eBlaster spyware has Achilles heel

Well designed, yet easily defeated


Review: Few applications illustrate the dual nature of consumer technology as both constructive and destructive better than computer spyware. While it has a legitimate use by parents monitoring their children's on-line comings and goings, it has equal potential to violate the privacy of adults both at home and on the job.

So when SpecterSoft invited El Reg to evaluate its recent eBlaster 3.0, a spyware program which the company markets to concerned parents and nosey bosses, I was eager to give it a go, particularly with a mind to seeing how difficult it would be to defeat.

The eBlaster software leaves little to the imagination. It "lets you know exactly what your employees or family members are doing on the Internet, even if you are thousands of miles away. eBlaster records their e-mails, chats, instant messages, Web sites visited and keystrokes typed -- and then automatically sends this recorded information to your own email address," the company explains.

There is also a very controversial Trojan element, enabling users to infect other machines remotely:

"If you are not able to physically go to the computer on which you wish to install eBlaster, you may benefit from our Remote Install Add-On, which allows you to e-mail the eBlaster program to the recipient's e-mail address. Perfect for parents with kids away at school or employers with remote offices."

SpecterSoft urges users not to install the software on a machine they don't own and further recommends alerting users to the fact that their sessions will be monitored. During installation a little prompt appears requiring one to choose "Yes" to a pledge that the software won't be abused.

I tested it on a recently-patched Win-XP Pro installation. Before installing eBlaster I made a backup copy of the registry so I could track changes there. Once I'd installed it I immediately made a fresh copy of the registry and then compared the two files using a trial version of BeyondCompare by Scooter Software, a file comparison utility.

Registry changes were fairly subtle, with no obvious "spyware" entries. The average user would probably never spot anything suspicious. The first thing that stood out was a new reference to nvrcr32.dll, a file located in C:\WINDOWS\system32\. This is associated with the eBlaster installation, and a quick search of the local hard disk (with system files and hidden files included from the 'More Advanced Options' dialog) will reveal it on infected machines.

Another file eBlaster drops on the target machine is mssecrmd.exe, located in C:\WINDOWS\system32\, not immediately mentioned in the registry but easily found with a search of the local drive.

It is easy to prevent eBlaster from sending e-mail alerts by using a firewall product with egress filtering, such as ZoneAlarm (the native Win-XP 'firewall' does not have this feature), and denying Internet access to explorer.exe. However, this is only a partial solution, since the person using eBlaster can check the activity reports whenever they have physical access to the infected machine.

Otherwise the program is quite stealthy. The default hotkey for accessing eBlaster configuration is Alt+Ctrl+Shift+T, but this can be changed by the owner. Of course a careless person might not bother to change it, so if you get a password prompt when you enter Alt+Ctrl+Shift+T, you can be pretty sure you have spyware. The default location for eBlaster log files, C:\WINDOWS\system32\iase\, can also be changed.
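The before/after registry comparison described above can be scripted. The following is an added example, not part of the original review or of any vendor's tooling: it diffs two regedit exports, reports values that were added or changed, and flags any that reference the file names and default log directory named in this review. The sample exports and their key names are constructed placeholders.

```python
import re
# Indicators named in the review: two dropped files and the default log directory.
INDICATORS = ("nvrcr32.dll", "mssecrmd.exe", r"system32\iase")
VALUE = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def decode(data):
    """Turn raw .reg data into searchable text (quoted strings and hex strings)."""
    m = re.match(r"hex\((?:1|2|7)\):(.*)$", data)
    if m:  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ exported as UTF-16LE bytes
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # undo .reg backslash escaping
    return data

def parse_reg(text):
    """Parse a regedit export into {(key, value_name): decoded_data}."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            entries[(key, m.group(1).strip('"'))] = decode(m.group(2))
    return entries

def diff_reg(before, after):
    """List (status, key, name, data, indicator_hit) for added or changed values."""
    old, new = parse_reg(before), parse_reg(after)
    return [("changed" if k in old else "added", k[0], k[1], v,
             any(i in v.lower() for i in INDICATORS))
            for k, v in sorted(new.items()) if old.get(k) != v]

# Constructed sample exports; the key names are placeholders, not eBlaster's real keys.
BEFORE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Handler"="C:\\WINDOWS\\system32\\shell32.dll"
"Timeout"=dword:0000000a
'''
AFTER = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Handler"="C:\\WINDOWS\\system32\\nvrcr32.dll"
"Timeout"=dword:0000000a
"LogDir"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,00,61,00,73,00,65,00,00,00
'''
for finding in diff_reg(BEFORE, AFTER):
    print(finding)
```

Real exports in the "Windows Registry Editor Version 5.00" format are UTF-16 files, so read them with `open(path, encoding="utf-16")` before passing the text in. Because the log directory can be changed by the installer's owner, a clean result for that indicator proves nothing on its own.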

Activity reports sent via e-mail are automatically given a dummy return address so the spy won't accidentally forward a report to the person being monitored. Obviously, the reports don't turn up in the victim's 'sent mail' directory.

The eBlaster kit, priced at about US $100, is well designed and would be difficult for the average Windows user to detect and defeat. It leaves few traces, and those it does leave are innocuous. Standard anti-virus software ignores it, though commercial software to defeat it, such as SpyCop, is available; I haven't tested it. The personal edition costs about US $50.

As for eBlaster's core consumer base, one would imagine that suspicious spouses contemplating divorce might make up that category. We note that it is advertised at InfidelityToday.com, right beside a test kit for identifying semen stains on a woman's knickers. Somehow the two seem to fit together quite naturally. ®
