__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                    TECHNICAL BULLETIN

      Parasite Programs; Adware, Spyware, and Stealth Networks

Revised November 11, 2002 23:00 GMT
August 16, 2002 22:00 GMT                            Number CIACTech02-004
______________________________________________________________________________

PROBLEM:    Programs are being intentionally packaged with legitimate software
            to display advertising on your screen, gather information on your
            browsing habits, and sell your unused CPU cycles and disk space.
            Current applications are relatively benign but could easily be
            used for an invasion of privacy or other malicious purposes.

PLATFORM:   Primarily Windows platforms, but could be any platform that
            connects to the Internet.

ABSTRACT:   Recent reports from Internet marketing companies outlining their
            plans have brought to light the capabilities of parasite programs
            that are being installed along with legitimate programs. These
            parasite programs give the outside company the ability to watch
            your browsing habits, examine your files, and use your unused
            computer cycles and disk space. Most of these programs currently
            place directed advertising on your computer but have the ability
            to do much more. Buried in the fine print of the user agreements
            for those programs are legal releases that may allow the software
            company uncontrolled access to your computer. The stated future
            plans of at least one of these companies include selling your
            unused disk space and computer cycles to other companies. In this
            bulletin we will discuss what is going on now, what could be done
            with the existing technology, and how to detect and get rid of it.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN: http://www.ciac.org/ciac/techbull/CIACTech02-004.shtml
 OTHER LINKS:
   "Stealth P2P Network Hides Inside Kazaa", CNet News, 4/17/02,
     http://news.com.com/2100-1023-873181.html
   "Excerpt from Brilliant Digital Entertainment's Annual Report," CNet News,
     4/2/02, http://news.com.com/2102-1023-873905.html
   CIACTech02-002: Microsoft Browser Helper Objects (BHO) Could Hide Malicious
     Code, http://www.ciac.org/ciac/techbull/CIACTech02-002.shtml
   AdAware, http://download.com.com/3000-2094-10115988.html
   SSD, http://patrick.kolla.de/software/spybotsd/navi.en.html
   BHOCop, http://download.com.com/3000-2353-5930345.html
   LavaSoft, http://www.lavasoft.de
   PepiMK, http://patrick.kolla.de
   PC Magazine, http://www.pcmag.com
   Brilliant Digital, http://www.brilliantdigital.com
   KaZaA, http://www.kazaa.com
   Symantec Article on Friendgreet Worm,
     http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.friendgreet.worm.html
______________________________________________________________________________

[Revision: 11/11/02, Added description of FriendGreet worm.]

Introduction
============

A recent article on CNet News brought to light the advances in stealth and
parasite programming and some of the plans of the purveyors of these programs.
Parasite programs are independent computer programs that are distributed and
installed along with a known program. The article described the Securities and
Exchange Commission filing of Brilliant Digital Entertainment, a digital
advertising company. Brilliant Digital makes a viewer, b3d Projector, for
displaying digital advertising. In this case, the Brilliant Digital software
was being bundled with the popular Kazaa file trading program. According to the
article, Brilliant Digital was planning to use the unused disk space and CPU
cycles on machines that had downloaded Kazaa.
In fact, they were planning to market those cycles and disk space to other
companies.

We need to separate the operation of parasite programs from resource sharing
programs such as the SETI screensaver, which searches for intelligent signals
in SETI data while your screensaver is running. Programs of this type ask to be
run on your system when you are not using it and must be directly installed by
you (not included as an extra along with some other program). That is, they
are up front about what they are planning to do with your system (it’s not
hidden in the fine print).

This bulletin will take a closer look at parasite programs: what they do, what
they could do, and how to get rid of them. It is our conclusion that programs
of this type should not be allowed to run within any company or government
facility.

How Do These Programs Work?
===========================

We currently place parasite programs in three broad classes: Adware, Spyware,
and Stealth Networks. Most of these programs get onto a system by piggybacking
on an installer for some other program that you have purchased or downloaded
onto your system. Unlike computer viruses, which attach themselves to other
programs in order to steal a ride onto another person’s system, parasite
programs are intentionally attached to the programs they ride on.

Adware
------

Probably the best-known parasites are the adware programs. The most familiar
adware are those that display advertisements on different web pages you might
visit. These ads are intentionally inserted by the owner of the web pages being
visited and generally consist of a few lines of HTML or JavaScript. Generally,
the owner of the web page is paid a few cents for each person who links from
that page to the page of the company being advertised. The links are generally
standard HTML image tags with the source of the image being the advertising
company, or JavaScript that accomplishes the same thing.
In addition to requesting an advertisement to display, these tags often send
the subject matter of the page being examined so that the advertisement
delivered to your browser is targeted to what you are interested in. Along
with a request for an advertisement image, your web browser returns to the
advertising site any cookies that the site might have previously sent to you.
These cookies identify your computer to the advertising company. They do not
identify you unless you have given them your personal information. The cookies
are also used to target the advertising to things you might be interested in
by generating a profile of the subjects of the pages your web browser visits.
A variant of this type displays an image that is only one pixel in size. This
type of ad does not contain any advertising but is used only for profiling
your browsing habits.

This type of adware also includes those annoying pop-up windows containing
advertising that appear when you visit certain web pages. The visited pages
simply contain a little JavaScript that opens a window and inserts the
advertising image in it.

Active adware is another type of adware, which consists of a program running
on your system that retrieves the advertisements and displays them according
to some condition, such as when you are running the KaZaA Media Desktop. These
programs have a stash of advertisements stored on your computer so they do not
depend on being connected to the Internet in order to display ads. They update
their ads whenever you are connected to the Internet and display them whenever
you are using your computer.

Spyware
-------

Spyware is a very different beast from adware, though they are both trying to
figure out what you are interested in so they can send you more targeted
advertising. While adware knows the subject of the page you were looking at
when the ad appeared, spyware actively tracks all your browsing and reports
back to a marketing server.
Adware can only get information about you when you access a web page that
contains an ad from the adware server. Spyware, on the other hand, tracks all
your browsing. Spyware generally hooks into your browser history file to get a
list of all pages you have visited, your favorites list to get a list of all
links you saved, your Temporary Internet Files to get more pages you have
visited, and your cookies file to get a list of what other companies you
visit. If it can find a cookie for its company, it can link you with any
adware information it has collected. This information is all collected and
sent back to the spyware server. It then proceeds to gather information about
any future pages you visit. The SaveNow program included with KaZaA appears to
be doing just that, as it has open connections to the index files in your
Temporary Internet Files, History, and Cookies directories.

Stealth Networks
----------------

Stealth networks are networks of computers that share specific types of
information. Generally, they are file sharing networks that work peer to peer
instead of client to server. That is, files are stored on many different
machines, and machines pass search requests from machine to machine until the
file is found. These networks use the normal networks to communicate but
operate as if they were a separate network. Stealth networks can be used to
store files on, and queue jobs for execution on, someone else’s system. To
operate, they must have a program installed on each person’s system that is
going to be a part of the network. Brilliant Digital’s Altnet is such a
stealth network.

Browser Helper Objects
----------------------

Browser Helper Objects (BHO) are another way that adware, spyware, or stealth
network software can get on a system. BHOs are essentially add-in programs for
Internet Explorer (see CIAC Technical Bulletin CIACTech02-002: Microsoft
Browser Helper Objects (BHO) Could Hide Malicious Code).
BHOs run and are active whenever Internet Explorer is running. As they are
executable code, they can do anything a program can do. The problem is that
there is no way within Internet Explorer to see what BHOs are attached, to
prevent them from becoming attached, or to remove them. To detect them, you
need to find their entries in the Windows registry.

Risks of Allowing Parasite Programs to Run
==========================================

The current crop of parasite programs are more annoying than anything else,
and may be an invasion of privacy. As far as we know, current parasite
programs do not cause damage, but future ones could easily do so. Parasite
programs, by their nature, have access to your system and all the files on
it. Imagine if a parasite program is spread by a rival company or by the agent
of a foreign power. Consider the things such a program could do. It has access
to all your files and has access to the Internet.

- It could send your files to a competitor’s server.
- It could monitor your e-mail and send out the contents.
- It could send e-mail as you.
- It could allow a real, human spy a backdoor into your system.
- It could allow a competitor to do their development using your computer
  power.
- It could change documents and specifications on your system to damage a
  research or engineering project.

It does not take much thought to envision all sorts of malicious things that a
program could do if given this much access to your system.

What’s In the Fine Print?
=========================

As you install different programs, most display their user agreement as part
of the installation process. You have read these agreements a thousand times,
so you probably click OK and continue without looking closely at them.
Unfortunately, by clicking OK you are acknowledging that you have read the
agreement and agree to its terms.
Many newer programs, especially those that you don’t pay for, have very
interesting terms that you should read and consider before continuing with the
installation. Read the fine print. You might be surprised at what you find.

For example, the following statements are from the KaZaA agreement.

    We may add, delete or change some or all of the software’s functionality
    provided in connection with KaZaA at any time.

Note here that they can change the functionality of KaZaA at any time to add
new features. There is no mention here of asking you if you want the feature
change. In fact, the following statement says they can do it automatically.

    You acknowledge that KaZaA or parties appointed by KaZaA may from time to
    time provide programming fixes, updates and upgrades to you, including
    automatic updates to the KaZaA Media Desktop, through electronic
    dissemination and other means. You consent to such automatic updates and
    agree that the terms and conditions of this Agreement will apply to all
    such updates.

A new feature might be to give full access to your files to a marketing
company, a competitor, or a foreign agent. Now, you might think that other
parts of the agreement should define what the Software does and what it is
allowed to do, but consider the following statement.

    KaZaA reserves the right to change or modify any of the terms and
    conditions of this license and any of the policies governing the Software
    at any time in its sole discretion without direct notice to you. Your
    continued use of the software following these changes will constitute
    your acceptance of such terms.

You have agreed to let KaZaA change these terms and conditions at any time to
whatever they want, and they do not have to notify you about the change. By
continuing to use the Software after the policy change, you are agreeing to
those changes even though you don’t know that a change has occurred. Again,
they can do anything they want with your system and you have agreed to let
them do so.
When the KaZaA package is installed, there are several other packages
piggybacked on it. In fact, because of its popularity, KaZaA has sold itself
to marketing companies as a way to get their software on a user’s system.
While you can choose not to install that software, you must opt out. That is,
the software is installed automatically unless you do something (uncheck some
check boxes).

    b3d Projector - A program for displaying 3-D images from Brilliant
                    Digital.
    Medialoads    - A media downloader.
    New.net       - A browser plug-in to access domains, like .mp3, .sport
                    etc.
    SAVENOW       - A plug-in for great shopping offers.

However, if you uninstall KaZaA, only KaZaA and the b3d Projector are removed;
all the others must be removed separately.

Of particular interest here is Brilliant Digital Entertainment. Brilliant
Digital’s license agreement, like the KaZaA agreement, states that

    BDE Reserves the right to change or modify any of the terms and conditions
    of this agreement and any of the policies governing the services at any
    time in its sole discretion. Your continued use of the software following
    BDE’s changes will constitute your acceptance of such changes.

So they can change the agreement whenever they want to. And the following
statement,

    You hereby grant BDE the right to access and use the unused computing
    power and storage space on your computer/s an /or internet access or
    bandwidth for the aggregation of content and use in distributed
    computing. The user acknowledges and authorized this use without the right
    of compensation.

is where they say they get to use your computer for free.

One more interesting section is the termination section. The section
basically says that either party can cancel this agreement at any time and, if
you cancel it, you must remove and destroy the software. However, stuck at the
end of the statement is the following line.

    The following Sections shall survive any termination of this Agreement:
    2, 3, 4, 5, 6, 7, 8, 9, and 10.
Note that there are only 10 Sections in the Agreement to begin with, and
Section 1 is where you are granted the right to use this software. All the
other provisions, including the right for BDE to use your machine for free,
are still in force.

So what was BDE going to use your computer for? BDE made a submission to the
Securities and Exchange Commission where they explained their plans.

    In February 2002, we formed Brilliant P2P, Inc., later renamed Altnet,
    Inc., to create a private, secure, peer-to-peer network utilizing
    existing, proven technology to leverage the processing, storage and
    distribution power of a peer-to-peer network comprised of tens of
    millions of users...... To develop the Altnet private peer-to-peer
    network, each computer that comprises the network must be equipped with a
    software program. To distribute the program, we bundled it in a package,
    that we call ALTNET SECUREINSTALL, with our Digital Projector. Pursuant
    to an agreement with Sharman Networks, SecureInstall, along with the
    Digital Projector, is being downloaded as part of Sharman Networks KaZaA
    Media Desktop..... To maximize the efficiency of the Altnet network,
    selected users with higher than average processing power, significant
    free space on their hard drives and broadband connectivity to the
    Internet, will first be engaged by Altnet to become main hubs on the
    network. We refer to each of these hubs as a qualified PC, or QPC. We
    intend to enter into an end user agreement with the owner of each QPC
    pursuant to which we will compensate the owner for access to and use of
    their computers while logged onto the Internet........ We intend to
    market Altnet's peer-to-peer services in three main areas: Network
    Services, Distributed Storage and Distributed Processing.

So, what are they going to do with your disk space and processing power? They
are going to sell it to other businesses to use.
They are particularly targeting advertising companies to provide a place to
store advertising content that they will push out to other systems. Note that
while they do say they are going to compensate the owners of the computers
they are using, they do not say how, and they are not really required to
compensate the owners according to the user agreement. Note also that while
the Altnet software is included in the b3d Projector installation, no mention
of it is made in the user agreement about what it is and how they plan to use
it.

The FriendGreet Worm
--------------------

An adware program called FriendGreetings has reached the point that it is
considered a worm by some antivirus programs. The program operates by sending
you a notice that you have received a greeting card, with a link to the
FriendGreetings.com website where you can pick up the card. When you go to the
website, you are told you must install an ActiveX control to view the card. As
part of the installation, you must agree to the control's license. Buried in
the license agreement are statements that say you agree to let the control
send a greeting card to everyone in your Outlook contacts list. Thus, this
adware program has all the characteristics of a worm except that you have
intentionally installed it and authorized it to send itself to all your
friends.

Detecting Parasite Programs
===========================

Parasite programs are not easy to detect because they hide in obscure
locations and link to seemingly harmless programs to get started. I must also
mention that some free programs will not operate if their advertising
components are disabled. Also, some parasites use the Web3000 package, which
replaces wsock32.dll. These packages must be carefully removed so that you
restore the original wsock32.dll as part of the uninstallation. With that in
mind, here are some ways to detect and eliminate parasites.
Internet Explorer Settings
--------------------------

One of the first things to do is to try to keep the programs out of your
system. Some of these programs are installed with a downloaded installer
program that you have to run, but others are installed automatically when you
access specific content on a web page. For example, if you access a Brilliant
Digital animation on a web page, the b3d Projector is automatically installed
along with its automatic update components. To have a chance of preventing it
from being installed, make the following settings in Internet Explorer (5.5 or
6.0).

1. Open Internet Explorer and choose Tools, Internet Options, Security tab.
2. With the Internet zone selected, click the Custom button.
3. Make sure the options "Download signed ActiveX controls" and "Download
   unsigned ActiveX controls" are both set to Prompt or Disable, and click OK
   twice.

With the Prompt setting, you will be asked before these controls are installed
on your system. If you choose to allow an installation, be sure you know what
you are installing.

AdAware
-------

AdAware is a program distributed by Lavasoft (www.lavasoft.de). There are
actually two programs: AdAware for detecting and removing parasites and
RefUpdate for automatically downloading and updating the list of known
parasites. AdAware is free to noncommercial users. Lavasoft is giving it away
in the hope that you will want to buy the Plus version, which includes real
time parasite detection.

AdAware operates much like an antivirus program in that it has a list of
signatures for the known adware and spyware programs. It uses that list to
detect and remove those programs. AdAware backs up the removed parasites so
that you can put them back if something breaks when they are removed. Because
new adware and spyware programs are being developed all the time, the list of
detection strings must be updated regularly. The companion RefUpdate program
manages the update process.
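The two registry checks described above, finding the BHO entries Internet Explorer loads and verifying the Internet-zone ActiveX download settings, as an added Python example that is not CIAC's, BHOCop's or Microsoft's code. It reads an exported .reg file (what Windows' reg export writes, as UTF-16 text) rather than the live registry, so it can also be run against a copy taken from a suspect machine; the key paths and the 1001/1004 zone values are the standard Internet Explorer ones, and the sample .reg text is constructed with a placeholder CLSID and DLL path.

```python
"""Offline audit of an exported registry file (.reg) for what this bulletin
says to check in the registry: Browser Helper Objects attached to Internet
Explorer (the key BHOCop reads) and the Internet zone's ActiveX download
settings. Added example, not CIAC's, BHOCop's or Microsoft's code; SAMPLE_REG
is constructed and its CLSID and DLL path are placeholders."""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
             r"\Internet Settings\Zones\3")
# Internet zone (3) policy values for the two ActiveX download options the
# bulletin says to set to Prompt or Disable, and the DWORD codes IE stores.
ACTIVEX_VALUES = {"1001": "Download signed ActiveX controls",
                  "1004": "Download unsigned ActiveX controls"}
SETTING_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}. '@' is the key's
    default value; string and dword data are decoded, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = ("@" if m.group(1) == "@" else m.group(1)[1:-1]), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            current[name] = data  # hex(...) and other types left as written
    return keys


def find_bhos(keys):
    """Each BHO CLSID under the IE BHO key, resolved through the CLSID key under
    HKEY_CLASSES_ROOT to the display name and DLL that IE will load. Lookups
    are case-insensitive because registry paths are."""
    lower = {path.lower(): vals for path, vals in keys.items()}
    prefix, found = BHO_KEY.lower() + "\\", {}
    for path in keys:
        if path.lower().startswith(prefix):
            clsid = path[len(prefix):].split("\\")[0]
            base = (r"HKEY_CLASSES_ROOT\CLSID\%s" % clsid).lower()
            found[clsid] = {
                "clsid": clsid,
                "name": lower.get(base, {}).get("@", "(no name)"),
                "dll": lower.get(base + r"\inprocserver32", {}).get("@", "(no server)"),
            }
    return list(found.values())


def activex_download_settings(keys):
    """{option: (setting, ok)} for the Internet zone's ActiveX download
    options; ok means Prompt or Disable, the settings the bulletin advises."""
    lower = {path.lower(): vals for path, vals in keys.items()}
    zone, report = lower.get(ZONE3_KEY.lower(), {}), {}
    for value_name, option in ACTIVEX_VALUES.items():
        setting = SETTING_NAME.get(zone.get(value_name), "Unset/unknown")
        report[option] = (setting, setting in ("Prompt", "Disable"))
    return report


SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Helper (placeholder BHO)"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"ThreadingModel"="Apartment"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
'''

if __name__ == "__main__":
    # On a suspect machine: "reg export <key> out.reg" for the keys above,
    # then open("out.reg", encoding="utf-16").read() in place of SAMPLE_REG.
    parsed = parse_reg(SAMPLE_REG)
    for bho in find_bhos(parsed):
        print("BHO %(clsid)s  %(name)s  -> %(dll)s" % bho)
    for option, (setting, ok) in activex_download_settings(parsed).items():
        print("%-36s %-13s %s" % (option, setting, "ok" if ok else "change to Prompt/Disable"))
```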
Spybot Search and Destroy (SSD)
-------------------------------

Spybot Search and Destroy (SSD) is being developed by PepiMK Software and is
currently in beta testing. It is similar to AdAware in that it uses a list of
search strings to detect known parasite programs. The list of detected
parasites appears to be built in and not updatable without updating the whole
program. SSD has additional features such as being able to insert fake spyware
and adware programs so that programs that won’t run without the advertising
will continue running. Keep in mind that the license agreements for using some
programs require that the ads be there or you must stop using the program.

BHOCop
------

BHOCop is a utility for detecting and removing Browser Helper Objects (BHO).
BHOCop is distributed by PC Magazine and is available on Download.com
(download.com.com). It detects BHOs by reading the Internet Explorer registry
key where the BHOs are stored. It then disables the BHO, without actually
removing the software from your system, by simply removing the registry key.
The software can easily be restored by restoring the registry key from a
backup file. BHOCop can be set to run at startup and to re-remove any BHOs
that have automatically restored themselves from another source.

Sysdiff
-------

Sysdiff is part of the Windows 2000 Resource Kit. It is designed for system
configuration, to determine what files are added, deleted, or changed and
what registry changes occur on a system when a program is installed. Run it
once before an installation and again after the installation to see what file
and registry changes an installer makes to a system. This is a more involved
process than the simple scanners, but it will tell you all the changes that
an installer has made to a system.

First, copy sysdiff.exe and sysdiff.inf onto your system. The sysdiff.inf
file is usually found on the distribution disk for your operating system, not
in the resource kit.
A sample sysdiff.inf file is also available at
http://www.microsoft.com/technet/prodtechnol/winntas/deploy/advsysdf.asp. The
sysdiff.inf file allows you to prevent sysdiff from examining certain files or
folders. After it is installed, run it first with a command like

    sysdiff /snap baseline

This takes an initial snapshot of your system and stores it in the file named
baseline. After you have run the installer you are interested in, run sysdiff
again with a command like the following,

    sysdiff /diff baseline diffs

This command determines the changes in the system between when baseline was
created and now, and puts those changes in the file diffs. To be able to read
the changes, dump the differences file with the command

    sysdiff /dump diffs diffs.txt

which prints out the changes in diffs as plain text in diffs.txt. Sysdiff
looks for three different kinds of changes: addition and deletion of files,
changes to system ini files (system.ini, win.ini), and changes to the
registry. Changes in each of these areas are listed separately in the output
file.

Oh
--

Oh is also part of the Windows 2000 Resource Kit. Run it once and reboot.
When you run it again, it gives you a list of all open objects. Using the
-t File option, it lists all open files by process. This list tells you what
programs are running and what files they are holding open. Of particular
interest are programs other than Internet Explorer that are holding open
files in the History, Temporary Internet Files, and Cookies directories.

To use it, copy the oh.exe program onto your system, run it once and reboot
your system. Oh installs a service that keeps track of open objects in your
system. To see what files are currently open, run it with a command like the
following.

    oh -t File -o outputfile.txt

This command looks for all open File objects and puts the output in
outputfile.txt. Check the help file for information on examining other open
objects.
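The sysdiff procedure above (snapshot, install, diff, dump) as an added Python example; this is not Microsoft's sysdiff nor CIAC's code, it covers only the file tree (sysdiff also diffs system.ini, win.ini and the registry), and its built-in demo constructs a throwaway tree and a fake installer that replaces wsock32.dll, the kind of change the Web3000 note above warns about.

```python
"""Before-and-after installation snapshots of a file tree: the sysdiff /snap,
/diff and /dump procedure from the bulletin, for any directory. Added example,
not Microsoft's sysdiff nor CIAC's code; it covers only files (sysdiff also
diffs system.ini, win.ini and the registry). demo() uses a constructed tree
and a fake installer that replaces wsock32.dll, as the bulletin says the
Web3000 package does."""
import hashlib
import json
import os
import shutil
import sys
import tempfile


def snapshot(root):
    """/snap: map every regular file under root (relative path) to its SHA-256,
    so a replaced file is caught even if its size and timestamp were preserved."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip broken links, sockets, etc.
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return snap


def diff(baseline, after):
    """/diff: what the installer added, deleted or changed between snapshots."""
    return {
        "added": sorted(set(after) - set(baseline)),
        "deleted": sorted(set(baseline) - set(after)),
        "changed": sorted(p for p in baseline if p in after and baseline[p] != after[p]),
    }


def dump(changes):
    """/dump: the diff as plain text, one path per line under each heading."""
    out = []
    for kind in ("added", "deleted", "changed"):
        out.append("%s (%d)" % (kind.upper(), len(changes[kind])))
        out.extend("  " + p for p in changes[kind])
    return "\n".join(out)


def demo():
    """Constructed scenario: snapshot a fake system tree, run a fake installer
    (overwrite wsock32.dll, drop a new DLL, delete a file), diff, clean up."""
    root = tempfile.mkdtemp(prefix="snapdemo")
    try:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "wsock32.dll"), "wb") as f:
            f.write(b"original winsock")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("a file the installer removes")
        baseline = snapshot(root)
        # The "installer": the kinds of changes the bulletin warns about.
        with open(os.path.join(sysdir, "wsock32.dll"), "wb") as f:
            f.write(b"wrapper that loads the original winsock")
        with open(os.path.join(sysdir, "parasite.dll"), "wb") as f:
            f.write(b"new component")
        os.remove(os.path.join(root, "readme.txt"))
        return diff(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Usage: snap <root> <baseline.json> | diff <root> <baseline.json> | demo
    cmd = sys.argv[1:] or ["demo"]
    if cmd[0] == "snap":
        with open(cmd[2], "w") as f:
            json.dump(snapshot(cmd[1]), f)
    elif cmd[0] == "diff":
        with open(cmd[2]) as f:
            print(dump(diff(json.load(f), snapshot(cmd[1]))))
    else:
        print(dump(demo()))
```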
Removing Parasite Programs
==========================

Removing these programs depends on the particular program and may involve
removing software and registry keys. In some cases, removing the program that
installed the parasite removes the parasite software as well. In other cases
it does not. The easiest way is to use the Add/Remove Programs control panel
to remove the package and then let a program like AdAware look for any
leftovers. For example, removing the KaZaA program using the Add/Remove
Programs control panel does not remove

    Media Loads
    Media Loads Installer
    New.Net Domains
    Save Now

Each of these programs requires a separate uninstallation using the Add/Remove
Programs control panel. It also does not remove some of the BDE Player
registry keys. While those keys don't do anything after the player is removed,
they can be removed with a program like AdAware.

Conclusions
===========

Because of their unknown nature and the high potential for abuse, parasite
programs of the active adware, spyware, and stealth network types should not
be allowed on systems within companies or the government. In the future, it
is likely that parasite program detection and removal will become a growth
industry similar to virus detection and removal. It would seem reasonable for
the antivirus community to start adding parasite program detection and removal
to their antivirus offerings.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.