Appendix A: A Web Bug Experiment
- Aim
The aim of this experiment is to simulate how "user browsing habits" can be collected with a web bug (a 1x1 image fetched from a tracking server) together with a tracking cookie.
- Experiment Environment
Operating System: Windows XP
Web Server: Apache Tomcat 5.5
Web Browser: Mozilla Firefox 1.5.0.7
Programming Language: Java (JSP, Servlet)
Database: Microsoft Access
- Experiment Preparations
Modification of Hosts File
The following lines need to be added to Windows\system32\drivers\etc\hosts so that all four hostnames resolve to the local machine:
127.0.0.1 www.spyware.com
127.0.0.1 www.localhost.com
127.0.0.1 www.test1.com
127.0.0.1 www.test2.com
Clear all cookies
Clear all existing cookies in Firefox so that the test cookie is easy to find afterwards.
Create a Microsoft Access database
Create an Access database file named visitors with a table named visitor. The visitor table has two fields: userid and times. userid stores the unique visitor id generated from a GUID; times counts how many times that visitor has loaded a page carrying the web bug.
Create an ODBC data source
Create a new ODBC System Data Source Name, spywareDB, using the Microsoft Access Driver and pointing at the visitors database.
- Web Pages Roadmap
Webbug.html, served from both www.test1.com and www.test2.com, contains a web bug: a 1x1 image (<img src="http://www.spyware.com/web/setcookie" width=1 height=1 border=0>) whose src points to a servlet on www.spyware.com. Whenever the browser renders either page it requests the image, and with that request it sends the cookies it holds for www.spyware.com, not the cookies of the site being viewed. The servlet sets a new userid cookie if none is present; otherwise it increments the times field of the visitor row matching the userid carried in the cookie. Because the cookie is scoped to www.spyware.com, the same userid comes back from both test sites, and that is what lets a single tracker correlate visits across otherwise unrelated sites. Although all four hostnames resolve to 127.0.0.1, Firefox keys cookies by hostname rather than by address, so it treats them as distinct sites and the experiment reproduces the real third-party case.
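To make the mechanism concrete, the following is an added example (Python, not part of the original experiment, which used Java, JSP and Access) that models the browser's per-host cookie jar and the setcookie servlet, then replays three page loads: test1, test2, test1 again. An in-memory sqlite3 table stands in for the Access visitor table, uuid4 for RandomGUID, and the Referer header for what the page's JavaScript calls the referral. The second run turns on a third-party cookie block (a browser setting, modelled here as a flag), which is the check a practitioner would want: with it, the tracker mints a fresh id on every load and the cross-site count never accumulates.

```python
import sqlite3
import uuid
from urllib.parse import urlsplit

# Added example, not part of the original experiment: a model of the browser's
# cookie handling and of the tracking servlet, so the cross-site correlation
# can be exercised offline. An in-memory sqlite3 table stands in for the
# Access "visitor" table; the hostnames are the ones from the hosts file.
TRACKER = "www.spyware.com"
BUG_URL = f"http://{TRACKER}/web/setcookie"  # the <img src> in Webbug.html


class Browser:
    """Cookie jar keyed by the host that set the cookie, as a browser does.
    With block_third_party=True, cookies are neither stored nor sent when the
    request host differs from the host of the page being viewed."""

    def __init__(self, block_third_party=False):
        self.jar = {}  # host -> {cookie name: value}
        self.block_third_party = block_third_party

    def fetch(self, url, page_url, tracker):
        host = urlsplit(url).hostname
        page_host = urlsplit(page_url).hostname
        third_party = host != page_host
        blocked = third_party and self.block_third_party
        cookies = {} if blocked else dict(self.jar.get(host, {}))
        # Browsers send the embedding page as the Referer of the image request
        headers = {"Cookie": cookies, "Referer": page_url}
        set_cookie = tracker.serve(headers)
        if set_cookie and not blocked:
            self.jar.setdefault(host, {}).update(set_cookie)

    def view(self, page_url, tracker):
        """Render Webbug.html at page_url; the only effect modelled is the bug load."""
        self.fetch(BUG_URL, page_url, tracker)


class Tracker:
    """The setcookie servlet: mint an id on first sight, count on every sight."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("create table visitor (userid text primary key, times integer)")
        self.referers = []  # what a real tracker would log alongside the count

    def serve(self, headers):
        self.referers.append(headers["Referer"])
        userid = headers["Cookie"].get("userid")
        if userid is None:
            userid = str(uuid.uuid4())  # RandomGUID in the servlet
            self.db.execute("insert into visitor values (?, 1)", (userid,))
            return {"userid": userid}  # LongLivedCookie in the servlet
        # Bound as a parameter: the value arrives from the client
        self.db.execute("update visitor set times = times + 1 where userid = ?", (userid,))
        return None

    def rows(self):
        return self.db.execute("select userid, times from visitor order by userid").fetchall()


def run_experiment(block_third_party=False):
    """One browser visits test1, test2, test1. Returns (visitor rows, referers seen)."""
    tracker = Tracker()
    browser = Browser(block_third_party)
    for site in ("www.test1.com", "www.test2.com", "www.test1.com"):
        browser.view(f"http://{site}/webbug.html", tracker)
    return tracker.rows(), tracker.referers


if __name__ == "__main__":
    rows, referers = run_experiment()
    print("third-party cookies allowed:", rows)  # one userid, times = 3
    print("referers seen by tracker:", referers)
    rows, _ = run_experiment(block_third_party=True)
    print("third-party cookies blocked:", rows)  # three userids, times = 1 each
```

Run directly, the first table holds a single userid with times = 3 and the Referer list names both test sites, which is the correlation the experiment sets out to show; the second table holds three unrelated ids with times = 1, since the browser never returns the cookie that www.spyware.com tried to set from inside another site's page.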
- Parts of Source Code
Webbug.html
<html>
<head>
<title>Web bug and Tracking Cookie</title>
<!-- refercookie.js (not reproduced here) defines cookieContent, cDateRef and cRefer -->
<script language="JavaScript" type="text/javascript" src="refercookie.js"></script>
</head>
<body>
<h1>Web bug inside</h1>
<!-- The web bug: a 1x1 image fetched from www.spyware.com, so the request carries
     that host's cookies even though this page is served from www.test1.com or www.test2.com -->
<img src="http://www.spyware.com/web/setcookie"
width=1 height=1 border=0>
<script language="JavaScript">
<!--//start hiding
if (cookieContent != '' && cookieContent != -1 && cookieContent != "undefined" && cDateRef != "No cookie") {
document.write('On the date: ' + cDateRef + "<br>");
document.write("you clicked a link to this site from: " + cRefer + "<br \/><br \/>");
document.write("This was the first occasion on which you were known to have visited this site by clicking on a link from another site.");
}
else document.write("Unfortunately, there is no cookie set for your initial referral to this site to show you.");
//end hiding-->
</script>
<noscript>
Unfortunately, you do not have JavaScript enabled in your
browser, so there is no example to show you.
</noscript>
<br>
<br>
<a href="cookie1.html" onClick="top.location.href='cookie1.html?content=' + cookieContent; return false">Click me</a>
</body></html>
setcookie.java
package trackingcookie;
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.*;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
public class setcookie extends HttpServlet {
//Initialize global variables
public void init() throws ServletException {
}
//Process the HTTP Get request (the browser issues one for every <img> load;
//nothing is written to the response, the image is only a pretext for the request)
public void doGet(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException {
// The browser only sends cookies scoped to www.spyware.com here, whichever
// site embedded the image, so the same userid comes back from every site.
Cookie[] cookies = request.getCookies();
String userid = null;
if (cookies != null) {
// ServletUtilities is from http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/hall/ServletUtilities.java
userid = ServletUtilities.getCookieValue(cookies, "userid", null);
}
Connection connection = null;
try {
// Load the JDBC-ODBC bridge driver
Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
// Connect to the database through the spywareDB system DSN
connection = DriverManager.getConnection("jdbc:odbc:spywareDB");
PreparedStatement statement;
if (userid == null) {
// First visit from this browser: mint an id and hand it out as a long-lived cookie
// RandomGUID from http://javaexchange.com/aboutRandomGUID.html
RandomGUID myguid = new RandomGUID(false);
userid = myguid.toString();
// LongLivedCookie is from http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/hall/LongLivedCookie.java
LongLivedCookie cookie = new LongLivedCookie("userid", userid);
response.addCookie(cookie);
statement = connection.prepareStatement("insert into visitor values (?, 1)");
statement.setString(1, userid);
}
else {
// Returning visitor: bump the counter for the id the browser sent back
statement = connection.prepareStatement(
"update visitor set times = times + 1 where userid = ?");
statement.setString(1, userid);
}
System.out.println("User " + userid + " is viewing the page");
/* store the visitor information in the database; the cookie value is
   client-controlled, so it is bound as a parameter rather than concatenated */
statement.executeUpdate();
statement.close();
} catch (ClassNotFoundException cnfe) {
System.err.println(cnfe);
} catch (SQLException ex) {
System.err.println(ex);
} catch (Exception er) {
er.printStackTrace();
} finally {
// Release the connection on every path, not only on success
if (connection != null) {
try { connection.close(); } catch (SQLException ignored) { }
}
}
}
//Process the HTTP Post request
public void doPost(HttpServletRequest request, HttpServletResponse response) throws
ServletException, IOException {
doGet(request, response);
}
//Clean up resources
public void destroy() {
}
}
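The servlet as originally written built its SQL by splicing the userid cookie value into the query text. The insert path is harmless because that id is generated server-side, but the update path takes the id from a Cookie header the visitor can set to anything. The following added example (Python with sqlite3 standing in for Access over ODBC; it is not part of the original experiment) shows what that allows, beside the parameterized form.

```python
import sqlite3

# Added example, not part of the original servlet: sqlite3 stands in for the
# Access table reached over ODBC. Both bump_* functions perform the servlet's
# "returning visitor" update for a userid taken from the cookie the browser sent.


def fresh_table():
    db = sqlite3.connect(":memory:")
    db.execute("create table visitor (userid text primary key, times integer)")
    # constructed rows, representing three previously tracked browsers
    db.executemany("insert into visitor values (?, ?)",
                   [("guid-aaa", 1), ("guid-bbb", 5), ("guid-ccc", 2)])
    return db


def bump_concatenated(db, userid):
    """The original construction: cookie value spliced into the SQL text."""
    sql = "update visitor set times = times + 1 where userid = '" + userid + "'"
    return db.execute(sql).rowcount


def bump_parameterized(db, userid):
    """The fix: the value is bound as a parameter and can only ever match a userid."""
    sql = "update visitor set times = times + 1 where userid = ?"
    return db.execute(sql, (userid,)).rowcount


def snapshot(db):
    return dict(db.execute("select userid, times from visitor").fetchall())


if __name__ == "__main__":
    # A Cookie: userid=... value the visitor can set themselves
    forged = "x' or '1'='1"
    db = fresh_table()
    print("concatenated:", bump_concatenated(db, forged), "rows touched", snapshot(db))
    db = fresh_table()
    print("parameterized:", bump_parameterized(db, forged), "rows touched", snapshot(db))
```

With the concatenated form the forged value turns the WHERE clause into a tautology and every visitor's counter is incremented; with the bound parameter the same value matches no row and the table is untouched, while a genuine id still updates exactly one row.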