
Author Topic: Spy Software and Newest Protection Methods  (Read 3437 times)



  • SCF Administrator
Spy Software and Newest Protection Methods
« on: 16. May 2007., 15:13:45 »
Spy Software and Newest Protection Methods (Part 1)

Software and hardware devices intended for secret monitoring of PC users' activity have become widespread recently. On the global web, the Internet, it is possible to find many resources and documents devoted to various aspects of this problem (legal, technical, political, etc.).

A special danger is presented by monitoring software products and hardware devices that can be secretly installed (as a rule, remotely) without the knowledge of the owner (security administrator) of the automated system or of the owner of a particular personal computer. This category of monitoring products will hereinafter be referred to in this article as "spy programs" or "spy products".

Authorized monitoring software products are used by the security administrator of a computing system (the information security service of a company or organization) to ensure its accountability: the property of the computing system that allows recording the activity of users and processes and the usage of passive objects, and uniquely identifying the users involved in particular events and processes, with the purpose of preventing security policy violations and/or ensuring responsibility for particular actions. Depending on the quality of its implementation, this property makes it possible to check how employees comply with the established rules of safe computer operation and with the security policy.

There is a vague line between monitoring products for ensuring accountability and spy products; it is the line between security management and security violation. Special program functions such as:
• the possibility of preliminary configuration of the monitoring module (client, agent, etc.) and obtaining a compiled executable file which, on installation, displays no messages and creates no windows on the screen;
• built-in means of delivery and remote installation of the configured module on the user's computer;
turn a product for monitoring and accountability into a spy product. Conversely, requirements such as:
• the possibility of installing and configuring the monitoring module only with physical access to the user's computer;
• administrator privileges as an indispensable condition for installing and configuring the program;

often make the product of little use for spying and unauthorized application, except in the case when the violator and the administrator are one and the same person.

Let us note that the legality or illegality of using monitoring (and espionage) programs depends on the legislation of each particular country (or administrative unit), and on compliance with the rules for the usage of these programs prescribed by that legislation.

What are monitoring programs used for?

By using them, the specialist responsible for the company's information security can:
• locate all attempted cases of unauthorized access to confidential information, with an exact time report and the networked workstation from which the attempt was made;
• detect cases of unauthorized installation of software;
• control the possible use of personal computers outside working time and reveal the purpose of such usage;
• detect all cases of unauthorized use of modems in a local area network by analyzing the starting of specialized applications;
• detect all cases of typing critical words and word combinations on the keyboard, or of preparing critical documents whose transfer to third persons would result in material loss;
• detect facts of non-purpose usage of personal computers;
• receive reliable information on the basis of which the company's information security policy will be developed;
• control access to servers and personal computers;
• control the contacts of children when they are surfing the Internet;
• conduct an information audit;
• explore and investigate computer incidents;
• conduct scientific research on the accuracy, efficiency and adequacy of staff response to external impact;
• determine the load on the company's computer workplaces;
• restore critical information after failures of computer systems.
What are illegally installed monitoring programs, i.e. spy programs, used for?

Their usage allows the violator to:
• illegally intercept other people's information;
• perform economic espionage;
• perform political espionage;
• obtain unauthorized access to "bank-client" systems;
• obtain unauthorized access to the cryptographic systems of the personal computer user: public and private keys, passphrases;
• obtain unauthorized access to credit card authorization data.

Spy software presents a serious danger to the security of individual and networked computer systems.

One of the most dangerous features of all spy software and hardware keyloggers is the recording of keystrokes made by the user for the purpose of monitoring computer activity. When the user types a password or credit card details on the keyboard, every keystroke may be recorded at that moment. Besides, modern spy software can capture text from application windows and take snapshots (screenshots) of the screen and of separate windows. In other words, spy software can intercept the text of a document even if the user does not type it on the keyboard but merely opens and views the file.

Below we shall try to cover the problem in more detail in order to define what spy software is, whether it can be used for secretly taking information from the personal computer, and what means exist today for protecting confidential/secret information stored on the hard disk of the personal computer from the threats described above.

Software keyloggers designed for monitoring information entered by the user of the personal computer

Keylogging programs (keyloggers, key loggers, keystroke loggers, key recorders, key trappers, key capture programs, etc.) belong to the group of tools that monitor PC user activity. Initially, software products of this type were designed solely for recording keystroke information, including the system keys, to a special log file (audit trail) which was afterwards analyzed by the person who had installed the program. The log file can be sent over the network to a shared location, to an FTP server on the Internet, by e-mail, etc. The newer software products mentioned above perform many additional functions: they intercept information from windows, capture mouse clicks, take snapshots of the screen and active windows, record all received and sent e-mails, monitor file activity, monitor the system registry, monitor the printer queue, intercept sound from the microphone and video from a web camera connected to the computer, etc.

Keyloggers can be included in commercial, free and shareware programs, Trojan programs, viruses and Internet worms. As an example we can point to the recent much-talked-of epidemic of the Mydoom worm, which carried a keylogger inside. This epidemic gave rise to a great wave of publications revealing the urgency of the problem of protection against spy software. Only a few links are presented below:

MYDOOM - worst yet to come The Age ... So far, the damage is minimal. But the pre-eminent danger is that one virus strain has a keylogger.". Faulkner said it is possible ...

CI Host CEO Monitors Computer Virus Epidemic Effects: ... Yahoo News (press release) ... One in every dozen e-mails carries the virus. So far, the damage is minimal. But the preeminent danger is that one virus strain has a keylogger."...

MYDOOM virus delivers gloom Press of Atlantic City ... t over. Infected computers still will have a backdoor in them, as well as a key logger that records every keystroke. "A backdoor ...

SCO offers $250000 reward for arrest of Mydoom worm author ComputerWorld ... According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will ...

NEW, fast-spreading worm spells Doom InfoWorld ... The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said...

NO move to stop email bounce messages yet, says Telecom Computerworld New Zealand ... Symantec also claims the worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers. ...

WEB virus beats defence Melbourne Herald Sun ... Anti-virus company Symantec warned the virus could install a "key logger" program on to computers, allowing hackers access to every keystroke, including...

GLOBAL Hauri Offers Quick Fix to the Latest Cyber Threat Market Wire (press release) ... spread by email. With the infections MyDoom also installs a key logger and backdoor server on the infected computer. A new feature ...

INVESTOR Scammed By Keylogger Spyware Emediawire (press release) ... computer. In reality what was in their download was a keylogger that captured & recorded the usernames and passwords to online accounts. ...

And this is not the only case. Many serious and very dangerous predecessors of Mydoom comprised keyloggers as well. Quite often, for the distribution of worms, the widely known IFrame vulnerability of the Microsoft Internet Explorer browser was used, which allowed arbitrary code to be started on the user's computer while viewing an HTML document in the browser or in the Outlook mail client. Although it was patched as far back as 2001, the wide-ranging virus epidemics that took place not so long ago demonstrated once more that many users still work on obsolete systems without any updates or patches, ignoring the periodic warnings of anti-virus companies. Moreover, Microsoft Corp. regularly releases patches closing new vulnerabilities which allow a violator to execute arbitrary code on the user's computer.

Here are some examples of well-known software keyloggers: Activity Logger, Boss Everyware, Ghost Keylogger, HookDump, IamBigBrother, Invisible KeyLogger Stealth, iOpus STARR, iSpyNOW, KeyCopy, KeyKeeper, KeyKey, KeyLog, KeySpy, Keystroke Reporter, PC Spy, Perfect Keylogger, ProBot, Realtime Spy, Spector Pro, SpyAgent, SpyBuddy, WinWhatWhere Investigator. Today there are hundreds of similar products, distinguished from each other by functionality, convenience of operation, self-descriptiveness of the reports and logs, invisibility, and protection from detection/removal.

Below you can see the appearance of the log-file analyzers of Perfect Keylogger and Boss Everyware (screenshots in the original post):

Hardware keyloggers designed for monitoring information entered by the user of the personal computer

A hardware keylogger device (keystroke recording device, hardware keylogger, etc.) is a tiny hardware device that can be attached between a keyboard and a computer or built into the keyboard case. It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user. Keylogging hardware devices do not require any software on the victim's PC to be able to log all keystrokes. They may be covertly attached to the victim's PC by a colleague, cleaner, visitor, etc.; the PC does not even need to be switched on when the keylogger is plugged in.

The keylogger may then be removed at a later time and its contents (recorded keystrokes) downloaded at the assailant's convenience. The non-volatile memory size of such devices allows recording up to 10 million keystrokes. The photograph to the right (in the original post) illustrates the simplicity of attaching a keylogger to the victim's PC. Such devices may have any appearance, so that even an expert would not be able to spot them during an information audit.

The best-known hardware keyloggers are KeyKatcher, KeyGhost, MicroGuard and Hardware KeyLogger, produced by Allen Concepts Inc., Amecisco, KeyGhost Ltd. and MicroSpy Ltd.

Hardware keyloggers are divided into external and internal, with their distinctive features described below:

External hardware keyloggers
An external hardware keylogger is connected between an ordinary PC keyboard and a computer and records every keystroke. They need no batteries, they need no software installed, and they will work on any PC. You can plug them into one computer to record and into another to play back, if you like. The actual external hardware keylogger is injection-moulded to look exactly like PC equipment.

Internal hardware keyloggers
The hardest to spot (and disable) are internal hardware keyloggers, which have a hardware keylogger module built into the keyboard case. The actual internal hardware keylogger is injection-moulded to look exactly like a PC keyboard.

To be continued ...



  • SCF Administrator
Re: Spy Software and Newest Protection Methods
« Reply #1 on: 16. May 2007., 15:18:29 »
Spy Software and Newest Protection Methods (Part 2)

Counteraction methods to spy software

For spotting and disabling monitoring software products which can be installed without the knowledge of a PC user, programs of various types are now used, providing more or less effective protection exclusively against KNOWN spy programs with the help of signature analysis. For the effective operation of such programs it is necessary to obtain a sample of the spy software, extract a signature and include this signature in the database. After the signature database is updated, personal computer users get the possibility to fight this kind of spy software. This is the main principle by which many well-known manufacturers of anti-virus software work.

But there is another group of spy software, which is the most dangerous to any automated system: UNKNOWN spy programs. They are divided into five types:

1. Spy software developed under the aegis of government organizations (e.g. the Magic Lantern software, the project named Cyber Knight, USA).

2. Spy software which may be developed by producers of various operating systems and included in the OS kernel.

3. Spy software developed in a limited quantity (often in one or several copies) for solving a concrete task related to the theft of critical information from the user's computer (e.g. programs used by professional hackers). Such programs may be slightly changed source code of spy software taken from the Internet and compiled by the hacker, thus changing the signature of the spy software.

4. Commercial, especially corporate, software products which are rarely included in signature databases, and if they are, only for political reasons (e.g. software products of such well-known companies as WinWhatWhere Corporation, SpectorSoft Corporation, ExploreAnywhere Software LLC, Omniquad Ltd., etc.).

5. Spy software constituting the keylogging modules included in virus programs. Before being included in the signature databases these modules are unknown. For example, the following world-wide known viruses, which caused much trouble in recent years, comprised a module for capturing keystrokes and sending the obtained information to the Internet:
W32.Dumaru.Y@mm
W32.Yaha.AB@mm
W32.Bugbear.B@mm
W32.HLLW.Fizzer@mm
W32.Badtrans.B@mm

Information about spy software of the first and third types, as a rule (if there is no information leak), is not published anywhere; correspondingly, their code cannot be included in signature databases, and thus they cannot be detected by any signature-based software product.

Information about spy software of the second type is not published anywhere. This code operates at the kernel level of the operating system and correspondingly cannot be detected by any application.

Information about spy software of the fourth type is rarely included in signature databases, as that conflicts with the laws of many countries of the world. But even if such programs are included in the signature databases, it is almost impossible to disable them, let alone remove them, without damaging the operating system. They do not have their own processes but hide themselves in system processes as threads; they can work only with computer memory and not with the hard disk; they have modes of integrity control and self-recovery after failures.

Information about spy software of the fifth type is included in the signature databases several hours or days after the beginning of the corresponding virus attack. But this is enough time for assailants to steal PC users' confidential information and send it to the specified address on the Internet.

What can the personal computer user oppose to spy software?

It is possible to solve this problem only by using a series of software products:
Software Product #1 is a product based on heuristic mechanisms of protection against spy programs, developed by experts with great experience in the sphere of fighting spy programs. It provides protection constantly and uses no signature databases.
Software Product #2 is an anti-virus software product based on regularly updated signature databases.
Software Product #3 is a personal firewall controlling access to the Internet from the personal computer on the basis of policies set by the user himself.

This order has been chosen deliberately.

An anti-virus product responds to the penetration of a virus with a keylogging module inside only when the capture of information has already taken place, since the virus database has not yet been enlarged with the new information and, correspondingly, has not been updated on the user's computer.

A personal firewall asks many questions, and even a well-trained user can answer them incorrectly, thus misconfiguring it. For example, some commercial monitoring programs use the processes of software products with knowingly permitted access to the Internet (browsers, mail clients, etc.). As a rule the user must permit them to access the Internet. As a result, the information stolen while the anti-virus program was inactive will be quietly sent to the Internet address specified in advance by the hacker (or some other person).

Only a product of the first type works silently, asking the user no needless questions, and performs its task constantly in the background.

There are a great many software products based on constantly updated signature databases in the world (Kaspersky AntiVirus, Dr.Web, Panda Antivirus, Norton Antivirus and many others). And even more firewalls have been created world-wide (Norton Internet Security, BlackICE Defender, GuardianPro Firewall, Tiny Personal Firewall and many others). But software products of the first type are represented by a single product having no analogues in the world. Its name is PrivacyKeyboard™.

PrivacyKeyboard™ blocks the activity of spy programs without any use of signature databases. This became possible due to newly developed solutions and algorithms that allow distinguishing spy program activity from that of any other application installed in the system.

PrivacyKeyboard™ comprises modules that ensure:
• keystroke capturing protection;
• window text capturing protection;
• desktop screenshotting protection;
• active window screenshotting protection.

For its own protection against the external destructive effect of spy programs, PrivacyKeyboard™ has a system of integrity control and other protective functions.

Counteraction methods to hardware keyloggers

Today there are only two methods of counteracting hardware keyloggers when using a standard personal computer:
• physical search for and removal of the hardware keylogger;
• use of virtual keyboards for entering especially important information (logins, passwords, access codes, credit card PIN codes, etc.).

Let us dwell on the second point in more detail.

The software product PrivacyKeyboard™ comprises a protective module against hardware keyloggers, represented by a virtual on-screen keyboard called up by the user when needed.

The virtual keyboard layout switches automatically when the main PC keyboard layout changes, and supports all languages and layouts currently installed in the Microsoft Windows 2000/XP operating system.

The block scheme (an image in the original post) and a brief description of the functioning mechanism of PrivacyKeyboard™ are presented below:

The software keyloggers blocking module is always active, providing constant and transparent on-the-fly protection from all types of software keyloggers. You can simply switch this mode ON/OFF by a single left mouse click on the PrivacyKeyboard™ icon in the system tray. When the software keyloggers blocking module is ON, you can confidently type any sensitive information on the keyboard connected to your PC and feel certain that this information is safe from any keylogging programs. The live software keyloggers blocking module will let you block various types of keylogging programs possibly included in any commercial, shareware or freeware products, as well as in Trojan programs and viruses of very different operating principles, based on user-level or kernel-level modules (dll, exe, sys and others), which create log files on the hard disk, in memory, in the registry or on a network disk, or may transmit the captured information to a predetermined address through e-mail, FTP, HTTP, etc.

The hardware keyloggers blocking module can be activated by a right mouse click on the PrivacyKeyboard™ icon in the system tray and selecting the option Show Hardware keyloggers blocking module. The virtual on-screen keyboard will be displayed. When you switch the hardware keyloggers blocking module ON, the software keyloggers blocking module is activated automatically, even if it had been switched OFF. The joint operation of the software keyloggers blocking module and the hardware keyloggers blocking module will keep your sensitive information safe from any keylogging programs and keylogging hardware devices known today. It is strongly recommended to use the virtual on-screen keyboard when entering critical confidential information (passwords, logins, PINs, etc.).
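The signature-versus-behaviour argument made in this post, together with the hook, log file and FTP/e-mail upload chain described for software keyloggers in Part 1, can be made concrete with a short script. What follows is an added example, not code from the original post and not PrivacyKeyboard™'s own mechanism: the two sample "binaries", the host-monitor log and its line format are constructed for the illustration, while the API names in the log (SetWindowsHookEx with WH_KEYBOARD_LL, WriteFile, connect) are the real Windows calls a user-mode keylogger relies on. It shows that changing one string in the source and recompiling (the "type 3" variant above) defeats an exact-hash signature, whereas a rule on the combination of behaviours still flags the process, including the case where the logging module lives inside a browser process the personal firewall already trusts.

```python
"""Signature vs. behaviour-based keylogger detection (added example).

Constructed for illustration: the byte strings stand in for real executables
and the monitor log imitates what a host-based monitor would record (its
format is an assumption of this example). SetWindowsHookEx/WH_KEYBOARD_LL,
WriteFile and connect are the genuine Windows/Winsock calls involved.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# ---------------------------------------------------------------------------
# 1. Signature-based detection: an exact hash of the sample the lab received.
# ---------------------------------------------------------------------------

# Constructed "known" build and a type-3 variant: the attacker renamed the log
# file in the source and recompiled, so the whole-file hash no longer matches.
KNOWN_BUILD = (b"MZ\x90\x00" + b"\x00" * 12
               + b"SetWindowsHookExA\x00WH_KEYBOARD_LL\x00"
               + b"C:\\Windows\\Temp\\log.txt\x00ftp.example.net\x00")
VARIANT_BUILD = KNOWN_BUILD.replace(b"log.txt", b"sys.dat")


def sha256_signature(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


SIGNATURE_DB: Dict[str, str] = {
    sha256_signature(KNOWN_BUILD): "Keylogger.Constructed.A",
}


def signature_scan(sample: bytes) -> Optional[str]:
    """Return the family name if the exact hash is in the database, else None."""
    return SIGNATURE_DB.get(sha256_signature(sample))


# ---------------------------------------------------------------------------
# 2. Behaviour-based detection: what the process does, not what it hashes to.
# ---------------------------------------------------------------------------

# Constructed host-monitor log, one API call per line. pid 2207 models the case
# from the post where the logging module runs inside a browser process that the
# personal firewall already allows to reach the Internet.
MONITOR_LOG = """\
pid=4120 image=keylog.exe    api=SetWindowsHookEx arg=WH_KEYBOARD_LL
pid=4120 image=keylog.exe    api=WriteFile        arg=C:\\Windows\\Temp\\log.txt
pid=4120 image=keylog.exe    api=connect          arg=ftp.example.net:21
pid=1532 image=notepad.exe   api=WriteFile        arg=C:\\Users\\u\\notes.txt
pid=2207 image=iexplore.exe  api=SetWindowsHookEx arg=WH_KEYBOARD_LL
pid=2207 image=iexplore.exe  api=WriteFile        arg=C:\\Users\\u\\AppData\\sys.dat
pid=2207 image=iexplore.exe  api=connect          arg=203.0.113.7:80
pid=3001 image=autohotkey.exe api=SetWindowsHookEx arg=WH_KEYBOARD_LL
"""

LINE_RE = re.compile(r"pid=(\d+)\s+image=(\S+)\s+api=(\S+)\s+arg=(\S+)")
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}

Events = List[Tuple[str, str]]


def parse_monitor_log(text: str) -> Dict[int, Tuple[str, Events]]:
    """Group (api, arg) events by pid; returns pid -> (image name, events)."""
    procs: Dict[int, Tuple[str, Events]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an event line
        pid, image, api, arg = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        procs.setdefault(pid, (image, []))[1].append((api, arg))
    return procs


def behaviour_scan(procs: Dict[int, Tuple[str, Events]]) -> Dict[int, List[str]]:
    """Flag processes that hook the keyboard AND persist AND exfiltrate.

    A keyboard hook alone is not enough: macro tools, input-method editors and
    accessibility software hook legitimately, so a single indicator would drown
    in false positives. The combination is what a heuristic product keys on.
    """
    flagged: Dict[int, List[str]] = {}
    for pid, (image, events) in procs.items():
        reasons = []
        if any(api == "SetWindowsHookEx" and arg in KEYBOARD_HOOKS for api, arg in events):
            reasons.append("keyboard hook installed")
        if any(api == "WriteFile" for api, _ in events):
            reasons.append("writes to disk")
        if any(api == "connect" for api, _ in events):
            reasons.append("outbound connection")
        if len(reasons) == 3:
            flagged[pid] = [image] + reasons
    return flagged


if __name__ == "__main__":
    print("known build  :", signature_scan(KNOWN_BUILD))    # family name
    print("variant build:", signature_scan(VARIANT_BUILD))  # None: hash evaded
    for pid, details in behaviour_scan(parse_monitor_log(MONITOR_LOG)).items():
        print(f"pid {pid}: {details}")
```

Run it directly to print the verdicts: the known build is caught by its hash, the recompiled variant is not, and the behaviour rule flags both keylog.exe and the hooked iexplore.exe while leaving notepad.exe and the macro tool (pid 3001, hook only) alone. The three-indicator rule is deliberately strict; a production heuristic would add further indicators (screen-capture APIs, thread injection into other processes, window-text reads) and weigh them rather than require all of them.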



  • SCF Member
Re: Spy Software and Newest Protection Methods
« Reply #2 on: 15. October 2009., 18:39:49 »
very nice thanks for the information


  • SCF Advanced Member
Re: Spy Software and Newest Protection Methods
« Reply #3 on: 01. February 2011., 07:56:05 »
Thanks for sharing !!


  • SCF Member
Re: Spy Software and Newest Protection Methods
« Reply #4 on: 13. April 2011., 10:05:08 »
Your information is good and helpful for me to gain awesome knowledge. Thanks for sharing.

