Paper by Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, and Mea Wang
Presented @ Eicar 2010
Abstract: The typical strategy for adware authors is to install their software on as many machines as possible and, for each affected machine, display advertisements to the user(s) of that computer. In this paper we present a different model: typhoid adware. Typhoid adware is more covert, displaying advertisements on computers that do not have the adware installed.
We prove that this is a viable adware model with three proof-of-concept implementations and discuss possible defenses, for which we have two proof-of-concept implementations.
How it works:
Let’s say you are in a coffee shop enjoying a tall cappuccino and using the wireless service provided to you for free by the café. Normally, the traffic to and from the Internet passes through the access point. Let’s further suppose that I’m infected with a new piece of adware (probably got it from p2p file sharing websites or sites that provide cracks and serial numbers). This new and brilliant piece of adware will convince the other people’s laptops in the coffee shop to communicate through my computer rather than directly with the access point. Once it manages to do so, each time they access a webpage, my adware will insert advertisements in their page before delivering it to their computers. On the other hand, the adware will not do anything on my PC, so I’ll never know I’m infected; basically I’m just the carrier. Hence… the name typhoid adware.
Obviously this type of attack falls in the category of “man-in-the-middle” attacks, but the article further describes more specific details. (Btw, the article is very well written. I really enjoyed reading it, especially with the cool history lessons regarding typhoid fever.)
The first step is to convince the other computers that you are the access point. The process is described in the paper, but you can also find a short description of it on Wikipedia: http://en.wikipedia.org/wiki/ARP_spoofing
Setup: ARP spoofing to intercept and hijack connections, using the arpspoof program from the dsniff package. A simple HTTP proxy implementation (a Python app, TinyProxy) to which the content modification feature is added. All HTTP traffic (traffic using port 80/TCP) is redirected to a local port served by the modified proxy. The redirection is done with Network Address Translation (NAT) rules on the malicious node, using Netfilter and the iptables package on Linux kernels.
Further on, the paper describes three proof-of-concept implementations:
1. Intercept and modify HTML code before serving it to the victim (endless possibilities of what you can do here)
2. Video modification (requires you to download the entire video first)
3. Streaming video modification (niceeee)
The article ends with a list of possible solutions, like heuristic analysis of ARP packets, static IP-to-MAC mapping tables, the adoption of IPv6, ARP spoofing detection built into firewall software, and even the introduction of a new setting in the network configuration called “Internet café”.
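To make two of those defenses concrete, here is an added example (my own sketch, not code from the paper or from dsniff): a monitor that pre-seeds a static IP-to-MAC entry for the gateway and applies a simple heuristic to ARP replies, flagging any reply that rebinds a known IP to a different MAC, which is exactly what the carrier has to do to pull the café traffic through itself. The ARP frames and all addresses are constructed in the script for the demo.

```python
import struct

ETH_ARP = 0x0806     # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP reply frame (constructed test input only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_ip, sender_mac

class ArpMonitor:
    """Heuristic detector: the first IP->MAC binding seen (or a static one)
    is trusted; a later reply claiming the same IP from another MAC is an alert."""
    def __init__(self, static=None):
        self.table = dict(static or {})   # static entries are never overwritten
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None                   # ignore non-ARP and ARP requests
        _, ip, mac = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = f"ARP conflict: {ip} was {known}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None

# Constructed addresses for the demo (hypothetical café network).
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
CARRIER_MAC, CARRIER_IP = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 50])
VICTIM_MAC, VICTIM_IP = bytes.fromhex("ccddeeff0011"), bytes([192, 168, 1, 20])

def demo():
    """Feed three replies: two legitimate, then one rebinding the gateway IP."""
    mon = ArpMonitor(static={"192.168.1.1": "00:11:22:33:44:55"})
    frames = [build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
              build_arp_reply(CARRIER_MAC, CARRIER_IP, VICTIM_MAC, VICTIM_IP),
              build_arp_reply(CARRIER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)]
    return [mon.observe(f) for f in frames]
```

On a real host the frames would come from a raw socket or a pcap feed; the static table is the same idea as the paper's fixed IP-to-MAC mapping, and the conflict rule is the simplest of its ARP heuristics.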
And that’s about it. Good read!