INTERHACK  


Spector Professional Review and Commentary

Matt Curtin

May 7, 2002



1 Introduction

Spectorsoft Corp. publishes a product known as Spector Professional Edition for Windows. It's advertised as "Internet Monitoring and Surveillance" software, which is more commonly known as "Spyware".

A quick look at Spector Pro revealed several key issues:

The bottom line is Spector Pro can completely compromise the privacy of a nontechnical user. Competent professionals looking for Spector Pro's presence should have no difficulty finding the software.


2 Detailed Discussion

A cursory examination of a Windows 2000 Professional workstation with Spector Pro 3.1 confirmed some claims of the software and yielded some fairly interesting discoveries.


2.1 Stealth Mode Effectiveness

Effectiveness of the system's Stealth Mode depends on obfuscation. Users who do not know what processes to expect on a process listing, or believe that programs must be "visible" to be running, stand no chance of determining that Spector Pro is active. No indication of Spector Pro (or Spectorsoft) is found in the process listing, host registry, or visible files.

A particular key combination (apparently "Control-Alt-Shift-S" by default) on the keyboard will bring up Spector Pro's splash screen and a password dialog box. A user who happens across the correct key combination would find that the software is running.

Spector Pro's ability to hide depends on its being running. If the disk on which it is installed is examined with another operating system, for example, files invisible to Windows users would be clearly visible, though perhaps still not obviously named.


2.2 Exploits Lack of Trusted Computing Base

Information security practitioners have long used the concept of a Trusted Computing Base (TCB) to define the collection of components used to enforce a security policy. The TCB's ability to enforce policy depends on the correctness of implementation. Windows operating systems largely fail to adhere to sound security design principles. Furthermore, the complete lack of trustworthy audit mechanisms makes it impossible to verify in any reasonably secure manner what is and isn't happening on the machine.

Spector Pro takes advantage of this lack of security in Windows, effectively turning what should be the TCB against the user, recording his activity and making it impossible for him to audit the computer's activity.

For this reason, examination of a machine with Spector Pro enabled is best done not with the machine booted normally, but by looking at the disk under another operating system that will not be running the Spector Pro software.


2.3 Spector Pro Requires Network Connectivity

Interestingly, Spector Pro requires network connectivity in order to operate. Alerts that it sends to the person monitoring the system's use, as well as other data regarding the activity, are routed through Spectorsoft. As is true with the rest of the system, the network activity is heavily obfuscated.

2.3.1 Uploads to Spectorsoft

In our quick assessment, we identified that even without specifying an address to which alerts should be directed, Spector Pro was uploading data to Spectorsoft.

We found that among the normal network traffic, our test machine was making TCP connections to the host u2a1376gf-43ty-245b.com [209.61.191.54]. The domain in question is registered to none other than Spectorsoft.

SpectorSoft Corp. (U2A1376GF43TY245B-DOM)
   333 17TH ST
   VERO BEACH, FL 32960-5670
   US

   Domain Name: U2A1376GF-43TY-245B.COM

Clearly, use of the domain U2A1376GF-43TY-245B.COM is simply an obfuscation technique, hoping to foil the casual observer.

2.3.2 Obfuscated Sessions

In addition to obfuscation in the domain name, Spector Pro uses an obfuscated binary protocol for the interaction with Spectorsoft. Figure 1 shows the data, in hexadecimal form, that are uploaded to Spectorsoft.

Figure 1: Initial Message to Spectorsoft
00000000  01 00 00 00 0c 01 00 00  00 00 02 00 44 4c 61 33
00000010  bd bd 3a 8d bc ce bf fd  84 ce 37 05 6f bb 95 25
00000020  9c 33 57 0e f7 6d 91 60  f5 d0 f2 f9 70 99 cf 97
00000030  21 24 69 04 5b 84 32 74  66 55 5c 04 66 83 71 84
00000040  b9 8f 10 bf da f1 26 61  f7 c9 3f 60 bc f2 45 f6
00000050  18 d9 e6 82 27 37 38 a4  14 ed bb 2e c7 19 4e ff
00000060  f6 b3 fe c3 54 7d 03 6f  67 51 3f a8 65 ee bf 0c
00000070  e8 5a a0 ae a3 8e 98 26  5f 6c 3b 76 ae f8 57 49
00000080  74 33 c7 c3 c2 0c 50 aa  5f 0d 17 2a fe b7 d9 b8
00000090  de 23 c8 26 41 d0 c6 19  41 17 44 72 15 70 33 8b
000000A0  47 3a a1 aa 04 92 70 c2  6c 94 af 71 ed 9d 4e f7
000000B0  14 da 6f 2a 47 ff 8a 97  80 11 d0 e8 18 bb 9f 70
000000C0  0a cc f7 ce 11 58 31 c7  43 dc d2 25 99 63 bb e0
000000D0  7e 4f d1 c0 3e fc 50 c8  1d 4a e1 0d 3f 70 e4 4b
000000E0  e0 c1 36 e8 c2 14 88 5c  2b 6e fa 22 19 3d 8d 3f
000000F0  a0 1f 1a 66 94 e5 fc 73  47 ca b7 a7 11 38 4b fc
00000100  93 af 29 96 10 1b 03 6a  2a fd e5 20 

Additional data follow in the session after the initial message from client to server. Further, toward the end of the session, the messages become significantly shorter, suggesting that there is some kind of interactive protocol, rather than simple data uploads and downloads.
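As an added example (not part of the original report), the following script parses the Figure 1 dump above and measures the byte entropy of everything after the first 12 bytes; a value close to 8 bits per byte is consistent with the obfuscated session described in the text, though it does not by itself prove encryption. Reading the leading bytes as little-endian 32-bit words is an assumption made here for illustration; the report does not document the message format.

```python
import math
import struct
from collections import Counter

# Figure 1 from the text above, copied verbatim so the analysis runs offline.
FIGURE_1 = """\
00000000  01 00 00 00 0c 01 00 00  00 00 02 00 44 4c 61 33
00000010  bd bd 3a 8d bc ce bf fd  84 ce 37 05 6f bb 95 25
00000020  9c 33 57 0e f7 6d 91 60  f5 d0 f2 f9 70 99 cf 97
00000030  21 24 69 04 5b 84 32 74  66 55 5c 04 66 83 71 84
00000040  b9 8f 10 bf da f1 26 61  f7 c9 3f 60 bc f2 45 f6
00000050  18 d9 e6 82 27 37 38 a4  14 ed bb 2e c7 19 4e ff
00000060  f6 b3 fe c3 54 7d 03 6f  67 51 3f a8 65 ee bf 0c
00000070  e8 5a a0 ae a3 8e 98 26  5f 6c 3b 76 ae f8 57 49
00000080  74 33 c7 c3 c2 0c 50 aa  5f 0d 17 2a fe b7 d9 b8
00000090  de 23 c8 26 41 d0 c6 19  41 17 44 72 15 70 33 8b
000000A0  47 3a a1 aa 04 92 70 c2  6c 94 af 71 ed 9d 4e f7
000000B0  14 da 6f 2a 47 ff 8a 97  80 11 d0 e8 18 bb 9f 70
000000C0  0a cc f7 ce 11 58 31 c7  43 dc d2 25 99 63 bb e0
000000D0  7e 4f d1 c0 3e fc 50 c8  1d 4a e1 0d 3f 70 e4 4b
000000E0  e0 c1 36 e8 c2 14 88 5c  2b 6e fa 22 19 3d 8d 3f
000000F0  a0 1f 1a 66 94 e5 fc 73  47 ca b7 a7 11 38 4b fc
00000100  93 af 29 96 10 1b 03 6a  2a fd e5 20
"""

def parse_hexdump(dump):
    """Convert 'offset  xx xx ...' lines to bytes, checking offsets are contiguous."""
    out = bytearray()
    for line in filter(str.strip, dump.splitlines()):
        offset, hexpart = line.split(None, 1)
        if int(offset, 16) != len(out):
            raise ValueError("gap in dump at offset " + offset)
        out += bytes.fromhex(hexpart)
    return bytes(out)

def shannon_entropy(data):
    """Bits per byte: encrypted or random data approaches 8, ASCII text sits near 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyse(dump):
    """Read the first three words as little-endian uint32 (an assumption, the report
    does not document the format), then measure how random the remainder looks."""
    msg = parse_hexdump(dump)
    words = struct.unpack_from("<III", msg, 0)
    return {"length": len(msg), "header_words": words,
            "second_word_is_length": words[1] == len(msg),  # true for this dump
            "body_entropy": shannon_entropy(msg[12:])}
```

Running `analyse(FIGURE_1)` shows the 268-byte message's second word equals its own length, an observation about this one capture rather than a documented field.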

The end result is that neither the user of the machine being monitored nor the person who installed the software can be sure of just what is being uploaded to Spectorsoft. Furthermore, in our test, there was no obvious need for Spector Pro to communicate with Spectorsoft, which suggests that there is more to the communication channel than what's needed to provide the "alert" functionality.

So the question is, "Does Spectorsoft spy on the spies who use Spector Pro?"

2.3.3 Network-Based Defense Mechanisms

Because Spector Pro requires network connectivity to perform its work, network connectivity is its Achilles' Heel. Several technologies could be employed to detect the presence of Spector Pro.

Network Intrusion Detection Systems
These systems could simply be on the lookout for connectivity from their client machines to TCP port 16771. Additionally, they could be on the lookout for DNS queries for the zone U2A1376GF-43TY-245B.COM.
Application-Layer Firewalls
Because these systems will not be able to pass traffic for protocols they do not understand, application-layer firewalls will prevent Spector Pro from operating correctly. (We have not investigated whether Spector Pro can work with firewalls, which it could do by encapsulating the data in HTTP requests. If it does, however, such firewalls could be configured to look for connections to the obfuscated hostname.)
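As an added example (not from the original report), the following detector applies the two network indicators named above, connections to TCP port 16771 and DNS queries within the obfuscated zone, to connection and resolver log lines. The log format and the sample lines are constructed for illustration; the port, zone and address come from the text.

```python
import re

# Indicators quoted in the report: the TCP port named in 2.3.3, the obfuscated
# hostname from 2.3.1 and the address it resolved to at the time of the test.
SPECTOR_PORT = 16771
SPECTOR_ZONE = "u2a1376gf-43ty-245b.com"
SPECTOR_ADDR = "209.61.191.54"

# Constructed sample log lines (not captured from the report's test machine).
# Assumed format: "<time> conn <client> -> <server-ip>:<port>" for connections
# and "<time> dns <client> query <qname>" for resolver logs.
SAMPLE_LOG = """\
2002-05-07T10:01:02 conn 10.0.0.5 -> 192.0.2.10:80
2002-05-07T10:01:03 dns 10.0.0.5 query www.example.com
2002-05-07T10:01:04 dns 10.0.0.7 query mail.U2A1376GF-43TY-245B.COM
2002-05-07T10:01:05 conn 10.0.0.7 -> 209.61.191.54:16771
2002-05-07T10:01:06 conn 10.0.0.9 -> 198.51.100.2:16771
2002-05-07T10:01:07 conn 10.0.0.5 -> 198.51.100.2:443
"""

CONN_RE = re.compile(r"^(\S+) conn (\S+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^(\S+) dns (\S+) query (\S+)$")

def in_zone(qname, zone):
    """True if qname is the zone apex or any name beneath it (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return q == zone or q.endswith("." + zone)

def find_spector_indicators(log_text):
    """Return (timestamp, client, reason) for every log line matching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts, client, server, port = m.groups()
            reasons = []
            if int(port) == SPECTOR_PORT:
                reasons.append(f"tcp/{SPECTOR_PORT}")
            if server == SPECTOR_ADDR:
                reasons.append("known Spectorsoft address")
            if reasons:
                hits.append((ts, client, ", ".join(reasons)))
            continue
        m = DNS_RE.match(line)
        if m and in_zone(m.group(3), SPECTOR_ZONE):
            hits.append((m.group(1), m.group(2), "DNS query in obfuscated zone"))
    return hits
```

The port check fires on any destination, as the text suggests for an IDS; the address and zone checks tie a hit to Spectorsoft specifically.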


3 Conclusions

Quick assessment of Spector Pro shows that it is effective spyware, giving typical non-technical users little chance to protect their privacy. As with all such technology, however, this is essentially an arms race. Once users become more sophisticated, perhaps by employing some techniques described here, they will regain the upper hand. Such a shift in the balance will no doubt result in greater obfuscation in Spector Pro, which will in turn result in greater sophistication among privacy-sensitive users. Whoever has invested the most, as a combination of skill and time, will win, until someone invests more.

Ethical considerations here are myriad. Besides the basic questions of who may spy on whom and for what purposes, a basic issue comes into play with regard to the technique employed. Namely, this technique requires that some data, which are obfuscated and therefore difficult or impossible to audit, are uploaded to Spectorsoft. Email alerts are routed through Spectorsoft.

Parents that monitor their children's activity with this software will also be giving Spectorsoft a clear view of what their children are doing. Employers that monitor their employees with this software will also be giving Spectorsoft a clear view of what their employees are doing. Proprietary and otherwise sensitive data are certain to fall into Spectorsoft's hands. We thus raise the question, "Who is Spectorsoft, and why should you trust them to keep your secrets?"


4 Acknowledgments

Paul Graves of Interhack was instrumental in the completion of this analysis. Roger McCoy of WBNS-10TV (Columbus, Ohio) provided the impetus for this investigation and commentary.
