eBlaster spyware has Achilles heel

Well designed, yet easily defeated


Review Few applications illustrate the dual nature of consumer technology as both constructive and destructive better than computer spyware. While it has a legitimate use by parents monitoring their children's on-line comings and goings, it has equal potential to violate the privacy of adults both at home and on the job.

So when SpectorSoft invited El Reg to evaluate its recent eBlaster 3.0, a spyware program which the company markets to concerned parents and nosey bosses, I was eager to give it a go, particularly with a mind to seeing how difficult it would be to defeat.

The eBlaster software leaves little to the imagination. It "lets you know exactly what your employees or family members are doing on the Internet, even if you are thousands of miles away. eBlaster records their e-mails, chats, instant messages, Web sites visited and keystrokes typed -- and then automatically sends this recorded information to your own email address," the company explains.

There is also a very controversial Trojan element, enabling users to infect other machines remotely:

"If you are not able to physically go to the computer on which you wish to install eBlaster, you may benefit from our Remote Install Add-On, which allows you to e-mail the eBlaster program to the recipient's e-mail address. Perfect for parents with kids away at school or employers with remote offices."

SpectorSoft urges users not to install the software on a machine they don't own and further recommends alerting users to the fact that their sessions will be monitored. During installation a little prompt appears requiring one to choose "Yes" to a pledge that the software won't be abused.

I tested it on a recently-patched Win-XP Pro installation. Before installing eBlaster I made a backup copy of the registry so I could track changes there. Once I'd installed it I immediately made a fresh copy of the registry and then compared the two files using a trial version of BeyondCompare by Scooter Software, a file comparison utility.

Registry changes were fairly subtle, with no obvious "spyware" entries. The average user would probably never spot anything suspicious. The first thing that stood out was a new reference to nvrcr32.dll, a file located in C:\WINDOWS\system32\. This is associated with the eBlaster installation, and a quick search of the local hard disk (with system files and hidden files included from the 'More Advanced Options' dialog) will reveal it on infected machines.

Another file eBlaster drops on the target machine is mssecrmd.exe, located in C:\WINDOWS\system32\, not immediately mentioned in the registry but easily found with a search of the local drive.
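The before-and-after registry comparison described above can be done without a GUI diff tool. The script below is an added example, not something from the review or from SpectorSoft: it parses two regedit "Version 5.00" exports, reports which values were added, removed or changed, and then filters that (usually noisy) list down to the thing a spyware hunter actually wants, namely files the registry now points at that it did not mention before. The two exports embedded in it are constructed for the example; in particular the HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Monitor key is made up, because the article only says that a reference to nvrcr32.dll appeared, not under which key. Real regedit exports are UTF-16; open them with encoding="utf-16".

```python
"""Diff two regedit exports and list the files the new registry entries point at.

Added example, not from the original review or from the eBlaster vendor.
The BEFORE/AFTER exports below are constructed; the ExampleVendor key is
hypothetical and is not where eBlaster actually writes anything.
"""
import re
import sys
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Dict[str, str]]      # key path -> {value name: raw data as exported}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
# A drive-letter or %VAR%-rooted path, or a bare module name, ending in a code-carrying extension.
_FILE_RE = re.compile(r'(?:(?:[a-z]:|%[^%\\]+%)\\[^"<>|\r\n]*?)?\b[\w\-]+\.(?:exe|dll|sys|ocx)\b', re.I)


def parse_reg_export(text: str) -> Snapshot:
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}}."""
    snap: Snapshot = {}
    key = None
    pending = None                        # (name, partial data) while a hex value continues on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:           # regedit wraps long hex values with a trailing backslash
            name, data = pending
            data += line
            pending = (name, data[:-1]) if data.endswith("\\") else None
            if pending is None:
                snap[key][name] = data
            continue
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            snap.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "@" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if data.endswith("\\"):
                pending = (name, data[:-1])
            else:
                snap[key][name] = data
    return snap


def reg_to_text(data: str) -> str:
    """Render raw value data as text so paths inside it can be searched."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])          # REG_SZ: \\ -> \ and \" -> "
    m = re.match(r"hex\((2|7)\):(.*)", data)                  # REG_EXPAND_SZ / REG_MULTI_SZ, UTF-16LE bytes
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        return raw.decode("utf-16-le", errors="replace").replace("\x00", " ")
    return data                                               # dword:, hex:, ... left as-is


def diff_snapshots(before: Snapshot, after: Snapshot):
    """Return (added, removed, changed) value tuples, like a file diff but per registry value."""
    added: List[Tuple[str, str, str]] = []
    removed: List[Tuple[str, str, str]] = []
    changed: List[Tuple[str, str, str, str]] = []
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if name not in old:
                added.append((key, name, data))
            elif old[name] != data:
                changed.append((key, name, old[name], data))
    for key, values in before.items():
        new = after.get(key, {})
        removed.extend((key, name, data) for name, data in values.items() if name not in new)
    return added, removed, changed


def referenced_files(snap: Snapshot) -> Set[str]:
    """Every executable/DLL path or module name mentioned anywhere in the snapshot, lower-cased."""
    files: Set[str] = set()
    for values in snap.values():
        for data in values.values():
            files.update(m.group(0).lower() for m in _FILE_RE.finditer(reg_to_text(data)))
    return files


def new_file_references(before: Snapshot, after: Snapshot) -> List[str]:
    """Files the registry points at after the install but did not before: the list to go search the disk for."""
    return sorted(referenced_files(after) - referenced_files(before))


# Constructed sample exports (not real eBlaster data). The hex(2) value is the UTF-16LE
# REG_EXPAND_SZ encoding of %SystemRoot%\system32\mssecrmd.exe, wrapped the way regedit wraps it.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="600"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="900"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Monitor]
"Module"="C:\\WINDOWS\\system32\\nvrcr32.dll"
"Enabled"=dword:00000001
"Agent"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
  73,00,73,00,65,00,63,00,72,00,6d,00,64,00,2e,00,65,00,78,00,65,00,00,00
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # python regdiff.py before.reg after.reg
        texts = [open(p, encoding="utf-16").read() for p in sys.argv[1:]]
    else:
        texts = [BEFORE, AFTER]
    b, a = (parse_reg_export(t) for t in texts)
    added, removed, changed = diff_snapshots(b, a)
    print(f"{len(added)} added, {len(removed)} removed, {len(changed)} changed")
    for f in new_file_references(b, a):
        print("new file reference:", f)
```

Run it against two real exports and the last lines are the candidates for the hidden-and-system-files disk search described above; the noisy churn (MRU lists, timeouts, and so on) still shows up in the diff counts but never in the file list.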

It is easy to stop eBlaster sending its e-mail reports if you run a firewall product with egress filtering, such as ZoneAlarm (the native Win-XP 'firewall' has no such feature), and deny Internet access to explorer.exe. This is only a partial remedy, though: the reports are still written to disk, so whoever planted eBlaster can read them whenever they have physical access to the infected machine.

Otherwise the program is quite stealthy. The default hotkey for opening the eBlaster configuration is Alt+Ctrl+Shift+T, though the owner can change it. A careless snoop might not bother, so if Alt+Ctrl+Shift+T brings up a password prompt, you can be fairly sure you have spyware. The default location of the log files, C:\WINDOWS\system32\iase\, can likewise be changed, so the absence of that directory proves nothing.

Activity reports sent via e-mail are automatically given a dummy return address so the spy won't accidentally forward a report to the person being monitored. Obviously, the reports don't turn up in the victim's 'sent mail' directory.

The eBlaster kit, priced at about US $100, is well designed and would be difficult for the average Windows user to detect and defeat. It leaves few traces, and those it does leave are innocuous. Standard anti-virus software ignores it, though there is commercial software designed to defeat it, such as SpyCop, which I haven't tested. The personal edition costs about US $50.

As for eBlaster's core consumer base, one would imagine that suspicious spouses contemplating divorce might make up that category. We note that it is advertised at InfidelityToday.com, right beside a test kit for identifying semen stains on a woman's knickers. Somehow the two seem to fit together quite naturally. ®
