May 7, 2002
This document is also available in PDF.
Spectorsoft Corp. publishes a product known as Spector Professional Edition for Windows. It's advertised as ``Internet Monitoring and Surveillance'' software, which is more commonly known as ``Spyware''.
A quick look at Spector Pro revealed several key issues:
The bottom line is Spector Pro can completely compromise the privacy of a nontechnical user. Competent professionals looking for Spector Pro's presence should have no difficulty finding the software.
A cursory examination of a Windows 2000 Professional workstation with Spector Pro 3.1 confirmed some claims of the software and yielded some fairly interesting discoveries.
Effectiveness of the system's Stealth Mode depends on obfuscation. Users who do not know what processes to expect on a process listing, or believe that programs must be ``visible'' to be running, stand no chance of determining that Spector Pro is active. No indication of Spector Pro (or Spectorsoft) is found in the process listing, host registry, or visible files.
A particular key combination (apparently ``Control-Alt-Shift-S'' by default) on the keyboard will bring up Spector Pro's splash screen and a password dialog box. A user who happens across the correct key combination would find that the software is running.
The ability for Spector Pro to hide is dependent upon its running. If the disk on which it is installed is examined with another operating system, for example, files invisible to Windows users would be clearly visible, though perhaps still not obviously named.
Information security practitioners have long used the concept of a Trusted Computing Base (TCB) to define the collection of components used to enforce a security policy. The TCB's ability to enforce policy depends on the correctness of implementation. Windows operating systems largely fail to adhere to sound security design principles. Furthermore, the complete lack of trustworthy audit mechanisms makes it impossible to verify in any reasonably secure manner what is and isn't happening on the machine.
Spector Pro takes advantage of this lack of security in Windows, effectively turning what should be the TCB against the user, recording his activity and making it impossible for him to audit the computer's activity.
For this reason, examination of a machine with Spector Pro enabled is best done not with the machine booted normally, but by looking at the disk under another operating system that will not be running the Spector Pro software.
Interestingly, Spector Pro will require network connectivity for it to operate. Alerts that it sends to the person monitoring the system's use, as well as other data regarding the activity, are routed through Spectorsoft. As is true with the rest of the system, the network activity is heavily obfuscated.
In our quick assessment, we identified that even without specifying an address to which alerts should be directed, Spector Pro was uploading data to Spectorsoft.
We found that among the normal network traffic, our test machine was making TCP connections to the host u2a1376gf-43ty-245b.com [22.214.171.124]. The domain in question is registered to none other than Spectorsoft.
SpectorSoft Corp. (U2A1376GF43TY245B-DOM) 333 17TH ST VERO BEACH, FL 32960-5670 US Domain Name: U2A1376GF-43TY-245B.COM
Clearly, use of the domain U2A1376GF-43TY-245B.COM is simply an obfuscation technique, hoping to foil the casual observer.
In addition to obfuscation in the domain name, Spector Pro uses an obfuscated binary protocol for the interaction with Spectorsoft. Figure 1 shows the data, in hexadecimal form, that are uploaded to Spectorsoft.
00000000 01 00 00 00 0c 01 00 00 00 00 02 00 44 4c 61 33 00000010 bd bd 3a 8d bc ce bf fd 84 ce 37 05 6f bb 95 25 00000020 9c 33 57 0e f7 6d 91 60 f5 d0 f2 f9 70 99 cf 97 00000030 21 24 69 04 5b 84 32 74 66 55 5c 04 66 83 71 84 00000040 b9 8f 10 bf da f1 26 61 f7 c9 3f 60 bc f2 45 f6 00000050 18 d9 e6 82 27 37 38 a4 14 ed bb 2e c7 19 4e ff 00000060 f6 b3 fe c3 54 7d 03 6f 67 51 3f a8 65 ee bf 0c 00000070 e8 5a a0 ae a3 8e 98 26 5f 6c 3b 76 ae f8 57 49 00000080 74 33 c7 c3 c2 0c 50 aa 5f 0d 17 2a fe b7 d9 b8 00000090 de 23 c8 26 41 d0 c6 19 41 17 44 72 15 70 33 8b 000000A0 47 3a a1 aa 04 92 70 c2 6c 94 af 71 ed 9d 4e f7 000000B0 14 da 6f 2a 47 ff 8a 97 80 11 d0 e8 18 bb 9f 70 000000C0 0a cc f7 ce 11 58 31 c7 43 dc d2 25 99 63 bb e0 000000D0 7e 4f d1 c0 3e fc 50 c8 1d 4a e1 0d 3f 70 e4 4b 000000E0 e0 c1 36 e8 c2 14 88 5c 2b 6e fa 22 19 3d 8d 3f 000000F0 a0 1f 1a 66 94 e5 fc 73 47 ca b7 a7 11 38 4b fc 00000100 93 af 29 96 10 1b 03 6a 2a fd e5 20
Additional data are in the session after the initial message from client to server. Further, toward the end of the session, the message length becomes significantly shorter, suggesting that there is some kind of interactive protocol, rather than simple data uploads and downloads.
The end result is that neither the user of the machine being monitored nor the person who installed the software can be sure of just what is being uploaded to Spectorsoft. Furthermore, in our test, there was no obvious need for Spector Pro to communicate with Spectorsoft, which suggests that there is more to the communication channel than what's needed to provide the ``alert'' functionality.
So the question is, ``Does Spectorsoft spy on the spies who use Spector Pro?''
Because Spector Pro requires network connectivity to perform its work, network connectivity is its Achilles' Heel. Several technologies could be employed to detect the presence of Spector Pro.
Quick assessment of Spector Pro shows that it is effective spyware, giving typical non-technical users little chance to protect their privacy. As with all such technology, however, this is essentially an arms race. Once users become more sophisticated, perhaps by employing some techniques described here, they will regain the upper hand. Such a shift in the balance will no doubt result in greater obfuscation in Spector Pro, which will result in greater sophistication of privacy-sensitive users. Whoever has the greatest invested, as a combination of skill and time, will win, until someone invests more.
Ethical considerations here are myriad. Besides the basic questions of who may spy on whom and for what purposes, a basic issue comes into play with regard to the technique employed. Namely, this technique requires that some data, which are obfuscated and therefore difficult or impossible to audit, are uploaded to Spectorsoft. Email alerts are routed through Spectorsoft.
Parents that monitor their children's activity with this software will also be giving Spectorsoft a clear view of what their children are doing. Employers that monitor their employees with this software will also be giving Spectorsoft a clear view of what their employees are doing. Proprietary and otherwise sensitive data are certain to fall into Spectorsoft's hands. We thus raise the question, ``Who is Spectorsoft, and why should you trust them to keep your secrets?''
Paul Graves of Interhack was instrumental in the completion of this analysis. Roger McCoy of WBNS-10TV (Columbus, Ohio) provided the impetus for this investigation and commentary.
This document was generated using the LaTeX2HTML translator Version 99.2beta8 (1.46)
Copyright © 1993, 1994, 1995, 1996,
Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -split 0 -no_navigation -show_section_numbers spector.tex
The translation was initiated by Matt Curtin on 2002-05-07