Monday, October 1, 2007

Security

1.Network security

Network security consists of the provisions made in an underlying computer network infrastructure, policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access and the effectiveness (or lack) of these measures combined together.

How different is it from computer security?

Securing any network infrastructure is like securing possible entry points of attacks on a country by deploying appropriate defense. Computer security is more like providing means of self-defense to each individual citizen of the country. The former is better and practical to protect the civilians from getting exposed to the attacks. The preventive measures attempt to secure the access to individual computers--the network itself--thereby protecting the computers and other shared resources such as printers, network-attached storage connected by the network. Attacks could be stopped at their entry points before they spread. As opposed to this, in computer security the measures taken are focused on securing individual computer hosts. A computer host whose security is compromised is likely to infect other hosts connected to a potentially unsecured network. A computer host's security is vulnerable to users with higher access privileges to those hosts.

Process

Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are allowed to be accessed by the network users. Though effective to prevent unauthorized access, this component fails to check potentially harmful contents such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. IPS also monitors for suspicious network traffic for contents, volume and anomalies to protect the network from attacks such as denial of service. Communication between two hosts using the network could be encrypted to maintain privacy. Individual events occurring on the network could be tracked for audit purposes and for a later high level analysis.

Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis could be used to further tighten security of the actual network being protected by the honeypot.

2.Computer virus
A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original virus may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed.

Many personal computers are now connected to the Internet and to local area networks, facilitating the spread of malicious code. Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms. Furthermore, some sources use an alternative terminology in which a virus is any form of self-replicating malware.

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and perhaps make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

History

The Creeper virus was first detected on ARPANET, the forerunner of the Internet in the early 1970s. It propagated via the TENEX operating system and could make use of any connect modem to dial out to remote computers and infect them. It would display the message "I'M THE CREEPER : CATCH ME IF YOU CAN.". It is rumored that the Reaper program that appeared shortly after and sought out copies of the Creeper and deleted them, may have been written by the creator of the Creeper in a fit of regret.

A program called "Elk Cloner" is commonly credited with being the first computer virus to appear "in the wild" — that is, outside the single computer or lab where it was created, but that claim is false. See the Timeline of notable computer viruses and worms for other earlier viruses. It was however the first virus to infect computers "in the home". Written in 1982 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This virus was originally a joke, created by a high school student and put onto a game. The disk could only be used 49 times. The game was set to play, but release the virus on the 50th time of starting the game. Only this time, instead of playing the game, it would change to a blank screen that read a poem about the virus named Elk Cloner. The poem that showed up on the screen is as follows: It will get on all your disks. It will infiltrate your chips. Yes it's Cloner! It will stick to you like a fly on a glue stick. It will modify RAM too. Send in the Cloner! The computer would then be infected.

The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the virus.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS and modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's. Within the "pirate scene" of hobbyists trading illicit copies of retail software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.

Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Most of these viruses did not have the ability to send infected e-mail. Those viruses which did spread through e-mail took advantage of the Microsoft Outlook COM interface.

Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".[2]

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005. This virus utilizes cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of the cross-site scripting viruses in the wild, most notable sites affected have been MySpace and Yahoo.

Etymology

The word virus is derived from and used in the same sense as the biological equivalent. The term "virus" is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or Trojans. Most popular anti-virus software packages defend against all of these types of attack. In some technical communities, the term "virus" is also extended to include the authors of malware, in an insulting sense. The English plural of "virus" is "viruses". Some people use "virii" or "viri" as a plural, but this is rare. For a discussion about whether "viri" and "virii" are correct alternatives of "viruses", see plural of virus.

The first known use of the term virus related to computers is in a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One,. The book describes a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "VACCINE").

The term "computer virus" with current usage appears in the comic book Uncanny X-Men #158, written by Chris Claremont and published in 1982.

The 1973 movie "Westworld" doesn't actually use the word virus, but a scientist refers to "an analogy to an infectious disease process spreading" to explain endemic robot malfunctions. Another scientist from the film adds that it's "It's only a theoretical concept."

The first academic use of the term was first used in a publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it.

Replication strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses

Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach does not seem very successful, however.

Vectors and hosts

Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:

Inhospitable vectors

It is difficult, but not impossible, for viruses to tag along in source files, seeing that computer languages are built for human eyes and experienced operators. With the notable exception of WMF, it is almost impossible for viruses to tag along in data files like MP3s, MPGs, OGGs, JPGs, GIFs, PNGs, MNGs, PDFs, and DVI files (this is not an exhaustive list of generally trusted file types). Even if a virus were to 'infect' such a file, it would be inoperative since there would be no way for the viral code to be executed. A caveat must be mentioned from PDFs, that like HTML, may link to malicious code. Further, an exploitable buffer overflow in a program which reads the data files could be used to trigger the execution of code hidden within the data file, but this attack is substantially mitigated in computer architectures with an execute disable bit.

It is worth noting that some virus authors have written an .EXE extension on the end of .PNG (for example), hoping that users would stop at the trusted file type without noticing that the computer would start with the final type of file. See Trojan horse (computing). A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original virus may modify the copies or the copies may modify themselves, as occurs in a metamorphic virus. A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses. A worm can spread itself to other computers without needing to be transferred as part of a host, and a Trojan horse is a file that appears harmless until executed.

Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially that which maintains and dates Cyclic Redundancy Codes on file changes.

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those files had many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.

Avoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

  • Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
  • Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
  • Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.

Stealth

Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification

Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but that probably isn't required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.

Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine.

Vulnerability and countermeasures

The vulnerability of operating systems to viruses

Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses.

This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable.

Although Windows is by far the most popular operating system for virus writers, some viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are less secure than others. Unix-based OS's (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their protected space in their own directories.

As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system); the known vulnerabilities fall under the classifications of worms and Trojans. The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. It is safe to say that Macs are less likely to be exploited due to their secure Unix base, and because a Mac-specific virus could only infect a small proportion of computers (making the effort less desirable). Virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get a Mac advertising.

Windows and Unix have similar scripting abilities, but while Unix natively blocks normal users from having access to make changes to the operating system environment, Windows does not. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows. The Bliss virus may be considered characteristic of viruses – as opposed to worms – on Unix systems. Bliss requires that the user run it explicitly (making it a trojan), and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.

The role of software development

Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits.

Anti-virus software and other preventive measures

Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect viruses that anti-virus security firms’ have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received emails 'on the fly' in a similar manner. This practice is known as "on-access scanning." Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to prevent the latest threats.

One may also prevent the damage done by viruses by making regular backups of data (and the Operating Systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent). If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus. Likewise, an Operating System on a bootable can be used to start the computer if the installed Operating Systems become unusable. Another method is to use different Operating Systems on different file systems. A virus is not likely to affect both. Data backups can also be put on different file systems. For example, Linux requires specific software to write to NTFS partitions, so if one does not install such software and uses a separate installation of MS Windows to make the backups on an NTFS partition (and preferably only for that reason), the backup should remain safe from any Linux viruses. Likewise, MS Windows can not read file systems like ext3, so if one normally uses MS Windows, the backups can be made on an ext3 partition using a Linux installation.

Recovery methods

Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on severity of the type of virus.

Virus removal

One possibility on Windows XP and Vista is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files. Some viruses, however, disable system restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor.

Administrators have the option to disable such tools from limited users for various reasons. The virus modifies the registry to do the same, except, when the Administrator is controlling the computer, it blocks all users from accessing the tools. When an infected tool activates it gives the message "Task Manager has been disabled by your administrator.", even if the user trying to open the program is the administrator.

Operating system reinstallation

As a last ditch effort, if a virus is on your system and anti-viral software can't clean it, then reinstalling the operating system may be required. To do this properly, the hard drive is completely erased (partition deleted and formatted, not quick-formatted) and the operating system is reinstalled, and separately scanned for infection before erasing the original hard drive and reinstalling installed from media known not to be infected. Important files should first be backed up, if possible.

3.Computer worm

A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.

Naming and history

The name worm comes from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Researchers John F Shoch and Jon A Hupp of Xerox PARC chose the name in a paper published in 1982; The Worm Programs, Comm ACM, 25(3):172-180, 1982), and it has since been widely adopted.

The first implementation of a worm was by these same two researchers at Xerox PARC in 1978.Shoch and Hupp originally designed the worm to find idle processors on the network and assign them tasks, sharing the processing load, and so improving the 'CPU cycle use efficiency' across an entire network. They were self-limited so that they would spread no farther than intended.

Payloads

Many worms have been created which are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, the network traffic and other unintended effects can often cause major disruption. A payload is code designed to do more than spread the worm - it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" under control of the worm author - Sobig and Mydoom are examples which created zombies. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address. Spammers are therefore thought to be a source of funding for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines. Others try to blackmail companies with threatened DoS attacks.

Backdoors, however they may be installed, can be exploited by other malware, including worms. Examples include Doomjuice, which spreads using the backdoor opened by Mydoom, and at least one instance of malware taking advantage of the rootkit backdoor installed by the Sony/BMG DRM software utilized by millions of music CDs prior to late 2005.

Worms with good intent

Beginning with the very first research into worms at Xerox PARC there have been attempts to create useful worms. The Nachi family of worms, for example, tried to download and install patches from Microsoft's website to fix vulnerabilities in the host system — by exploiting those same vulnerabilities. In practice, although this may have made these systems more secure, it generated considerable network traffic, rebooted the machine in the course of patching it, and, most importantly, did its work without the consent of the computer's owner or user.

Most security experts regard all worms as malware, whatever their payload or their writers' intentions.

Protecting against dangerous computer worms

Worms spread by exploiting vulnerabilities in operating systems. If user interaction is required for the malware to spread, it is called a trojan horse.

All vendors supply regular security updates (see "Patch Tuesday"), and if these are installed to a machine then the majority of worms are unable to spread to it. If a vendor acknowledges a vulnerability but has yet to release a security update to patch it, a zero day exploit is possible. However, these are relatively rare.

Users need to be wary of opening unexpected email, and should not run attached files or programs, or visit web sites that are linked to such emails. However, as the I LOVEYOU worm showed, and as phishing attacks become more efficient, tricking users will always be possible.

Anti-virus and anti-spyware software are helpful, but must be kept up-to-date with new pattern files at least every few days. The use of a firewall is also recommemded.

4.Trojan horse

In the context of computer software, a Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are more notorious for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties - normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this computer program or file is executed by the unsuspecting user, the malicious code is also executed resulting in the set up or installation of the malicious Trojan horse program. (See Social engineering.)

Often the term is shortened to simply Trojan.

There are two common types of Trojan horses. One is ordinary software that has been corrupted by a hacker. A hacker inserts malicious code into the program that executes while the program is used or modified. Examples include various implementations of weather alerting programs, computer clock setting software, and peer-to-peer file sharing utilities. The other type of Trojan is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into executing the file or program.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Trojan horse programs depend on actions by the intended victims. As such, if Trojans replicate and distribute themselves, each new victim must run the Trojan.

In the field of computer architecture, 'Trojan Horse' can also refer to security loopholes that allow kernel code to access anything for which it is not authorized.

History of the term

The term 'Trojan horse' is generally attributed to Daniel Edwards of NSA. He is given credit for identifying the attack form in the report "Computer Security Technology Planning Study".

A very classic example is due to computer pioneer Ken Thompson in his 1983 ACM Turing Award lecture. Thompson noted that it is possible to add code to the UNIX "login" command that would accept either the intended encrypted password or a particular known password, allowing a back door into the system with the latter password. Furthermore, Thompson argued, the C compiler itself could be modified to automatically generate the rogue code, to make detecting the modification even harder. Because the compiler is itself a program generated from a compiler, the Trojan horse could also be automatically installed in a new compiler program, without any detectable modification to the source of the new compiler.

Example of a Trojan horse

A simple example of a Trojan horse would be a program named "waterfalls.scr" which claimed to be a free waterfall screensaver. When run, it would instead open computer ports and allow hackers to access the user's computer remotely.

Types of Trojan horse payloads

Trojan horse payloads are almost always designed to do various harmful things, but can also be harmless. They are broken down in classification based on how they breach and damage systems. The nine main types of Trojan horse payloads are:

  • Remote Access.
  • Email Sending
  • Data Destruction
  • Downloader
  • Proxy Trojan (disguising others as the infected computer)
  • FTP Trojan (adding or copying data from the infected computer)
  • security software disabler
  • denial-of-service attack (DoS)
  • URL trojan (directing the infected computer to only connect to the internet via an expensive dial-up connection)

Some examples of damage are:

  • erasing or overwriting data on a computer
  • encrypting files in a cryptoviral extortion attack
  • corrupting files in a subtle way
  • upload and download files
  • allowing remote access to the victim's computer. This is called a RAT (remote administration tool)
  • spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'
  • setting up networks of zombie computers in order to launch DDoS attacks or send spam.
  • spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware)
  • making screenshots
  • logging keystrokes to steal information such as passwords and credit card numbers
  • phishing for bank or other account details, which can be used for criminal activities
  • installing a backdoor on a computer system
  • opening and closing CD-ROM tray
  • harvesting e-mail addresses and using them for spam
  • restarting the computer whenever the infected program is started
  • deactivating or interfering with anti-virus and firewall programs
  • deactivating or interfering with other competing forms of malware

Methods of infection

The majority of Trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised to not open unexpected attachments on emails -- the program is often a cute animation or an image, but behind the scenes it infects the computer with a Trojan or worm. The infected program doesn't have to arrive via email; it can be sent in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if one were the specific target of an attack, it would be a fairly reliable way to infect a computer.) Furthermore, an infected program could come from someone who sits down at a computer and loads it manually. However, receiving a Trojan in this manner is very rare. It is usually received through a download.

Road apple

A road apple is a real-world variation of a Trojan Horse that uses physical media and relies on the curiosity of the victim. The attacker leaves a malware infected floppy disc, CD ROM or USB flash drive in a location sure to be found or that is commonly visited, gives it a legitimate looking label and then waits in the hopes that someone will eventually use it. An example of this would be to get the corporate logo from the web site of the software that is infected and affixing a legitimate-looking label (e.g. "Employee Salaries Summary FY06") for the infected physical media.

Methods of deletion

Since Trojan horses take a variety of forms, there is no single method for deleting them. The simplest responses involve clearing the temporary internet files on a computer, or finding the file and deleting it manually. In some cases, registry editing or other treatments are needed. In extreme cases, it may even be necessary to reset the computer back to its factory defaults, or to purchase anti-virus software.

Well-known trojan horses

5.Spyware

Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.

While the term spyware suggests software that secretly monitors the user's behavior, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, but can also interfere with user control of the computer in other ways, such as installing additional software, redirecting Web browser activity, or diverting advertising revenue to a third party. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is captured under the term privacy-invasive software.

In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security best practices for Microsoft Windows desktop computers. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.

History and development

The first recorded use of the term spyware occurred on October 16, 1995 in a Usenet post that poked fun at Microsoft's business model.Spyware at first denoted hardware meant for espionage purposes. However, in early 2000 the founder of Zone Labs, Gregor Freund, used the term in a press release for the ZoneAlarm Personal Firewall. Since then, "spyware" has taken on its present sense.According to a 2005 study by AOL and the National Cyber-Security Alliance, 61% of surveyed users' computers had some form of spyware. 92% of surveyed users with spyware reported that they did not know of its presence, and 91% reported that they had not given permission for the installation of the spyware. As of 2006, spyware has become one of the preeminent security threats to computer systems running Microsoft Windows operating systems. In an estimate based on customer-sent scan logs, Webroot Software, makers of Spy Sweeper, said that 9 out of 10 computers connected to the Internet are infected.Computers where Internet Explorer (IE) is the primary browser are particularly vulnerable to such attacks not only because IE is the most widely-used, but because its tight integration with Windows allows spyware access to crucial parts of the operating system.

Before Internet Explorer 7 was released, the browser would automatically display an installation window for any ActiveX component that a website wanted to install. The combination of user naiveté towards malware and the assumption by Internet Explorer that all ActiveX components are benign, led, in part, to the massive spread of spyware. Many spyware components would also make use of flaws in Javascript, Internet Explorer and Windows to install without user knowledge or permission.

The registry also contains numerous locations that allow software to be executed automatically when the operating system boots. Spyware often exploits this design to help it circumvent attempts at removal. The spyware typically will link itself from each of location in the registry that allows execution. Once running, the spyware will periodically check if any of these links are removed. If so, they will be automatically restored. This ensures that the spyware will execute when the operating system is booted even if some (or most) of the registry links are removed.

Comparison

Spyware, adware and tracking

The term adware frequently refers to any software which displays advertisements, whether or not the user has consented. Programs such as the Eudora mail client display advertisements as an alternative to shareware registration fees. These classify as "adware" in the sense of advertising-supported software, but not as spyware. Adware in this form does not operate surreptitiously or mislead the user, and provides the user with a specific service.

Although most adware is spyware in a different sense for a different reason: it displays advertisements related to what it finds from spying on you. Claria Corporation's Gator Software and Exact Advertising's BargainBuddy are examples. Visited Web sites frequently install Gator on client machines in a surreptitious manner, and it directs revenue to the installing site and to Claria by displaying advertisements to the user. The user receives many pop-up advertisements.

Other spyware behavior, such as reporting on websites the user visits, occurs in the background. The data is used for "targeted" advertisement impressions. The prevalence of spyware has cast suspicion upon other programs that track Web browsing, even for statistical or research purposes. Some observers describe the Alexa Toolbar, an Internet Explorer plug-in published by Amazon.com, as spyware, and some anti-spyware programs such as AdAware report it as such. Many of these adware distributing companies are backed by millions of dollars of adware-generating revenues. Adware and spyware are similar to viruses in that they can be malicious in nature, however, people are now profitting from these threats making them more and more popular.

Similarly, software bundled with free, advertising-supported programs such as P2P act as spyware, (and if removed disable the 'parent' program) yet people are willing to download it. This presents a dilemma for proprietors of anti-spyware products whose removal tools may inadvertently disable wanted programs. For example, recent test results show that bundled software (WhenUSave) is ignored by popular anti spyware program AdAware, (but removed as spyware by most scanners) because it is part of the popular (but recently decommissioned) Edonkey client. To address this dilemma, the Anti-Spyware Coalition has been working on building consensus within the anti-spyware industry as to what is and isn't acceptable software behavior. To accomplish their goal, this group of anti-spyware companies, academics, and consumer groups have collectively published a series of documents including a definition of spyware, risk model, and best practices document.

Spyware, virus and worm

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware — by design — exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

Routes of infection

Spyware does not directly spread in the manner of a computer virus or worm: generally, an infected system does not attempt to transmit the infection to other computers. Instead, spyware gets on a system through deception of the user or through exploitation of software vulnerabilities.

Most spyware is installed without users' knowledge. Since they tend not to install software if they know that it will disrupt their working environment and compromise their privacy, spyware deceives users, either by piggybacking on a piece of desirable software such as Kazaa, or tricking them into installing it (the Trojan horse method). Some "rogue" anti-spyware programs masquerade as security software, while being spyware themselves.

The distributor of spyware usually presents the program as a useful utility — for instance as a "Web accelerator" or as a helpful software agent. Users download and install the software without immediately suspecting that it could cause harm. For example, Bonzi Buddy, a spyware program targeted at children, claims that:

He will explore the Internet with you as your very own friend and sidekick! He can talk, walk, joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the ability to compare prices on the products you love and help you save money! Best of all, he's FREE![

Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable free software with installers that add spyware.

A third way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog box. The box contains a message such as "Would you like to optimize your Internet access?" with links which look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. Later versions of Internet Explorer offer fewer avenues for this attack.

Some spyware authors infect a system through security holes in the Web browser or in other software. When the user navigates to a Web page controlled by the spyware author, the page contains code which attacks the browser and forces the download and installation of spyware. The spyware author would also have some extensive knowledge of commercially-available anti-virus and firewall software. This has become known as a "drive-by download", which leaves the user a hapless bystander to the attack. Common browser exploits target security vulnerabilities in Internet Explorer and in the Sun Microsystems Java runtime.

The installation of spyware frequently involves Internet Explorer. Its popularity and history of security issues have made it the most frequent target. Its deep integration with the Windows environment and scriptability make it an obvious point of attack into Windows. Internet Explorer also serves as a point of attachment for spyware in the form of Browser Helper Objects, which modify the browser's behaviour to add toolbars or to redirect traffic.

In a few cases, a worm or virus has delivered a spyware payload. Some attackers used the Spybot worm to install spyware that put pornographic pop-ups on the infected system's screen.By directing traffic to ads set up to channel funds to the spyware authors, they profit personally.

Effects and behaviors

A spyware program is rarely alone on a computer: an affected machine can rapidly be infected by many other components. Users frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware which interferes with networking software commonly causes difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the issues relate to hardware, to Windows installation problems, or a virus. Some owners of badly infected systems resort to contacting technical support experts, or even buying a new computer because the existing system "has become too slow". Badly infected systems may require a clean reinstallation of all their software in order to return to full functionality.

Only rarely does a single piece of software render a computer unusable. Rather, a computer is likely to have multiple infections. As the 2004 AOL study noted, if a computer has any spyware at all, it typically has dozens of different pieces installed. The cumulative effect, and the interactions between spyware components, cause the symptoms commonly reported by users: a computer which slows to a crawl, overwhelmed by the many parasitic processes running on it. Moreover, some types of spyware disable software firewalls and anti-virus software, and/or reduce browser security settings, thus opening the system to further opportunistic infections, much like an immune deficiency disease. Some spyware has disabled or even removed competing spyware programs, on the grounds that more spyware-related annoyances make it even more likely that users will take action to remove the programs. One spyware maker, Avenue Media, even sued a competitor, Direct Revenue, over this; the two later settled with an agreement not to disable each others' products.

Some other types of spyware (Targetsoft, for example) modify system files so they will be harder to remove. Targetsoft modifies the "Winsock" Windows Sockets files. The deletion of the spyware-infected file "inetadpt.dll" will interrupt normal networking usage. Unlike users of many other operating systems, a typical Windows user has administrative privileges, mostly for convenience. Because of this, any program the user runs (intentionally or not) has unrestricted access to the system. Spyware, along with other threats, has led some Windows users to move to other platforms such as Linux or Apple Macintosh, which are less attractive targets for malware. This is because these programs are not granted unrestricted access to the operating system (due to the Unix underpinnings upon which both Linux and Mac OS X are built though some allege it's mainly due to the far smaller number of machines installed with these operating systems making spyware development potentially less profitable for these platforms.

Advertisements

Many spyware programs display advertisements. Some programs simply display pop-up ads on a regular basis; for instance, one every several minutes, or one when the user opens a new browser window. Others display ads in response to specific sites that the user visits. Spyware operators present this feature as desirable to advertisers, who may buy ad placement in pop-ups displayed when the user visits a particular site. It is also one of the purposes for which spyware programs gather information on user behavior. Pop-ups are one of users' most common complaints about spyware.

Many users complain about irritating or offensive advertisements as well. As with many banner ads, many spyware advertisements use animation or flickering banners which can be visually distracting and annoying to users. Pop-up ads for pornography often display indiscriminately. Links to these sites may be added to the browser window, history or search function. When children are the users, this could possibly violate anti-pornography laws in some jurisdictions.

A further issue in the case of some spyware programs has to do with the replacement of banner ads on viewed web sites. Spyware that acts as a web proxy or a Browser Helper Object can replace references to a site's own advertisements (which fund the site) with advertisements that instead fund the spyware operator. This cuts into the margins of advertising-funded Web sites.

"Stealware" and affiliate fraud

A few spyware vendors, notably 180 Solutions, have written what the New York Times has dubbed "stealware", and what spyware-researcher Ben Edelman terms affiliate fraud, a form of click fraud. Stealware diverts the payment of affiliate marketing revenues from the legitimate affiliate to the spyware vendor.

Spyware which attacks affiliate networks places the spyware operator's affiliate tag on the user's activity—replacing any other tag, if there is one. The spyware operator is the only party that gains from this. The user has their choices thwarted, a legitimate affiliate loses revenue, networks' reputations are injured, and vendors are harmed by having to pay out affiliate revenues to an "affiliate" who is not party to a contract.

Affiliate fraud is a violation of the terms of service of most affiliate marketing networks. As a result, spyware operators such as 180 Solutions have been terminated from affiliate networks including LinkShare and ShareSale.

Identity theft and fraud

In one case, spyware has been closely associated with identity theft. In August 2005, researchers from security software firm Sunbelt Software believed that the makers of the common CoolWebSearch spyware had used it to transmit "chat sessions, user names, passwords, bank information, etc.",but it turned out that "it actually (was) its own sophisticated criminal little trojan that's independent of CWS." This case is currently under investigation by the FBI.

The Federal Trade Commission estimates that 27.3 million Americans have been victims of identity theft, and that financial losses from identity theft totaled nearly $48 billion for businesses and financial institutions and at least $5 billion in out-of-pocket expenses for individuals.

Spyware-makers may commit wire fraud with dialer program spyware. These can reset a modem to dial up a premium-rate telephone number instead of the usual ISP. Connecting to these suspicious numbers involves long-distance or overseas charges which invariably result in high charges. Dialers are ineffective on computers that do not have a modem, or are not connected to a telephone line.

Digital rights management

Some copy-protection technologies have borrowed from spyware. In 2005, Sony BMG Music Entertainment was found to be using rootkits in its XCP digital rights management technology Like spyware, not only was it difficult to detect and uninstall, it was so poorly written that most efforts to remove it could have rendered computers unable to function. Texas state attorney general Greg Abbott filed suit, and three separate class-action suits were filed. Sony BMG later provided a workaround on its website to help users remove it.

Beginning in April 25, 2006, Microsoft's Windows Genuine Advantage Notifications application installed on most Windows PCs as a "critical security update". While the main purpose of this deliberately non-uninstallable application is making sure the copy of Windows on the machine was lawfully purchased and installed, it also installs software that has been accused of "phoning home" on a daily basis, like spyware. It can be removed with the RemoveWGA tool.

Spyware and cookies

Anti-spyware programs often report Web advertisers' HTTP cookies, the small text files that track browsing activity, as spyware. While they are not always inherently malicious, many users object to third parties using space on their personal computers for their business purposes, and so many anti-spyware programs offer to remove them.

Examples of spyware

These common spyware programs illustrate the diversity of behaviors found in these attacks. Note that as with computer viruses, researchers give names to spyware programs which may not be used by their creators. Programs may be grouped into "families" based not on shared program code, but on common behaviors, or by "following the money" of apparent financial or business connections. For instance, a number of the spyware programs distributed by Claria are collectively known as "Gator". Likewise, programs which are frequently installed together may be described as parts of the same spyware package, even if they function separately.

  • CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on Web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.
  • Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.
  • Zango (formerly 180 Solutions) transmits detailed information to advertisers about the Web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a Web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the Web sites of competing companies.
  • HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate Web sites, or by advertisements displayed by other spyware programs — an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.
  • Movieland, also known as Moviepass.tv or Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and others by consumers claiming they were held hostage by its repeated pop-up windows and demands for payment. The FTC has filed a complaint against Movieland.com and eleven other defendants (list), charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers." The complaint alleges that the software repeatedly opened oversized pop-up windows that could not be closed or minimized, accompanied by music that lasted nearly a minute, demanding payment of at least $29.95 to end the pop-up cycle; and claiming that consumers had signed up for a three-day free trial but did not cancel their membership before the trial period was over, and were thus obligated to pay.

Legal issues related to spyware

Criminal law

Unauthorized access to a computer is illegal under computer crime laws, such as the U.S. Computer Fraud and Abuse Act, the U.K.'s Computer Misuse Act and similar laws in other countries. Since the owners of computers infected with spyware generally claim that they never authorized the installation, a prima facie reading would suggest that the promulgation of spyware would count as a criminal act. Law enforcement has often pursued the authors of other malware, particularly viruses. However, few spyware developers have been prosecuted, and many operate openly as strictly legitimate businesses, though some have faced lawsuits.

Spyware producers argue that, contrary to the users' claims, users do in fact give consent to installations. Spyware that comes bundled with shareware applications may be described in the legalese text of an end-user license agreement (EULA). Many users habitually ignore these purported contracts, but spyware companies such as Claria claim these demonstrate that users have consented.

Despite the ubiquity of EULAs and of "clickwrap" agreements, under which a single click can be taken as consent to the entire text, relatively little case law has resulted from their use. It has been established in most common law jurisdictions that a clickwrap agreement can be a binding contract in certain circumstances. This does not, however, mean that every such agreement is a contract or that every term in one is enforceable.

Some jurisdictions, including the U.S. states of Iowa and Washington, have passed laws criminalizing some forms of spyware. Such laws make it illegal for anyone other than the owner or operator of a computer to install software that alters Web-browser settings, monitors keystrokes, or disables computer-security software.

In the United States, lawmakers introduced a bill in 2005 entitled the Internet Spyware Prevention Act, which would imprison creators of spyware.

Civil law

Former New York State Attorney General and now current Governor Eliot Spitzer has pursued spyware companies for fraudulent installation of software.[In a suit brought in 2005 by Spitzer, the California firm Intermix Media, Inc. ended up settling by agreeing to pay US$7.5 million and to stop distributing spyware.

The hijacking of Web advertisements has also led to litigation. In June 2002, a number of large Web publishers sued Claria for replacing advertisements, but settled out of court.

Courts have not yet had to decide whether advertisers can be held liable for spyware which displays their ads. In many cases, the companies whose advertisements appear in spyware pop-ups do not directly do business with the spyware firm. Rather, they have contracted with an advertising agency, which in turn contracts with an online subcontractor who gets paid by the number of "impressions" or appearances of the advertisement. Some major firms such as Dell Computer and Mercedes-Benz have sacked advertising agencies which have run their ads in spyware.

Libel suits by spyware developers

Litigation has gone both ways. Since "spyware" has become a common pejorative, some makers have filed libel and defamation actions when their products have been so described. In 2003, Gator (now known as Claria) filed suit against the website PC Pitstop for describing its program as "spyware".PC Pitstop settled, agreeing not to use the word "spyware", but continues to describe harm caused by the Gator/Claria software.As a result, other antispyware and antivirus companies have also used other terms such as "potentially unwanted programs" or greyware to denote these products.

Remedies and prevention

As the spyware threat has worsened, a number of techniques have emerged to counteract it. These include programs designed to remove or to block spyware, as well as various user practices which reduce the chance of getting spyware on a system.

Nonetheless, spyware remains a costly problem. When a large number of pieces of spyware have infected a Windows computer, the only remedy may involve backing up user data, and fully reinstalling the operating system.

Anti-spyware programs

Report on scan of an infected system from Lavasoft's Ad-Aware

Many programmers and some commercial firms have released products designed to remove or block spyware. Steve Gibson's OptOut, mentioned above, pioneered a growing category. Programs such as Lavasoft's Ad-Aware SE and Patrick Kolla's Spybot - Search & Destroy rapidly gained popularity as effective tools to remove, and in some cases intercept, spyware programs. More recently Microsoft acquired the GIANT AntiSpyware software, rebranding it as Windows AntiSpyware beta and releasing it as a free download for Genuine Windows XP and Windows 2003 users. In early spring, 2006, Microsoft renamed the beta software to Windows Defender, and it was released as a free download in October 2006. Microsoft currently ships the product for free with Windows Vista. Other well-known anti-spyware products include:

Major anti-virus firms such as Symantec, McAfee and Sophos have come later to the table, adding anti-spyware features to their existing anti-virus products. Early on, anti-virus firms expressed reluctance to add anti-spyware functions, citing lawsuits brought by spyware authors against the authors of web sites and programs which described their products as "spyware". However, recent versions of these major firms' home and business anti-virus products do include anti-spyware functions, albeit treated differently from viruses. Symantec Anti-Virus, for instance, categorizes spyware programs as "extended threats" and now offers real-time protection from them (as it does for viruses). Recently, the anti-virus company Grisoft, creator of AVG Anti-Virus, acquired anti-spyware firm Ewido Networks, re-labeling their Ewido anti-spyware program as AVG Anti-Spyware. This shows a trend by anti virus companies to launch a dedicated solution to spyware and malware. Zone Labs, creator of Zone Alarm firewall have also released an anti spyware program.

Microsoft Anti-Spyware, in real-time protection blocks an instance of the AlwaysUpdateNews from being installed.

Anti-spyware programs can combat spyware in two ways:

  • 1. They can provide real time protection against the installation of spyware software on your computer. This type of spyware protection works the same way as that of anti-virus protection in that the anti-spyware software scans all incoming network data for spyware software and blocks any threats it comes across.
  • 2. Anti-spyware software programs can be used solely for detection and removal of spyware software that has already been installed onto your computer. This type of spyware protection is normally much easier to use and more popular. With this spyware protection software you can schedule weekly, daily, or monthly scans of your computer to detect and remove any spyware software that has been installed on your computer. This type of anti-spyware software scans the contents of the windows registry, operating system files, and installed programs on your computer and will provide a list of any threats found, allowing you to choose what you want to delete and what you want to keep.

Such programs inspect the contents of the Windows registry, the operating system files, and installed programs, and remove files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans disk files at download time, and blocks the activity of components known to represent spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Because many spyware and adware are installed as a result of browser exploits or user error, using security software (some of which are antispyware, though many are not) to sandbox browsers can also be effective to help restrict any damage done.

Earlier versions of anti-spyware programs focused chiefly on detection and removal. Javacool Software's SpywareBlaster, one of the first to offer real-time protection, blocked the installation of ActiveX-based and other spyware programs.

Like most anti-virus software, many anti-spyware/adware tools require a frequently-updated database of threats. As new spyware programs are released, anti-spyware developers discover and evaluate them, making "signatures" or "definitions" which allow the software to detect and remove the spyware. As a result, anti-spyware software is of limited usefulness without a regular source of updates. Some vendors provide a subscription-based update service, while others provide updates free. Updates may be installed automatically on a schedule or before doing a scan, or may be done manually.

Not all programs rely on updated definitions. Some programs rely partly (for instance many antispyware programs such as Windows Defender, Spybot's TeaTimer and Spysweeper) or fully (programs falling under the class of Hips such as BillP's WinPatrol), on historical observation. They watch certain configuration parameters (such as certain portions of the Windows registry or browser configuration) and report any change to the user, without judgment or recommendation. While they do not rely on updated definitions, which may allow them to spot newer spyware, they can offer no guidance. The user is left to determine "what did I just do, and is this configuration change appropriate?"

Windows Defender's Spynet attempts to alleviate this through offering a community to share information, which helps guide both users, who can look at decisions made by others, and analysts, who can spot fast-spreading spyware. A popular generic spyware removal tool used by those with a certain degree of expertise is HijackThis, which scans certain areas of the Windows OS where spyware often resides and presents a list with items to delete manually. As most of the items are legitimate windows files/registry entries it is advised for those who are less knowledgeable on this subject to post a HijackThis log on the numerous antispyware sites and let the experts decide what to delete.

If a spyware program is not blocked and manages to get itself installed, it may resist attempts to terminate or uninstall it. Some programs work in pairs: when an anti-spyware scanner (or the user) terminates one running process, the other one respawns the killed program. Likewise, some spyware will detect attempts to remove registry keys and immediately add them again. Usually, booting the infected computer in safe mode allows an anti-spyware program a better chance of removing persistent spyware. Killing the process tree can also work.

A new breed of spyware (Look2Me spyware by NicTechNetworks is a good example) is starting to hide inside system-critical processes and start up even in safe mode. With no process to terminate they are harder to detect and remove. Sometimes they do not even leave any on-disk signatures. Rootkit technology is also seeing increasing use,as is the use of NTFS alternate data streams. Newer spyware programs also have specific countermeasures against well known anti-malware products and may prevent them from running or being installed, or even uninstall them. An example of one that uses all three methods is Gromozon, a new breed of malware. It uses alternate data streams to hide. A rootkit hides it even from alternate data streams scanners and actively stops popular rootkit scanners from running.

Malicious websites attempt to install spyware on readers' computers.

Fake anti-spyware programs

Malicious programmers have released a large number of fake anti-spyware programs, and widely distributed Web banner ads now spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware — or worse, may add more spyware of their own.

The recent proliferation of fake or spoofed antivirus products has occasioned some concern. Such products often bill themselves as antispyware, antivirus, or registry cleaners, and sometimes feature popups prompting users to install them. They are called rogue software.

Known offenders include:

On 2006-01-26, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On 2006-12-04, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. As of that date, Microsoft's case against Secure Computer remained pending.

Security practices

To deter spyware, computer users have found several practices useful in addition to installing anti-spyware programs.

Many system operators install a web browser other than IE, such as Opera or Mozilla Firefox. Although these have also suffered some security vulnerabilities, their comparatively small market share compared to Internet Explorer makes it uneconomic for hackers to target users on those browsers.Though no browser is completely safe, Internet Explorer is at a greater risk for spyware infection due to its large user base as well as vulnerabilities such as ActiveX.

Some ISPs — particularly colleges and universities — have taken a different approach to blocking spyware: they use their network firewalls and web proxies to block access to Web sites known to install spyware. On March 31, 2005, Cornell University's Information Technology department released a report detailing the behavior of one particular piece of proxy-based spyware, Marketscore, and the steps the university took to intercept it.Many other educational institutions have taken similar steps. Spyware programs which redirect network traffic cause greater technical-support problems than programs which merely display ads or monitor users' behavior, and so may more readily attract institutional attention.

Some users install a large hosts file which prevents the user's computer from connecting to known spyware related web addresses. However, by connecting to the numeric IP address, rather than the domain name, spyware may bypass this sort of protection.

Spyware may get installed via certain shareware programs offered for download. Downloading programs only from reputable sources can provide some protection from this source of attack. Recently, CNet revamped its download directory: it has stated that it will only keep files that pass inspection by Ad-Aware and Spyware Doctor.

Notable programs distributed with spyware

6.Malware

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, "computer virus" is used in common parlance and often in the general media to describe all kinds of malware, though not all malware is a virus. Another term that has been recently coined for malware is badware, perhaps due to the anti-malware initiative Stopbadware or corruption of the term "malware".

Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other U.S. states.

Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs.

Purposes

Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks generally intended to be harmless or merely annoying rather than to cause serious damage. Young programmers learning about viruses and the techniques used to write them might write one to prove that they can do it, or to see how far it could spread. As late as 1999, widespread viruses such as the Melissa virus appear to have been written chiefly as pranks.

A slightly more hostile intent can be found in programs designed to vandalize or cause data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the filesystem by writing junk data. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, these worms may seem like the online equivalent to graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.

However, since the rise of widespread broadband Internet access, more malicious software has been designed for a profit motive. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography, or to engage in distributed denial-of-service attacks as a form of extortion.

Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are generally installed by exploiting security holes or are packaged with user-installed software, such as Limewire.

Infectious malware: viruses and worms

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. Originally, the term computer virus was used for a program which infected other executable software, while a worm transmitted itself over a network to infect other computers. More recently, the words are often used interchangeably.

Today, some draw the distinction between viruses and worms by saying that a virus requires user intervention to spread, whereas a worm spreads automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file to infect the system, would be classified as viruses, not worms.

Capsule history of viruses and worms

Before Internet access became widespread, viruses spread on personal computers by infecting programs or the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever the program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or boot floppies, so they spread heavily in computer hobbyist circles.

The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes in network server programs and started itself running as a separate process. This same behavior is used by today's worms as well.

With the rise of the Microsoft Windows platform in the 1990s, and the flexible macro systems of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications, but rely on the fact that macros in a Word document are a form of executable code.

Today, worms are most commonly written for the Windows OS, although a small number are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network for computers with vulnerable network services, break in to those computers, and copy themselves over. Worm outbreaks have become a cyclical plague for both home users and businesses, eclipsed recently in terms of damage by spyware.

Concealment: Trojan horses, rootkits, and backdoors

For a malicious program to accomplish its goals, it must be able to do so without being shut down, or deleted by the user or administrator of the computer it's running on. Concealment can also help get the malware installed in the first place. By disguising a malicious program as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.

Often attempting to delete malicious software on a computer may activate the software, causing damage and the infection of other files in the computer. Some anti virus programs that fail to stop Malware and Trojans on the computer have a virus chest file. This is an isolated folder where infected files can be stored and protected from usage until they are removed.

Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting all the user's files, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local networks.

One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads off the Web or a peer-to-peer file-trading network. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement which states the behavior of the spyware in loose terms, but knowing that users are unlikely to read or understand it.

Once a malicious program is installed on a system, it is often useful to the creator if it stays concealed. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.

A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed, in order to allow the attacker access in the future. The idea has often been floated that many computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.

Malware for profit: spyware, botnets, loggers, and dialers

During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. (Although some viruses were spread only to discourage users from illegal software exchange.) More recently, the greater share of malware programs have been written with a financial or profit motive in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.

Since 2003 or so, the most costly form of malware in terms of time and money spent in recovery has been the broad category known as spyware. [citation needed] Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others often called "stealware" by the media overwrite affiliate marketing codes so that revenue goes to the spyware creator rather than the intended recipient.

Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement which purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.

Another way that financially-motivated malware creator can monetize their infections is to directly use the infected computers to do work for the creator. Spammer viruses, such as the Sobig and Mydoom virus families, are commissioned by e-mail spam gangs. The infected computers are used as proxies to send out spam messages. The advantage to spammers of using infected computers is that they are available in large supply (thanks to the virus) and they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to anti-virus software or other security measures.

Lastly, it is possible for a malware creator to profit by simply stealing from the person whose computer is infected. Some malware programs install a key logger, which copies down the user's keystrokes when entering a password, credit card number, or other information that may be useful to the creator. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.

Another way of stealing money from the infected PC owner is to take control of the modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leave the line open, charging the toll to the infected user.

Vulnerability to malware

In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

  • Homogeneity – e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.
  • Defects – most systems containing errors which may be exploited by malware.
  • Unconfirmed code – code from a floppy disk, CD or USB device may be executed without the user’s agreement.
  • Over-privileged users – some systems allow all users to modify their internal structures.
  • Over-privileged code – most popular systems allow code executed by a user all rights of that user.

An oft-cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.

Most systems contain bugs which may be exploited by malware. Typical examples are buffer overruns, in which an interface designed to store data in a small area of memory allows the caller to supply too much, and then overwrites its internal structures. This may used by malware to force the system to execute its code.

Originally, PCs had to be booted from floppy disks, and until recently it was common for this to be the default boot device. This meant that a corrupt floppy disk could subvert the computer during booting, and the same applies to CDs. Although that is now less common, it is still possible to forget that one has changed the default, and rare that a BIOS makes one confirm a boot from removable media.

In some systems, non-administrator users are over-privileged by design, in the sense that they are allowed to modify internal structures of the system. In some environments, users are over-privileged because they have been inappropriately granted administrator or equivalent status. This is a primarily a configuration decision, but on Microsoft Windows systems the default configuration is to over-privilege the user. This situation exists due to decisions made by Microsoft to prioritize compatibility with older systems above security configuration in newer systems and because typical applications were developed without the under-privileged users in mind. As privilege escalation exploits have increased this priority is shifting for the release of Microsoft Windows Vista. As a result, many existing applications that require excess privilege (over-privileged code) may have compatibility problems with Vista. However, Vista's User Account Control feature attempts to remedy applications not designed for under-privileged users through virtualization, acting as a crutch to resolve the privileged access problem inherent in legacy applications.

Malware, running as over-privileged code, can use this privilege to subvert the system. Almost all currently popular operating systems, and also many scripting applications allow code too many privileges, usually in the sense that when a user executes code, the system allows that code all rights of that user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be disguised.

Given this state of affairs, users are warned only to open attachments they trust, and to be wary of code received from untrusted sources. It is also common for operating systems to be designed so that device drivers need escalated privileges, while they are supplied by more and more hardware manufacturers, some of whom may be unreliable.

Eliminating over-privileged code

Over-privileged code dates from the time when most programs were either delivered with a computer or written in-house, and repairing it would at a stroke render most anti-virus software almost redundant. It would, however, have appreciable consequences for the user interface and system management.

The system would have to maintain privilege profiles, and know which to apply for each user and program. In the case of newly installed software, an administrator would need to set up default profiles for the new code.

Eliminating vulnerability to rogue device drivers is probably harder than for arbitrary rogue executables. Two techniques, used in VMS, that can help are memory mapping only the registers of the device in question and a system interface associating the driver with interrupts from the device.

Other approaches are:

  • Various forms of virtualization, allowing the code unlimited access only to virtual resources
  • Various forms of sandbox or jail
  • The security functions of Java, in java.security

Such approaches, however, if not fully integrated with the operating system, would reduplicate effort and not be universally applied, both of which would be detrimental to security.

Academic research on malware: a brief overview

The notion of a self-reproducing computer program can be traced back to 1949 when John von Neumann presented lectures that encompassed the theory and organization of complicated automata.Neumann showed that in theory a program could reproduce itself. This constituted a plausibility result in computability theory. Fred Cohen experimented with computer viruses and confirmed Neumann's postulate. He also investigated other properties of malware (detectability, self-obfuscating programs that used rudimentary encryption that he called "evolutionary", and so on). His doctoral dissertation was on the subject of computer viruses.Cohen's faculty advisor, Leonard Adleman (the A in RSA) presented a rigorous proof that, in the general case, algorithmically determining whether a virus is or is not present is Turing undecidable.This problem must not be mistaken for that of determining, within a broad class of programs, that a virus is not present; this problem differs in that it does not require the ability to recognize all viruses. Adleman's proof is perhaps the deepest result in malware computability theory to date and it relies on Cantor's diagonal argument as well as the halting problem. Ironically, it was later shown by Young and Yung that Adleman's work in cryptography is ideal in constructing a virus that is highly resistant to reverse-engineering by presenting the notion of a cryptovirus.A cryptovirus is a virus that contains and uses a public key. In the cryptoviral extortion attack, the virus hybrid encrypts plaintext data on the victim's machine using the virus writer's public key. In theory the victim must negotiate with the virus writer to get the plaintext back (assuming there are no backups). Analysis of the virus reveals the public key, not the needed private decryption key. This result was the first to show that computational complexity theory can be used to devise malware that is robust against reverse-engineering.

Another growing area of computer virus research is to mathematically model the infection behavior of worms using models such as Lotka-Volterra equations, which has been applied in the study of biological virus. Various virus propagation scenarios have been studied by researchers such as propagation of computer virus, fighting virus with virus like predator codes, effectiveness of patching etc.

Emerging vectors and pathways

Wikis and Blogs

Innocuous wikis and blogs are not immune to hijacking. It has been reported that the German edition of Wikipedia has recently been used as an attempt to vector infection. Through a form of social engineering, users with ill intent have added links to web pages that contain malicious software with the claim that the web page would provide detections and remedies, when in fact it was a lure to infect.

Targeted SMTP Threats

Targeted SMTP threats also represent an emerging attack vector through which malware is propagated. As users adapt to widespread spam attacks, cybercriminals distribute crimeware to target one specific organization or industry, often for financial gain

7.Adware

Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.

Application

Adware is software with advertising functions integrated into or bundled with a program. It is usually seen by the programmer as a way to recover programming development costs, and in some cases it may allow the program to be provided to the user free of charge or at a reduced price. The advertising income may allow or motivate the programmer to continue to write, maintain and upgrade the software product.

Some adware is also shareware, and so the word may be used as term of distinction to differentiate between types of shareware software. What differentiates adware from other shareware is that it is primarily advertising-supported. Users may also be given the option to pay for a "registered" or "licensed" copy to do away with the advertisements.

Controversy

There are concerns about adware because it often takes the form of spyware, in which information about the user's activity is tracked, reported, and often re-sold, often without the knowledge or consent of the user. Of even greater concern is malware, which may interfere with the function of other software applications, in order to force users to visit a particular web site.

It is not uncommon for people to confuse "adware" with "spyware" and "malware", especially since these concepts overlap. For example, if one user installs "adware" on a computer, and consents to a tracking feature, the "adware" becomes "spyware" when another user visits that computer, and interacts with and is tracked by the "adware" without their consent.

Spyware has prompted an outcry from computer security and privacy advocates, including the Electronic Privacy Information Center. Often, spyware applications send the user's browsing habits to an ad-serving company, which then targets adverts at the user based on their interests. Kazaa is one example of a popular file-sharing program that delivers target ads to its users.

Adware programs other than spyware do not invisibly collect and upload this activity record or personal information when the user of the computer has not expected or approved of the transfer, but some vendors of adware maintain that their application which does this is not also spyware, due to disclosure of program activities: for example, a product vendor may indicate that since somewhere in the product's Terms of Use there is a clause that third-party software will be included that may collect and may report on computer use, that this Terms of Use disclosure means the product is just adware.

A number of software applications are available to help computer users search for and modify adware programs to block the presentation of advertisements and to remove spyware modules. To avoid a backlash, as with the advertising industry in general, creators of adware must balance their attempts to generate revenue with users' desire to be left alone.

Well-known adware programs

The Eudora e-mail client is a popular example of an adware "mode" in a program. After a trial period during which all program features are available, the user is offered a choice: a free (but feature-limited), an ad-supported mode with all the features enabled, or a paid mode that enables all features and turns off the ads. If the user choose the ad-supported mode, Eudora becomes adware, although according to Qualcomm the program does not collect any information about user activity.

Prevention

Programs have been developed in order to detect, quarantine, and remove spyware. As there is many adware software that is also spyware or malware, most of these programs apply to adware too. Among the more prominent applications are Ad-Aware and Spybot Search & Destroy. These programs are designed specifically for spyware detection and will not detect viruses, although some commercial anti-virus programs can also detect adware and spyware.

Best practices for general security on the Internet, especially when browsing the World Wide Web (where a large portion of adware is installed from via security holes and social engineering), include the following:

  • Do not install excessive additional toolbars to your browser, as they may slow down the browser or become a source of adware or spyware.
  • Keeping up-to-date with security patches and operating system updates (in the case of Microsoft Windows, from Windows Update)
  • Set pre Internet Explorer versions previous to version 7 to prompt for ActiveX installation (this is turned on by default in version 7).
  • Using an alternative Web browser to Internet Explorer (e.g. Opera, Mozilla Firefox, Safari, etc.)
  • Install ad-blocking software (Trend Micro Internet Security and Norton Internet Security both support this feature; advanced users can use the MVPS HOSTS file). For users of Firefox, there is the Adblock extension, which can prevent harmful or annoying ads displayed on websites, while users of Opera have this functionality built into the browser. Internet Explorer users can download the free IE7 Pro extension that has ad blocking capabilities.
  • Use free alternatives of software from software that includes adware.
  • Use other alternatives of operating systems to Microsoft Windows (eg. Linux, Mac OS X).
8.Backdoor

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining covert access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program and/or hardware device.

Overview

The threat of backdoors surfaced when multiuser and networked operating systems became widely adopted. Petersen and Turn discussed computer subversion in a paper published in the proceedings of the 1967 AFIPS Conference.They noted a class of active infiltration attacks that use "trapdoor" entry points into the system to bypass security facilities and permit direct access to data. The use of the word trapdoor here clearly coincides with more recent definitions of a backdoor. However, since the advent of public key cryptography the term trapdoor has acquired a different meaning. More generally, such security breaches were discussed at length in a RAND Corporation task force report published under ARPA sponsorship by J.P. Anderson and D.J. Edwards in 1970.

A backdoor in a login system might take the form of a hard coded user and password combination which gives access to the system. A famous example of this sort of backdoor was as a plot device in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password (his dead son's name) which gave the user access to the system, and to undocumented parts of the system (in particular, a video game–like simulation mode).

An attempt to plant a backdoor in the Linux kernel, exposed in November 2003, showed how subtle such a code change can be.In this case a two-line change appeared to be a typographical error, but actually gave the caller to the sys_wait4 function root access to the system.

Although the number of backdoors in systems using proprietary software (that is, software whose source code is not readily available for inspection) is not widely credited, they are nevertheless periodically (and frequently) exposed. Programmers have even succeeded in secretly installing large amounts of benign code as Easter eggs in programs, although such cases may involve official forbearance, if not actual permission.

It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).

Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer (generally a PC on broadband running insecure versions of Microsoft Windows and Microsoft Outlook). Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines. Others, such as the Sony/BMG rootkit distributed silently on millions of music CDs through late 2005, are intended as DRM measures — and, in that case, as data gathering agents, since both surreptitious programs they installed routinely contacted central servers.

A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks have been termed kleptography; they can be carried out in software, hardware (for example, smartcards), or a combination of the two. The theory of asymmetric backdoors is part of a larger field now called cryptovirology.

There exists an experimental asymmetric backdoor in RSA key generation. This OpenSSL RSA backdoor was designed by Young and Yung, utilizes a twisted pair of elliptic curves, and has been made available.

Reflections on Trusting Trust

Ken Thompson's Reflections on Trusting Trust was the first major paper to describe black box backdoor issues, and points out that trust is relative. It described a very clever backdoor mechanism based upon the fact that people only review source (human-written) code, and not compiled machine code. A program called a compiler is used to create the second from the first, and the compiler is usually trusted to do an honest job.

Thompson's paper described a modified version of the Unix C compiler that would:

  • Put an invisible backdoor in the Unix login command when compiled, and as a twist
  • Also add this feature undetectably to future compiler versions upon their compilation as well.

Because the compiler itself was a compiled program, users would be extremely unlikely to notice the machine code instructions that performed these tasks. (Because of the second task, the compiler's source code would appear "clean".) What's worse, in Thompson's proof of concept implementation, the subverted compiler also subverted the analysis program (the disassembler), so that anyone who examined the binaries in the usual way would not actually see the real code that was running, but something else instead. This version was never released into the wild. It was released to a sibling Bell Labs organization as a test case; they never found the attack.

In theory, once a system has been compromised with a back door or Trojan horse, such as the Trusting Trust compiler, there is no way for the "rightful" user to regain control of the system. However, several practical weaknesses in the Trusting Trust scheme have been suggested. (For example, a sufficiently motivated user could painstakingly review the machine code of the untrusted compiler before using it. As mentioned above, there are ways to counter this attack, such as subverting the disassembler; but there are ways to counter that defense, too, such as removing the hard disk and physically examining the program's binary disk image — security is always a metaphorical arms race.)

Backdoors in the media

  • The popular movie WarGames is about a teenage hacker who discovers a backdoor inserted in the Department of Defense's computer system by the system's designer
  • The Keymaker in the Matrix Trilogy was a program used to create keys to the various backdoors of the Matrix.
  • Part of the plot of the Dan Brown novel Digital Fortress involves an attempt by the NSA to place a backdoor in an apparently unbreakable piece of encryption software; this theme may have been inspired by the real-life Clipper chip.
  • In the Battlestar Galactica miniseries, a Cylon agent states that she programmed backdoors into widely implemented military software to shut down human defenses and allow nuclear bombardment.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)