2005-04-14
Spyware overviewSpyware is a categorical term given to applications and software that log information about a user's online habits and report back to the software's creators. The effects of these programs range from unwanted pop-up ads and browser hijacking to more dangerous security breaches, which include the theft of personal information, keystroke logging, changing dialup ISP numbers to expensive toll numbers, and installing backdoors on a system that leave it open for hackers.Spyware usually gets into the computer through banner ad-based software where the user is enticed to install the software for free. Other sources of spyware include instant messaging, various peer-to-peer applications, popular download managers, online gaming, many porn/crack sites, and more. Note that most, but not all, spyware is targeted exclusively at Microsoft's Internet Explorer web browser. Users of modern Web browser alternatives, such as Mozilla's Firefox and Apple's Safari, are generally not affected by spyware at all. The most recent delivery methods used by malicious spyware require no permission or interaction with the users at all. Dubbed as "drive-by downloads," [ref 1] the spyware application is delivered to the user without his knowledge simply when he visits a particular website, opens some zipped files, or clicks on a malicious pop-up ad that contains some active content such as ActiveX, Java Applets, and so on. Spyware can also be hidden in image files or in some cases has been shipped along with the drivers that come with a new hardware device. Spying techniquesDepending upon the nature of the information gathered, each piece of spyware may function differently. Some spyware applications simply gather information about a user's surfing habits, purely for marketing purposes, while others are far more malicious. In any case, the spyware attempts to uniquely identify the information sent across a network by using a unique identifier, such as a cookie on the user's hard disk or a Globally Unique Identifier (GUID). [ref 2] The spyware then sends the logs directly to a remote user or a sever that is collecting this information. The collected information typically includes the infected user's hostname, IP address, and GUID, along with various login names, passwords and other keystrokes.Types of keyloggersAs mentioned, keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms.While keyloggers have been around for a long time, the growth of spyware over the last few years means they warrant renewed attention. In particular, this is due to the relative ease at which a computer can become infected -- a user simply has to visit the wrong website to become infected. Keyloggers can be one of three types:
Analyzing a keyloggerThere are many different keyloggers available, including the Blazing Tools Perfect Keylogger [ref 3], Spector [ref 4], Invisible Keylogger Stealth [ref 5], and Keysnatch [ref 6]. Most of these have more or less the same set of features and way of functioning. Therefore, we will focus on one particular tool in our examples, the one from Blazing Tools.The Blazing Tools Perfect Keylogger will be analyzed in this paper because it has been found hidden in so many Trojans on the Internet. It's a good example of a common hook-type keylogger. Although Blazing Tools markets its products to IT administrators and parents, the presence of their keylogger in many Trojans illustrates how people can package legal code and use it for malicious activities. The following features of the "Perfect Keylogger" are of use to anyone trying to spy on an unsuspecting user:
This keylogger was installed on a test PC. The following capture, with the help of a tool such as SNAPPER [ref 7], shows the changes in the files after installing the keylogger, as shown below in Figure 1.
With the help of a free anti-spyware application such as Microsoft Antispyware [ref 8], the registry entries made by the keylogger as well as its DLLs and EXEs can be seen below in Figure 2.
The keylogger also runs as a background process which can be seen with the help of a tool such as SysInternals' Process Explorer [ref 9], as shown below in Figure 3.
This same keylogger was next installed on a different test PC through another program's installer and then configured to send keystrokes captured in an email to a test email-id. Ironically, the program used for this example was Spybot Search & Destroy [ref 10], a legitimate freeware tool that does a good job of detecting spyware. This is a good example of how other legitimate applications can also be used to install spyware, unbeknownst to the reader. The procedure as described above is the Remote Installation feature. The information sent by email was then captured with the help of a network sniffer. For ease-of-use, Ethereal [ref 11] and the corresponding TCP stream is shown below in Figure 4 and Figure 5.
Since the content of this email is base64 encoded, the actual output can be seen only after decoding it with a base64 decoder. After passing the output through a base64 decoder, the part of the output of significance is shown as follows:
|