Qu00l.net

Malwares


Here I present a very limited and very preliminary first reckoning of the state of what Fravia has called 'malwares'. The term malware is attributed to Bruce Schneier; however, Dan Farmer uses it in his paper 'Improving the Security of Your Site by Breaking Into It', which I believe predates Schneier's use.

Here's what Schneier had to say in his June 15, 1999 Crypto-Gram:

'Looking back from the future, 1999 will have been a pivotal year for malicious software: viruses, worms, and Trojan horses (collectively known as "malware"). It's not more malware; we've already seen thousands. It's not Internet malware; we've seen that before, too. But this is the first year we've seen malware that uses e-mail to propagate over the Internet and tunnel through firewalls. And it's a really big deal.'

And he's quite right about this: 1999 was a pivotal year for malwares. But he missed the real threat as it slid under his radar and tunneled through his firewall. Malwares are also a trend of deception, datamining, destruction and privacy invasion, fueled by vast amounts of dot.com venture capital (in order to have a 'viable business model' in a world of free information) and designed only to snare unwitting and unaware persons who are using search engines, sharewares, commercial software and, as we shall see, anything and everything in between.


Types of malwares.


In my quest I have found malwares that fall into several broad, and often overlapping, categories. These are, in no particular (well, alphabetical) order: adwares, censorwares, destroywares, spywares, trojanwares, and web-bug types of transient or persistent malwares.


Adwares

The DoubleClick et al. ongoing datamining 'operation': for illustration I present an email conversation I read from the beginning of 2000. As Chris Brenton puts it (below):
"If the government was doing this people would be freaked."

Of course the government is doing this also, and people are 'freaked'. More on that later.

Date: Wed, 09 Feb 2000 20:10:28 -0500
From: Chris Brenton 
To: firewalls@Lists.GNAC.NET
Cc: "fw-1-mailinglist@lists.us.checkpoint.com" 
Subject: How much info are you leaking?

Greetings all,

Back on 12/19/99 I posted a rather verbose message to the Firewalls list
on how a number of search engines are taking the search criteria you are
entering and submitting it back to DoubleClick. Basically what you see
is just after submitting your parameters to a search engine, your
browser connects to ad.doubleclick.net in order to send something
similar to the following:

http://ad.doubleclick.net/adl/site_you_searched.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=11996981

Where the "kw" string is your list of search parameters (key words?) and
"ord" (based on research by Adrian Colley) is a hex conversion of your
cookie ID. In other words, your ID and what you've been looking for gets
sent back to DoubleClick.

Based on this article:
http://news.cnet.com/news/0-1005-200-1531929.html?tag=st.ne.1002.tgif

this info may eventually get correlated with the rest of your personal
info. Kind of a "personality profile" if you will, similar to the modern
day credit report. Do a search on "evil hacker sites" and this gets
associated with your profile. Of course the problem is that if your five
year old searches for "pictures of naked monkeys" they may associate
these key words with your ID as well.

This has organizational security implications as well. For example how
much would your competitors pay to know what info you are searching for?
IMHO given the number of sites involved in this "info sharing" the
practice has become a few steps shy of placing a sniffer outside your
firewall.

As mentioned in that original post, I've set up a "DoubleClick honeypot"
to ID the sites that are submitting this info back to DoubleClick. The
list I have so far is:

aj.com
ajkids.com
altavista.digital.com
anywho.com
av.com
babycenter.com
boston.com
buy.com
corptech.com
drcoop.com
greatdomains.com
hoovers.com
imdb.com
infoseek.com
foodtv.com
redhat.com
remarq.com
rocketlinks.com
rtq.net
yellowpages.com

The two that really bug me are RedHat (happens from their search page,
not the main page) as you would expect them to be more sensitive to
these kinds of issues and drcoop.com as the site is for searching
medical info (I now know *way* too much about what ails my users ;).
Note that these are *not* just ad partners, these sites forward your
search info back to DoubleClick.

Since this is all outbound TCP/80 traffic, it burns right through most
firewalls. If you try and block all HTTP to DoubleClick, many browsers
choke and kick an error back to the user. The only real effective means
of killing this traffic is to proxy through JunkBusters or a honeypot
similar to my setup (detailed in my 12/19 post).

Just curious if there is anyone out there that can add/delete from the
above list. I'm also wondering _why_ they do it. Do these sites receive
some form of financial return for submitting this info? Why don't they
state what they are doing in their privacy statement?

I'm also wondering if people feel an ORBS kind of setup is in order.
It's really starting to trouble me just how much information is getting
reported back to a single agency under the guise of "target
advertising". If the government was doing this people would be freaked.

Thoughts?

All input appreciated,
Chris
--
**************************************
cbrenton@sover.net

Date: Wed, 09 Feb 2000 20:06:06 -0600
From: Eric 
To: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

I have ads.doubleclick.net (and many other similar sites) in my host file
as 127.0.0.1.  Not only does it keep my computer from giving them free
information, it also seems to make alta vista searches much faster since
it doesn't have to wait for responses from doubleclick.net.

Eric Johnson

Date: Wed, 9 Feb 2000 19:53:17 -0600
From: Jeff Bachtel 
To: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

Just a thought, but doubleclick.net _does_ have an opt-out cookie you
can send to help keep information from being correlated to your
company. Combined with a single caching proxy server (ie squid) (hey,
you want to reduce the amount you transfer from the internet anyway),
it provides a certain degree of anonymity.

Having your web cache send
id=OPT_OUT
as part of the http cookie vars is left as an exercise for the reader
(or SA)

Date: Wed, 09 Feb 2000 23:34:00 -0500
From: Chris Brenton 
To: Jeff Bachtel 
Cc: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

Jeff Bachtel wrote:
>
> Just a thought, but doubleclick.net _does_ have an opt-out cookie you
> can send to help keep information from being correlated to your
> company.

IMHO this takes care of the personal privacy issue but does not address
the corporate. The search criteria submission does not use cookies, so
even if you have this setting disabled you are going to submit info back
to DoubleClick. If you could get a look at a DoubleClick log entry on
one of the ad.doubleclick.net servers, it would look like this:

[Thu Feb  6 13:31:22 2000] [client 10.25.60.50]
/home/httpd/html/adi/altavista.digital.com/result_front;kw=Vanessa+Paradis;cat=stext;ord=25034863

Note the source IP is clearly identified. A quick whois can tie this
back to the source organization. So while you may be able to "opt out"
of the cookie setting, the info submission tied to your IP address still
takes place.

> Combined with a single caching proxy server (ie squid) (hey,

You're still passing cookies, you're still tied to the organization's IP.
You are absolutely on the right track though. Add JunkBuster to the mix
as it can be tweaked to not forward this info.

> you want to reduce the amount you transfer from the internet anyway),
> it provides a certain degree of anonymity.

Actually, this is an annoying side effect of the whole ad thing. TTL
values are set so that you have to reload each time you hit the page.
This kills the efficiency of a proxy and thus sucks up additional
bandwidth. I've noticed my cache hit rating has slowly dropped over the
last year or so. :(

> The idea of a sort of ORBS is interesting (and may have merit). If,
> for instance, ads.doubleclick.net.relays.worbs.net returns a valid ip
> (loopback), then have your proxy server transparently handle traffic
> to that site.

Agreed. This is pretty much how I run my honeypot.

> However, and automated ORBS would be fairly difficult to
> implement, as verification of information relaying is not as easy as
> it is for open relays of email.

Agreed here as well. I've noticed many sites pass back a blank "kw="
string so it's not like you can even key in on that. Still, it would be
nice to send a clear message that many Internet users take exception to
this kind of practice.

Thanks!
Chris
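As an added illustration (not part of the thread, and not Chris's honeypot code), here is a defender-side script that scans constructed proxy-log lines for the DoubleClick search-forwarding URL shape described above (/adl/<site>/result_front;kw=...;cat=...;ord=...), decodes the leaked keywords, and flags the blank "kw=" case Chris mentions. The log line format (client IP, method, URL) and all IPs, sites and search terms are made up for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified proxy-log shape: client IP, method, URL.
# These are made-up entries, not real traffic; the URL form follows the posts above.
SAMPLE_LOG = """\
10.25.60.50 GET http://www.altavista.digital.com/cgi-bin/query?q=Vanessa+Paradis
10.25.60.50 GET http://ad.doubleclick.net/adl/altavista.digital.com/result_front;kw=Vanessa+Paradis;cat=stext;ord=25034863
10.25.60.51 GET http://ad.doubleclick.net/adl/drcoop.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=11996981
10.25.60.52 GET http://ad.doubleclick.net/adl/example.com/result_front;kw=;cat=stext;ord=7
10.25.60.53 GET http://www.example.com/index.html
"""

# Matches the search-forwarding URL shape: /adl/<site>/result_front;kw=...;cat=...;ord=...
LEAK_RE = re.compile(
    r"^http://ad\.doubleclick\.net/adl/(?P<site>[^/;]+)/result_front;"
    r"kw=(?P<kw>[^;]*);cat=(?P<cat>[^;]*);ord=(?P<ord>[^;]*)"
)

def parse_line(line):
    """Return (client, url) for one log line, or None if it is not a GET."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "GET":
        return None
    return parts[0], parts[2]

def find_search_leaks(log_text):
    """Return one dict per request that forwards search terms to the ad server."""
    leaks = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, url = parsed
        m = LEAK_RE.match(url)
        if not m:
            continue
        keywords = unquote_plus(m.group("kw"))  # "+" encodes spaces in the kw value
        # An empty kw= still reveals that the client searched on that site.
        leaks.append({"client": client, "site": m.group("site"),
                      "keywords": keywords, "blank_kw": keywords == ""})
    return leaks

def summarize_by_client(leaks):
    """Map each internal client to the set of sites that forwarded its searches."""
    summary = {}
    for leak in leaks:
        summary.setdefault(leak["client"], set()).add(leak["site"])
    return summary
```

Run over real proxy logs, the per-client summary is the list of sites you would want to confirm or add to a honeypot/blocklist like the one in the first post.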

Date: Thu, 10 Feb 2000 10:47:49 +0000
From: Dorian Moore 
Cc: firewalls@Lists.GNAC.NET,
     "fw-1-mailinglist@lists.us.checkpoint.com" 
Subject: Re: How much info are you leaking?

I know this is flame bait.... but I'm not trying to start a flame war, I
just find this rather off topic for a 'firewalls' list... Although I'm a
fan of personal privacy, and of saving bandwidth, I do find it somewhat
ironic that this topic of 'traceability' is an issue on a forum concerned
in a large part about the security of computer systems against other
users, and who would be scared at the idea of someone trying to attack
them through an open system which is designed to hide the identity of
the surfer.

Yes, doubleclick or whatever company sending adverts is a pain in the
arse. Yes we all have to manage the bandwidth of all the users into our
network, yes we don't like being sold things, but this is a capitalist
society : moreso the internet has become so [a lot of that virtual
real-estate out there isn't worth a penny of the money that it's valued
at, IMHO], and part of that battle is against Doubleclick, Experian [who
traditionally did that kind of analysis of information through such
things as your credit card spending habits, which a lot of people don't
even think about] for our privacy, but I think that you also should look
at it this way : doubleclick target you with adverts : brilliant, it
means I don't get adverts for stupid irrelevant things amidst the
content that I surf. The better of two evils in my opinion.

And I agree security and privacy can be construed as the same thing - if
someone was to break into my house without doing any damage, or removing
any property it would be an invasion of privacy but a breach of
security, the same as if they did the same to my computer system - but
I've had a lot of problems with people posting incredibly rude and
malicious messages onto forums software we host, primarily through
things like anonymizer, cgicache, and privada : and I find that much
more troublesome than people holding the return IP address of my
organisation and information on what I, or my colleagues, search on
[even if it is 'how do I build nuclear bombs' or 'US government
conspiracy']. I'd rather be able to get more information on my
attackers, and have more available about me, than less - but then I feel
I've got nothing to hide : ultimately we live, we die ... if you have a
problem with what you do in between that's a philosophical issue and
definitely off topic.

Maybe people should understand more the British propaganda from the
second world war when they are using form based services on the web :
'Walls Have Ears' - a warning against eavesdropping and spying that is
still relevant today. I know of much more dangerous information analysis
going on outside of the internet than on it.

As I said, this is my opinion on the matter.... and my opinion isn't
worth much, I just thought some people might want to know they weren't
the only ones who may think like this [or am I the only one?]

Peace

d.

Date: Thu, 10 Feb 2000 08:20:53 -0500
From: Chris Brenton 
To: d@kleber.net
Cc: firewalls@Lists.GNAC.NET,
     "fw-1-mailinglist@lists.us.checkpoint.com" 
Subject: Re: How much info are you leaking?

Dorian Moore wrote:
>
> Yes, doubleclick or whatever company sending adverts is a pain in the
> arse. Yes we all have to manage the bandwidth of all the users into our
> network, yes we don't like being sold things, but this is a capitalist
> society :


This is the exact attitude I'm trying to get past. It's not about
bandwidth or advertising. It's about personal and organizational
information and the potential abuses of that information when it's in the
hands of a corporate entity in our "capitalist society". Please don't
look at what DoubleClick is spoon feeding you, look at what they are
doing and draw your own conclusions.

> I've had a lot of problems with people posting incredibly rude and
> malicious messages onto forums software we host, primarily through
> things like anonymizer, cgicache, and privada :

Then don't accept them. As someone who works in security I certainly
don't feel we should all be anonymous. These are your resources to
manage as you see fit and you should be free to accept/deny/log what
ever you want. The latest series of attacks certainly shows that too
much anonymity can be a bad thing. This does not mean that having
someone else logging what you are doing without your knowledge is
necessarily a good or even useful thing.

Cheers,
Chris


Censorwares

Malware that censors. See Peacefire for a very complete exploration of censorwares.

Destroywares

Malware that deletes, modifies, destroys.


Spywares

Malware that spies on you.
Spywares make up the bulk of the malwares that affect the internet, and are related to adwares, search engines, web-bugs, cookies, and anything else they can think of to get information on you to sell to others.

Interhack: "The Internet Privacy Project is an ongoing study of how systems on the Internet affect the privacy of the Internet population. From this page, we'll provide pointers to papers and advisories we release, as well as some of the tools that we develop in the process of our studies. "

Richard Smith, who coined the term 'web bug' has a number of papers and programs that discuss such malwares as M$ GUIDs, Real and more.

Dick Hazeleger's PDF list of 710(!!!) spywares.
Also here in HTML.

John Fitzsimons' excellent list of other Spywares.

Another long list of spywares.


Web-bugs

And other HTML, Java(Script), graphic and cookie nasties.
Meanwhile, a transient cache web-bug, which surfs right in through your proxy, firewall, etc.

Cookie lores
from pir.org.

Web-Bug FAQ from R. Smith.


Trojanwares


PGP and Promis.


And of course I realise that I have as yet nowhere near spelunked the depraved depths of the commercial fascist bastard minds who are creating these booby-traps for the unsuspecting lusers who happily download or buy or surf themselves into the gaping maw of the dark net.
Forseti+
October 23 02000.