Spyware – Appendix, References

Appendix A: A Web Bug Experiment

 

  1. Aim

The aim of this experiment is trying to simulate the process of collecting the “user browsing habits” using web bug and tracking cookie.

 

  1. Experiment Environment

Operating System: Windows XP

Web Server: Apache Tomcat 5.5

Web Browser: Mozilla FireFox 1.5.07

Programming Language: Java (JSP, Servlet)

Database: Microsoft Access

 

  1. Experiment Preparations

 

Modification of Hosts File

The following lines need be added in Windows\system32\drivers\etc\hosts:

127.0.0.1 www.spyware.com

127.0.0.1 www.localhost.com

127.0.0.1 www.test1.com

127.0.0.1 www.test2.com

 

Clear all the cookies

Clear all the existing cookies of FireFox to make it easy to view the testing cookie.

 

Create a Microsoft Access database

Create a visitors Microsoft Access database file and a table named visitor. The visitor table has two fields: userid and times. Userid is for storing user unique id created from GUID, and times field is used to remember the times visitor access the web sites.

 

Create a ODBC

Create a new ODBC System Data Source Name – spywareDB using Microsoft Access Driver.

 

  1. Web Pages Roadmap

Webbug.html on www.test1.com and www.test2.com contains a web bug (<img src=”http://www.spyware.com/web/setcookie” width=1 height=1 border=0>) which actually points to a servlet located in the www.spyware.com. When the servlet receive a request, it will set a new cookie if cookie is not existed. The times of visits will be recorded in the visitor table based on the userid kept in the cookie.

 

  1. Parts of Source Code

 

Webbug.html

 

<html>

<head><script language=”JavaScript” type=”text/javascript” src=”refercookie.js”> </script></head>

<title>

Web bug and Tranking Cookie

</title>

<body>

<h1>Web bug inside</h1>

<img src=”http://www.spyware.com/web/setcookie”

width=1 height=1 border=0>

 

<script language=”JavaScript”>

<!–//start hiding

if(cookieContent != ” && cookieContent != -1 && cookieContent != “undefined” && cDateRef != “No cookie”){

document.write(‘On the date: ‘ +cDateRef + “<br>”);

document.write(“you clicked a link to this site from: ” + cRefer + “<br \/><br \/>”);

document.write(“This was the first occassion on which you were known to have visited this site by clicking on a link from another site.”);

}

else document.write(“Unfortunately, there is no cookie set for your initial referral to this site to show you.”);

//end hiding–>

</script>

<noscript>

Unfortunately, you do not have JavaScript enabled in your

browser, so there is no example to show you.

</noscript>

</br>

</br>

<a href=”cookie1.html” onClick=”top.location.href=’cookie1.html?content=’ + cookieContent; return false”>Click me</a>

</body></html>

 

setcookie.java

 

package trackingcookie;

 

import javax.servlet.*;

import javax.servlet.http.*;

import java.io.*;

import java.util.*;

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.Statement;

import java.sql.ResultSet;

import java.sql.SQLException;

 

public class setcookie extends HttpServlet {

//Initialize global variables

public void init() throws ServletException {

}

//Process the HTTP Get request

public void doGet(HttpServletRequest request, HttpServletResponse response) throws

ServletException, IOException {

Cookie[] cookies = request.getCookies();

String userid = null;

if (cookies != null) {

try {

userid =

ServletUtilities.getCookieValue(cookies, “userid”, null);

}catch (java.lang.NullPointerException ex) {

// ServeletUtilies is from http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/hall/ServletUtilities.java

}

}

try {

// Load the Driver

Class.forName(“sun.jdbc.odbc.JdbcOdbcDriver”);

// Connect to the database

Connection connection

= DriverManager.getConnection(“jdbc:odbc:spywareDB”);

// Create and send statement

Statement statement = connection.createStatement();

String updateCMD = null;

if (userid == null) {

// RandomGUID from http://javaexchange.com/aboutRandomGUID.html

RandomGUID myguid = new RandomGUID(false);

userid = myguid.toString();

// LongLivedCookie is from http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/hall/LongLivedCookie.java

LongLivedCookie cookie = new LongLivedCookie(“userid”, userid);

response.addCookie(cookie);

updateCMD = “insert into visitor values (‘” + userid + “‘, 1)”;

}

else {

updateCMD = “Update visitor set times = times + 1 where userid = ‘” +

userid + “‘”;

}

System.out.println(“User ” + userid + ” is viewing the page”);

/* store the visitor information into datase*/

int rowsDone = statement.executeUpdate(updateCMD);

connection.close();

} catch (ClassNotFoundException cnfe) {

System.err.println(cnfe);

} catch (SQLException ex) {

System.err.println(ex);

} catch (Exception er) {

er.printStackTrace();

}

}

//Process the HTTP Post request

public void doPost(HttpServletRequest request, HttpServletResponse response) throws

ServletException, IOException {

doGet(request, response);

}

//Clean up resources

public void destroy() {

}

}

 

References

 

^ Bangeman, Eric. 2004. Australian police given green light to use spyware. http://arstechnica.com/news.ars/post/20041213-4460.html (accessed August 15, 2006).

 

^ Birdman. 2006. The Evolution of Windows Spyware Techniques By Birdman. http://cpc.tanet.edu.tw/~pk46/upload/The%20Evolution%20of%20Windows%20Spyware%20Techniques.pdf (accessed September 30, 2006).

 

^ Bleeping Computer. 2004. Understanding Spyware, Browser Hijackers, and Dialers. http://www.bleepingcomputer.com/tutorials/tutorial41.html (accessed August 15, 2006).

 

^ Butler, Peter. 2006. Anti-spyware legislation snag. http://blogs.download.com/Spyware-Hunt/post.php?p=920 (accessed September 19, 2006).

 

^ CA. 2006. Angelfire Tracking Cookie. http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453078612 (accessed August 30, 2006).

 

^ Comms Business. 2005. Spyware menace costing businesses millions! http://www.commsbusiness.co.uk/News_Article_JS1.cfm?NewsID=17&YearViewed=2005&Newsmonth=1&EndDay=15&StartDay=1&NoNews=0 (accessed September 10, 2006).

 

^ Cash4Toolbar.com. 2006. Our Program. http://cash4toolbar.com/our_program.php (accessed September 17, 2006).

 

^ Ducklin, Paul. 2006. Learning lessons about computer security. Information Age, 6(4): 22.

 

^ Edelman, Ben. 2005. What Hope for Federal Anti-Spyware Legislation? http://www.benedelman.org/news/011905-1.html (accessed September 19, 2006).

 

^ Edelman, Ben. 2005. State Spyware Legislation. http://www.benedelman.org/spyware/legislation/ (accessed September 19, 2006).

 

^ Elgin, Ben and Brian Grow. 2006. THE PLOT TO HIJACK YOUR COMPUTER. Business Week, Issue 3993. (accessed August 14, 2006, from EBSCOhost: Academic Search Elite databse).

 

^ Free Software Foundation. 2006. Digital Restrictions Management and Treacherous Computing. https://www.fsf.org/campaigns/drm.html (accessed September 28, 2006).

 

^ Gibson, Steve. 2005. OptOut: Tell Unwelcome Spyware to Pack its Bags! http://www.grc.com/optout.htm (accessed September 05, 2006).

 

^ Gormley, Michael. 2005. Major advertisers caught in spyware net. http://www.usatoday.com/tech/news/computersecurity/2005-06-25-companies-spyware_x.htm (accessed October 03, 2006).

 

^ Gutner, Toddi. 2004. What’s Lurking In Your PC? http://www.businessweek.com/magazine/content/04_40/b3902115_mz070.htm?chan=sb (accessed September 10, 2006).

 

^ Harrison, Adam. 2006. Examining defects in the Firefox code base. http://www.g2zero.com/2006/09/examining_defects_in_the_firef.html (accessed October 01, 2006).

 

^ Levin, Jonathan. 2005. The Dark Side of Winsock. http://2005.recon.cx/recon2005/papers/Jonathan_Levin/The%20Dark%20Side%20of%20Winsock.pdf (accessed October 01, 2006).

 

^ Hcward. 2005. Spyware Timeline. http://www.unc.edu/courses/2005spring/law/357c/001/projects/hcward/background.timeline.html (accessed September 05, 2006).

 

^ Hines, Matt. 2005. Intermix hit with spyware suit. http://news.com.com/Intermix+hit+with+spyware+suit/2100-7348_3-5688609.html (accessed September 20, 2006).

 

^ Hines, Matt . 2005. Research: Spyware industry worth billions. http://www.zdnet.com.au/news/security/soa/Research_Spyware_industry_worth_billions/0,130061744,139190474,00.htm (accessed September 14, 2006).

 

^ Keizer, Gregg. 2005. Russians Use Affiliate Model To Spread Spyware, Adware. http://www.informationweek.com/story/showArticle.jhtml?articleID=163700819 (accessed September 17, 2006).

 

^ Klang, Mathias. Spyware – the ethics of covert software . Ethics and Information Technology, 193-202, Volume 6, Number 3 / September, 2004. http://www.springerlink.com/content/l4u4h7k4n7p5r1u2/fulltext.pdf (accessed August 30, 2006)

 

^ Kalvass, Jeffrey and Arjun Singh. 2004. Spyware: Covert Information Gathering Technical and Ethical Aspects. http://www.ischool.berkeley.edu/~jeff/Documents/SPY.pdf (accessed September 18, 2006).

 

^ Krebs, Brian. 2006. Hacked Ad Seen on MySpace Served Spyware to a Million. http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html (accessed September 10, 2006).

 

^ Lininger, Rachael and Russell Dean Vines. 2005. Phishing: Cutting the Identity Theft Line. Indianapolis, Indiana: Wiley publishing, Inc.

 

^ Lawton, George. 2002. Invasive Software:Who’s Inside Your Computer? Computer, Volume 35, Issue 7, July 2002 Page(s):15 – 18. http://ieeexplore.ieee.org.ezp02.library.qut.edu.au/iel5/2/21883/01016895.pdf?tp=&arnumber=1016895&isnumber=21883 (accessed August 14, 2006, from IEEE Xplore databse).

 

^ Maslog-Levis, Kristyn. 2005. Government slams proposed spyware legislation. http://www.zdnet.com.au/news/communications/soa/Government_slams_proposed_spyware_legislation/0,130061791,139192359,00.htm (accessed September 19, 2006).

 

^ McCullagh, Declan. 2005. Newsmaker: Spying on the spyware makers. http://news.com.com/Spying+on+the+spyware+makers/2008-1012_3-5694455.html?tag=nl (accessed September 14, 2006).

 

^ McFedries, Paul. 2005. The Spyware Nightmare. http://www.spectrum.ieee.org/aug05/1689 (accessed August 30, 2006).

 

^ Mossberg, Walter. 2005. Tracking cookies crumble privacy. http://heraldnet.com/stories/05/07/19/100bus_mossberg001.cfm (accessed August 30, 2006).

 

^ MOTION, Inc. 2006. Chapter 2: HISTORY OF SPYWAR. http://www.pcsecuritynews.com/spyware_history.html (accessed September 04, 2006).

 

^ Naraine, Ryan. 2004. Spyware: The Next Real Threat. http://www.eweek.com/article2/0,1759,1738207,00.asp?kc=ewnws121004dtx1k0000599 (accessed September 10, 2006).

 

^ Office of the Attorney General of Washington State. 2006. McKenna Announces Oregon Man to Pay Under Washington Spyware Law. http://www.atg.wa.gov/releases/2006/rel_First_Spyware_Case_041806.html (accessed September 19, 2006).

 

^ Perry, David. 2004. Beyond Virus, Trojan and Worm: New Threats and Appropriate Responses. http://www.aavar.org/2004web/AVAR2004/Presentations/pc02.ppt (accessed September 13, 2006).

 

^ RelicMan. 2005. “Did “Elf Bowling” ever contain spyware? http://msgboard.snopes.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=38;t=000738;p=1 (accessed September 05, 2006).

 

^ Schwartz, Ari. 2005. Testimony of Ari Schwartz, Associate Director Center for Democracy and Technology before The Senate Committee on Commerce, Science , and Transportation on “Spyware”. http://www.cdt.org/testimony/20050511schwartzspyware.pdf#search=%22Ari%20%20Schwartz%20%20%E2%80%9Cmany%20million%20dollar%20industry%E2%80%9D%22 (accessed August 30, 2006).

 

^ Schwartz, Ari. 2006. Spyware Everywhere. http://www.affiliatesummit.com/AriSchwartz-AS011006.pdf#search=%22AriSchwartz-AS011006.pdf%22 (accessed August 30, 2006).

 

^ Smith, Steve. 2005. The Gentle Art of Spy Hunting. Computer Power User, September 2005, Vol.5, Issue 9, Page(s) 81-83. http://www.computerpoweruser.com/Editorial/article.asp?article=articles/archive/c0509/46c09/46c09.asp&guid= (accessed August 30, 2006).

 

^ Sunbelt Software. 2004. Spyware: The ultimate uninvited guest. http://www.sunbelt-software.com/CounterSpy/docs/battling_spyware_1.pdf#search=%22%22adware%20network%22%22 (accessed September 11, 2006).

 

^ Turner, Suzi. 2005. Spyware tricks part II: follow the money trail. http://blogs.zdnet.com/Spyware/?p=659 (accessed September 17, 2006).

 

^ US-CERT. 2005. Spyware. http://www.us-cert.gov/reading_room/spywarehome_0905.pdf (accessed September 08, 2006).

 

^ Wikipedia. 2006. Rootkit. http://en.wikipedia.org/wiki/Rootkit (accessed September 28, 2006).

 

^ Wikipedia. 2006. Spyware. http://en.wikipedia.org/wiki/Spyware (accessed September 04, 2006).

 

^ Wilson Sonsini Goodrich & Rosati. 2005. New York Attorney General Eliot Spitzer Wages War on “Spyware” While Legislative Proposals Abound. http://www.wsgr.com/wsgr/Display.aspx?SectionName=publications/PDFSearch/clientalert_spitzer_wages_war_on_spyware.htm (accessed September 21, 2006).

 

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *