Spy Software and Newest Protection Methods (Part 1)
Software and hardware devices intended for covert monitoring of PC users' activity have spread widely in recent years. On the Internet one can find many resources and documents devoted to various aspects of this problem (legal, technical, political, etc.).
The special danger comes from monitoring software and hardware that can be installed covertly (as a rule, remotely), without the knowledge of the owner (security administrator) of the automated system or of the owner of a particular personal computer. This category of monitoring products is referred to in this article as "spy programs" or "spy products".
Authorized monitoring products are used by the security administrator of a computing system (the information security service of a company or organization) to ensure its accountability: the property of a computing system that allows the activity of users and processes and the use of passive objects to be recorded, and the user identifiers involved in particular events and processes to be uniquely established, in order to prevent security policy violations and/or to hold users responsible for particular actions. Depending on how well it is implemented, this property allows checking how employees comply with the established rules of safe computer operation and with the security policy.
The line between monitoring products for ensuring accountability and spy products is blurred; it is the line between security management and security violation. The following program features:
the ability to preconfigure the monitoring module (client, agent, etc.) and obtain a compiled executable file that displays no messages and creates no windows on the screen during installation;
built-in means for delivering the configured module to the user's computer and installing it remotely;
turn a monitoring and accountability product into a spy product. Conversely, the following requirements:
the monitoring module can be installed and configured only with physical access to the user's computer;
administrator privileges are mandatory for installing and configuring the program;
often make the product of little use for spying and other unauthorized application, except when the violator and the administrator are one and the same person.
Note that the legality of using monitoring (and spy) programs depends on the legislation of each particular country (or administrative unit) and on compliance with the rules of usage of such programs prescribed by that legislation.
What are monitoring programs used for?
With them, the specialist responsible for the company's information security can:
detect all attempted cases of unauthorized access to confidential information, with the exact time and the networked workstation from which the attempt was made;
detect cases of unauthorized software installation;
control the use of personal computers outside working hours and reveal the purpose of such use;
detect all cases of unauthorized modem use on the local area network by recording the starting of specialized applications;
detect all cases of typing critical words and phrases on the keyboard, or of preparing critical documents whose transfer to third parties would cause material loss;
detect use of personal computers for purposes other than those intended;
obtain reliable information on which to base the development of the company's information security policy;
control access to servers and personal computers;
control children's contacts when they surf the Internet;
conduct an information audit;
investigate computer incidents;
conduct research on the accuracy, efficiency and adequacy of staff response to external events;
determine the workload of the company's computer workplaces;
restore critical information after computer system failures;
etc.
What are illegally installed monitoring programs, i.e. spy programs, used for?
Their use allows the violator to:
illegally intercept other people's information;
perform economic espionage;
perform political espionage;
obtain unauthorized access to "bank-client" systems;
obtain unauthorized access to the cryptographic systems of the personal computer user: public and private keys, passphrases;
obtain unauthorized access to credit card authorization data;
etc.
Spy software presents a serious danger to the security of individual and networked computer systems.
One of the most dangerous features of all spy software and hardware keyloggers is the recording of the user's keystrokes for the purpose of monitoring computer activity. When the user types a password or credit card details on the keyboard, every keystroke may be recorded at that moment. Moreover, modern spy software can capture the text of application windows and take snapshots (screenshots) of the screen or of individual windows. In other words, spy software can intercept the text of a document even if the user does not type it but merely opens and views the file.
Below we shall examine the problem in more detail in order to define what spy software is, whether it can be used to covertly extract information from a personal computer, and what means exist today for protecting confidential/secret information stored on the hard disk of a personal computer from the threats described above.
Software keyloggers designed for monitoring information entered by the user of the personal computer
Keylogging programs (keyloggers, key loggers, keystroke loggers, key recorders, key trappers, key capture programs, etc.) belong to the group of tools that monitor PC user activity. Initially, software products of this type were designed solely to record keystroke information, including system keys, to a special log file (audit trail) that was afterwards analyzed by the person who had installed the program. The log file can be sent over the network to a shared location, to an FTP server on the Internet, by e-mail, etc. Newer products of this kind perform many additional functions: they intercept the text of windows, capture mouse clicks, take snapshots of the screen and of active windows, record all received and sent e-mail, monitor file activity, monitor the system registry, monitor the printer queue, capture sound from the microphone and video from a web camera connected to the computer, etc.
Keyloggers can be included in commercial, free and shareware programs, Trojan programs, viruses and Internet worms. As an example we can point to the recent, much-discussed epidemic of the Mydoom worm, which carried a keylogger. This epidemic gave rise to a wave of publications showing the urgency of the problem of protection against spy software. A few links are given below:
"Mydoom - worst yet to come", The Age: "... So far, the damage is minimal. But the pre-eminent danger is that one virus strain has a keylogger." Faulkner said it is possible ..." http://www.theage.com.au/articles/2004/01/29/1075088122616.html
"CI Host CEO Monitors Computer Virus Epidemic Effects", Yahoo News (press release): "... One in every dozen e-mails carries the virus. So far, the damage is minimal. But the preeminent danger is that one virus strain has a keylogger." ..." http://biz.yahoo.com/prnews/040128/flw020_1.html
"Mydoom virus delivers gloom", Press of Atlantic City: "... t over. Infected computers still will have a backdoor in them, as well as a key logger that records every keystroke. "A backdoor ..." http://www.pressofatlanticcity.com/news/newjersey/012804MYDOOM_J27.html
"SCO offers $250000 reward for arrest of Mydoom worm author", ComputerWorld: "... According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will ..." http://www.computerworld.com/securitytopics/security/virus/story/0,10801,89470,00.html
"New, fast-spreading worm spells Doom", InfoWorld: "... The worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers, Ruckman said ..." http://www.infoworld.com/article/04/01/27/HNdoomworm_1.html
"No move to stop email bounce messages yet, says Telecom", Computerworld New Zealand: "... Symantec also claims the worm will install a "key logger" that can capture anything that is entered, including passwords and credit card numbers. ..." http://www.computerworld.co.nz/news.nsf/UNID/23A51A1010B535FCCC256E280012F960?OpenDocument
"Web virus beats defence", Melbourne Herald Sun: "... Anti-virus company Symantec warned the virus could install a "key logger" program on to computers, allowing hackers access to every keystroke, including ..." http://www.heraldsun.news.com.au/common/story_page/0,5478,8513866%255E421,00.html
"Global Hauri Offers Quick Fix to the Latest Cyber Threat", Market Wire (press release): "... spread by email. With the infections MyDoom also installs a key logger and backdoor server on the infected computer. A new feature ..." http://www.marketwire.com/mw/release_html_b1?release_id=62255
"Investor Scammed By Keylogger Spyware", Emediawire (press release): "... computer. In reality what was in their download was a keylogger that captured & recorded the usernames and passwords to online accounts. ..." http://www.emediawire.com/releases/2004/1/emw100583.htm
And this is not the only case. Many serious and highly dangerous predecessors of Mydoom carried keyloggers as well. Worms were quite often spread through the widely known IFrame vulnerability of the Microsoft Internet Explorer browser, which allowed arbitrary code to run on the user's computer when an HTML document was viewed in the browser or in the Outlook mail client. Although it was patched as far back as 2001 (http://www.microsoft.com/technet/security/bulletin/MS01-020.asp), the large virus epidemics of recent years showed once more that many users still run obsolete systems without any updates or patches, ignoring the periodic warnings of anti-virus companies. Moreover, Microsoft regularly releases patches closing new vulnerabilities that allow a violator to execute arbitrary code on the user's computer.
Some examples of well-known software keyloggers: Activity Logger, Boss Everyware, Ghost Keylogger, HookDump, IamBigBrother, Invisible KeyLogger Stealth, iOpus STARR, iSpyNOW, KeyCopy, KeyKeeper, KeyKey, KeyLog, KeySpy, Keystroke Reporter, PC Spy, Perfect Keylogger, ProBot, Realtime Spy, Spector Pro, SpyAgent, SpyBuddy, WinWhatWhere Investigator. Today there are hundreds of similar products, differing in functionality, convenience of operation, informativeness of reports and logs, and the ability to remain invisible and resist detection and removal.
Below are the log-file analyzer screens of Perfect Keylogger and Boss Everyware:
Hardware keyloggers designed for monitoring information entered by the user of the personal computer
A hardware keylogger (keystroke recording device, hardware key logger, etc.) is a tiny device attached between the keyboard and the computer or built into the keyboard case. It keeps a record of all keystrokes typed on the keyboard, and the recording is completely transparent to the user. Hardware keyloggers need no software on the victim's PC to log every keystroke. They may be covertly attached to the victim's PC by a colleague, cleaner, visitor, etc.; the PC does not even need to be switched on when the keylogger is plugged in.
The keylogger can then be removed later and its contents (the recorded keystrokes) downloaded at the attacker's convenience. The non-volatile memory of such devices allows recording up to 10 million keystrokes. The photograph to the right illustrates how simple it is to attach a keylogger to the victim's PC. Such devices may take any appearance, so that even an expert might fail to spot them during an information audit.
The best-known hardware keyloggers are KeyKatcher, KeyGhost, MicroGuard and Hardware KeyLogger, produced by Allen Concepts Inc., Amecisco, KeyGhost Ltd. and MicroSpy Ltd.
Hardware keyloggers are divided into external and internal; their distinctive features are described below.
External hardware keyloggers
An external hardware keylogger is connected between an ordinary PC keyboard and the computer and records every keystroke. It needs no batteries and no installed software, and it works on any PC. It can be plugged into one computer to record and into another to play back. The device itself is injection-moulded to look exactly like an ordinary piece of PC equipment.
Internal hardware keyloggers
The hardest to spot (and to disable) are internal hardware keyloggers, which have the keylogger module built into the keyboard case. The device itself is injection-moulded to look exactly like an ordinary PC keyboard.
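Because an inline device needs no software on the host, the only software-side evidence is what the bus itself reports. The following Python script is an added example, not code from the original article: it parses `lsusb -t` style output, builds the bus/port path of every USB interface, and diffs a current snapshot against a baseline taken when the workstation was deployed, flagging a hub that was not in the baseline and any HID device that now sits behind it. Both snapshots are constructed samples, and the heuristic assumes the keylogger enumerates as its own hub or otherwise changes what the host sees. A PS/2 inline device, or a USB pass-through that proxies the keyboard's own descriptors, is invisible to this check and can only be found by physical inspection of the cable run and the keyboard case.

```python
"""Added example: diff USB topology against a baseline to spot an inline keylogger."""
import re
from typing import Dict, List, Tuple

# One line of `lsusb -t` output: the root hub ("Bus NN.Port N: Dev N, ...") or a
# child ("|__ Port N: Dev N, If N, Class=..., Driver=..., speed").
NODE = re.compile(
    r"^(?:\|__ )?(?:Bus (?P<bus>\d+)\.)?Port (?P<port>\d+): Dev (?P<dev>\d+),"
    r"(?: If (?P<iface>\d+),)? Class=(?P<cls>[^,]+), Driver=(?P<drv>[^,]*), (?P<speed>\S+)$"
)


def parse_lsusb_tree(text: str) -> Dict[str, dict]:
    """Return {interface key: attributes}. Keys use sysfs-style paths: "1" for the
    root hub of bus 1, "1-2" for port 2 on it, "1-2.1" for port 1 of a hub on
    that port, with ":N" appended for interface N."""
    nodes: Dict[str, dict] = {}
    stack: List[str] = []          # device path at each tree depth
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Root line starts with "/:"; children are indented 4 spaces per level.
        depth = 0 if raw.startswith("/:") else (len(raw) - len(raw.lstrip(" "))) // 4
        body = raw.strip()
        if body.startswith("/:"):
            body = body[2:].strip()
        m = NODE.match(body)
        if not m:
            raise ValueError(f"unrecognised lsusb -t line: {raw!r}")
        if m["bus"] is not None:
            path = str(int(m["bus"]))
        else:
            path = f"{stack[depth - 1]}{'-' if depth == 1 else '.'}{m['port']}"
        del stack[depth:]
        stack.append(path)
        key = path if m["iface"] is None else f"{path}:{m['iface']}"
        nodes[key] = {"path": path, "class": m["cls"], "driver": m["drv"], "speed": m["speed"]}
    return nodes


def _ancestors(path: str) -> List[str]:
    """'1-2.1' -> ['1-2', '1']: every hub between a device and its root hub."""
    out: List[str] = []
    while True:
        if "." in path:
            path = path.rsplit(".", 1)[0]
        elif "-" in path:
            path = path.split("-", 1)[0]
        else:
            return out
        out.append(path)


def audit_usb_topology(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Compare two parsed trees and return (severity, message) findings."""
    def hubs(tree: Dict[str, dict]) -> set:
        return {n["path"] for n in tree.values() if n["class"] == "Hub"}

    new_hubs = hubs(current) - hubs(baseline)
    findings: List[Tuple[str, str]] = []
    for key in sorted(current):
        node, base = current[key], baseline.get(key)
        if node["class"] == "Hub" and node["path"] in new_hubs:
            findings.append(("HIGH", f"{key}: hub not present in baseline ({node['driver']}, {node['speed']})"))
        elif node["class"] == "Human Interface Device" and any(a in new_hubs for a in _ancestors(node["path"])):
            findings.append(("HIGH", f"{key}: HID device now enumerates behind a hub that was not in baseline"))
        elif base is None:
            findings.append(("MEDIUM", f"{key}: new {node['class']} device ({node['driver']})"))
        elif (base["class"], base["driver"], base["speed"]) != (node["class"], node["driver"], node["speed"]):
            findings.append(("MEDIUM", f"{key}: changed from {base['class']}/{base['driver']}/{base['speed']} "
                                       f"to {node['class']}/{node['driver']}/{node['speed']}"))
    for key in sorted(set(baseline) - set(current)):
        findings.append(("LOW", f"{key}: {baseline[key]['class']} device from baseline is missing"))
    return findings


# Constructed `lsusb -t` snapshots (not captured from a real machine).
BASELINE_TREE = """\
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 2: Dev 2, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 2: Dev 2, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 4: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
"""

# Same host later: the keyboard's port now holds a hub, and the keyboard hangs off it.
CURRENT_TREE = """\
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 480M
    |__ Port 2: Dev 5, If 0, Class=Hub, Driver=hub/2p, 12M
        |__ Port 1: Dev 6, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
        |__ Port 1: Dev 6, If 1, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 4: Dev 3, If 0, Class=Mass Storage, Driver=usb-storage, 480M
"""

if __name__ == "__main__":
    for severity, message in audit_usb_topology(parse_lsusb_tree(BASELINE_TREE),
                                                parse_lsusb_tree(CURRENT_TREE)):
        print(f"[{severity}] {message}")
```

On a live host, feed the output of `lsusb -t` into `parse_lsusb_tree` and store the baseline with the asset record; a keyboard that legitimately contains a hub (one with USB ports on it) is in the baseline from the start and is not reported, which is why the diff is against a per-machine baseline rather than a generic rule.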
To be continued...