Principles of Computer Surveillance - Part 1

This is the first of a three-part article that discusses how covert computer surveillance software works. I’ve discussed hardware keyloggers on Spy Review a few times now, so this article focuses on the technical aspects of software-based computer surveillance.

Part 1 features the terms used and the structure of surveillance software. Part 2 focuses on more technical aspects such as covert installation techniques. Part 3 features cloaking techniques and avoiding detection. I also hope to dispel a few myths and open a few eyes with these articles.

Some common terms

Here are some common terms from the computer world that need explaining before I can explain the concepts in this article.

  • spyware - this is software that secretly gathers information about a user whilst they use the internet. This information is normally used for advertising purposes.

    It would be understandable, yet wrong, to think this is the term used to describe software used for spying. Spyware refers to unwanted software that gathers information about you, but on a large scale, rather than specifically targeted at an individual.

  • computer virus - this is a piece of code that, when introduced into a system, replicates itself into a range of files within that computer. It's common for a virus to cause damage. The emphasis of a virus is that it does not spread over a network on its own; traditionally viruses are spread by swapping files on discs.
  • computer worm - this is a piece of code that replicates across computer systems and connected networks, infecting a target computer.
  • a trojan, or trojan horse - this is a program that is hidden inside a useful software application, usually to create a backdoor directly into the target computer. Trojans typically do not replicate like viruses or worms.
  • backdoor - a way into the system that is not the normal or intended route, often with a higher level of access compared to what would exist if the normal route into the system is taken. This might be in the form of a software program introduced into a system, or this might be as a result of modifying the system in some way.
  • malware - a term to describe any software that does something to damage or corrupt a system (from the French, mal- = bad). Therefore viruses, worms and trojans are examples of malware.

Sadly, these terms are used interchangeably, resulting in a confused and incorrect understanding of this area of computer security. However, each of these terms is used to describe a specific type of behaviour. Some malware contains elements of trojans, backdoors and worms, resulting in software that spreads across networks (worm element), opens backdoors into computers (backdoor element), and potentially masks itself as another computer program (trojan element) to aid infection.

These articles will be primarily concerned with backdoors into a system, where the software then gives the 'spy' the opportunity to watch the target and their activities. Backdoors can be introduced in the form of trojan software, which will be covered in part 2.

What information can be recorded?

Virtually everything stored on a computer can be 'seen' by surveillance software. Here's a list of things that can be stolen using the right piece of software:

  • Files - anything stored on the hard drive, as well as any files on discs that are currently in the computer (CDs, DVDs, memory cards, USB dongles, etc) can be accessed by surveillance software. Even network-connected drives can be accessed with little effort.
  • Screenshots of what you see on the monitor - everything that you see on the desktop can be captured using code that performs a screen capture. This image is stored as a file and retrieved at a later date.
  • Anything typed on the keyboard - anything you type on the computer (whilst it is switched on and whilst the operating system has booted) can be captured by software and stored as a text file. Again, this file can be retrieved at a later date.
  • Images from a connected webcam - it's shocking to know that if you have a webcam connected to your computer, images can be captured and saved to be retrieved at a later date. Some software has trouble accessing a webcam if it's already in use by you. My suggestion is to unplug the webcam when you're not using it!
  • Web browsing history and instant messaging logs - since browsing histories and chat logs are stored on the hard drive in some way, then these can be retrieved by surveillance software without too much trouble.
  • Passwords - using a combination of techniques, nearly all passwords on a computer can be captured. Passwords stored on the computer (such as using Firefox’s password storage tool) and those captured via the keylogger are particularly vulnerable.

    That’s why some online banks use drop down boxes or small boxes so that you can select randomly chosen characters from your password. This is so you don’t completely expose your password in any one session. It makes it harder for an attacker to reconstruct the whole password.
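The partial-password check described above, as an added illustration that is not part of the original article: the server asks for a few randomly chosen character positions per session and compares only those, so a single captured session exposes only part of the password. The helper names and the sample password are my own assumptions, not any bank's implementation.

```python
import hmac
import random

# Use the OS entropy source so the chosen positions are unpredictable.
_rng = random.SystemRandom()


def make_challenge(password_length, positions_asked=3):
    """Pick distinct, sorted, 1-based positions of the password to ask for this session."""
    if positions_asked > password_length:
        raise ValueError("cannot ask for more positions than the password has")
    return sorted(_rng.sample(range(1, password_length + 1), positions_asked))


def verify_response(stored_password, positions, response):
    """Check the characters the user supplied against the stored password at 'positions'.

    Caveat: the server must be able to recover individual characters, so this
    scheme cannot sit on top of a one-way hash of the whole password; that is the
    trade-off banks accept for resisting keyloggers.
    """
    if len(response) != len(positions):
        return False
    expected = "".join(stored_password[p - 1] for p in positions)
    # Constant-time comparison avoids leaking which character mismatched.
    return hmac.compare_digest(expected.encode(), response.encode())


def positions_exposed(observed_challenges):
    """Union of positions an observer has seen across captured sessions.

    Shows why the scheme only slows reconstruction: each logged session leaks
    a few more positions until the whole password is known.
    """
    seen = set()
    for positions in observed_challenges:
        seen.update(positions)
    return seen


def fully_exposed(password_length, observed_challenges):
    """True once every position has appeared in at least one captured session."""
    return positions_exposed(observed_challenges) == set(range(1, password_length + 1))


if __name__ == "__main__":
    # Constructed sample password; never store real passwords like this.
    pw = "correcthorse"
    challenge = make_challenge(len(pw))
    answer = "".join(pw[p - 1] for p in challenge)
    print(challenge, verify_response(pw, challenge, answer))
```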

How can someone get the recorded information?

There are two main ways to retrieve the recorded information from a computer:

  • Direct access - if you have physical access to a PC, such as your home or at a place you work, then you can retrieve this information at any time. Similarly, a warrant issued by law enforcement agencies for seizure of a computer gives them direct access to the data they need for evidence.
  • Via the internet - the internet was designed for transferring files, and most surveillance software packages feature a tool to transfer recorded data to the 'spy' via the internet. The most common techniques include uploading the files to an FTP server, emailing the data using SMTP and using an HTTP-based script to upload the data. Sometimes the surveillance program connects to its associated remote controller program and uploads the data directly. I'll discuss the different methods of transferring files and the issues of firewalls in part 2.

What information do people look for?

The motivations for computer surveillance are wide and varied, from the perverse to being a matter of national security. Regardless of the motivation, information can be very powerful if leveraged correctly. My use of the word leverage was intentional, as it can be used in both blackmail (by the bad guys) and as evidence for prosecution (by the good guys).

  • Information that depicts the target in a compromising and embarrassing situation lends itself to blackmail. These might be photos, webcam snapshots or conversations via email and instant messaging that the target does not want exposed in any way.
  • Financial information can be used and sold by identity thieves, but can also serve as evidence of associations between individuals in criminal investigations.
  • For individuals checking up on their children and partners, evidence of cheating, relationships and other bad influences is of interest. This might come from web browser history, as well as conversations by email and instant messaging programs.

    Increasingly, this kind of evidence is associated with divorces, but I imagine it becomes difficult to use the evidence in court if obtained by deceptive means. However, such evidence could be used to blackmail a partner into a quick divorce without going to court.

  • Documents and resources that are used to educate the target on doing something illegal, as well as traces of doing something illegal online, are all targeted by the law enforcement agencies: web browsing histories, graphics files, document files (so Word documents, PDFs, text files, HTML files, etc), and more. You often hear in the news about computers being seized for evidence, and it's the files on those drives that are of most interest.

Conclusion

From reading this article, you now have a grounding in the basic terms used for malware and where these terms fit into the world of computer surveillance. I've explained the different types of data that are vulnerable on a computer and why these are useful to a 'spy'. I've touched on how the stored information is captured and retrieved. In part 2, we'll explore how the software can be covertly installed on a computer.

This article was posted on Monday, November 19th, 2007 at 10:52 am in Computer Surveillance.
2 Responses to “Principles of Computer Surveillance - Part 1”

  1. Spy3K Says:

    Wow, nice work.
    It’s great to see all this info summarized in one article.

    I'm looking forward to the 'avoid-detection-techniques',
    because this is the main disadvantage of spyware (read: backdoors ;) ).

    Kris

  2. Gina Says:

    Wow, nice work.
