Home > Archives > June 2006 >

Machine Shop

Drive-By Spyware

An academic study finds that Internet Explorer needs to take a note from Firefox to help stop spyware.

By Simson Garfinkel

E-mail this article  |  Printer friendly

Advertisers

Earlier this year researchers at the University of Washington published an important study of spyware on the Internet based on their analysis of 40 million webpages. The study is important for CSOs because it shows not just the magnitude of the spyware problem but also the specific kinds of behavior on the part of users that result in these devilish programs being installed on their computers. And it illustrates a significant difference in the security levels provided by Microsoft's Internet Explorer browser and Mozilla Firefox.

Spyware today is generally malicious software that exists for the sole purpose of leaking confidential information from a victim's computer to an outside organization. Some spyware merely shows pop-up advertisements or collects marketing demographics that are reported back to a central clearinghouse. Makers of this software bristle at the label of "spyware," preferring the demure term "adware" instead. Other programs capture every keystroke and mouse click, periodically uploading the data to hijacked servers controlled by shadowy hacker organizations. The keystrokes are typically used for collecting passwords and other information useful for fraud and theft. The most malicious spyware allows a computer to be remotely controlled over the Internet. These programs have been used to penetrate corporate networks and are implicated in some large-scale thefts of financial information.

Titled "A Crawler-Based Study of Spyware on the Web" and published this February at the Annual Network and Distributed System Security Symposium in San Diego, the University of Washington (UW) study used a cluster of 10 dual-processor Pentium 4 computers running a total of 40 virtual machines to crawl over 2,500 websites. The researchers started by doing searches on Google for specific keywords. They took the list of resulting URLs and explored every link on every page, to a maximum depth of three clicks.

The crawling computers were set to download and run any executable program encountered on the webpages. The researchers then scanned the computers with Lavasoft's AdAware, which was configured to report only actual spyware, excluding cookies or hostile entries in the computer's registry. After a machine was infected and then scanned with AdAware, it would automatically reload a "clean" virtual machine and start crawling the Web again. According to the authors, it took on average 92 seconds to create a clean virtual machine, install an executable, and perform an AdAware sweep. In other words, each Web-crawling virtual machine was infected with another spyware program roughly every minute and a half.

The researchers scanned 18.2 million URLs in May 2005 and nearly 22 million in October 2005. Each time, they found that roughly 20 percent of the domains scanned offered programs for download, and of those, roughly 20 percent (or 4 percent of all domains in total) had executables that were infected with spyware. But the breakdown by domain categories is revealing. Roughly 11 percent of the executables downloaded from "adult" websites and 16 percent of the executables downloaded from "celebrity" websites were infected with spyware in October 2005, but only 3 percent of the executables from "kids" or "music" websites were infected. And none of the executables downloaded from the "news" websites were infected. Interestingly, only 2 percent of those downloaded from websites offering pirated software were infected with spyware.

Not surprisingly, with adequate controls, website operators can make a significant difference in the spyware content of their downloads. Consider CNet's Download.com. In May 2005, the researchers found that 4.6 percent of the 2,370 executables downloaded were infected with spyware. But during summer 2005 CNet started a policy of scanning downloads for spyware before making them available. As a result, by October 2005 just 0.3 percent of the 1,944 executables that the researchers downloaded were infected.

One of the key distinguishing features of spyware is that these programs typically get installed covertly and then continue to hide their presence. One way spyware hides its presence is by piggybacking on programs that users want to install—for example, screen savers and wallpaper (roughly 12 percent of these executables that the researchers examined in October 2005 were infected). But spyware can also get installed during the normal course of the user's Web browsing. This is called a "drive-by download attack," and as part of their study the UW researchers specifically looked for websites employing this kind of attack.

To detect different kinds of drive-by downloads, the researchers explored four computer configurations. The first was a (simulated) computer user who browses the Web using Internet Explorer and always clicks the "yes" button on pop-up windows. The second configuration also used Internet Explorer but clicked "no" on every pop-up. The third configuration used Firefox and clicked "yes" on every pop-up. The fourth used Firefox as well but always clicked "no." The Internet Explorer systems crawled a total of 90,000 URLs that spanned nine categories: adult, celebrity, games, kids, music, news, pirate, wallpaper and random. The Firefox systems crawled a total of 45,000 URLs.

What It Means to You

The results of this part of the UW study bear serious reflection by CSOs and CISOs. Of the 90,000 URLs crawled with Internet Explorer, 1,734 (2 percent) downloaded spyware when the user clicked the "yes" button—and 129 downloaded spyware even if the user clicked "no." These webpages downloaded, and in many cases installed, spyware by taking advantage of bugs in Internet Explorer itself.

By contrast, Firefox downloaded just 36 infected files when the user clicked "yes" in response to every security dialogue—and it downloaded no files at all when the user clicked "no." According to the researchers, what caused Firefox to download the files was an applet written in Java. Running inside the Java "sandbox," the applet requires the user's explicit permission to download and install the hostile programs. So it looks like the Java security model actually works—at least, it did for the UW test. Unfortunately, if you can convince a user to click the "yes" button, the bad applications can still be installed.

To be sure, Firefox has security vulnerabilities. But the researchers at UW found that these vulnerabilities have not been exploited by spyware authors—at least, not by the spyware authors whose wares were tested in the fairly significant scope of this study. The highest percentage of sites offering drive-by downloads for Internet Explorer were found in the pirate (29 percent), games (9.9 percent) and music (8.8 percent) categoriest. For Firefox, the only categories that offered drive-by downloads were pirate (1.6 percent), celebrity (0.3 percent) and music (0.26 percent).

There are a lot of take-home messages here for CSOs. First and most obvious, spyware is a serious problem on the Internet. Although not a single news site was found to have spyware, the hostile programs were detected on every other kind of website analyzed. CNet's Download.com still had a few instances of spyware after the company began scanning its downloads!

The second lesson is that spyware can get installed through drive-by downloads even when the computer user tells his computer not to install the hostile program—but this happened only when the Web browsing was done with Internet Explorer. Firefox had no such problems.

One of the problems with this study was the researchers' definition of spyware. Rather than get involved in a philosophical discussion of what is spyware and what is not, the researchers took a very simplistic view: Anything that AdAware identified as spyware is spyware; anything that it does not identify as spyware is not. Although this definition is fine for the purpose of a research study, it probably underestimates the spyware problem as far as CSOs are concerned. The reason why AdAware almost certainly underestimates spyware is that AdAware makes spyware decisions based on whether a program is in the Lavasoft spyware database, and not on how the program actually behaves. For CSOs, behavior and use are the critical factors in deciding whether a program poses a threat to your enterprise. For example, many spyware scanners consider Virtual Network Computing (VNC) to be spyware because the program is frequently used by attackers to monitor a victim's PC. But I recently installed a copy of VNC on my mother's Macintosh—not to spy on her but so that I could log in to her computer from my house and perform necessary systems administration.

The Hits Keep Coming

The spyware problem is a big one, and it's likely to get worse. One reason is economics. According to Gartner, last year American consumers lost more than a billion dollars to phishing scams alone—much of that made possible by spyware installed on victims' computers. In order to get a handle on this spyware problem, we need a multipronged approach. First, browsers must be made more secure; there is no excuse for drive-by downloads and installs. Next, the purveyors of spyware must receive significant penalties. Third, we need to force vendors to drop "antispyware" as a separate software category and build antispyware capabilities into their antivirus products. And lastly, corporate America must wean itself from Internet Explorer until the security controls are greatly improved.

Simson Garfinkel, PhD, CISSP, is researching computer forensics and human thought at Harvard University. Reach him at machineshop@cxo.com.