
eBlaster spyware has Achilles heel

Well designed, yet easily defeated


Review: Few applications illustrate the dual nature of consumer technology as both constructive and destructive better than computer spyware. While it has a legitimate use by parents monitoring their children's on-line comings and goings, it has equal potential to violate the privacy of adults both at home and on the job.

So when SpecterSoft invited El Reg to evaluate its recent eBlaster 3.0, a spyware program which the company markets to concerned parents and nosey bosses, I was eager to give it a go, particularly with a mind to seeing how difficult it would be to defeat.

The eBlaster software leaves little to the imagination. It "lets you know exactly what your employees or family members are doing on the Internet, even if you are thousands of miles away. eBlaster records their e-mails, chats, instant messages, Web sites visited and keystrokes typed -- and then automatically sends this recorded information to your own email address," the company explains.

There is also a very controversial Trojan element, enabling users to infect other machines remotely:

"If you are not able to physically go to the computer on which you wish to install eBlaster, you may benefit from our Remote Install Add-On, which allows you to e-mail the eBlaster program to the recipient's e-mail address. Perfect for parents with kids away at school or employers with remote offices."

SpecterSoft urges users not to install the software on a machine they don't own and further recommends alerting users to the fact that their sessions will be monitored. During installation a little prompt appears requiring one to choose "Yes" to a pledge that the software won't be abused.

I tested it on a recently-patched Win-XP Pro installation. Before installing eBlaster I made a backup copy of the registry so I could track changes there. Once I'd installed it I immediately made a fresh copy of the registry and then compared the two files using a trial version of BeyondCompare by Scooter Software, a file comparison utility.

Registry changes were fairly subtle, with no obvious "spyware" entries. The average user would probably never spot anything suspicious. The first thing that stood out was a new reference to nvrcr32.dll, a file located in C:\WINDOWS\system32\. This is associated with the eBlaster installation, and a quick search of the local hard disk (with system files and hidden files included from the 'More Advanced Options' dialog) will reveal it on infected machines.
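The before-and-after registry comparison described above can also be scripted. The following is an added example, not part of the original review: it parses two regedit text exports, lists values that were added or changed, and flags any whose data mentions nvrcr32.dll. The key and value names in the sample exports are constructed placeholders, since the review does not say where the reference appears.

```python
import re

INDICATORS = ("nvrcr32.dll",)  # file name from the review

def parse_reg(text):
    """Parse regedit export text into {(key, value_name): raw_data}."""
    entries, key = {}, None
    # Long hex values continue on the next line after a trailing backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, "")] = ""          # remember the key itself
        elif key:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                name = m.group(1)
                entries[(key, name if name == "@" else name[1:-1])] = m.group(2)
    return entries

def load_export(path):
    """regedit 'Version 5.00' exports are UTF-16 with a byte-order mark."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())

def diff_reg(before, after):
    """Return (added, changed) lists of (key, name, data) seen in `after`."""
    added = [(k, n, d) for (k, n), d in after.items() if (k, n) not in before]
    changed = [(k, n, d) for (k, n), d in after.items()
               if (k, n) in before and before[(k, n)] != d]
    return added, changed

def flag(entries, indicators=INDICATORS):
    """Keep entries whose data mentions one of the indicator file names."""
    return [e for e in entries
            if any(i.lower() in e[2].lower() for i in indicators)]

# Constructed sample exports; key and value names are placeholders.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Existing]
"Path"="C:\\Program Files\\Example"
"Flags"=dword:00000001
'''
AFTER = BEFORE.replace("00000001", "00000003") + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Placeholder]
"Module"="C:\\WINDOWS\\system32\\nvrcr32.dll"
'''

if __name__ == "__main__":
    added, changed = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for key, name, data in flag(added) + changed:
        print(key, name, data)
```

For real exports, pass the two file paths through `load_export` instead of using the inline samples.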

Another file eBlaster drops on the target machine is mssecrmd.exe, located in C:\WINDOWS\system32\, not immediately mentioned in the registry but easily found with a search of the local drive.

It is easy to prevent eBlaster from sending e-mail alerts by using a firewall product with egress filtering, such as ZoneAlarm (the native Win-XP 'firewall' does not have this feature), and denying Internet access to explorer.exe. However, this is only a partial solution, since the person using eBlaster can check the activity reports whenever they have physical access to the infected machine.

Otherwise the program is quite stealthy. The default hotkey for accessing eBlaster configuration is Alt+Ctrl+Shift+T, but this can be changed by the owner. Of course a careless person might not bother to change it, so if you get a password prompt when you enter Alt+Ctrl+Shift+T, you can be pretty sure you have spyware. The default location for eBlaster log files, C:\WINDOWS\system32\iase\, can also be changed.

Activity reports sent via e-mail are automatically given a dummy return address so the spy won't accidentally forward a report to the person being monitored. Obviously, the reports don't turn up in the victim's 'sent mail' directory.

The eBlaster kit, priced at about US $100, is well designed and would be difficult for the average Windows user to detect and defeat. It leaves few traces, and those it does leave are innocuous. Standard anti-virus software ignores it, though there is commercial software available to defeat it, such as SpyCop, but I haven't tested it. The personal edition costs about US $50.

As for eBlaster's core consumer base, one would imagine that suspicious spouses contemplating divorce might make up that category. We note that it is advertised at InfidelityToday.com, right beside a test kit for identifying semen stains on a woman's knickers. Somehow the two seem to fit together quite naturally. ®
