Feeds

eBlaster spyware has Achilles heel

Well designed, yet easily defeated

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Review Few applications illustrate the dual nature of consumer technology as both constructive and destructive better than computer spyware. While it has a legitimate use by parents monitoring their children's on-line comings and goings, it has equal potential to violate the privacy of adults both at home and on the job.

So when SpecterSoft invited El Reg to evaluate its recent eBlaster 3.0, a spyware program which the company markets to concerned parents and nosey bosses, I was eager to give it a go, particularly with a mind to seeing how difficult it would be to defeat.

The eBlaster software leaves little to the imagination. It "lets you know exactly what your employees or family members are doing on the Internet, even if you are thousands of miles away. eBlaster records their e-mails, chats, instant messages, Web sites visited and keystrokes typed -- and then automatically sends this recorded information to your own email address," the company explains.

There is also a very controversial Trojan element, enabling users to infect other machines remotely:

"If you are not able to physically go to the computer on which you wish to install eBlaster, you may benefit from our Remote Install Add-On, which allows you to e-mail the eBlaster program to the recipient's e-mail address. Perfect for parents with kids away at school or employers with remote offices."

SpecterSoft urges users not to install the software on a machine they don't own and further recommends alerting users to the fact that their sessions will be monitored. During installation a little prompt appears requiring one to choose "Yes" to a pledge that the software won't be abused.

I tested it on a recently-patched Win-XP Pro installation. Before installing eBlaster I made a backup copy of the registry so I could track changes there. Once I'd installed it I immediately made a fresh copy of the registry and then compared the two files using a trial version of BeyondCompare by Scooter Software, a file comparison utility.

Registry changes were fairly subtle, with no obvious "spyware" entries. The average user would probably never spot anything suspicious. The first thing that stood out was a new reference to nvrcr32.dll, a file located in C:\WINDOWS\system32\. This is associated with the eBlaster installation, and a quick search of the local hard disk (with system files and hidden files included from the 'More Advanced Options' dialog) will reveal it on infected machines.

Another file eBlaster drops on the target machine is mssecrmd.exe, located in C:\WINDOWS\system32\, not immediately mentioned in the registry but easily found with a search of the local drive.

It is easy to prevent eBlaster from sending e-mail alerts if one is using a firewall product with egress filtering like ZoneAlarm (the native Win-XP 'firewall' does not have this feature), and denying Internet access to explorer.exe. However, this is only a partial solution since the person using eBlaster can check the activity reports whenever they have physical access to the infected machine.

Otherwise the program is quite stealthy. The default hotkey for accessing eBlaster configuration is Alt+Ctrl+Shift+T, but this can be changed by the owner. Of course a careless person might not bother to change it, so if you get a password prompt when you enter Alt+Ctrl+Shift+T, you can be pretty sure you have spyware. The default location for eBlaster log files, C:\WINDOWS\system32\iase\, can also be changed.

Activity reports sent via e-mail are automatically given a dummy return address so the spy won't accidentally forward a report to the person being monitored. Obviously, the reports don't turn up in the victim's 'sent mail' directory.

The eBlaster kit, priced at about US $100, is well designed and would be difficult for the average Windows user to detect and defeat. It leaves few traces, and those it does leave are innocuous. Standard anti-virus software ignores it though there is commercial software to defeat it like SpyCop available, but I haven't tested it. The personal edition costs about US $50.

As for eBlaster's core consumer base, one would imagine that suspicious spouses contemplating divorce might make up that category. We note that it is advertised at InfidelityToday.com, right beside a test kit for identifying semen stains on a woman's knickers. Somehow the two seem to fit together quite naturally. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.