February 6, 2018 | Author: Doris Stewart | Category: N/A
Download 3 Spyware Categories and Threat Levels...
Users Should Be Concerned of Spyware in Free P2P Software Laxma Nandikonda Helsinki University of Technology
[email protected]
Abstract
in their large EULAs which the users generally do not read or understand. For instance, the EULA which is used by Internet users are now a days using Peer-to-Peer networks Grokster1.6 consists of 35 pages of text [23]. One more mato share all kinds of files. The users are motivated both by jor drawback to the users of P2P that contain spyware is the the cost-free content and by the amount of content they can degradation of system performance. The Adware and other share. Because of the popularity of P2P software, it is tar- spyware elements consume considerable amount of storage, geted by spyware communities. There are various categories bandwidth and CPU load which makes the user systems of spyware that come bundled with the P2P software. This slow. paper is a literature study and describes different spyware elThe main aim of this paper is to identify the P2P fileements and their behavior in P2P applications and also the sharing programs that admit, in their EULAs to contain spythreat they pose to the users. The threat posed by these spy- ware. There are various kinds of spywares that the P2P software elements to the user is sometimes minimum, sometimes wares are bundled with. The threat to the user may be minimoderate and sometimes severe or disastrous. We have cate- mum, moderate and in some cases, severe or disastrous. Evgorized different spyware elements in different P2P applica- ery spyware in each P2P application will be studied for its tions by the threat they pose. We found that all the popular behaviour, what exactly it spies on and the threats they pose P2P softwares such as Kazaa, Morpheus, LimeWire, IMesh, based on the information from EULAs and selected other BearShare and AudioGalaxy contain some spyware elements sources. We will then categorize the P2P file-sharing proand pose a significant threat. grams according to the level of threat. The threat categories used are presented in (Sec. 3). KEYWORDS: P2P, Peer-to-Peer, Spyware, Adware, File-Sharing, Kazaa, Morpheus, LimeWire, IMesh, BearShare, AudioGalaxy. 2 Background
1 Introduction Peer-to-Peer (P2P) computing is basically a file-sharing program between peers connected directly instead of via a central server. P2P has become very popular in the last few years because the users can share all kinds of files for free of cost [2]. The popularity of P2P can be estimated from a survey that says approximately 5 million users are sharing 900 million files using P2P networks at any given time [24]. Tens of P2P softwares are available today over the Internet for free download. However, the companies which claim their P2P software is free are doing business by spying on the user’s computers and therefore often the users pay for the software in some manner. Most of these free P2P softwares contain some kind of spyware elements which are downloaded and installed with the P2P software itself [14]. Some of the spyware simply contain advertisements while others are more dangerous and could result in severe damage to the users or their organizations. The P2P and spyware organizations use the End User License Agreements (EULA) and privacy statements to specify the various components that come bundled with in their products. However, many spyware organizations do not clearly say in their EULA what they spy on the user computer and how they are going to use the personal information of the users [3]. They deceptively specify these things
2.1
Peer-to-Peer Computing
Since the introduction of P2P as simple file sharing protocols, it has been much developed, increasing its potential positively as well as negatively [1]. Today, P2P is also used for instant messaging, resource sharing such as CPU cycles and memory, grid computing etc.[14]. The popularity of file-sharing grew tremendously with the introduction of Napster. Napster is a file server which allows peers to share files through it. Because people were sharing copyrighted material through it, the legal authorities shut down Napster. Following the shut down of Napster, the Gnutella file-sharing protocol was introduced with a different idea. Unlike Napster, the Gnutella did not need any central server [24]. Therefore, it cannot be shut down by simply turning off one or few peers. Gnutella clients can connect to other Guntella clients and can share files without any central authority. But Gnutella was slow and did not have any advanced features like smart search facility which resulted in its popularity soon fading [24]. Then the next generation of P2P software, like Kazaa, Morpheus, Grokster etc. came along with more efficient protocols and with advanced features such as searching, supernodes where some nodes of the network serving as supernodes and some nodes with enough resources can serve to store caches and to help connect users etc.[24]. These features made them very popular because of the ease of searching and the increase in speed. Nowadays
HUT T-110.551 Seminar on Internetworking
2005-04-26/27
P2P software like Bittorrent, Blubster, Filetopia etc. are even able to mask the source and destination IP addresses and are using encryption to make the users feel safe from legal authorities [24]. Thus, today the users can share the files without any central control which is resulting in the loss of billions of dollars mainly to the multimedia industry. Indeed, controlling the illegal file sharing over a network of equals with P2P software installed over millions of machines has become almost impossible.
3.2
2.2
Threat - The threat posed by Trojan Horses depends on the purpose for which it is built. Therefore the threat can be minimum, moderate or severe. The viruses are usually delivered by trojan horses.
Definition of Spyware
Steve Gibson stresses that any “backchannel connection must be preceded by a complete and truthful disclosure of proposed backchannel usage, followed by the receipt of explicit, informed, consent for such use”[3]. Any software that breaks these rules is guilty of spying and is defined as spyware. However in this article we use the most commonly used definition that defines spyware as a hidden software that spies on the user by collecting information about the user, such as his e-mail address, web surfing habits, credit card details and other personal information and communicates this information to other intrested parties.
3 Spyware Categories and Threat Levels There are various spyware programs existing today and new spyware programs are appearing on a daily basis. Based on their behavior and threat level they can be categorized as follows.
3.1
Adware
Behaviour - Adware is the most common form of spyware in all of the P2P programs [2]. It displays advertisements such as pop-up ads, flash banners and other messages which are neither associated with the product nor with what the user is surfing at that moment. Most of the Adware stores the popup ads on the user machine and triggers them at appropriate times. Threat - The threat posed by Adware is generally minimum but it could be very annoying to the user if the frequency at which ad display is high. The Adware component collects the user browsing information such as web sites visited, response to ad display etc and send to the predefined destination servers [2]. Adware may also decrease the overall performance of the system. They take sufficient amount of memory to store ads. They consume sufficient amount of bandwidth to download ads regularly. The bandwidth consumption increases when the number of adware components are more and when they need to download high graphical ads such as 3D and flash banners. They also take CPU load when they need to display ads. The effect is particularly considerable for the users with slow Internet connection and users having relatively poor hardware configuration [2].
Trojan Horses
Behaviour - Trojan horse is a program that pretends as a normal application program. Once it gets installed on the user machine it can break the security and may cause the intended damage to the user. Different Trojan horses may be for different purposes. Once they get installed into the user system, they may download more Trojans in the backdoor and the system may become more susceptible to other Trojans. Some Trojans steal passwords, some steal personal information, some take control of your system etc.
3.3
Browser Hijackers
Behaviour - These are malicious programs that change the default or home page of the browser to their own intrested page. These programs also add their own bookmarks and can also redirect the user requests to different sites. It is also very difficult to remove these kinds of software. Threat - The threat posed by Browser Hijackers is minimum. By redirecting the user requests to a different server enables the third parties to collect user web surfing information. They can also be very annoying as the user can see that something against his wish is happening.
3.4
Key Loggers
Behaviour - Key loggers silently collects and logs all the key strokes the user enters in. They are then transmitted to their own servers using email or some other protocol. Threat - The threat posed by Key loggers vary from minimum to disastrous. These could be more dangerous when they log the usernames, passwords, credit card details, pin codes etc.
3.5
Browser Helper Object
Behaviour - A BHO is an utility object developed with the intention to help the user with what he is searching for. It gets loaded by the Internet Explorer whenever it is launched. But its purpose has been hijacked by spyware communities so that they can detect the events on the IE and triggers a respective action of its own intrest. BHO often installs as a toolbar or search box to the Internet Explorer. It can acquire the complete access to the web browser and can modify or spy or even redirect the user requests. The firewalls does not stop BHOs as these are developed as browser useful extensions. Threat - The threat posed by BHO can vary from minimum to maximum thus causing a severe damage to the users or their organizations. The BHOs can grab any POST/GET data from the forms within Internet Explorer before they are encrypted. The BHOs can create a new window that has links what the user is searching for, display pop-up ads and
HUT T-110.551 Seminar on Internetworking can take actions of its own intrest by listening to the user events within the browser.
2005-04-26/27
non-identifiable information of the user to its remote servers and creates a user profile [12]. The privacy policy of GAIN network says that it collects information about the web sites visited, the amount of time spent on each web site, num3.6 Data Miners ber of clicks, user response to online advertisements, web Behaviour - Data miners are software that track the user web log information, system settings, software and versions used, surfing behavior, collect information from the online forms first name, country, city, postal code and other non-personal the user enters into, collect information from other sources identifiable information on web pages and online forms and within the system etc. They dig all the information they can gator-eWallet password if the user has one. It also reads the and transmit to remote servers for their own business pur- cookies stored by other web sites and transmits to their own servers and third parties to request more appropriate ads.[12] poses. Once the user profile is created it allocates memory on the Threat - The threat posed by Data Miners vary from min- user machine. Then it will download and store the pop-up imum to maximum damage to the user. Data miners can be advertisements and banners that match the profile. It trigBHOs, key loggers. They can collect the user web surfing gers these pop-up advertisements and banners in real time information, shopping and e-mail communication details, in- when the user is surfing the related content on the web even stant messaging text and might collect system configuration though the software with which it was distributed is not acand other personal information. tive. Though the privacy policy of Gator states that they do not collect any personal identifiable information, the first name along with postal code, city makes some sort of per3.7 Remote Installers sonal identification and is objectionable to many users. The Behaviour - These are programs that pretends as an auto- GAIN AdServer regularly communicates with their remote update functionality in most of the P2P softwares. Once servers and rarely third party servers to update and mainthese remote installers are installed on the user machine, they tain the gain supported software, to retrieve advertisements may silently connect to the remote servers to update existing and banners [12]. And also depending upon the number of software, or to download new additional spyware elements. advertisers the GAIN network is supporting, the GAIN AdServer takes sufficient amount of memory, bandwidth and Threat - The threat posed by remote installers vary de- the power of the machine thus degrading the performance of pending on what new software being downloaded and in- the user machine. stalled. The threat may be severe if the installed software Cydoor also delivers advertisements based on the user besoftware is an intended trojan horse. The EULA’s do not haviour of web surfing. Cydoor collects user data such as specify what exact software will be downloaded and installed gender, age, interests, marital status, salary, area code, counbefore installing the P2P software. The EULA’s only specify try and education and distributes it to the parties that adverthat they often update or install new intrested components. tise with the Cydoor software[6]. The Cydoor component These could be trojan horses, data miners, key loggers and works in the same way as GAIN AdServer by allocating sometimes they may gain full control if the machine is poorly some memory to download and store the advertisements. It protected. also has an auto-update functionality that regularly contacts its servers and third parties to update their ads. The third party ad servers associated with cydoor technology makes 4 Material use of cookies[6]. Cydoor works with third-party ad servers such as ValWe have selected six different P2P application software that contain spyware. We have selected Kazaa, Morpheus, Bear- ueClick, Commission Junction, Advertising.com, RealMeShare, LimeWire, AudioGalaxy and IMesh since the down- dia.com, BeFree and others to serve advertising to the Cyload.com states that these are among the top downloads of door network [6]. Cydoor in its privacy policy states that the information collected by these third parties are not under the P2P software. control of Cydoor but they behave according to their own privacies [6]. All of these are basically adware that serves 4.1 Kazaa advertisements based on the user web interests. ValueClick Kazaa Media Desktop simply known as Kazaa is a second- serves ads and its advertisers pay to ValueClick only when generation peer-to-peer file sharing application. It is one of the user clicks on the ads displayed. ValueClick does not the most popular P2P software available today [25]. The collect any personal identifiable information. It collects inofficial kazaa website, www.kazaa.com claims that its file- formation such as browser type, IP address, Operating syssharing P2P program has been downloaded 385.2 million tem and version, web pages visited, user response to ads etc. Commission Junction, RealMedia.com, Advertising.com are times so far and over 1 million downloads every week. The Kazaa P2P software is distributed with compulsory all tracking cookies that work in the same way of providing adware from GAIN AdServer, Cydoor and also a number ads[8]. of optional third-party spyware elements such as New.net, One of the Kazaa versions has been found tampering with WebHancer, Ezula Toptext and OnFlow [16][8]. a system file of Windows operating system [13]. Windows The GAIN AdServer software collects and transmits the initially looks for the HOSTS file to resolve the IP address information regarding the web surfing behavior and other of a remote server that the user computer wants to connect
HUT T-110.551 Seminar on Internetworking to load an advertisement. Kazaa plays a trick and makes the Windows think that a dedicated ad server is located on the local machine at the IP address 127.0.0.1. When a web site tries to connect to its server to load an advertisement, Windows thinks that the ad server is located on the local machine and the real ad that is supposed to load never loads [13]. Instead Kazaa triggers its pop-up advertisements. Thus Kazaa also alters Windows system and network files without any permission from the user.
4.2
Morpheus
Morpheus uses its own proprietary peer-to-peer network protocol and can be used to search all other popular P2P networks like MusicCity, Bittorrent, Gnutella, eDonkey, Kazaa, FastTrack, NEOnet and other P2P networks [22]. Morpheus provides many advanced features for its users such as creation of playlist, file organization, instant messaging, and CPU utilization throttling functionality [17]. It also automatically resumes when a download stream is broken by selecting another source. It also boosts the download speed by selecting parts of files from different sources [17]. DoubleClick delivers advertisements to Morpheus users, which the PalTalk says, its web advertising partner. Once the user is registered with PalTalk, the user will receive emails from all the companies that are associated with PalTalk and DoubleClick. If the user wants to get rid of this spam, the only way is to unregister from all the companies he receives ads. The software may also include an element that monitors and collects the user communications information. The privacy policy of Paltalk states it also collects the user information through cookies, log files, gifs to create a user profile [18]. It collects personal identifiable information from its web site or it may also include software that collects personal identifiable information. It also ties the personal identifiable information to the user profile for its own marketing purposes. It may also disclose the non-personal identifiable information to third parties [18]. StreamCast Networks, the parent company of Morpheus includes a software with it called Browser Helper Object or browser plug-in [9]. The BHO integrates itself into Microsoft Internet Explorer. It silently re-directs the user requests through a third-party server such as Be Free to collect the user web surfing habits such as the number of times the user visits popular sites such as eBay, Amazon.com etc [9]. Big sellers like Amazon.com and others pay to web sites for redirecting traffic to them. Thus by inserting BHO into the Internet Explorer, it can also hijack the user requests to a different site without letting the users know that the Morpheus software is involved [9][10]. A version of Morpheus also includes a variant of BHO that estimates the physical location of the user 90% correctly which is one of its purpose by monitoring the urls in the web browser. It installs a process called Sentry.exe and Sentry.ini initialization file in a Windows System folder.[7] It collects any address information entered into the forms in Internet Explorer and sends the data its IPInsight servers. It also installs a downloader client that often downloads other untrusted pieces of code and can open a security hole on the users machine [7].
2005-04-26/27
4.3
BearShare
BearShare- BearShare is one of the popular P2P file sharing application that is based on open Gnutella protocol [8]. It is distributed with New.net, WeatherCast, SaveNow, BonziBuddy, Bonzy Web Compass and a few Others. New.net is installed as a plug-in for Internet Explorer. It redirects the DNS queries from the user to the new.net and adds its own subdomains such as .shop, .xxx, .inc, .tech, .sport etc [19]. It does not collect any information from the system but is developed to provide income to its company [19]. But often it may result in the lost of network connection. Since it is installed without the permission of the user and sending the user requests to a separate DNS network, it could result in a sever damage to the user. WeatherCast is an adware that provides weather information to the user. It also displays advertisements while serving as an information source. It installs files weather.exe and sometimes EmbedSE.dll and runs with a process name Weather.exe. WhenUSave is an adware program that serves ads based on the user web surfing habits. It collects user information and downloads ads based on the user intrests [8]. n-Case (Pad lookups ) and n-Case Interstitial Ad Delivery is also adware that collects information from the user web surfing habits and sends it to its server to serve more appropriate ads. It is difficult to remove once installed into the user machine. Bonzi Web Compass - It embeds itself into the Internet Explorer tool bar and when the user clicks it, it will open a web page showing free software and the Bonzi buddy element [8].
4.4
LimeWire
LimeWire is one of the popular P2P software developed to connect to the Gnutella network and is fully platform independent since it is written in Java. Since it is written in Java it takes quite much resources on a Windows machine and also degrades the performance of the machine. LimeWire carries a number of spyware elements with it such as ETraffic, ClickTillUWin, LimeShop, Aureate, Cydoor, Ezula Toptext. LimeWire installs a spyware element called ETraffic which is installed in a directory TopMoxie. This software does not provide any standard way to uninstall its software with it and is therefore hard to remove. Thus it resides on the user machine even after the uninstallation of its parent software LimeWire and silently continues its work if ever noticed by the user. LimeWire was also distributed with a trojan called W32.Dlder.Trojan which pretends as an ad application that gets installed with ClickTillUWin software [15]. This software promises the user to win a prize. It was also distributed with Kazaa, BearShare and Grokster. According to F-Secure organization, it collects all the urls the user visits and transmits them to its remote servers [15]. It also has an autoupdate functionality that opens a security hole on infected systems by downloading and activating other .exe files of their own intrest. Once the trojan gets installed, it downloads a file called explorer.exe from 2001-007.com website and installs the program into a users system folder. It then
HUT T-110.551 Seminar on Internetworking creates a startup key for the explorer.exe file and gets activated on next system startup.[15] Then it connects to its remote servers regularly and transmits the user web surfing information. It may get installed even when the users of LimeWire opt-out during installation process. It may also change the user firewall settings itself to access the Internet without users permission [15]. It may also install Ezula along with Aureate Adware, Cydoor and Limeshop which are basically adware that serve ads based on the user web surfing habits.
4.5
AudioGalaxy
AudioGalaxy became very popular immediately after the Napster was forced to shutdown by legal authorities. AudioGalaxy allows the users to search and download music files by album names, artist names and track names. It has a web interface and a small application called satellite that takes care of uploads and downloads. The satellite application automatically selects the nearest peer who has the file the user is searching for it lists all the files available even if the users are offline. These offline files can also be scheduled for download and the user can leave the application running. As soon as the user is online, it will start downloading the selected music files. AudioGalaxy is distributed with a number of spyware elements from VX2, Aureate, DoubleClick, Webcelerator, Bonzibuddy, Copernic 2001 Basic, Hotbar, Gator, OfferCompanion and Eacceleration. Among these, VX2 can cause the maximum damage to the user. The origin of this spyware is unknown [5]. It installs a single program called VX2.dll that collects and transmits information [5]. This program uses all the loopholes of the Microsoft operating system and embeds itself deeply into the system files. It becomes active when the user launches the software for the first time or when the spyware is triggered remotely. As soon as it is activated, it collects information from various sources within the system and transmits the information to its remote server [5]. First of all, the VX2 spyware program will search the whole Windows operating system directory to find a file named oeminfo.ini [5]. This file contains the information about the system such as the vendor, serial number, the processor and its speed, system configuration and sometimes the user name. It also collects the full name and e-mail address of the user from the outlook setup, a complete list of installed software from add/remove programs and other information such as browser name, operating system and its version, user language identification, time zone from different sources [5]. VX2 spyware also collects information related to the web surfing behavior of the user and distributes the information to its remote server to create a user profile. Once the profile is created it allocates memory on the user machine to download and store the pop-up advertisements based on the user profile. These pop-up advertisements are triggered whenever the user is browsing the web pretending as if they are coming from the web site the user is surfing at that time [5]. It also collects information from the online forms the user fills in, any search queries the user enters into search engines and even the information entered into SSL encrypted forms [5].
2005-04-26/27 However, the privacy policy states that the VX2 software is bundled with a special program that does not allow to collect any sensitive information like credit card details, bank account numbers and passwords. This special program is very badly coded and it ignores to collect the information from the forms only if the fields are named "pwd", "pas" or "pin" and for the credit card numbers and bank account numbers it only checks if the user entered values match the standard format [5]. Therefore the users may lose sensitive personal information to third parties and could result in direct financial damage to the user. The VX2 software also includes a program for automatically updating the VX2 spyware. It may also install any additional third-party programs, which are of its own interest. It also saves the cookie in the Windows registry to identify the user across different sessions [5].
Among the other spyware the AudioGalaxy carries, DoubleClick and Aureate are installed with the AudioGalaxy installation file and the user has no chance to opt-out both of these spyware elements [8]. Webcelerator installs the other spyware elements if the user accepts to install it. Aureate and DoubleClick creates tray icons that will increase the startup time of the operating system [8]. Aureate is an adware that stores advertisements on the user machine and triggers them at appropriate times. It displays full sized ads and sometimes flash banners that take sufficient amount of memory and load. It also has a history of crashing the browser and the user may need to restart the system. DoubleClick is also a tracking cookie that transmits information about the user web surfing behavior and other non-identifiable personal information. It uses this information and serve advertisements to the user [8].
BonziBuddy, when installed pops up a cartoon often to say that it helps in finding information the user is searching for. This buddy embeds itself into system files and its very difficult to remove [8]. A piece of this software stays on the user machine even after removing it. It then downloads the remaining part and starts all over again. Sometimes the users may even need to re-install the whole operating system to get rid of it. Webcelerator also collects information about the web surfing behavior of user and uses according to their needs [8]. Copernic 2001 Basic is a simple search utility that claims to enhance the web searching by the users [8]. Hotbar often installs advertisements on the toolbar. It collects information about the user web surfing behavior and also collects information the user enters into the search fields. Gator spyware uses cookies and asks the user if it can remember the username, passwords and other information while the user is using online forms and logins [8]. This could be harmful if it assists in remembering the credit card information or other sensitive information. OfferCompanion works with Gator which is a tracking cookie. It collects and transmits user web surfing behavior information to Gator servers. Eacceleration is installed with Webcelerator that downloads various spyware elements automatically once the Webcelerator is on the users machine [8].
HUT T-110.551 Seminar on Internetworking
4.6
IMesh
IMesh is one among the popular P2P file-sharing applications. IMesh developed its own proprietary peer-to-peer network protocol. The latest version of IMesh supports FastTrack, Gnutella and eDonkey networks to search and download the files. The most important features among the other common features of IMesh are it allows the resuming of file downloads between sessions and also allows download from multiple sources. IMesh P2P software carries a number of spyware elements such as Ezula Toptext, CommonName, New.net, FlashTrack, Sidestep, Netpal, Favoriteman, Bonzibuddy, GAIN, Cydoor, IMesh Ads Support, Hotbar, SaveNow, Gator, OffersCompanion and MySearch Bar. A single version of IMesh may not contain all the mentioned spyware but the spyware contents differ from version to version. The user can also opt-out some of the spyware elements while installing by taking few precautions. IMesh Ads Support is only pure adware in the sense that it only display ads while the user is using the IMesh software[8]. Ezula Toptext comes in different flavors and with different names by time. It runs irrespective of whether the IMesh software is running or not. It embeds advertising links to the web sites the user visits by picking the most common words from the website. The links added to the web pages relates to their advertisers. These advertising links inserted by Ezula Toptext may look like a part of the web page displayed. The links turn into yellow color when the user moves the mouse over it. Thus for a novice user, these links may look like the part of a web page itself and the user gets hijacked to a different site by clicking the link[11]. CommonName spyware installs a toolbar and a search textbox into Internet Explorer containing links to its advertisers. Whenever the user enters something into the address bar in the Internet Explorer or enters strings into search engines such as Google, Yahoo, MSN etc. it will hijack the users request by re-directing to one of their advertisers. It consumes approximately 16 Mb of memory space[8]. SideStep falls into browser helper object category. It embeds itself into the Internet Explorer toolbar component and collects information about the user web surfing habits. It installs a file named Sbcie028 and registers with regsvr32. It works by tracking the user web surfing behavior. For example when the user visits a travel site, it adds a travel menu and a tool to the toolbar containing its travel advertising partner sites. Cydoor installs a CD_CLINT.dll file. Once the software is activated it connects to its own server to get a list of their advertiser server list. The Cydoor element now collects information such as e-mail addresses if supplied by the user while registering, demographic information such as age, sex, gender, country etc and the user web surfing behavior and then transmits this information to one or more servers depending on the contracts with those advertisers [6]. It then allocates memory on the user machine, downloads and stores the advertisements and triggers them while the user is surfing the web[5]. It also has an auto-update software functionality that can download new elements, which could be problematic to the user. It also uses cookies and allocates an ID to the user
2005-04-26/27 to identify the user across different sessions [6].
4.7
Results
We have classified the spyware found in various P2P applications into different categories based on the threat they might pose to the user. The (Table 1) shows different spywares and their threat levels associated with various P2P softwares. Further the spywares mentioned in this paper may not come bundled with all versions of their respective P2P software but depends on the version. Though Adware is the most common form of spyware in all the P2P programs, there are spyware elements that are more privacy intrusive that could result in considerable and sometimes severe damage to the users or their organizations. They are categorized as Trojan Horses and Browser helper Objects and Remote installers based on their behaviour (Sec. 3.2) (Sec. 3.5) (Sec. 3.7). One of the spyware elements that was more privacy intrusive was VX2 that came bundled with AudioGalaxy for a short time. This particular spyware element can do everything a spyware can do and can result in maximum possible damage to the user (Sec. 4.5) [5]. This can be categorized essentially into all the categories of spyware based on its behaviour. Cydoor can also be considered moderately privacy intrusive based on the data it collects at various points while the user is using its parent P2P software [6]. There were also instances of spyware elements that tamper with system files [13]. Though here the Kazaa is using this technique to provide simply ads, the technique if maliciously used could result in severe damage to the users or organizations. The programs often cheat the users making them think that the events occur according to user requests. For example there are Browser Helper Objects that redirect the user requests to a different site before reaching their destination address. And again though they are using this technique mainly to collect user web surfing information, they can cause severe damage if they also collect personal information such as credit card details, passwords etc. Kazaa was also found guilty in a controversy where its BDE spyware component is using the unused processing power in its network processing tasks [22]. The spyware communities also take advantage of the user tolerance at reading their license agreements and privacy statements. Further the EULA’s do not specify exactly what information is collected and transmitted to other parties and the way they use that information. For example the Cydoor element that comes bundled with Kazaa and IMesh often asks the user to fill in forms while getting updates or while attending online surveys and use this information to build a user profile [6]. They often present a EULA to the end user before accepting, but many users simply accept it without reading. Whereas the GAIN Publishing simply say in their EULA that they do not collect any personal identifiable information, in the same EULA they clearly specified that they will collect the users first name along with city and zip code [12]. That forms a pretty identifiable information and the privacy of the user is compromised.
HUT T-110.551 Seminar on Internetworking
5 Discussion To explore the spyware and its effects in various P2P applications has been the active subject of academic research and anti-spyware organizations. The result was that many studies have found spyware components, at least adware in all of the popular P2P applications [1] [2] [8]. In the paper presented by Boldt et al. in NORDSEC 2004 [1] some practical experiments have been conducted in their labs to identify and analyze spyware components, their behaviour in various P2P file-sharing programs [1]. The experiments were carried out on various versions of P2P applications that were released between January and May 2004. The experiments were carried out on five popular P2P application programs viz. Kazaa, Limewire, Morpheus, IMesh and BearShare.[1] These experiments were based on the state preservation of the computer systems. They also captured the network data that has been transmitted and associated the traffic to their respective elements. Also the system performance was monitored to find the load, bandwidth, storage and other implications. They found that Kazaa and IMesh were carrying eight spyware elements each while Morpheus was carrying five, LimeWire four and BearShare two. Most of these spyware elements were categorized as Adware and Spybots or Browser Helper Objects while some others carrying downloaders [1].They also found that it was very hard to uninstall some of the spyware elements they have found [1]. There were also numerous spyware elements that are very difficult to uninstall. Even after removing, a piece of software stays on the user machine and keep doing their business as usual if ever noticed by the user [1]. Examples in this category are n-Case ( Pad lookups) and n-Case Interstitial Ad Delivery, ETraffic, BonziBuddy etc. Our research confirms all the earlier findings through EULA analysis and various other sources. However it has also been found from various sources that there exists more privacy intrusive spyware elements other than simple adware and browser helper objects. They have the potential to cause maximum damage to the users or their organizations. We have also observed from various researches that the spyware elements they found in different P2P softwares differ by their name and also sometimes behaviour.
6 Conclusions A lot of free software is bad for the security of the user computer particularly, peer-to-peer programs like Kazaa, Morpheus, LimeWire, IMesh, AudioGalaxy, BearShare and other P2P programs. These programs often install additional unwanted spyware programs that spy on the user computers and use the collected information for their own business purposes. These spyware components are often difficult to remove and remain on the user computer even after the user uninstalls its parent P2P software. They also take sufficient amount of user time, memory, load and bandwidth and degrades the performance of a system or network. Therefore the users should be extra careful and must read the End User License Agreement before installing any free P2P program.
2005-04-26/27 The organizations such as companies and universities should strictly prohibit the use of any freeware that carries spyware. Recently some of these P2P software companies promised no spyware commitment but since there is no single definition of spyware, it is hard to believe from the users perspective. Therefore they should not be trusted as such since they have the capability to severely damage the assets of users and their organizations. Acknowledgements I am greatful to my tutor, Ronja Addams-Moring for her expert assistance in writing a scientific paper, for constructive reviews and advices on this paper in the duration of this course. I am thankful to Roger Munn for his assistance in English writing. I am also greatful to the organizers and sponsors of Internetworking seminar who provided the framework that made this work possible.
References [1] Martin Boldt, Bengt Carlsson and Andreas Jacobsson. Exploring Spyware Effects, In Proceedings of NORDSEC, Helsinki, 3-5 November, 2004. [2] Martin Boldt, Johan Wieslander. Investigating Spyware in Peer-to-Peer tools, Masters Thesis, 2003, http://psi.bth.se/mbo/masters.thesis.pdf, referenced: 10-April-2005. [3] Michael Mc. Cardle. How Spyware Fits into Defence in Depth, In GIAC Security Essentials Certification (GSEC), The SANS (SysAdmin, Audit, Network, Security) Institute, http://www.sans.org/rr/whitepapers/malicious/905.php, referenced: 19-March-2005. [4] Lester D.Cheveallier. Spyware and Network Security, In GIAC Security Essentials Certification (GSEC), The SANS (SysAdmin, Audit, Network, Security) Institure, referenced: 05-April-2005. [5] Counter Exploitation, Adware, Spyware and other unwanted malware - and how to remove them, http://www.cexx.org, referenced: 10-April-2005. [6] Cydoor Technologies Ltd. Cydoor Desktop Media, 2004, http://www.cydoor.com/Cydoor/Company/CompanyPri vacy.htm, referenced: 01-April-2005. [7] doxdesk. http://www.doxdesk.com/parasite/IPInsight.html, referenced: 01-April-2005. [8] Academic Technology Service. Duke University, Spyware, http://www.oit.duke.edu/ats/support/spyware/index.html, referenced: 14-March-2005. [9] Declan Dunn. ClickZ Network, http://www.clickz.com/experts/archives/aff_mkt/aff_mkt /article.php/1476031, referenced: 09-March-2005.
HUT T-110.551 Seminar on Internetworking [10] eTrust. PestPatrol-Pest Encyclopedia, P2P, http://research.pestpatrol.com/search/ browse.aspx?cat=P2P, referenced: 15-April-2005. [11] Benny Evangelista. Mystery links, http://www.sfgate.com/cgi-bin/article.cgi?file=/ chronicle/archive/2001/07/30/BU231339.DTLtype=tech, referenced: 14-March-2005. [12] Claria Corporation, GAIN Publishing. Privacy Statement, 2004, http://www.gainpublishing.com/help/psdocs/kmd/priva cy-help51.html, referenced: 01-April-2005. [13] Mike Healan. Kazaa tampers with system file, http://www.spywareinfo.com/articles/kazaa/ referenced: 12-April-2005. [14] Andreas Jacobsson, Martin Boldt and Bengt Carlsson. Privacy-Invasive Software in File-Sharing Tools, In Proceedings of International Information Security Workshops, Toulouse, 22-27 August, 2004. [15] Kassen. http://www.geek.com/news/geeknews/2002jan /gee20020104009587.htm, referenced: 18-March2005 [16] Networks. Sharman Networks Privacy Statement, http://www.kazaa.com/us/privacy/privacy.htm referenced: 14-April-2005. [17] Streamcast Networks Inc. Morpheus 4.8, http://www.morpheus.com, referenced: 02-April2005. [18] PalTalk. http://www.paltalk.com/paltalk2/Privacy.htm, referenced: 06-April-2005. [19] Rich. Adware report, http://www.adwarereport.com/mt/archives/000030.html, referenced: 15-March-2005 [20] David Saurino. Adware and Spyware: A Growing Privacy and Security Problem, In GIAC Security Essentials Certification (GSEC), The SANS (SysAdmin, Audit, Network, Security) Institute, http://www.giac.org/practical/GSEC/ David_Saurino_GSEC.pdf, referenced: 05-April2005. [21] Brian J. Smith. Defending againest spyware invasion, In GIAC Security Essentials Certification (GSEC), The SANS (SysAdmin, Audit, Network, Security) Institute, http://www.giac.org/practical/GSEC/Brian_Smith_GS EC.pdf, referenced: 16-March-2005 [22] Sunbelt Spyware Research Center, http://research.sunbelt-software.com/ threat_library_list.cfm?category=P2P, referenced: 10-April-2005. [23] Kevin Townsend. The hidden threat to corporate security, http://research.pestpatrol.com/KnowledgeBase/ Whitepapers/CorporateSecurity.asp, referenced: 02April-2005.
2005-04-26/27 [24] Websense Inc, Emerging threats: Peer-to-Peer file sharing, http://www.websense.com/products/resources/wp/ EmergingThreats_P2P.pdf. referenced: 30-March2005. [25] Johan Wieslander, Martin Boldt and Bengt Carlsson. Investigating Spyware on the Internet, In Proceedings of NORDSEC, Gjovik, 15-17 October, 2003.
HUT T-110.551 Seminar on Internetworking
Table 1: Spywares associated with P2P and their threat levels Spyware Category(Sec. 3) GAIN AdServer Adware, Data miner Cydoor Adware, Remote installer New.net BHO WebHancer Adware Ezula Toptext Adware, BHO OnFlow Adware VX2 Adware, BHO,remote installer,key logger,data miner Aureate Adware Webcelerator Adware, Remote Installer Bonzibuddy Adware Copernic 2001 basic Adware Hotbar Adware, BHO Gator and OfferCompanion Adware EAcceleration Adware CommonName Adware FlashTrack Adware Sidestep BHO Netpal BHO ClickTillUWin Trojan Horse Favoriteman Adware SaveNow Adware MySearch Bar BHO
2005-04-26/27
Threat(Sec. 3) Minimum Moderate Moderate Moderate Moderate Minimum Maximum Minimum Moderate Minimum Minimum Moderate Minimum Minimum Minimum Minimum Moderate Moderate Moderate Minimum Moderate Moderate
P2P Spyware Carriers Kazaa, IMesh Kazaa, IMesh, LimeWire Kazaa, BearShare Kazaa Kazaa,IMesh, LimeWire Kazaa AudioGalaxy AudioGalaxy, LimeWire AudioGalaxy AudioGalaxy, IMesh AudioGalaxy AudioGalaxy AudioGalaxy, IMesh, Kazaa Kazaa IMesh IMesh IMesh IMesh LimeWire IMesh IMesh, BearShare IMesh
