Typhoid Adware – a new model for the adware threat
Typical adware infects a computer and then displays pop-up after pop-up after pop-up. It has one weakness. After the 786th pop-up you begin to suspect you’ve been infected and can take some remedial steps.
Now Daniel Medeiros Nunes de Castro, Eric Lin, John Aycock, and Mea Wang of the Department of Computer Science, University of Calgary have published a paper describing an alternative model, which they call Typhoid Adware. In this model, the adware displays the pop-ups not on the infected computer, but on any that it can reach via unencrypted wi-fi. The threat is therefore to unprotected gatherings: internet cafés, possibly campuses, wi-fi enabled offices…
The name is taken from the case of Mary Mallon:
In the beginning of the 20th century, a cook named Mary Mallon was infected with a highly contagious disease called typhoid fever, but she did not have the symptoms and at first she did not even know she was infected. Later, when informed that she was infecting others with typhoid, she refused to believe health authorities and she ended up infecting an estimated 47 people in total, some of whom died [10, 23]. This true story may seem far removed from the realm of malicious software, but that is not the case – it is a new model for adware.
The paper goes on to suggest a couple of possible defenses:
We propose the introduction of an “Internet Café” setting for network configuration. The DHCP protocol specifies that, once an IP address is assigned, the DHCP server sends an Acknowledge message, which may contain the router (or default gateway) information for the client’s network, more likely the actual access point’s address. Using that information, our special setting would gather the MAC address of that router and automatically set it in the static IP-to-MAC mapping table at the client’s machine. By doing this, even if a malicious node is able to send fake ARP messages to the router, the ARP spoofing process would fail as the potential victim would not accept the malicious MAC address as being the router’s.
In order to avoid content modification, we suggest some strategies to be implemented both in the video file and in the video player. We note that other formats, like Matroska, have support for these types of strategy, so they are clearly implementable.
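
The "Internet Café" setting quoted above can be sketched as follows. This is an added example, not code from the paper or its authors: it reads the router option from a DHCP Acknowledge, pins the gateway's MAC as a static entry, and shows later conflicting ARP replies being refused and logged. The class and function names, the sample option bytes, the MAC addresses and the interface name `wlan0` are constructed for illustration.

```python
import ipaddress

def router_from_dhcp_options(options: bytes) -> str:
    """Return the first router address (DHCP option 3) from a raw options field."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options) or i + 2 + options[i + 1] > len(options):
            raise ValueError("truncated DHCP option")
        length = options[i + 1]
        if code == 3 and length >= 4:
            return str(ipaddress.IPv4Address(options[i + 2:i + 6]))
        i += 2 + length
    raise ValueError("DHCP ACK carries no router option")

class PinnedArpCache:
    """Toy client ARP table: pinned (static) entries ignore later ARP replies."""
    def __init__(self):
        self.entries = {}            # ip -> (mac, is_static)
        self.alerts = []             # (ip, pinned_mac, claimed_mac)

    def pin(self, ip: str, mac: str) -> None:
        self.entries[ip] = (mac.lower(), True)

    def on_arp_reply(self, ip: str, mac: str) -> bool:
        """Apply an ARP reply; return True only if the table changed."""
        mac = mac.lower()
        known = self.entries.get(ip)
        if known and known[1]:
            if known[0] != mac:      # someone else claims the gateway's IP
                self.alerts.append((ip, known[0], mac))
            return False
        changed = known is None or known[0] != mac
        self.entries[ip] = (mac, False)
        return changed

def static_arp_command(ip: str, mac: str, iface: str) -> list:
    """Linux iproute2 argv that installs the same pin in the real neighbour table."""
    return ["ip", "neigh", "replace", ip, "lladdr", mac, "nud", "permanent", "dev", iface]

# Constructed DHCP ACK options: message type 5 (ACK), netmask, router, end.
SAMPLE_ACK_OPTIONS = bytes([53, 1, 5, 1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1, 255])
GATEWAY_MAC = "00:11:22:33:44:55"    # constructed; assumed resolved at association time

if __name__ == "__main__":
    gw = router_from_dhcp_options(SAMPLE_ACK_OPTIONS)
    cache = PinnedArpCache()
    cache.pin(gw, GATEWAY_MAC)
    cache.on_arp_reply(gw, "02:00:00:aa:bb:cc")   # constructed conflicting reply
    print(cache.entries[gw], cache.alerts, static_arp_command(gw, GATEWAY_MAC, "wlan0"))
```

The pin is only as trustworthy as the first resolution of the gateway's MAC, so a conflicting reply recorded in `alerts` is also a useful detection signal in its own right.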