealthier techniques, such as rootkits. We will delve more into the social effects of the various types of spyware later in this paper. We will also examine why, even with the apparent decline of spyware as a whole, the problem continues to affect the entire computing and online experience.

[Figure 2: bar chart of PUPs (cumulative) by year, 2000–2007, with Q3–Q4 2007 as an estimate; y-axis 0 to 30,000.]
Figure 2: The prevalence of potentially unwanted programs has grown rapidly in five years, according to statistics issued by McAfee Avert Labs.

Adware vendors in particular are taking the apparent high road in cleaning up their acts, though to just below acceptable levels. This half-measure makes it more difficult for security companies to pin truly "unwanted" behavior on them, at least from the perspective of the consumer. For the IT administrator, however, most forms of this "grayware" will always remain unwanted on the corporate network, and will continue to be detected as such. However, the line continues to blur regarding proper disclosure and what the user is aware of having opted into. In general, security firms argue that the key factor is the actual behavior of the program, rather than what it does or does not report about its behavior. Reading a five-page end-user license agreement prior to installation is neither sufficient nor relevant disclosure to the user, so we give precedence to real behavior when classifying a particular program.

Spyware and adware can also cause significant damage to systems plagued with these types of programs. A key aspect of remediation is how effectively an anti-spyware product cleans a system of the files, registry keys, and processes that compromise the health of a machine. Removing PUP files can often be extremely complex—particularly in the case of rootkits—and sometimes risky as well. Spyware and adware are increasingly designed to hide on users' systems and hook onto key system resources.

Where Are We Today?

Are spyware and other PUPs still increasing? Although PUP detections seem to have consistently increased year over year, the types of unique detections have decreased. This could be for one of two reasons: Either the number of programs really is declining, or the way security vendors are classifying them has changed slightly. For instance, because of the Trojan-like characteristics of many of the newest—and even some of the old, but updated—PUPs and spyware, we now classify them as Trojans rather than as spyware. Either way, the samples we see in the field behave as Trojans do, rather than simply as PUPs. Thus, they fall into the category of malicious programs. Plus, spyware authors are morphing their delivery and installation mechanisms to be more sophisticated and obfuscated, as in the case of rootkits, which are increasingly becoming a menace. Rootkits pose a significant security threat because of the difficulty of finding and removing them.[12]

Who's Winning?

What are security vendors doing to combat the hidden enemy? The drive behind the adware and spyware authors is too great for them to give up, so they have engaged in a fierce campaign to find ways around detection, in a fashion similar to the battle against anti-spam efforts. As we mentioned before, one of the ways PUP writers try to stay ahead of detection is to make detection criteria less and less applicable. By designing technologies that are not accounted for, or by smudging the line between a bad practice and something that could be considered acceptable in certain contexts, PUP authors try to work around anti-spyware safeguards. Security companies have worked hard to tighten and solidify their definitions, criteria, and analysis. What used to be a scattered collection of unique definitions has been molded into a compendium of industry-wide definitions and guidelines through the ASC. (Those documents can be found at http://www.antispywarecoalition.org/documents/index.htm. They are the result of significant work by industry and consumer advocacy groups.)

Rootkits are a rapidly growing subset of PUPs. The stealthy nature of rootkits makes their detection and remediation extremely complex and risky. According to McAfee® Avert® Labs, there are more than ,000 rootkits or variants currently "in the wild." In fact, the widespread and increasing distribution of rootkits has forced changes not only in anti-virus technology but also in the core technologies of designers and implementers of both chips and operating systems.[13]

Because of their capability to hide components and activity, rootkits have even been used by a number of "legitimate" programs. Among these was Sony BMG's notorious XCP (for extended copy protection), which sparked a debate on copy protection and digital rights management (DRM), among other things. Without asking permission or informing the user, the rootkit installed silently and offered no uninstaller. In the end, Sony recalled all the CDs that it distributed with the rootkit package on it.[14] Recently, Sony has been in the news with another rootkit-like piece of software. This one was packaged with several Sony USB drives—specifically known as the Fingerprint Access software, which uses drivers and software developed by Fineart Technology. Essentially, the executable can be put in any directory; when run, it will hide all associated files and folders within its hidden directory.[15] Rootkits can arguably have good intentions, such as in Sony's case. However, implementing them creates the potential for exploitation—whether by malicious or legitimate authors—and there are few programs available that can effectively remediate their powerful capabilities.

Spyware's Social Aspects

Spyware is not only a nuisance from a technical standpoint, but also carries the potential for criminal use. There have been nationwide initiatives to educate the general public on the dangers that these types of programs present, and how to combat them.

Using spyware for surveillance in cases of domestic abuse is a serious matter. Installing software to track and control an unaware victim's computer has social and legal implications. With so much of our lives dependent on computers and other technologies such as cell phones, the use of spyware is ideal for abusers, who often feel the need to control all aspects of a victim's existence. Monitoring a victim's online, cell phone, or general computing activity is of more value than ever in controlling or hurting a victim. There is a strong movement within the National Network to End Domestic Violence to educate victims and the general public about safe computing. Many security companies have made sizable monetary donations to this organization to assist in education and to provide aid for securing networks within shelters for victims of domestic violence. (For more information, visit http://www.nnedv.org/internet-safety.php.)

The widespread distribution of adware can hurt and demoralize unsuspecting users of a system. In a McAfee Avert Labs blog, Hiep Dang, director of malware research, asks whether you could face prison time for not cleaning your spyware-infected PC.[16] The answer is, possibly, yes. Take the case of Julie Amero, an elementary school teacher who was tried and convicted in Connecticut for having exposed her seventh-grade students to pornography. (The conviction was thrown out by a second judge; Amero awaits another trial.)[17] Here's an example in which an application that was downloaded and installed on a user's system carried far-reaching implications. Technologists argue that the pornography on Amero's system was a result of adware-generated pop-up ads. Nonetheless, the consequences have been horrendous: The children were harmed by the images, and Amero is living a nightmare as she fights for her reputation. This is perhaps the most highly publicized result of the distribution and infestation of adware, but it is clearly not the only one.

Legal Issues

There have been a number of attempts by various groups to put tangible restraints on spyware and its authors. Specifically, the House of Representatives passed a controversial bill in 2004 that was aimed at making spyware illegal. The result of the Internet Spyware Prevention Act, or I-SPY Act, has been strongly contested by various advertising agencies.[18] Recently, Senator Mark Pryor of Arkansas has introduced the Counter Spy Act of 2007, which has the intent of making it illegal for "companies and fraudsters" to implant spyware on a person's computer without consent. According to Pryor and his supporters, "Spyware is a serious infringement upon basic levels of privacy and security. There are very few, if any, legitimate reasons for this practice to continue, but countless reasons for it to be stopped, including identity theft and sluggish computer performance." Essentially, the Counter Spy Act provides that the Federal Trade Commission enforce the law as if a violation was an unfair or deceptive practice, thus opening the door to civil action—in addition to criminal penalties—for violation of the law.

Conclusion

Spyware has slowly faded from the radar of many home users and IT administrators as other technological "hazards" have taken center stage in recent months. However, the reality of spyware has not changed and, if anything, has morphed into a less perceptible, more egregious security threat. The threats have changed from the blatantly undesirable pop-up–delivering software to the silently installed piece of tracking software that is imperceptible. Adware companies such as WhenU have rebranded, and rebranded again, in the hopes of moving from the "in-your-face" delivery of ads to the subtle tracking that occurs in their MeMedia program, MeMe.[19] In addition, the distinction between what we consider a Trojan versus a PUP has blurred significantly, as more and more PUPs are getting delivered and installed in Trojan format. As the landscape of PUPs and other security threats evolves to meet the fast-paced and changing needs of businesses and other organizations, we need to be on our guard more than ever. We face a stealthy and hidden enemy.

About the Author

Anna Stepanov manages the Anti-Spyware program for McAfee Avert Labs. She is a member of the ASC and has written articles for that organization as well as for Avert Labs. Stepanov has presented at the Anti-Phishing Working Group, and was a key player in the design of the anti-spam engine in the consumer version of McAfee® SpamKiller.

Notes

[1] "Trojan: a program that appears to do one thing but actually does another (a.k.a. Trojan horse)." The Center for Democracy and Technology's Anti-Spyware Coalition (ASC) Index: http://www.antispywarecoalition.org/index.htm
[2] "Rootkit: A program that fraudulently gains or maintains administrator-level access to a computer. It may also execute in a manner that prevents detection. Once a rootkit has gained access, it can be used to monitor traffic and keystrokes, create a backdoor into the system for the hacker's use, alter log files, attack other machines on the network, and alter system tools to circumvent detection. Rootkits are an extreme form of 'system modification software.'" ASC Index: http://www.antispywarecoalition.org/index.htm
[3] Definition from Wikipedia: http://en.wikipedia.org/wiki/Affiliate_marketing
[4] "In its narrow sense, spyware is a term for tracking software deployed without adequate notice, consent, or control for the user." ASC Glossary of Terms: http://www.antispywarecoalition.org/documents/glossary.htm
[5] Definition from Wikipedia: http://en.wikipedia.org/wiki/Spyware
[6] http://www.truste.org/pdf/quote_leibowitz.pdf
[7] Diagram courtesy of the CDT: http://www.cdt.org/privacy/20060320adware.pdf
[8] "Adware: a type of advertising display software, specifically certain executable applications whose primary purpose is to deliver advertising content potentially in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions, and thus may also be categorized as tracking technologies." ASC Glossary of Terms: http://www.antispywarecoalition.org/documents/glossary.htm
[9] https://www.csialliance.org/issues/spyware/
[10] Personally identifiable information is "personal information concerning an identified or identifiable individual, the collection, use or disclosure which the individual would ordinarily want to control." ASC Glossary of Terms: http://www.antispywarecoalition.org/documents/GlossaryJune292006.htm
[11] ASC Glossary of Terms: http://www.antispywarecoalition.org/documents/glossary.htm
[12] For more on rootkits, see http://www.mcafee.com/us/threat_center/white_paper.html for our April 00 and April 00 articles.
[13] "Intel readies rootkit-rooting hardware," http://www.theregister.co.uk/2005/12/09/intel_anti-rootkit_chip/
[14] Definition from Wikipedia: http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal
[15] http://www.avertlabs.com/research/blog/index.php/2007/08/28/hide-me-sony-one-moretime
[16] McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/?p=174
[17] Entry from Wikipedia: http://en.wikipedia.org/wiki/Julie_Amero
[18] SearchSecurity.com Definitions: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1093105,00.html
[19] McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/index.php/2007/06/14/when-is-whenu-meme/

© 2007 McAfee, Inc. All rights reserved.
