Over the past few years, a relatively new computing phenomenon has gained momentum: the spread of “spyware.” Though most people are aware of spyware, the research community has spent little effort to understand its nature, how widespread it is, and the risks it presents. This paper is a first attempt to do so. We first discuss background material on spyware, including the various types of spyware programs, their methods of transmission, and their run-time behavior. By examining four widespread programs (Gator, Cydoor, SaveNow, and eZula), we present a detailed analysis of their behavior, from which we derive signatures that can be used to detect their presence on remote computers through passive network monitoring. Using these signatures, we quantify the spread of these programs among hosts within the University of Washington by analyzing a week-long trace of network activity. This trace was gathered from August 26th to September 1st, 2003. From this trace, we show that: (1) these four programs affect approximately 5.1% of active hosts on campus, (2) many computers that contain spyware have more than one spyware program running on them concurrently, and (3) 69% of organizations within the university contain at least one host running spyware. We conclude by discussing security implications of spyware and specific vulnerabilities we found within versions of two of these spyware programs.
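The abstract describes deriving per-program network signatures and applying them to a week-long trace with passive monitoring to count affected hosts, hosts running several programs at once, and organizations with at least one affected host. The following is an added example, not code from the paper or its authors; it shows the shape of such a signature-based passive analysis. The signatures, program names, HTTP requests, host list and organization mapping are all constructed placeholders (the paper's real signatures for Gator, Cydoor, SaveNow and eZula are not reproduced here), and the trace is modelled as a stream of (client address, raw HTTP request) pairs.

```python
"""Signature-based passive detection over an HTTP request trace.

Added example. SIGNATURES and the sample trace are constructed stand-ins,
not the paper's signatures or data.
"""
import re
from collections import defaultdict

# Hypothetical signatures: one regex per program, matched against the raw
# request (request line plus headers). Real signatures would be derived from
# observed traffic of the program in question.
SIGNATURES = {
    "ProgA": re.compile(r"^Host: [\w.-]*\.proga-ads\.invalid\r?$", re.M),
    "ProgB": re.compile(r"^User-Agent: ProgB-Updater/", re.M),
    "ProgC": re.compile(r"^GET /progc/report\.cgi\?", re.M),
}


def match_request(raw_request, signatures=SIGNATURES):
    """Return the set of program names whose signature matches one request."""
    return {name for name, rx in signatures.items() if rx.search(raw_request)}


def scan(records, signatures=SIGNATURES):
    """records: iterable of (client_ip, raw_http_request).

    Returns {client_ip: set(program names)} for every host with at least one hit,
    so a host that talks to two programs' servers accumulates both names.
    """
    hits = defaultdict(set)
    for ip, raw in records:
        found = match_request(raw, signatures)
        if found:
            hits[ip] |= found
    return dict(hits)


def summarize(hits, active_hosts, org_of):
    """Compute the three campus-level figures the abstract reports.

    active_hosts: set of addresses seen sending any traffic in the window
    (a host idle for the whole trace cannot be classified either way).
    org_of: mapping from address to the organization that owns it.
    """
    infected = set(hits) & active_hosts
    multi = [ip for ip in infected if len(hits[ip]) > 1]
    orgs = {org_of[ip] for ip in active_hosts}
    infected_orgs = {org_of[ip] for ip in infected}
    return {
        "infected_fraction": len(infected) / len(active_hosts),
        "multi_program_hosts": len(multi),
        "org_fraction": len(infected_orgs) / len(orgs),
    }


# Constructed sample trace: four requests from three hosts.
RECORDS = [
    ("10.0.1.5", "GET / HTTP/1.1\r\nHost: cdn.proga-ads.invalid\r\nUser-Agent: Mozilla/4.0\r\n"),
    ("10.0.1.5", "GET /u HTTP/1.1\r\nHost: up.example.invalid\r\nUser-Agent: ProgB-Updater/1.2\r\n"),
    ("10.0.2.9", "GET /progc/report.cgi?id=1 HTTP/1.1\r\nHost: stats.example.invalid\r\n"),
    ("10.0.3.1", "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nUser-Agent: Mozilla/4.0\r\n"),
]
# Constructed: 10.0.4.4 was active but sent nothing matching a signature.
ACTIVE = {"10.0.1.5", "10.0.2.9", "10.0.3.1", "10.0.4.4"}
ORG = {"10.0.1.5": "cs", "10.0.2.9": "cs", "10.0.3.1": "lib", "10.0.4.4": "med"}

if __name__ == "__main__":
    hits = scan(RECORDS)
    print(hits)
    print(summarize(hits, ACTIVE, ORG))
```

Two caveats a practitioner would keep in mind when reading numbers produced this way: plaintext request matching only sees unencrypted traffic, and a signature tied to a hostname or user-agent string goes stale when the program's update servers or client version change, so the measured fraction is a lower bound on prevalence in the trace window.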