Introduction

Sept 22, 2005 - This project is a combined project from CSC2231 (Internet Systems and Services) and ECE1776 (Computer Security, Cryptography and Privacy), under the supervision of Professor S. Saroiu and Professor D. Lie, respectively. The team consists of Ian Sin and Jesse Pool.

Project Description

Implement a browsing monkey: Spyware is a recent addition to the growing list of Internet security problems. Spyware exists because it collects information that has financial value. This information is important to Internet vendors and advertisers -- they use it to build profiles of Internet behavior at large or to display targeted advertisements (e.g., browser pop-ups) to users. A new approach to address the proliferation of spyware programs is to create counterfeit information. This technique does not prevent spyware installations, nor does it recover from them; instead, it focuses on decreasing the value of the information spyware collects. Information about the behavior of real users has value to the vendors that produce spyware, yet mixing in counterfeit information can significantly devalue the aggregate information collected by the spyware. This project should implement a "browsing monkey".

A browsing monkey creates the illusion of a real user browsing the Web. The monkey should be undetectable to the system (hence creating the perfect illusion). The monkey is to be fed a transcript of actions on how and what to browse as well as timings as to how long it should wait between actions. The monkey browses the Web according to the transcript. To show the benefit of a browsing monkey, this project should also show how a real spyware program collects the actions of browsing monkeys, polluting the information they collect.
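As an added illustration of the transcript-driven design described above (example code, not the WebMonkeys implementation, which was a Firefox extension written in JavaScript, XPI and XPCOM): the transcript line format, the "search" action and the timing jitter are assumptions made here, and fetch/sleep are injected so the plan can be parsed and replayed offline.

```python
import random
from urllib.parse import urlencode

# Constructed sample transcript; the line format "<wait_seconds> <action> <args>"
# is an assumption of this example, not the project's format.
TRANSCRIPT = """\
0   visit   http://www.cnn.com/
25  visit   http://www.cnn.com/WORLD/
40  search  http://www.google.com/search  weather toronto
15  visit   http://www.cnn.com/TECH/
"""


def parse_transcript(text):
    """Return a list of (wait_seconds, url) steps; malformed lines raise ValueError."""
    steps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected '<wait> <action> <args>'")
        wait, action, rest = float(parts[0]), parts[1], parts[2]
        if action == "visit":
            url = rest.strip()
        elif action == "search":  # "<form url> <query words>" -> GET with q=
            base, query = rest.split(None, 1)
            url = base + "?" + urlencode({"q": query})
        else:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"line {lineno}: not an http(s) URL: {url}")
        steps.append((wait, url))
    return steps


def run_monkey(steps, fetch, sleep, jitter=0.2, rng=None):
    """Replay the steps: wait (with +/-jitter so the gaps are not mechanically
    exact), then fetch. fetch/sleep are injected so a run can be simulated.
    Returns the (elapsed_seconds, url) log of what the monkey browsed."""
    rng = rng or random.Random()
    clock, log = 0.0, []
    for wait, url in steps:
        delay = wait * (1 + rng.uniform(-jitter, jitter))
        sleep(delay)
        clock += delay
        fetch(url)
        log.append((round(clock, 2), url))
    return log
```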


Project Proposal

Oct 6, 2005 - The project proposal has been submitted and is available in [pdf].


Progress Report

Nov 3, 2005 - The WebMonkeys Project is on schedule and we have completed Phase 1. The WebMonkey, implemented in JavaScript, XPI and XPCOM can browse the Internet according to user input or randomly. We are now looking into Xen and thinking about how to put everything together. Some minor design changes have been made, but the overall system architecture remains the same. For more details, check out the progress report [pdf].

Spyware Analysis

Nov 7, 2005 - We did a preliminary study on spyware using virtual machines in VMWare. The traffic was sniffed using Ethereal. Selected traces are available for download below. We also present some screenshots of interesting lessons we learned.

Lessons Learned

  1. The definition of Spyware is very broad (ranging from website statistics counters to full blown aggressive adware).
  2. It was easy to find IE exploits in the wild that can turn your machine into a spam hub.
  3. Despite the availability of sample exploit code for Firefox (Mozilla provides exploit code for most of their vulnerabilities) it is not easy to find these exploits in the wild. (We didn't find any examples of Firefox browser exploits in the wild.)
  4. Once Spyware was installed on the host operating system, it was generally browser independent (although context sensitive pop-ups are served in the default browser).
  5. Over several hours of browsing with spyware, we never noticed it report on information other than that found in the browser activity. (i.e. Mouse movements and keyboard strokes were not reported.) It seems that the spyware we had was only interested in browsing activity.
  6. Firefox does not incorporate the concept of security levels (probably a good thing).
  7. Even if you use IE for a bit to surf, because Windows comes with IE, and then later decide to switch to Firefox because you think it's more secure, that's not going to help you. Once you get infected with spyware, it sits on the OS and monitors your browsing habits.
  8. Using notepad to type some text did not seem to trigger the spyware to send out data. This is not a definitive conclusion since we did not spend much time investigating it.
  9. aflashcounter.com exploit does not work in FF. It exploits some vulnerability in IE W2K and SP0.

Screenshots

  1. Screenshot of aflashcounter.com infection. [PNG].
  2. Screenshot of Zango calling home. [PNG].
  3. Screenshot of KaZaA calling home. [PNG].

Traces

  1. Windows 2000 using Internet Explorer 5.0 on aflashcounter.com. This website installed some executables which turned the computer into a spamming center. Pretty impressive. [Trace].
  2. Windows XP (SP0) using Internet Explorer 6.0 and infected with Zango spyware/adware. This spyware monitors queries and keywords, with targeted popup ads. [Trace].
  3. Windows XP (SP0) using Firefox 1.0 and again infected with Zango spyware/adware. This is a long 49 hour trace with queries to Google and CNN mostly. [Trace].
  4. Windows XP (SP1) using Firefox 1.0 and infected with KaZaA spyware. [Trace].

Interesting Links

  1. Ben Edelman - Analysis of Spyware
  2. Browser independent spyware infection - Claims that it exploits JVM to get installed.
  3. Symantec: Mozilla browsers more vulnerable than IE - News.com (Sept 19, 2005)
  4. Spyware threat escalating, expert warns - ZDNet Australia (Oct 12, 2005)
  5. Keystroke spying on the rise - News.com (Nov 15, 2005)
  6. KaZaA founders to ‘borrow’ your PC to distribute content - The Register (June 6, 2003)
  7. Will certification legitimize adware? - News.com (Nov 17, 2003)


Spyware Analysis II

Nov 14, 2005 - We have performed a more detailed analysis of some spyware, specifically the software installed with KaZaA. This was carried out on two Windows XP SP1 machines (one pristine version and one infected with spyware) running in VMWare and traces were taken using Ethereal. The browsers were Internet Explorer 6.0.2800 and Firefox 1.0. The sample websites were CNN.com (general browsing) and google.com (form filling). We made sure to issue identical HTTP GET requests by flushing the file cache, cookies and DNS cache. A "diff" of the traces "pristine vs spyware" was analyzed in each case as well as "pristine vs pristine" and "spyware vs spyware" over 3 trials. Future work includes analysis of other spyware including 180solutions, but the preliminary lessons from the KaZaA exercise were as follows:

  1. The installed spyware didn't report the same websites in short periods of time. (i.e. Over three successive browses to CNN.com over a short period of time, only the first was reported by the spyware).
  2. For Google, all queries were reported to the spyware server. (Google is likely white-listed).
  3. The destination IPs found across pristine vs spyware runs are the same to a predictable mask (CNN.com /18) in most cases. The only false positives were related to ad-servers, where some trials generated a pop-up while others did not.
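The pristine-vs-spyware trace diff described above, as an added example that is not the project's own analysis script: destination addresses are collapsed to the /18 mask the text mentions before the two runs are compared, and known ad-server ranges are excluded as the false-positive source the text identifies. The flow records and ad-server ranges are constructed stand-ins for the pcap traces.

```python
import ipaddress
from collections import Counter

# Constructed flow records (client, destination IP, port) standing in for the
# pcap traces; the spyware run contains every pristine flow plus extra ones.
PRISTINE = [
    ("10.0.0.5", "64.236.16.20", 80),   # CNN front-end (constructed address)
    ("10.0.0.5", "64.236.29.120", 80),  # another CNN host in the same /18
    ("10.0.0.5", "66.102.7.99", 80),    # google.com (constructed address)
    ("10.0.0.5", "192.0.2.10", 80),     # ad server seen in the pristine runs
]
SPYWARE = PRISTINE + [
    ("10.0.0.5", "64.236.16.23", 80),   # CNN again, same /18: not a real difference
    ("10.0.0.5", "198.51.100.5", 80),   # ad server from a pop-up trial: noise
    ("10.0.0.5", "203.0.113.7", 80),    # spyware reporting server (constructed)
]
# Ad-server ranges learned from the pristine-vs-pristine trials (constructed).
AD_NETS = [ipaddress.ip_network("192.0.2.0/24"),
           ipaddress.ip_network("198.51.100.0/24")]


def mask_destinations(flows, prefix=18):
    """Collapse each destination to its /prefix network and count flows per net."""
    nets = Counter()
    for _src, dst, _port in flows:
        nets[ipaddress.ip_network(f"{dst}/{prefix}", strict=False)] += 1
    return nets


def is_ad_traffic(net):
    """True if the network overlaps a known ad-server range."""
    return any(net.subnet_of(ad) or ad.subnet_of(net) for ad in AD_NETS)


def new_destinations(pristine, spyware, prefix=18):
    """Networks contacted in the spyware run but never in the pristine run,
    with ad-server ranges dropped as the known source of false positives."""
    base = mask_destinations(pristine, prefix)
    extra = mask_destinations(spyware, prefix)
    return sorted((n for n in extra if n not in base and not is_ad_traffic(n)),
                  key=lambda n: int(n.network_address))
```

Running the same diff with prefix=32 shows why the mask matters: the rotated CNN host then surfaces as a spurious new destination alongside the real one.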

The traces are available below in pcap format:


Final Report

Dec 16, 2005 - After our spyware analysis and further discussions, the deliverables for the project were changed. Check out the final report. [pdf]

If you are interested in our tools or need more information on our project, please contact us at iansin or pool [at] eecg [dot] toronto [dot] edu.