WIRETAPPING DESKTOPS

Keystroke loggers not only capture passwords, they violate wiretap laws

by Rik Farrow

As soon as I mention that I work in computer security, most people want me to help them with some problem with Microsoft Windows. But occasionally, someone does have a true security issue, and what I heard recently really got my attention--especially when I was asked a very similar question a week later via email.

In both cases, women had complained to me that someone was reading their email, and using information gleaned from the email to harass them. At first, I suggested using anti-viral software, as some viruses include a keystroke logger as part of their payload. But as soon as I began to dig deeper, I discovered that there is an entire PC market segment devoted to keystroke logging, or spyware, as it is generically known.

Keystroke logging has security implications that go far beyond harassment. In the summer of 2000, someone used a keystroke logger to capture the username and password of a Microsoft employee, leading to an electronic invasion of Microsoft's Redmond campus. Keystroke loggers can target passwords, and they fall into the same category as network sniffers. And, like sniffing networks, keystroke loggers violate the same laws that prohibit wiretapping of realtime communications.

The Basics

Keystroke logging has legitimate purposes. Software packages that capture not only the keys pressed but also the use of the mouse, so that a series of user operations can be recorded, have been around as long as there have been window interfaces. An end user might use this record to create a macro, so that a particular operation could be repeated. Software developers could use a similar record to test or benchmark their software using a repeatable set of user actions.

Every time you press a key, or combination of keys, on a computer keyboard, you actually send a code over a serial connection to your computer. The receipt of this code generates an interrupt, telling the operating system that a key has been pressed (or released). The operating system will soon collect the code, convert it to a letter, digit, or special character, and deliver it to the application currently connected to the keyboard. Windowing systems determine the connected application based on which window has the current focus, usually indicated by changing the window's border color after the user has moved the mouse to within a window and left-clicked there.

Not only are there many steps in the deceptively simple process of capturing a pressed key, but each of these steps provides the potential for being intercepted. A device could capture the keypress within a "bugged" keyboard, via its serial connection to the computer, within the device driver or the read system call that is part of the operating system, within the windowing system, and at the application itself. The most useful method for someone attempting to collect passwords, or eavesdrop, is to work within the windowing system. Keystrokes captured at points before the windowing system do not come with the identity of the application that has the current focus. An eavesdropper, especially one interested in passwords, has a much greater interest in keystrokes typed at the beginning of a telnet session, or in a login dialog box. Although you don't see the characters of your password displayed when you type them in, keystroke loggers certainly do.

Keystroke loggers exist for both X Window and the Windows systems. X Window, a system of windowing software developed in the mid-80s as part of the MIT Project Athena, was designed to work over networks, making it possible to have local text and graphic output from a remote system. But a related design decision also allows an attacker to connect to an X Window user's desktop, and not only capture keystrokes, but also any window event, such as mouse movements and button presses. If you search, you can find an exploit named xkey that displays information about keys pressed--but does not identify the application associated with those events. X Window uses a window id number to label each event, and the xkey exploit does not bother attempting to map that to an application.

You can control access to X Window servers with a firewall that blocks access to port 6000/tcp, and through X Window's own access control mechanisms (see Resources). Neither of these methods will protect you against a trojan that is running as the local user who starts the X Window server. You can check common places for starting trojans on UNIX/Linux systems, which are the startup files for shells, X, and other applications found in the user's home directory with a name that begins with a dot.

The world of Microsoft Windows has a very different background. Instead of being designed for network operations, Microsoft built Windows to interact with a user sitting at a PC's console. Microsoft programmers also focused a lot more on programmer friendliness, so that the Windows API makes it simple not only to capture keystrokes, but also to identify the application that is reading those keystrokes. This programmer friendliness has been a boon for people writing keystroke loggers.

The BadTrans.B virus, which appeared in August 2001, included a keystroke logger that gets installed as a service. This logger focuses upon RAS (Remote Access Service) and other places where usernames and passwords will be entered, and sends the collected information off to an email anonymizer. Other trojans send email notification off to the instigator, including the Internet address of the victim, so that the attacker can connect to a backdoor for command access or for downloading collected passwords (see Resources).

Big Business

Today, keystroke loggers are known as spyware, and spyware and spyware detectors have become one of the biggest PC software sectors. One site (www.spywareguide.com) listed 223 spyware products. One company selling a product that detects spyware claims there are over 360 products in existence. Another spyware detector vendor (Aluria) suggests that over 85% of PCs now have spyware installed. When you consider that every system that includes Windows Media Player reports to Microsoft whenever a CD gets played, that 85% value sounds conservative.

Spyware gets installed on systems in many ways. I have focused on attacks, such as trojans including keystroke loggers. But many people may install spyware on their own systems along with other free software. Some file sharing services, like Kazaa, include permission to install a type of spyware as part of their End User License Agreement (EULA). Some "free" services operate by collecting information about your Web browsing habits, to better target you for advertising and spam.

I do not review or promote products in this column (vendors please take note!), but the Resources section does include two sites that have links to spyware detectors. Your anti-virus software can also detect and delete some forms of spyware--those that get transmitted with viruses or installed as trojan software. Personal firewalls that only permit IP traffic from permitted applications can also prevent most spyware from sending out its purloined information.

And, like Windows trojans, spyware must modify your Windows system so that it can be restarted after every reboot. The same registry keys and configuration files commonly used by trojans are also used by spyware. Examples include the Run, RunOnce, and RunServices keys in the registry and the WIN.INI file (lines beginning with 'run=' or 'load='). Every Windows system includes some applications that are supposed to be started with every reboot, or every login (like systray), so simply finding an application associated with one of these keys, configuration files, or even in your Startup folder, is not grounds for deciding that your system has been trojanned. But you can at least list many of the applications started by Windows by using a free program from SysInternals named autoruns (http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml). If you notice additions to this list the next time you check, your system may have had a trojan or spyware installed.
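As an added example (not from the column, and not SysInternals' code), the following Python reads the run= and load= lines of WIN.INI together with a snapshot of the Run, RunOnce and RunServices values, and reports what was added between two checks. The snapshots here are constructed; a real check on Windows would fill the registry dictionaries with the winreg module, which is assumed rather than shown.

```python
"""Snapshot the Windows auto-start locations named in the column and report
additions between two snapshots.  All data below is constructed; on a real
machine the registry values come from winreg and WIN.INI from the Windows directory."""

# Registry keys the column lists as common trojan and spyware restart points.
AUTORUN_KEYS = tuple("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\" + k
                     for k in ("Run", "RunOnce", "RunServices"))

def parse_win_ini(text):
    """Programs named on the run= and load= lines of the [windows] section,
    which Windows starts at every login.  Returns {entry id: program}."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in ("run", "load"):
            for prog in value.replace(",", " ").split():   # space/comma separated list
                entries[f"WIN.INI:{key}:{prog.lower()}"] = prog
    return entries

def registry_entries(values_by_key):
    """Flatten {key path: {value name: command}} into {entry id: command}."""
    return {f"{path}\\{name}".lower(): cmd
            for path, values in values_by_key.items()
            for name, cmd in values.items()}

def snapshot(ini_text, registry):
    """One combined view of the WIN.INI lines and the Run-style keys."""
    return {**parse_win_ini(ini_text), **registry_entries(registry)}

def new_autoruns(baseline, current):
    """Entries added since the baseline and entries whose command changed:
    the additions the column says should prompt a closer look."""
    added = {k: v for k, v in current.items() if k not in baseline}
    changed = {k: (baseline[k], v) for k, v in current.items()
               if k in baseline and baseline[k] != v}
    return added, changed

# Constructed snapshots: a clean baseline, then a later check in which an
# unknown program (placeholder name suspect.exe) appears in two new places.
BASELINE_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
CURRENT_INI = "[windows]\nload=C:\\WINDOWS\\SUSPECT.EXE\nrun=\n"
BASELINE_REG = {AUTORUN_KEYS[0]: {"SystemTray": "SysTray.Exe"}}
CURRENT_REG = {AUTORUN_KEYS[0]: {"SystemTray": "SysTray.Exe",
                                 "Updater": "C:\\TEMP\\suspect.exe"},
               AUTORUN_KEYS[2]: {"Updater": "C:\\TEMP\\suspect.exe"}}
```

Running `new_autoruns(snapshot(BASELINE_INI, BASELINE_REG), snapshot(CURRENT_INI, CURRENT_REG))` reports the three new entries and leaves the pre-existing systray entry alone.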

Felony

As I became more aware of just how common spyware has become, it struck me that the use of spyware must be illegal. Legislatures have written wiretapping laws to codify the expectation of privacy that people in many countries expect to have. Spyware intercepts realtime electronic communications, placing it squarely in the same category as a tap on someone's telephone line. Installing spyware on your ex's computer may not only be unethical, but illegal as well.

I contacted the US Department of Justice, and received answers to my legal concerns. My instinct was right, but as is often the case, nothing is straightforward.

In the US, the unauthorized use of spyware is a felony, a violation of federal law. So how is it that Microsoft or Kazaa can install spyware on your system? The quickest way to get authorized is to notify the intended victim and get his or her consent. Many businesses do this with phone calls by playing a recording: "This phone call may be monitored for quality assurance." In the world of computers, this may be done with logon banners or through employees signing a statement that they have read and accepted company policy.

Microsoft and other vendors include a clause in the EULA that says, essentially, by using this product you agree to be monitored in some fashion.

I also asked if a parent could install spyware to monitor a child within his or her custody. So far, courts have allowed parents to track their own children's Internet usage.

But the guy who has decided to spy on his girlfriend's email or chatroom activities has definitely crossed the line. If this has happened to you, I suggest you don't make a federal case out of it. Buy and install some anti-spyware software, and tell your ex to bug off. If he (or she) is insistent, get a restraining order.

Spyware can also be used for industrial espionage, as well as for the "traditional" reason: capturing usernames and passwords. The use of spyware involves not only your privacy, but the security of your networks as well.

SIDEBAR:

Microsoft's Messenger Service

As if spam were not annoying enough, some people have started writing trojans that send a broadcast message to the Microsoft NT Messenger Service. The service pops up a dialog box which you must close before you can do anything else. Adding insult to injury, some of these messages actually advertise software that will stop the annoyances.

It turns out that most Windows NT, 2000 and XP users never use the Messenger Service, and can safely turn it off. Just follow the instructions found in the Resources link for Lawrence Berkeley Labs (lbl.gov). You can also sniff the network for UDP packets sent to port 138 with the destination address set to the local broadcast address. The source address of the packet will identify the system infected with the trojan sending out the broadcasts. It is possible that the trojan is sending directed broadcasts, where a router expands the directed broadcast into a local one. In this case, only the low order bits of the destination address will be set to ones; for example, 202.157.11.255 represents a directed broadcast sent to the 202.157.11.0/24 network.
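An added example, not part of the column: Python that applies the sidebar's check to packet records, counting UDP port 138 datagrams per source address that went to a local or directed broadcast address. The packet list and the local network are constructed, and the /24 prefix used to recognise directed broadcasts is an assumption taken from the sidebar's own example.

```python
"""Flag hosts sending NetBIOS datagram (UDP port 138) traffic to a broadcast
address, the pattern the sidebar describes for Messenger Service spam.  The
packet records below are constructed; a sniffer would supply real ones."""
import ipaddress
from collections import Counter

NETBIOS_DGM_PORT = 138
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def is_local_broadcast(dst, local_net):
    """True if dst is 255.255.255.255 or the broadcast address of local_net,
    the network the sniffing host sits on (an assumption of this example)."""
    addr = ipaddress.ip_address(dst)
    return addr == LIMITED_BROADCAST or addr == local_net.broadcast_address

def directed_broadcast_target(dst, prefix_len=24):
    """If every host bit of dst is set for a /prefix_len network, return that
    network (202.157.11.255 -> 202.157.11.0/24); otherwise None.  A router
    would expand such a packet into a local broadcast on arrival."""
    net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
    return net if ipaddress.ip_address(dst) == net.broadcast_address else None

def messenger_broadcasters(packets, local_net, prefix_len=24):
    """Count UDP/138 packets per source that went to a local or directed
    broadcast.  packets: iterable of (src, dst, protocol, destination port)."""
    hits = Counter()
    for src, dst, proto, dport in packets:
        if proto != "udp" or dport != NETBIOS_DGM_PORT:
            continue
        if is_local_broadcast(dst, local_net) or directed_broadcast_target(dst, prefix_len):
            hits[src] += 1
    return hits

# Constructed capture on the 202.157.11.0/24 network from the sidebar's example.
LOCAL_NET = ipaddress.ip_network("202.157.11.0/24")
PACKETS = [
    ("202.157.11.7", "202.157.11.255", "udp", 138),    # local broadcast
    ("202.157.11.7", "255.255.255.255", "udp", 138),   # limited broadcast
    ("202.157.11.9", "202.157.11.20", "udp", 138),     # unicast datagram: normal
    ("10.20.30.40", "202.157.11.255", "udp", 138),     # directed broadcast from outside
    ("202.157.11.9", "202.157.11.255", "udp", 137),    # name service, not port 138
    ("202.157.11.11", "202.157.11.255", "tcp", 138),   # not UDP
]

if __name__ == "__main__":
    for src, count in messenger_broadcasters(PACKETS, LOCAL_NET).most_common():
        print(f"{src}: {count} broadcast datagram(s) to UDP/138")
```

The source with the most hits is the host to examine first; a source outside the local network whose packets still reach the local broadcast address is the directed-broadcast case the sidebar mentions.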

Keep track of the amount of time you spend disabling the Messenger Service and/or tracking down the trojan broadcasting advertising. Your legal counsel just might be able to sue the advertiser, whose contact info will appear in the messages, for damages.

Resources:

University of Texas page about infections by Badtrans: http://www.utexas.edu/cc/ds/infobase/alerts/badtrans.php

Texas A&M University notice about keystroke loggers: http://itim.tamu.edu/htmlfs/keystrokelogging.shtml

The MIME auto-exec bug in Internet Explorer, March 2001, still being used by viruses today:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Sites focusing on providing information about spyware: http://www.spywareinfo.com/ and http://www.spywareguide.com/

Free program that lists applications that will automatically be restarted by Windows systems:
http://www.sysinternals.com/ntw2k/source/misc.shtml#autoruns

Old (but still correct) information about protecting X Window servers: http://ciac.llnl.gov/ciac/documents/ciac2316.html

Instructions for disabling the Messenger Service: http://www.lbl.gov/ICSD/Security/systems/windows.html#popup