Principles of Computer Surveillance - Part 2 - Covert Installation

In part 1 of the Principles of Computer Surveillance guide, I discussed some of the common terms associated with computer surveillance. I explained terms such as spyware, a computer virus, a computer worm, Trojan horses, backdoors and malware. I discussed what information could be accessed by surveillance software, how the information is retrieved and the motivations for accessing information on a computer.

In part 2, I explain some of the ways in which surveillance software can be installed on a computer. If you have direct access to a computer, you can install the software onto the computer yourself. However, in this article, I am going to focus on how the software can be installed when you don’t have direct access to the computer. Essentially this is about packaging the software so that you can trick users into installing the surveillance software on their own computer without them realising.

Software Camouflage

Wouldn’t it be great if you could get the target to install the surveillance software on their own PC without them realising? If you can hide the surveillance package in a host program, and get them to run the host program, you can get the surveillance package to install in the background. The host program is a Trojan horse, since the surveillance package is hidden ‘inside’ it.

For now, we’ll assume that we can install the surveillance software if we can get the target to run the host program. We’ll cover how this works in practice later. What we need first is a program that the user will willingly execute on their computer, so we need to find a desirable program that the user actually wants to run.

Traditionally, desirable programs include anything relating to expensive (and pirated) software, porn, software that plays downloaded (pirated) movies, animations that run on the desktop (like the stripper software), or any kind of joke program. Essentially anything that’s illegal, funny or porn related falls into this category. It’s very common for virus and worm writers to conceal their malware in such programs, and this is often how malware infections start out.

So we find a program that a target is likely to want to execute. What kind of files they will open without suspicion depends on the target. We cannot use photos or movies, because they all depend on another program to load (i.e. Windows Media Player, QuickTime, iTunes, etc). We also have to ensure that the host program actually works; otherwise the target might get suspicious if nothing happens when they try to run it. The idea is simply misdirection. Occupy the target with the genuine program, and run our surveillance software behind the scenes.

A program is executable in its own right, and does not depend on another program to execute. On Windows, programs end in an .exe extension (things are different on a Mac or Linux). Once a program is executed, we can piggyback the execution of our program too. So on to the technical explanation of how this works.

Binding Programs Together

The most common way to run several programs at once is to use what’s known as a binder tool. A binder tool takes several programs and weaves them into a single program.

For example, if you have program A and B, the binder creates a program called X that will execute both program A and B when program X is executed. So we could execute A in the foreground (i.e. the host program) to occupy the target, and program B can run in the background to install the surveillance software.

A binder tool uses a special program called a stub to handle the execution. The stub is a program that knows how to extract the programs A and B, and then how to run each of them. This is how a binder tool creates program X:

Binding multiple programs in a single program
  1. The binder copies the stub.exe file into a new file, named programX.exe. When program X is executed, the stub.exe file will be executed first.
  2. The binder adds some instructions to the newly created file that tells the stub what to do when program X is executed.
  3. The binder then adds the programs programA.exe and programB.exe to the end of program X as blocks of data. These programs cannot be executed in this state, but the stub program can manipulate them.
  4. The completed programX.exe is then sent to the target.

Now that the target has program X, this is what happens when they run program X:

Extracting files from a host file
  1. The user runs programX.exe, and the stub program is the first program to jump into life. It reads the instructions the binder gave it about the programs it needs to run.
  2. The stub needs to extract the programs A and B into separate files outside of program X so they can execute. So the stub creates programA.exe and programB.exe using the data appended to programX.exe.
  3. The stub then executes programA.exe, and this is the host program that the target was expecting.
  4. The stub executes programB.exe in the background, which is our surveillance software. The user does not see this, and the operation completes silently.
  5. The stub might tidy itself up too. It might delete the programX.exe and rename programA.exe to programX.exe. This means that the surveillance package is no longer contained in programX.exe, and so any repeated runs of programX.exe will not install the surveillance package.

Bear in mind that the first 3 steps happen so quickly that the user does not notice any delay. It appears to the user that only programA.exe is running, which is a great way to distract them whilst we do the covert installation.

You can consider a binder tool to be a bit like an installation program. An installation program extracts a number of files from a single file and puts them onto your computer. It’s just that a binder tool provides a way to do certain aspects covertly.
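A defender's counterpart to the binder layout described above, added here as an example (not code from the original article): a small Python parser that finds the "overlay", the data a binder appends after a PE file's last section, and flags any MZ/PE image inside it. The PE-building helper and the samples CLEAN and BOUND are constructed for the demo and are not real programs.

```python
import struct

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER entry

def build_minimal_pe(section_payload: bytes) -> bytes:
    """Construct a tiny PE-shaped byte string for the demo (not a real program):
    DOS header -> 'PE\\0\\0' -> COFF header (no optional header) -> one section."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # 1 section, SizeOfOptionalHeader=0
    raw_ptr = e_lfanew + 4 + len(coff) + SECTION_HDR          # section data follows the table
    sect = (b".text\0\0\0" + struct.pack("<II", len(section_payload), 0x1000)
            + struct.pack("<IIIIHHI", len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020))
    return dos + b"PE\0\0" + coff + sect + section_payload

def section_data_end(data: bytes) -> int:
    """Offset just past the last byte any section header claims (headers included)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # real files carry an optional header
    table = coff + 20 + opt_size
    end = table + n_sections * SECTION_HDR
    for i in range(n_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * SECTION_HDR + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def find_overlay(data: bytes) -> dict:
    """Report trailing bytes the loader never maps, and any MZ/PE images inside them."""
    start = section_data_end(data)
    overlay = data[start:]
    embedded = []
    pos = overlay.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(overlay):
            lf, = struct.unpack_from("<I", overlay, pos + 0x3C)
            if overlay[pos + lf:pos + lf + 4] == b"PE\0\0":
                embedded.append(start + pos)   # file offset of an embedded executable
        pos = overlay.find(b"MZ", pos + 1)
    return {"overlay_offset": start, "overlay_size": len(overlay), "embedded_pe": embedded}

# Constructed samples: a clean host, and the same host with a stub-style config string
# plus a second executable appended after the last section, the way a binder lays out X.
CLEAN = build_minimal_pe(b"\xC3" * 32)
BOUND = CLEAN + b"STUB-CONFIG: programA.exe programB.exe\0" + build_minimal_pe(b"\x90" * 16)
```

Calling find_overlay(BOUND) reports 183 bytes of overlay starting at offset 160 with an embedded PE at offset 199, while CLEAN reports none. An overlay on its own is common and benign (Authenticode signatures and self-extracting installers put data there, which is why a binder resembles an installer), so a second executable image inside it is the stronger signal.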

Security Vulnerabilities in Software

Software exploits and security vulnerabilities form a considerably complicated area of the security industry. The idea is to give yourself greater privileges, or access to systems you shouldn’t have, by exploiting weaknesses in badly written software.

For example, if you could manipulate a web browser to download a file from the web automatically, and then execute it on a target computer, then you could install the surveillance software easily. However, web browsers are designed not to allow that to happen, as it would otherwise represent a huge security hole. Sometimes problems are discovered with the web browser software that allow program code to be executed on a target computer without the user’s consent. This is called a security vulnerability.

Security vulnerabilities are usually fixed within days, especially for popular software such as email clients, web browsers and instant messaging software. If you wanted to install surveillance software on a target computer using security vulnerabilities, you would need to know exactly what software a target is using, as well as being skilled enough to craft an exploit before the user updates their software to a more secure version.

Websites such as SecurityFocus offer a notification and analysis service to help system administrators protect their systems and users from emerging threats. If this is something you wish to read more about, SecurityFocus is a great start.

Conclusion

In practice, exploiting security vulnerabilities is very difficult to do. The Trojan horse approach is technically easier and more likely to be successful. The idea is to trick the user into installing the surveillance software themselves without them realising. The best way to do this is to hide the surveillance software in another program. A tool called a binder is used to construct a program containing the genuine program and surveillance program. The user is motivated to execute the host program, and therefore install our software too.

So that handles how to covertly install software on a target computer. In part 3, I’ll discuss ways in which the surveillance software keeps itself hidden on a computer to evade detection. I’ll also explain some of the ways the data is sent back to the operative doing the spying.

This article was posted on Monday, January 7th, 2008 at 10:57 am in Computer Surveillance.
One Response to “Principles of Computer Surveillance - Part 2 - Covert Installation”

  1. Wireless Covert Camera Sets Says:

    what up …. Good Post
