  About site: http://www.interhack.net/pubs/spector/

This is websites2007.org cache of m/ as retrieved on 2008.09.07. websites2007.org's cache is the snapshot that we took of the page as we crawled the web. The page may have changed since that time.
INTERHACK

Spector Professional Review and Commentary

Matt Curtin
May 7, 2002

This document is also available in PDF.

1 Introduction

Spectorsoft Corp. publishes a product known as Spector Professional Edition for Windows. It's advertised as "Internet Monitoring and Surveillance" software, which is more commonly known as "Spyware". A quick look at Spector Pro revealed several key issues:

- The software's "stealth mode" is sufficiently obfuscated that typical users will have no idea that the software is active.
- Because the software runs on the user's computer itself, the computer cannot be trusted. Any attempts to determine what is happening while the system is booted and running normally can be foiled by the software.
- The software requires network connectivity to operate. This means that watching online activity from a trusted machine (including firewalls, proxies, and network intrusion detection systems) will yield evidence of Spector Pro being in use.

The bottom line is Spector Pro can completely compromise the privacy of a nontechnical user. Competent professionals looking for Spector Pro's presence should have no difficulty finding the software.

2 Detailed Discussion

A cursory examination of a Windows 2000 Professional workstation with Spector Pro 3.1 confirmed some claims of the software and yielded some fairly interesting discoveries.

2.1 Stealth Mode Effectiveness

Effectiveness of the system's Stealth Mode depends on obfuscation. Users who do not know what processes to expect on a process listing, or believe that programs must be "visible" to be running, stand no chance of determining that Spector Pro is active. No indication of Spector Pro (or Spectorsoft) is found in the process listing, host registry, or visible files.

A particular key combination (apparently "Control-Alt-Shift-S" by default) on the keyboard will bring up Spector Pro's splash screen and a password dialog box. A user who happens across the correct key combination would find that the software is running.

The ability for Spector Pro to hide is dependent upon its running. If the disk on which it is installed is examined with another operating system, for example, files invisible to Windows users would be clearly visible, though perhaps still not obviously named.

2.2 Exploits Lack of Trusted Computing Base

Information security practitioners have long used the concept of a Trusted Computing Base (TCB) to define the collection of components used to enforce a security policy. The TCB's ability to enforce policy depends on the correctness of implementation. Windows operating systems largely fail to adhere to sound security design principles. Furthermore, the complete lack of trustworthy audit mechanisms makes it impossible to verify in any reasonably secure manner what is and isn't happening on the machine.

Spector Pro takes advantage of this lack of security in Windows, effectively turning what should be the TCB against the user, recording his activity and making it impossible for him to audit the computer's activity.

For this reason, examination of a machine with Spector Pro enabled is best done not with the machine booted normally, but by looking at the disk under another operating system that will not be running the Spector Pro software.

2.3 Spector Pro Requires Network Connectivity

Interestingly, Spector Pro will require network connectivity for it to operate. Alerts that it sends to the person monitoring the system's use, as well as other data regarding the activity, are routed through Spectorsoft. As is true with the rest of the system, the network activity is heavily obfuscated.

2.3.1 Uploads to Spectorsoft

In our quick assessment, we identified that even without specifying an address to which alerts should be directed, Spector Pro was uploading data to Spectorsoft.

We found that among the normal network traffic, our test machine was making TCP connections to the host u2a1376gf-43ty-245b.com [209.61.191.54]. The domain in question is registered to none other than Spectorsoft.

    SpectorSoft Corp. (U2A1376GF43TY245B-DOM)
       333 17TH ST
       VERO BEACH, FL 32960-5670
       US

       Domain Name: U2A1376GF-43TY-245B.COM

Clearly, use of the domain U2A1376GF-43TY-245B.COM is simply an obfuscation technique, hoping to foil the casual observer.

2.3.2 Obfuscated Sessions

In addition to obfuscation in the domain name, Spector Pro uses an obfuscated binary protocol for the interaction with Spectorsoft. Figure 1 shows the data, in hexadecimal form, that are uploaded to Spectorsoft.

Figure 1: Initial Message to Spectorsoft

    00000000  01 00 00 00 0c 01 00 00 00 00 02 00 44 4c 61 33
    00000010  bd bd 3a 8d bc ce bf fd 84 ce 37 05 6f bb 95 25
    00000020  9c 33 57 0e f7 6d 91 60 f5 d0 f2 f9 70 99 cf 97
    00000030  21 24 69 04 5b 84 32 74 66 55 5c 04 66 83 71 84
    00000040  b9 8f 10 bf da f1 26 61 f7 c9 3f 60 bc f2 45 f6
    00000050  18 d9 e6 82 27 37 38 a4 14 ed bb 2e c7 19 4e ff
    00000060  f6 b3 fe c3 54 7d 03 6f 67 51 3f a8 65 ee bf 0c
    00000070  e8 5a a0 ae a3 8e 98 26 5f 6c 3b 76 ae f8 57 49
    00000080  74 33 c7 c3 c2 0c 50 aa 5f 0d 17 2a fe b7 d9 b8
    00000090  de 23 c8 26 41 d0 c6 19 41 17 44 72 15 70 33 8b
    000000A0  47 3a a1 aa 04 92 70 c2 6c 94 af 71 ed 9d 4e f7
    000000B0  14 da 6f 2a 47 ff 8a 97 80 11 d0 e8 18 bb 9f 70
    000000C0  0a cc f7 ce 11 58 31 c7 43 dc d2 25 99 63 bb e0
    000000D0  7e 4f d1 c0 3e fc 50 c8 1d 4a e1 0d 3f 70 e4 4b
    000000E0  e0 c1 36 e8 c2 14 88 5c 2b 6e fa 22 19 3d 8d 3f
    000000F0  a0 1f 1a 66 94 e5 fc 73 47 ca b7 a7 11 38 4b fc
    00000100  93 af 29 96 10 1b 03 6a 2a fd e5 20

Additional data are in the session after the initial message from client to server. Further, toward the end of the session, the message length becomes significantly shorter, suggesting that there is some kind of interactive protocol, rather than simple data uploads and downloads.

The end result is that neither the user of the machine being monitored nor the person who installed the software can be sure of just what is being uploaded to Spectorsoft. Furthermore, in our test, there was no obvious need for Spector Pro to communicate with Spectorsoft, which suggests that there is more to the communication channel than what's needed to provide the "alert" functionality.

So the question is, "Does Spectorsoft spy on the spies who use Spector Pro?"

2.3.3 Network-Based Defense Mechanisms

Because Spector Pro requires network connectivity to perform its work, network connectivity is its Achilles' Heel. Several technologies could be employed to detect the presence of Spector Pro.

Network Intrusion Detection Systems
    These systems could simply be on the lookout for connectivity from their client machines to TCP port 16771. Additionally, they could be on the lookout for DNS queries for the zone U2A1376GF-43TY-245B.COM.

Application-Layer Firewalls
    Because these systems will not be able to pass traffic for protocols they do not understand, application-layer firewalls will prevent Spector Pro from operating correctly. (We have not investigated whether Spector Pro can work with firewalls, which it could do by encapsulating the data in HTTP requests. If it does, however, such firewalls could be configured to look for connections to the obfuscated hostname.)
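
The two NIDS checks suggested in section 2.3.3 (TCP port 16771 and DNS queries under U2A1376GF-43TY-245B.COM), plus the destination address from section 2.3.1, sketched as an added example that is not part of the original report. The log line format, the sample records and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Indicators named in the report (observed in 2002, so they may be stale).
SPECTOR_ZONE = "u2a1376gf-43ty-245b.com"
SPECTOR_PORT = 16771
SPECTOR_IP = "209.61.191.54"

# Constructed sample log; the line format is an assumption for this example.
CONSTRUCTED_LOG = """\
2002-05-07T10:00:01 DNS 10.0.0.23 query www.example.org
2002-05-07T10:00:02 DNS 10.0.0.42 query U2A1376GF-43TY-245B.COM.
2002-05-07T10:00:03 TCP 10.0.0.42 -> 209.61.191.54:16771
2002-05-07T10:00:04 TCP 10.0.0.23 -> 192.0.2.10:80
2002-05-07T10:00:05 DNS 10.0.0.17 query notu2a1376gf-43ty-245b.com
2002-05-07T10:00:06 TCP 10.0.0.99 -> 198.51.100.7:16771
2002-05-07T10:00:07 DNS 10.0.0.99 query a.b.u2a1376gf-43ty-245b.com
"""

DNS_RE = re.compile(r"^(\S+) DNS (\S+) query (\S+)$")
TCP_RE = re.compile(r"^(\S+) TCP (\S+) -> (\S+):(\d+)$")


def in_zone(qname, zone=SPECTOR_ZONE):
    """True for the zone apex or any name under it (label-boundary match)."""
    name = qname.rstrip(".").lower()  # DNS names are case-insensitive
    return name == zone or name.endswith("." + zone)


def detect(log_text):
    """Return {client_ip: sorted indicator names seen for that client}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            if in_zone(m.group(3)):
                hits[m.group(2)].add("dns-zone")
            continue
        m = TCP_RE.match(line)
        if m:
            if int(m.group(4)) == SPECTOR_PORT:
                hits[m.group(2)].add("tcp-16771")
            if m.group(3) == SPECTOR_IP:
                hits[m.group(2)].add("dst-ip")
    return {client: sorted(reasons) for client, reasons in hits.items()}


if __name__ == "__main__":
    for client, reasons in sorted(detect(CONSTRUCTED_LOG).items()):
        print(client, ", ".join(reasons))
```

A client that shows only the port indicator deserves a second look before it is treated as a Spector Pro host, since other software may use the same port; the DNS zone match is the more specific signal.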

3 Conclusions

Quick assessment of Spector Pro shows that it is effective spyware, giving typical non-technical users little chance to protect their privacy. As with all such technology, however, this is essentially an arms race. Once users become more sophisticated, perhaps by employing some techniques described here, they will regain the upper hand. Such a shift in the balance will no doubt result in greater obfuscation in Spector Pro, which will result in greater sophistication of privacy-sensitive users. Whoever has the greatest invested, as a combination of skill and time, will win, until someone invests more.

Ethical considerations here are myriad. Besides the basic questions of who may spy on whom and for what purposes, a basic issue comes into play with regard to the technique employed. Namely, this technique requires that some data, which are obfuscated and therefore difficult or impossible to audit, are uploaded to Spectorsoft. Email alerts are routed through Spectorsoft.

Parents that monitor their children's activity with this software will also be giving Spectorsoft a clear view of what their children are doing. Employers that monitor their employees with this software will also be giving Spectorsoft a clear view of what their employees are doing. Proprietary and otherwise sensitive data are certain to fall into Spectorsoft's hands. We thus raise the question, "Who is Spectorsoft, and why should you trust them to keep your secrets?"

4 Acknowledgments

Paul Graves of Interhack was instrumental in the completion of this analysis. Roger McCoy of WBNS-10TV (Columbus, Ohio) provided the impetus for this investigation and commentary.
