
Monday, August 13, 2007

SPYWARE AND KEYLOGGER OVERVIEW




Spyware is a categorical term given to applications and software that log information about a user's online habits and report back to the software's creators. The effects of these programs range from unwanted pop-up ads and browser hijacking to more dangerous security breaches, which include the theft of personal information, keystroke logging, changing dialup ISP numbers to expensive toll numbers, and installing backdoors on a system that leave it open for hackers.
Spyware usually gets into the computer through banner ad-based software where the user is enticed to install the software for free. Other sources of spyware include instant messaging, various peer-to-peer applications, popular download managers, online gaming, many porn/crack sites, and more. Note that most, but not all, spyware is targeted exclusively at Microsoft's Internet Explorer web browser. Users of modern Web browser alternatives, such as Mozilla's Firefox and Apple's Safari, are generally not affected by spyware at all.
The most recent delivery methods used by malicious spyware require no permission or interaction with the users at all. Dubbed as "drive-by downloads," [ref 1] the spyware application is delivered to the user without his knowledge simply when he visits a particular website, opens some zipped files, or clicks on a malicious pop-up ad that contains some active content such as ActiveX, Java Applets, and so on. Spyware can also be hidden in image files or in some cases has been shipped along with the drivers that come with a new hardware device.
Spying techniques
Depending upon the nature of the information gathered, each piece of spyware may function differently. Some spyware applications simply gather information about a user's surfing habits, purely for marketing purposes, while others are far more malicious. In any case, the spyware attempts to uniquely identify the information sent across a network by using a unique identifier, such as a cookie on the user's hard disk or a Globally Unique Identifier (GUID). [ref 2] The spyware then sends the logs directly to a remote user or a server that is collecting this information. The collected information typically includes the infected user's hostname, IP address, and GUID, along with various login names, passwords and other keystrokes.
Types of keyloggers
As mentioned, keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms.
While keyloggers have been around for a long time, the growth of spyware over the last few years means they warrant renewed attention. In particular, this is due to the relative ease at which a computer can become infected -- a user simply has to visit the wrong website to become infected.
Keyloggers can be one of three types:
Hardware Keyloggers. These are small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time -- however, they of course require physical access to the machine. These hardware devices have the power to capture hundreds of keystrokes including banking and email username and passwords.
Software using a hooking mechanism. This type of logging is accomplished by using the Windows function SetWindowsHookEx(), which monitors all keystrokes. The spyware will typically come packaged as an executable file that installs the hook, plus a DLL file that handles the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords.
Kernel/driver keyloggers. This type of keylogger runs at the kernel level and receives data directly from the input device (typically, a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage of this approach is that it fails to capture autocomplete passwords, as this information is passed in the application layer.
Analyzing a keylogger
There are many different keyloggers available, including the Blazing Tools Perfect Keylogger [ref 3], Spector [ref 4], Invisible Keylogger Stealth [ref 5], and Keysnatch [ref 6]. Most of these have more or less the same set of features and way of functioning. Therefore, we will focus on one particular tool in our examples, the one from Blazing Tools.
The Blazing Tools Perfect Keylogger will be analyzed in this paper because it has been found hidden in so many Trojans on the Internet. It's a good example of a common hook-type keylogger. Although Blazing Tools markets its products to IT administrators and parents, the presence of their keylogger in many Trojans illustrates how people can package legal code and use it for malicious activities. The following features of the "Perfect Keylogger" are of use to anyone trying to spy on an unsuspecting user:
Stealth Mode. In this mode no icon is present in the taskbar and the keylogger is virtually hidden.
Remote Installation. The keylogger has a feature whereby it can attach to other programs and can be sent by e-mail to install on the remote PC in stealth mode. It will then send keystrokes, screenshots and websites visited to the attacker by e-mail or via FTP.
Smart Rename. This feature allows a user to rename all of the keylogger's executable files and registry entries.


This keylogger was installed on a test PC. The figure above, captured with the help of a tool such as SNAPPER [ref 7], shows the changes in the files after installing the keylogger.
Similarly, the keylogger can be used to capture all types of passwords including passwords used for proxies, email accounts, and online banking applications. It can also capture programming code typed by a developer, instant messaging text, and the URLs of websites visited by the user.
New approaches
With the market being inundated with new anti-spyware products, spyware creators have now resorted to unorthodox methods of staying installed. One such example is the nasty ability of the spyware code to keep reinstalling itself. Although anti-spyware applications can remove the spyware's registry entry from one location, most of them fall short at cleaning the hidden registry entries that have the software reinstalled on boot. Another approach is to make the spyware application load into memory very early in the boot process (before the operating system loads user-level processes). In this case, when a user tries to uninstall the software with an anti-spyware application, the OS will not allow this, as it tries to protect the integrity of a running program (the spyware) that it doesn't control. [ref 12]
Detection and removal
A spyware application is inherently very different in behavior and operation from a traditional virus or a worm, and therefore to most antivirus software it may appear as a legitimate program. The fact is, virus signatures are very different from spyware signatures. Firewalls are also ineffective in dealing with them, as spyware is either piggybacked with legitimate applications, hidden in a regular image file, or can occur as normal port 80 web traffic.
Therefore, the essence of any spyware prevention exercise is first to ensure the operating system is fully patched against known vulnerabilities. The best prevention, aside from switching to less vulnerable operating systems like Mac OS X and Linux, is to educate users that it is not safe to click on anything and everything found on the Web, and that they must install only what is needed. Freebies on the Internet, which are typically advertised in pop-up banners, should be avoided entirely. Other methods of avoiding spyware are to ensure the browser used is configured securely, and to have at least one good spyware detection and removal tool installed. Microsoft Antispyware, Ad-Aware [ref 13], PestPatrol [ref 14], and Spy Sweeper [ref 15] are some of the free tools that help in detecting and removing spyware.
Please note that spyware is largely, but not exclusively, a problem with Microsoft's Internet Explorer. Users of more modern, feature-rich browsers such as Mozilla Firefox can virtually eliminate the spyware problem altogether. However, it is still the case that some websites are coded to only work with IE, and therefore switching to Firefox may not be a solution for 100% of a user's web surfing needs.
Preventing keystroke capture
Since this article has looked at keyloggers, it is worthwhile to include a section on how to avoid keystroke capture. Keyloggers, both hardware and software, are basically designed to capture what a user types on the keyboard. On the web application side, one method to avoid keystroke capture is to use a virtual keyboard for entering the username and password. A virtual keyboard is analogous to a graphical keypad where a user clicks on the characters rather than types them on the keyboard. This approach may not be practical for every user, for obvious reasons. However, it can still be useful for very sensitive applications. Note however that even this approach is not completely secure, as some keyloggers are designed to capture screenshots on every mouse-click. Thus, the password of the user can still be found out when a virtual keyboard is used by looking at the screenshots and reading off the characters clicked at each mouse click. To avoid this, some virtual keyboards also have a feature that allows a user to enter a character by hovering the mouse cursor over a letter for a few seconds. Thus the user can enter the password without even clicking the mouse button.
Another method of avoiding keystroke capture is to ask the user to enter only a randomly chosen selection of the password's characters. For example, an application can ask the user to enter the 1st, 3rd and 5th (odd placed) characters of the password and then the characters in the even places. However, this sequence has to change every time, or else anyone capturing the password can easily reconstruct the original password -- and additionally, the application must support this approach. The disadvantage of this method is that the keylogger still captures all the characters in the password, and the malicious person can easily crack it by simply trying different combinations.
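To make the partial-password scheme and its stated weakness concrete, here is an added Python model that is not part of the original article: the server picks fresh random positions per login and verifies the reply, while two observer functions show what a keylogger learns, either with the positions (via screenshots) or from keystrokes alone. The secret, function names and the seeded generator are constructed for the demonstration.

```python
import hmac
import math
import random
from collections import Counter

# Constructed secret for the demonstration. Partial matching needs the
# characters themselves, so a real system must protect this store.
STORED = "s3cretpass"

def make_challenge(pw_len, k, rng=None):
    """Server side: ask for k distinct 1-based positions, fresh per login."""
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(range(1, pw_len + 1), k))

def verify(stored, positions, typed):
    """Server side: constant-time comparison of the requested characters."""
    expected = "".join(stored[p - 1] for p in positions)
    return hmac.compare_digest(expected, typed)

def logins_until_recovered(stored, k, seed=None):
    """Observer who captures the keystrokes and the on-screen positions
    (for example via screenshots): logins needed before every position
    of the password has been seen at least once. A seed makes it repeatable."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    seen, logins = {}, 0
    while len(seen) < len(stored):
        positions = make_challenge(len(stored), k, rng)
        typed = "".join(stored[p - 1] for p in positions)  # the user's reply
        assert verify(stored, positions, typed)
        seen.update(zip(positions, typed))
        logins += 1
    return logins

def orderings(captured):
    """Observer who captures only keystrokes: how many distinct passwords
    are consistent with the captured multiset of characters, i.e. the
    'try different combinations' effort the text refers to."""
    n = math.factorial(len(captured))
    for count in Counter(captured).values():
        n //= math.factorial(count)
    return n
```

Asking for three characters at a time only delays an observer who also sees the positions; an observer with keystrokes alone is left with at most 10!/3! candidate orderings for this ten-character secret.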
Anti-keylogging software
To prevent keyloggers at the desktop level, two types of anti-keylogging software are available from various vendors:
Signature based anti-keylogger. These are applications that typically identify a keylogger based on the files or DLLs that it installs, and the registry entries that it makes. Although it successfully identifies known keyloggers, it fails to identify a keylogger whose signature is not stored in its database. Some anti-spyware applications use this approach, with varying degrees of success.
Hook based anti-keyloggers. A hook process in Windows uses the function SetWindowsHookEx(), the same function that hook based keyloggers use. This is used to monitor the system for certain types of events, for instance a keypress/mouse-click -- however, hook based anti-keyloggers block this passing of control from one hook procedure to another. This results in the keylogging software generating no logs at all of the keystroke capture. Although hook based anti-keyloggers are better than signature based anti-keyloggers, note that they still are incapable of stopping kernel-based keyloggers.
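As an added illustration of the signature-based approach described above (this code is not from the original article or any vendor product), the following Python script scans a constructed 'reg query' dump of autorun keys together with a stand-in for the disk: it matches binaries by known file name, falls back to a content hash so that a copy renamed in the style of the Smart Rename feature is still caught, and reports a binary registered from more than one autorun location, the reinstall-on-boot persistence discussed under New approaches. Signature names, hashes, paths and registry values are placeholders.

```python
import hashlib
import re
from collections import defaultdict

# Constructed signature set (placeholders, not a real vendor database).
KNOWN_NAMES = {"kl_svc.exe", "kl_hook.dll"}
KNOWN_HASHES = {hashlib.sha256(b"constructed keylogger binary").hexdigest()}

# Constructed 'reg query' output covering several autorun locations.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMixer    REG_SZ    C:\Windows\System32\kl_svc.exe
    Defrag        REG_SZ    C:\Program Files\Acme\defrag.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    SoundMixer    REG_SZ    C:\Windows\System32\kl_svc.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Helper        REG_SZ    C:\Users\test\AppData\winhelp32.exe
"""

# Constructed stand-in for the disk: path -> file bytes.
DISK = {
    r"C:\Windows\System32\kl_svc.exe": b"constructed keylogger binary",
    r"C:\Program Files\Acme\defrag.exe": b"benign defrag tool",
    # Same binary after a 'Smart Rename': name changed, bytes unchanged.
    r"C:\Users\test\AppData\winhelp32.exe": b"constructed keylogger binary",
}

VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_\w+\s+(.+?)\s*$")

def parse_autoruns(dump):
    """Return {binary path: [registry keys that reference it]}."""
    refs, key = defaultdict(list), None
    for line in dump.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif (m := VALUE_RE.match(line)) and key:
            refs[m.group(2)].append(key)
    return refs

def scan(dump, disk):
    """Signature-style scan; returns sorted (path, reason) findings."""
    findings = []
    for path, keys in parse_autoruns(dump).items():
        name = path.rsplit("\\", 1)[-1].lower()
        digest = hashlib.sha256(disk.get(path, b"")).hexdigest()
        if name in KNOWN_NAMES:
            findings.append((path, "known file name"))
        elif digest in KNOWN_HASHES:
            findings.append((path, "known hash (renamed binary)"))
        if len(keys) > 1:  # remove every reference or it returns on reboot
            findings.append((path, f"autorun from {len(keys)} keys"))
    return sorted(findings)
```

The hash fallback only helps while the binary is byte-for-byte unchanged; a repacked or recompiled keylogger, like one absent from the database, is exactly the case the text says signature scanning misses.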
Summary
With the vast proliferation of spyware in recent years, there has been a growing list of websites and malicious users trying to cash in by installing keyloggers and stealing personal information. Identity theft has become rampant.
The need of the hour is to be aware of such common practices in spyware, and recognize it for what it is: malicious code that should always be avoided. The first step in evaluating ways to combat spyware should be to consider an alternate Web browser, such as Firefox, Safari, Opera, and others. If this is not possible, then steps to detect, combat and remove keylogging spyware must always be taken.
