Feeds

eBlaster spyware has Achilles heel

Well designed, yet easily defeated

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Review Few applications illustrate the dual nature of consumer technology as both constructive and destructive better than computer spyware. While it has a legitimate use by parents monitoring their children's on-line comings and goings, it has equal potential to violate the privacy of adults both at home and on the job.

So when SpecterSoft invited El Reg to evaluate its recent eBlaster 3.0, a spyware program which the company markets to concerned parents and nosey bosses, I was eager to give it a go, particularly with a mind to seeing how difficult it would be to defeat.

The eBlaster software leaves little to the imagination. It "lets you know exactly what your employees or family members are doing on the Internet, even if you are thousands of miles away. eBlaster records their e-mails, chats, instant messages, Web sites visited and keystrokes typed -- and then automatically sends this recorded information to your own email address," the company explains.

There is also a very controversial Trojan element, enabling users to infect other machines remotely:

"If you are not able to physically go to the computer on which you wish to install eBlaster, you may benefit from our Remote Install Add-On, which allows you to e-mail the eBlaster program to the recipient's e-mail address. Perfect for parents with kids away at school or employers with remote offices."

SpecterSoft urges users not to install the software on a machine they don't own and further recommends alerting users to the fact that their sessions will be monitored. During installation a little prompt appears requiring one to choose "Yes" to a pledge that the software won't be abused.

I tested it on a recently-patched Win-XP Pro installation. Before installing eBlaster I made a backup copy of the registry so I could track changes there. Once I'd installed it I immediately made a fresh copy of the registry and then compared the two files using a trial version of BeyondCompare by Scooter Software, a file comparison utility.

Registry changes were fairly subtle, with no obvious "spyware" entries. The average user would probably never spot anything suspicious. The first thing that stood out was a new reference to nvrcr32.dll, a file located in C:\WINDOWS\system32\. This is associated with the eBlaster installation, and a quick search of the local hard disk (with system files and hidden files included from the 'More Advanced Options' dialog) will reveal it on infected machines.

Another file eBlaster drops on the target machine is mssecrmd.exe, located in C:\WINDOWS\system32\, not immediately mentioned in the registry but easily found with a search of the local drive.

It is easy to prevent eBlaster from sending e-mail alerts if one is using a firewall product with egress filtering like ZoneAlarm (the native Win-XP 'firewall' does not have this feature), and denying Internet access to explorer.exe. However, this is only a partial solution since the person using eBlaster can check the activity reports whenever they have physical access to the infected machine.

Otherwise the program is quite stealthy. The default hotkey for accessing eBlaster configuration is Alt+Ctrl+Shift+T, but this can be changed by the owner. Of course a careless person might not bother to change it, so if you get a password prompt when you enter Alt+Ctrl+Shift+T, you can be pretty sure you have spyware. The default location for eBlaster log files, C:\WINDOWS\system32\iase\, can also be changed.

Activity reports sent via e-mail are automatically given a dummy return address so the spy won't accidentally forward a report to the person being monitored. Obviously, the reports don't turn up in the victim's 'sent mail' directory.

The eBlaster kit, priced at about US $100, is well designed and would be difficult for the average Windows user to detect and defeat. It leaves few traces, and those it does leave are innocuous. Standard anti-virus software ignores it though there is commercial software to defeat it like SpyCop available, but I haven't tested it. The personal edition costs about US $50.

As for eBlaster's core consumer base, one would imagine that suspicious spouses contemplating divorce might make up that category. We note that it is advertised at InfidelityToday.com, right beside a test kit for identifying semen stains on a woman's knickers. Somehow the two seem to fit together quite naturally. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.