Spyware development and analysis


Bachelor Thesis, 2011

82 Pages, Grade: 1,3


Excerpt


Contents

1 Introduction
1.1 Computer relevance today
1.2 Audio and Video impact
1.3 Laws and regulations
1.4 Related work and motivation

2 Basics
2.1 OSI reference model
2.2 Correlation of malware
2.2.1 Trojan
2.2.2 Adware
2.2.3 Virus
2.2.4 Spyware
2.2.5 Worm
2.2.6 Other
2.3 Penetration test
2.4 Operating System
2.5 Antivirus software
2.6 Firewall
2.6.1 Firewall types
2.6.2 Network Firewall
2.6.3 Personal Firewall

3 Demonstrator / prototype
3.1 Basics
3.2 Operating systems and work environment
3.3 DirectShow
3.3.1 Filter
3.3.2 Filter graph
3.3.3 Control, create and manage filter graph
3.3.4 Capture Graph
3.3.5 Filters for prototype
3.4 Data transmission
3.4.1 Initialization and socket creation
3.4.2 Send data
3.4.3 Close connection
3.4.4 Further capabilities
3.5 Firewall
3.5.1 Windows XP firewall
3.5.2 Freeware firewalls
3.5.3 Other possibilities
3.6 Virus detection

4 Conclusion
4.1 Operating System
4.2 Virus detection
4.3 Firewall
4.4 Demonstrator
4.5 Final remark and personal impression

5 Affidavit

References

List of Figures

1.1 Increase in first time feature Malware [76]
1.2 Computer equipment in European companies number of employees, who work on a PC, 2008 [9]
1.3 Computer equipment in European companies showing number of computer in private household, 2008 [9]
1.4 Procedure of the prototype

2.1 Exponential increase of infected nodes [11]
2.2 Operating system in layers [72]
2.3 Market share operating systems (July 2010) [53]
2.4 Detailed market share Microsoft and Apple (July 2010) [53]
2.5 TCP three way handshake [64]
2.6 Firewall between LAN and WAN [70]

3.1 Procedure on victim’s system
3.2 Procedure on attacker’s system
3.3 Visual overview of the Common Language Infrastructure (CLI) [71]
3.4 The relationship between an application, DirectShow components and supported hardware and software components. [28]
3.5 Filter graph for ”play a file” example. [22]
3.6 Three tasks that any DirectShow application must perform. [35]
3.7 Capture Graph Builder and the ICaptureGraphBuilder2 interface. [23]
3.8 Enumerating Devices by using the System Device Enumerator [46]
3.9 Filter graph for prototype
3.10 Transmission between victim and attacker
3.11 Windows XP firewall - allowed programs and services
3.12 ZoneAlarm alert for WebCam application
3.13 Allowed applications in default configuration
3.14 Multiple instances of svchost.exe
3.15 Registry entry for svchost.exe services
3.16 Instances of svchost.exe
3.17 An additional instance of svchost.exe executed by the signed in user victim
3.18 Overall structure of prototype
3.19 “Internal Rule” from Ashampoo - FireWall FREE 1.20 is not erasable or editable
3.20 Default rules for Ashampoo - FireWall FREE 1.20
3.21 Default rules for Ashampoo - FireWall PRO 1.14
3.22 Ashampoo process list recognize the initiated svchost.exe as a system process
3.23 Sygate default screen and settings
3.24 Sygate “Ask” dialog
3.25 Sygate dialog at start up - Windows online update
3.26 Sygate traffic history
3.27 Sygate traffic log as a diagram (timeframe 15 minutes)
3.28 Market share antivirus software [58]

4.1 Alert while starting up prototype
4.2 Add an application to autostart

List of Tables

2.1 Most prevalent malware category in 2009 [59]
2.2 Other categories [59]

3.1 Parameters used in Listing 3.30
3.2 Detected Eicar test file
3.3 Merged scan result by Virustotal and Jotti’s malware scan

Listings

2.1 Sample compression virus [15]

3.1 CoCreateInstance Function [26]
3.2 Create Filter Graph Manager [29]
3.3 IUnknown::QueryInterface Method [39]
3.4 Add IMediaControl and IMediaEvent [29]
3.5 Run the filter graph [29]
3.6 Waits for the filter graph to render all available data. [29]
3.7 Build the filter graph for file playback [29]
3.8 IGraphBuilder::RenderFile Method [33]
3.9 Create Capture Graph example [23]
3.10 ICaptureGraphBuilder2::RenderStream Method [30]
3.11 call to build long chains [24]
3.12 Create System Device Enumerator instance. [43]
3.13 ICreateDevEnum::CreateClassEnumerator Method [31]
3.14 Specify the device category as a “video capture devices” [43]
3.15 IMoniker::BindToObject Method [34]
3.16 Select first device and bind moniker to filter object [43]
3.17 IFilterGraph::AddFilter Method [32]
3.18 Create and add Sample Grabber filter [45]
3.19 ISampleGrabber::SetMediaType Method [38]
3.20 Accepted media type by demonstrator
3.21 ISampleGrabber::SetBufferSamples Method [37]
3.22 ISampleGrabber::GetCurrentBuffer Method [36]
3.23 Grab a Sample (complete example)
3.24 Create Null Renderer filter [45]
3.25 Concatenate filters and render stream
3.26 WSAStartup Function [48]
3.27 MAKEWORD Macro [40]
3.28 Complete initialization
3.29 socket Function
3.30 Used socket call
3.31 sendto Function [44]
3.32 recvfrom Function [41]
3.33 Data transfer sender
3.34 Data transfer receiver
3.35 closesocket Function [25]
3.36 WSACleanup call [47]

1 Introduction

This thesis intends to show the security risk of multimedia-capable computers that are connected to a network. With the increasing use of computers and high-speed Internet, the threat grows continuously. Not only businesses but also private households become the target of hacker attacks. Governments are also interested in ways to observe other computers, but the corresponding laws and regulations are not completely clarified.

This and some recent events give the impetus for this topic. An important aspect is the implementation of a runnable prototype, which shows the possibilities for hidden observation.

1.1 Computer relevance today

Today computer systems have become more important than ever before. There is hardly a way to work in a highly successful company without a computer. The ATIS[1] defines a computer as follows:

A device that accepts data, processes the data in accordance with a stored program, generates results, and usually consists of input, output, storage, arithmetic, logic, and control units. A functional unit that can perform substantial computation, including numerous arithmetic operations or logic operations, without human intervention during a run. [4]

This definition shows that a computer can calculate or generate a lot of output with minimal human input, much faster than humans and without errors.

There are also many disadvantages to digital data processing. Companies store information on digital volumes and feel secure about the data. The past has shown that there have been many attacks against companies aimed at their sensitive data.

A report from the ADVANCE for Health Information Professionals[2] magazine shows that hacker attacks nearly doubled in the fourth quarter of 2009:

SecureWorks, Inc., a leading global provider of information security services protecting 2,700 clients worldwide, reported today that attempted hacker attacks launched at its healthcare clients doubled in the fourth quarter of 2009. [1]

Another report from an IT security magazine[3] has shown that the number of zero-day feature malware has been growing at an almost exponential rate since 2001 (see Figure 1.1) [76]. At the beginning of 2010 there was an attack against US military contractors, in which malicious PDF files were e-mailed to US defense contractors. The “Aurora” attacks against Google and others happened in December 2009 [14].

[Figure not included in this excerpt]

Figure 1.1: Increase in first time feature Malware [76]

Statistics from BITKOM[4] (Figure 1.2) show that in 2008 more than 50% of German employees worked on computer systems. Network security should therefore be a top concern of both large and small companies. The risk of a hacker attack is always present and can lead to the bankruptcy of a company. Not only in business: more than 80% of German private households have a computer (Figure 1.3). A survey by the industry association also shows that more than 75% have an Internet connection [54].

1.2 Audio and Video impact

The constantly growing broadband Internet provides the opportunity for audio and video transmission. Private households and businesses use the technology to save money or to see the person they are talking to. Nowadays nearly every IM[5] tool (e.g. ICQ[6], Windows Live Messenger, Skype) is able to initiate video calls. The only things needed are a webcam and a microphone, which are integrated in most new notebooks.

New data from TeleGeography show that the growth of international telephone traffic has slowed, while Skype’s growth has accelerated. Over the past 25 years international call volume has grown by approximately 15% each year, but in the last two years growth slowed to only 8%. During that timeframe Skype increased its international traffic (between two Skype users) by more than 50%. TeleGeography analyst Stephan Beckert said that “Skype is the largest provider of cross-border communications in the world, by far” [65].

[Figure not included in this excerpt]

Figure 1.2: Computer equipment in European companies: number of employees who work on a PC, 2008 [9]

[Figure not included in this excerpt]

Figure 1.3: Computer equipment in European companies showing the number of computers in private households, 2008 [9]

Video telephony (not only Skype) was also used by companies during the flight ban in April and May 2010. An ash cloud from Iceland stopped air traffic in large parts of Europe, and managers were forced to use video conferences instead of face-to-face meetings. Many providers used this opportunity to advertise their video conference systems (e.g. Adobe’s Connect web conference software) [16].

But there is a further very important point: security. Everybody who wants to initiate a video call needs an Internet connection and is therefore exposed to hacker attacks. Companies especially should consider the risk and pay attention to their security.

1.3 Laws and regulations

In March 2005 the former Bundesinnenminister (Federal Minister of the Interior), Otto Schily, was requested by the President of the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution), Heinz Fromm, to create a possibility to spy on suspicious computers for the protection of human beings (e.g. against terror attacks). Consequently Otto Schily enacted a regulation for the covert online search of suspects’ computers [21].

Two years later, on August 22, 2007, a questionnaire with information about the work of the BKA (Bundeskriminalamt - Federal Criminal Police Office) concerning the online search was published.

This document says that “online search” is a global term for online review and online surveillance and comprises “the covert search, using electronic means, for process-relevant content in information technology systems that are not in the direct physical access of the security authorities but are accessible via a communications network” [7]. A few months later the Bundesinnenminister demanded a fast introduction of the permitted “online search”:

Bei der Terrorbekämpfung spielen nicht nur die Fähigkeiten unserer Sicherheitsbehörden eine Rolle, sondern auch der Faktor Zeit. Wir brauchen gute Instrumente - und wir brauchen sie schnell.

In the fight against terrorism not only the capabilities of our security agencies play a role, but also the time factor. We need good tools - and we need them fast.

Bild am Sonntag, October 14, 2007

But this is in conflict with the constitution of the Federal Republic of Germany, which guarantees citizens the fundamental right to decide themselves about the usage of their own personal data (§1 BDSG, Bundesdatenschutzgesetz - German Federal Data Protection Act, FDPA).

§1 BDSG - Purpose and scope of the law

Protect every individual so that he is not disadvantaged in his personal rights through the handling of his personal data.

Similar passages paraphrasing the “right to informational self-determination” can be found in the data protection acts of the federal states [5].

The Bundesverfassungsgericht (Federal Constitutional Court) ruled on February 28, 2008 [10], that the secret infiltration of an information technology system, by means of which the use of the system can be monitored and its storage media can be read, is unconstitutional. Since 2009, the BKA is allowed to perform secret online searches.

The Bundestag adopted the required law at the end of 2007 in §20k of the BKAG (Bundeskriminalamtgesetz - Federal Criminal Law). This provides the possibility for covert intervention in information technology systems [8]. The law says that the Federal Criminal Police is allowed, only if a special reason is given, to intervene in the information technology systems used by the affected person without their knowledge. Special reasons are:

- Danger to life, limb or liberty of a person.
- Danger to such goods of the community, the threatening of which affects the foundations or the existence of the state or the basis of the existence of the affected people.

1.4 Related work and motivation

It is almost impossible to function in a modern society without a computer system. Nearly everywhere there is a computer or a similar device. They have become essential in business meetings in order to present new ideas. But one should always consider whether a connection to the network is necessary. If there is no network connection, no one can remotely penetrate the computer to listen to or watch the meeting. In some cases top secret issues are discussed and others should not be listening. Even then there is still a risk: somebody could have manipulated the computer beforehand to record ambient sounds and comments and/or to take pictures using the victim’s webcam.

At the beginning of 2010, a high school in Pennsylvania allegedly spied on its students. According to the superintendent’s website, the school offered laptops to enhance the opportunities for ongoing collaboration and to ensure that all students had 24/7 access to school-based resources. A spokesman for the school said that administrators would only remotely access a laptop if it were reported to be lost, stolen or missing. The problem is that no one can really control how often they access these computers [55].

Another point is Voice over IP (VoIP). People who live far apart from each other often use video telephony via Skype (see chapter 1.2). The Spiegel reported about a hacker from the US who has hacked the Skype encryption and will present it in December 2010 at the congress of the Chaos Computer Club in Berlin. This creates the possibility of sending spam or listening to other calls. The fact that the hacker will present this security vulnerability in December should give the company enough time to fix the problem [62].

Another case happened in July 2010: a computer criminal from the Rhineland could have seen more than 150 girls in their private rooms. Thomas Floss, a member of the BvD[7], had done volunteer educational work about data protection in schools. A few days later two schoolgirls raised concerns about their webcams to him. The following investigation revealed that the computers were infected by spyware [57].

[Figure not included in this excerpt]

Figure 1.4: Procedure of the prototype

Such scenarios can also happen in companies, so everybody should consider whether it is necessary to carry a network-connected device. This is true not only for notebooks, but also for cell phones and other technical equipment.

The discussion about the online search, the events described above and the wish to show the risk of these technical devices gave me the motivation for this thesis. It contains a prototype which captures the signal from a webcam using a Windows API[8] and sends it to another computer. The complete procedure of the prototype is shown in Figure 1.4.

2 Basics

Before going into details about the demonstrator, the reader needs some background on network protocols (especially the Internet Protocol), malware and security software. The Internet Protocol (IP) is a widespread network protocol that forms the basis of the Internet and represents the network layer of the theoretical OSI reference model[9]. The word malware has become a popular buzzword for all kinds of malicious code and covers many subcategories. The created prototype belongs to the subcategory called spyware and should work even in the presence of antivirus software and circumvent a firewall. To reach that goal, the following chapter introduces the necessary knowledge about such software.

2.1 OSI reference model

The OSI reference model is a purely theoretical model for communications and computer network protocols. It is based on seven layers [67]:

1. Physical Layer

The Physical Layer of the OSI model is responsible for bit-level transmission between network nodes. The Physical Layer defines items such as: connector types, cable types, voltages, and pin-outs.

2. Data Link Layer

The Data Link Layer of the OSI model is responsible for communications between adjacent network nodes. Hubs and switches operate at the Data Link Layer.

3. Network Layer

The Network Layer of the OSI model is responsible for establishing paths for data transfer through the network. Routers operate at the Network Layer.

4. Transport Layer

The Transport Layer of the OSI model is responsible for delivering messages between networked hosts. The Transport Layer should be responsible for fragmentation and reassembly.

5. Session Layer

The Session Layer of the OSI model is responsible for establishing process-to-process communications between networked hosts.

6. Presentation Layer

The Presentation Layer of the OSI model is responsible for defining the syntax which two network hosts use to communicate. Encryption and compression should be Presentation Layer functions.

7. Application Layer

The Application Layer of the OSI model is responsible for providing end-user services, such as file transfers, electronic messaging, e-mail, virtual terminal access, and network management. This is the layer with which the user interacts.

This model has an exact purpose for each layer. In contrast, the IP model does not have such strict layer classifications, which makes it more efficient. The disadvantage is that each service needs its own network protocol. The IP model consists of four layers:

1. Link Layer

The Link Layer is the lowest layer in the Internet Protocol Suite and is often described as a combination of Physical Layer (layer 1) and Data Link Layer (layer 2) of the OSI reference model.

2. Internet Layer

The basic functions of the Internet Layer are relaying and routing packets; in addition it provides error detection and diagnostic capability.

3. Transport Layer

The Transport Layer establishes a point-to-point connection and is responsible for delivering data to the appropriate application.

4. Presentation Layer

The Presentation Layer includes all protocols that cooperate with applications which use the network for data exchange.

2.2 Correlation of malware

Malware is a generic term for malicious software; the word is composed of malicious and software. The definition by NIST[10] is as follows:

Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. [52]

This definition says that malware does not need to crash or abuse a system. The fact that such software takes resources like CPU load, memory or hard disk space from a computer is already enough to call it malware.

Most malware corrupts the system, and that is one of the reasons for the hidden operation of this software. There are many different categories of malware. Some of these categories are described below.

The “Threat Predictions” from McAfee expect that targeted attacks are on the rise. Targeted attacks against individual users, corporations and government institutions become more and more successful. A popular attack vector is an e-mail with an attachment or a link to a website [19].

Table 2.1: Most prevalent malware category in 2009 [59]

[Table not included in this excerpt]

Table 2.1 shows that the most prevalent category of malware in 2009 was the Trojan (66%). The second was adware, which includes rogueware[11] or fake antiviruses. However, malware does not exist only for computer systems: an article in “Scientific American”[12] shows that malware for mobile phones has grown continuously since 2004 [51].

2.2.1 Trojan

Trojan is short for “Trojan horse”. Trojans are designed to modify target systems in order to get remote access to the computer system.

A definition of a Trojan horse by the SANS[13] Institute, which was established in 1989 as a cooperative research and education organization, is:

A Trojan horse is a destructive tool that operates under the guise of a valuable or entertaining program. Trojan horses can be viruses or remote control programs that provide complete access to a victim’s computer. [61]

The software got its name from an event of approximately 1,200 BC. The town of Troy seemed to be an insurmountable fortress. But a devious idea came up: some of the best warriors, hidden in a huge wooden horse given as a “gift”, infiltrated the city and opened the gates for an army of many other warriors. This is comparable to a supposedly secured computer system: somebody who gets access to the system (e.g. via software sent by e-mail) can open the way for other attackers.

The first known “Trojan horse” (in the wild) was found in 1975 on the Univac 1108[14] and was hidden in the game “Pervading Animal” [74].

2.2.2 Adware

Adware is a composition of advertising and software. It is software which contains advertising that is not hidden. It automatically plays, displays or downloads advertisements to a computer when the software is being used or installed.

Some adware is also known as shareware[15], i.e. advertisement for a proprietary software with limited functionality, in the hope that the full software will be bought.

The pricing works so that you either buy additional software (full version or add-ons) or you must watch the advertisements to use the product.

Some types of adware may include spyware, which is described in chapter 2.2.4 - Spyware.

2.2.3 Virus

Before Fred Cohen defined the term computer virus in 1984, some people had already published related work about self-reproducing automata:

- 1966 - John von Neumann - Theory of self-reproducing automata [17]
- 1972 - Veith Risak - Selbstreproduzierende Automaten mit minimaler Informationsübertragung (Self-reproducing automata with minimal information exchange) [69]
- 1980 - Jürgen Kraus - Selbstreproduktion bei Programmen (Self-reproduction of programs) [18]

Fred Cohen defines a computer virus as a program that can infect other programs by modifying them to include a possibly evolved copy of itself. Every program that gets infected may also act as a virus and thus the infection grows.

But this definition covers only the infection and the replication of itself. There is no talk of damage code or other malicious intentions. Some lines below follows the explanation of the simple virus ’V’. The virus ’V’ checks if some triggering condition is true and then does damage [15].

A sample compression virus could be written as follows:

Listing 2.1: Sample compression virus [15]

[Listing not included in this excerpt]

A virus classification by target includes the following categories [75]:

- Boot sector infector: Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.
- File infector: Infects files that the operating system or shell consider to be executable.
- Macro virus: Infects files with macro code that is interpreted by an application.

Another classification by concealment strategy includes categories like [75]:

- Encrypted virus: A typical approach is as follows: A portion of the virus creates a random encryption key and encrypts the remainder of the virus. The key is stored with the virus. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. Because the bulk of the virus is encrypted with a different key for each instance, there is no constant bit pattern to observe.
- Stealth virus: A form of virus explicitly designed to hide itself from detection by antivirus software. Thus, the entire virus, not just the payload, is hidden.
- Polymorphic virus: A virus that mutates with every infection, making detection by its “signature” impossible.
- Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with every infection. The difference is that a metamorphic virus rewrites itself completely at each iteration, increasing the difficulty of detection. Metamorphic viruses may change their behavior as well as their appearance.

2.2.4 Spyware

Spyware is a type of malware and in some cases also a type of adware (chapter 2.2.2 - Adware). McAfee describes spyware as software that transmits personal information to a third party without the user’s knowledge or consent [20], but that is not the only effect of spyware. Spyware can also install additional software, redirect web browser activity and/or change computer settings.

The recent term spyware was first described by Steve Gibson in early 2000:

Spyware is any software which employs a user’s Internet connection in the background (the so-called ’backchannel’) without their knowledge or explicit permission. [63]

This description was only valid at the beginning of the spyware evolution. Later the ASC[16] split the term spyware into two different groups. The narrow definition is similar to Steve Gibson’s original one:

In its narrow sense, Spyware is a term for tracking software deployed without adequate notice, consent, or control for the user. [73]

They also provide a wider definition, which is more abstract:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

- Material changes that affect their user experience, privacy, or system security;
- Use of their system resources, including what programs are installed on their computers; and/or
- Collection, use, and distribution of their personal or other sensitive information. [66]

This shows the difficulty of defining spyware.

2.2.5 Worm

The main difference between a worm and a virus is that a worm runs independently, because it propagates itself to other computers on a network (an effective method is e-mail).

One of the most popular worms is the “I love you” worm from 2000, which distributed itself in an e-mail with the subject “ILOVEYOU”. With exponential growth the number of infected nodes after ten iterations grew to more than 1,000 nodes (every node infects two additional nodes, Figure 2.1). This leads the IETF[17] (R. Shirey) to the following definition:

A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively. [60]

2.2.6 Other

The other 0.65% comprise the categories from Table 2.2.

[Figure not included in this excerpt]

Figure 2.1: Exponential increase of infected nodes [11]

Table 2.2: Other categories [59]

[Table not included in this excerpt]

2.3 Penetration test

There are many possible ways to attack a computer. In most cases a penetration test is performed ahead of the actual attack. The following penetration test is broken into a three-step process [3]:

- Network enumeration
- Vulnerability analysis
- Exploitation

Before trying to gain unauthorized access to a network, there are many open questions concerning the network. A network enumeration, which means discovering as much as possible about the target network and systems, should help. This covers the network topology, the list of live hosts, the kind of traffic (e.g. TCP, UDP, IPX) and all other information which can be used to identify potential security vulnerabilities. This can be done via Internet research. A “whois” query can give information about the IP address and owner, the address of the target and the list of domain name servers that provide the target network’s host name to IP address mapping. Normally the DNS[18] does not support zone transfer requests from unauthorized hosts, but if it does, it can offer a lot of information about the network. In most cases the machine name indicates the function of the machine and gives hints about the internal network structure. The command line tool traceroute[19] or tracert[20] can be used to verify this assumption and to reveal additional architecture of the unfamiliar network. It can also help to identify the routers, firewalls, load-balancing devices and hosts on separate segments which may have a special purpose.

The second step is the vulnerability analysis (also known as vulnerability scanning). This process identifies all potential avenues of attack. Therefore the identification of open ports, the operating system and running applications is useful.

To get all this information, a port scanner can be used. It checks all 65535 ports and tries to identify the active service on each port, for example by examining the banner. Advanced port scanners can also detect the running operating system by analyzing the responses from the target. Every operating system has its own implementation of the TCP stack. The RFCs[21] govern how the TCP stack should respond, but there are differences in the details. This result can be combined with the open ports on the system (an SSH daemon is typical for UNIX), which gives an additional hint about the operating system.

Once the list of applications is known, Internet research determines possible vulnerabilities. Websites like Packetstorm[22] or SecurityFocus[23] offer a comfortable and quick search for exploits and for how to patch the vulnerabilities.

[Figure not included in this excerpt]

Figure 2.2: Operating system in layers [72]

Some scanners will give suggestions for exploits. These exploits can be checked on the named websites, and sometimes the vulnerabilities do not match the detected software release. These errors are called “false positives”.

The main activity in the last step, the exploitation, is to attempt to compromise the network by using one of the vulnerabilities from the previous step and to gain root or administrator level access to the system. The examination of the potential security vulnerabilities orders them by likelihood of success and is followed by performing the exploit. Popular targets because of their vulnerability are Microsoft IIS[24] or NFS[25].
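The port scanning described in this section is also visible from the defender's side: a host that is probed on many different ports within a short time leaves a characteristic trace in firewall logs. The following Python example is added here and is not part of the thesis. It parses a handful of constructed, iptables-style log lines (the line format, addresses and timestamps are assumptions made for the example) and flags source addresses that touched an unusually large number of distinct destination ports on one host within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified, iptables-like format.
# Addresses are from documentation ranges; nothing here is a real log.
SAMPLE_LOG = """\
2010-07-14T10:00:01 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=21
2010-07-14T10:00:01 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=22
2010-07-14T10:00:02 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23
2010-07-14T10:00:02 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25
2010-07-14T10:00:03 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80
2010-07-14T10:00:03 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=110
2010-07-14T10:00:04 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=143
2010-07-14T10:00:04 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=443
2010-07-14T10:00:05 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=445
2010-07-14T10:00:05 DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=3389
2010-07-14T10:00:07 ACCEPT SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=443
2010-07-14T10:00:09 ACCEPT SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=443
2010-07-14T10:00:12 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
2010-07-14T10:05:00 DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21
"""

# Field layout assumed for this example (not a real firewall's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events


def detect_port_scans(events, min_ports=8, window_seconds=60):
    """Return {src: (dst, distinct_ports)} for every source that touched at least
    `min_ports` distinct destination ports on one host within `window_seconds`.

    Events are grouped per (src, dst) pair and a sliding window is moved over them
    in time order; the largest number of distinct ports seen in any window is kept.
    Accepted and dropped packets both count: a scan shows up either way."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append(ev)

    hits = {}
    for (src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and (src not in hits or len(ports) > hits[src][1]):
                hits[src] = (dst, len(ports))
    return hits


if __name__ == "__main__":
    for src, (dst, n) in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src} against {dst}: {n} distinct ports")
```

With the default thresholds only 192.0.2.10 is reported: it touched ten distinct ports on one host within five seconds, while 203.0.113.7 only repeated a normal HTTPS connection and tried two further ports minutes apart. The threshold and window are the tuning knobs: too low and ordinary clients that talk to several services get flagged, too high and a slow scan spread over hours goes unnoticed.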

2.4 Operating System

The operating system is a set of system software that forms the basis for managing the computer hardware and software. It can operate with many applications, services and different hardware platforms. With that functionality it serves as the layer which connects the application programs and the computer hardware (see Figure 2.2), even if the application code is usually executed by the hardware and not by the operating system.

According to a survey performed by Net Applications[26] (July 2010), all Microsoft products together have a total market share of more than 90%, followed by Mac OS (5.06%) and Linux (0.93%). Figure 2.3 shows the distribution of all operating systems. A detailed analysis of Windows and Mac shows a comfortable lead for Windows XP with 61.87%. Both newer Windows versions (Windows 7 and Windows Vista) together have less than 30% (see Figure 2.4), which makes Windows XP a popular target for hacker attacks.

[Figure not included in this excerpt]

Figure 2.3: Market share operating systems (July 2010) [53]

These statistics lead to the decision to target the prototype at the most common operating system, Windows XP. In addition to drivers and office software, several security products such as an antivirus and/or a firewall are usually installed as well. There are many different manufacturers on the market, some of which offer their software for free. The following two chapters detail antivirus software and firewalls.

2.5 Antivirus software

Antivirus (or anti-virus) software is used to prevent, detect and remove known malware. The typical detection method is signature-based detection. This traditional method is very effective against well-known malware. For a successful identification the vendor must provide the signatures, and the antivirus software must update regularly to get the new signatures. This makes signature-based detection fast and effective, but it is useless against brand new malware.

Because of the growing amount of malware (see chapter 1.1 - Computer relevance today), some sophisticated antivirus software uses heuristic analysis to identify malware. Such software has the ability to detect different variants/mutations of existing or completely new malware (e.g. by means of certain command sequences). But because of the complex technique needed to detect this kind of malware, there is a large quantity of false positives.
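Two passages above make claims that are easy to verify in a few lines: the “Encrypted virus” entry in chapter 2.2.3 says that re-encrypting a body with a fresh key per instance leaves no constant bit pattern, and this chapter says that signature-based detection therefore fails on new variants while heuristics catch them at the price of false positives. The following Python example is added here and is not part of the thesis. It uses a constructed, harmless stand-in for a program body, a made-up signature database, a seed-derived XOR keystream as a toy model of the per-instance encryption (all assumptions, chosen only to make the effect visible), and a byte-entropy heuristic as the simplest representative of a heuristic rule.

```python
import math
import random
from collections import Counter

# Constructed stand-in for a program body; no real malware is involved.
SAMPLE_BODY = b"DEMO-SAMPLE-BODY:" + b"this is a stand-in for program code; " * 120

# Constructed signature database: a fixed byte pattern taken from a "known sample".
SIGNATURES = {"Demo.Sample.A": b"DEMO-SAMPLE-BODY:"}


def signature_scan(data, signatures=SIGNATURES):
    """Signature-based detection: report every pattern that occurs verbatim in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def keystream(seed, length):
    """Toy model of 'a random key stored with the instance': a PRNG keystream
    derived from a small seed. Illustrative only, not a real cipher."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def transform(data, seed):
    """XOR with the seed-derived keystream; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def shannon_entropy(data):
    """Entropy in bits per byte (0..8); random-looking or encrypted content is near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_flag(data, threshold=7.0):
    """Crude heuristic: high-entropy content is suspicious. This catches unknown
    variants, but also compressed archives and legitimately encrypted files,
    which is exactly the false-positive problem the text describes."""
    return shannon_entropy(data) >= threshold


def demo():
    """Compare both detection approaches on the plain body and on two instances
    of it encoded with different keys."""
    variant_a = transform(SAMPLE_BODY, seed=1)
    variant_b = transform(SAMPLE_BODY, seed=2)
    return {
        "plain_signature": signature_scan(SAMPLE_BODY),   # known sample is found
        "variant_signature": signature_scan(variant_a),   # same body, no match
        "variants_differ": variant_a != variant_b,        # no constant bit pattern
        "roundtrip_ok": transform(variant_a, seed=1) == SAMPLE_BODY,
        "plain_heuristic": heuristic_flag(SAMPLE_BODY),   # text-like data: not flagged
        "variant_heuristic": heuristic_flag(variant_a),   # encoded data: flagged
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The entropy rule is deliberately naive; real heuristic engines look at command sequences and behaviour as the text notes. The point the example makes is structural: the signature found the plain sample and nothing else, whereas the heuristic flagged the encoded variants but would flag any high-entropy file just the same.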

In addition, there are also different scan types, like

- On access scanner / realtime scanner

[...]


[1] Alliance for Telecommunications Industry Solutions

[2] http://health-information.advanceweb.com

[3] http://www.securitymanager.de

[4] Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V.

[5] Instant Messaging

[6] derived by “I seek you”

[7] Berufsverband der Datenschutzbeauftragten - Professional Association of Data Protection Officers

[8] Application Programming Interface

[9] Open System Interconnection Reference Model

[10] National Institute of Standards and Technology

[11] rogueware pretends to find malicious software, which you can only remove with costly software.

[12] a popular science magazine established in the USA

[13] SysAdmin, Audit, Network, Security

[14] Universal Automatic Calculator, a member of Sperry Rand’s UNIVAC 1100 series - a series of compatible 36-bit computer systems

[15] also known as trialware or demoware

[16] Anti-Spyware Coalition

[17] Internet Engineering Task Force

[18] Domain Name System

[19] unix

[20] Windows

[21] Requests for Comments

[22] http://www.packetstormsecurity.org

[23] http://www.securityfocus.com

[24] Internet Information Services

[25] Network File System or Network File Service

[26] http://www.netmarketshare.com

Excerpt out of 82 pages

Details

Title: Spyware development and analysis
College: University of Applied Sciences Münster
Grade: 1,3
Year: 2011
Pages: 82
Catalog Number: V170139
ISBN (eBook): 9783640888177
ISBN (Book): 9783640888191
File size: 2620 KB
Language: English
Keywords: antivirus, firewall, spyware, security
Quote paper: Matthias Wellmeyer (Author), 2011, Spyware development and analysis, Munich, GRIN Verlag, https://www.grin.com/document/170139
