
Principles of Computer Surveillance - Part 3 - Stealth Techniques

[Image: Computer Surveillance - Keyboard Keylogger]

This is the third and final part in the Principles of Computer Surveillance guides. In part 1 I explained some common terms associated with computer surveillance. In part 2 I discussed some of the ways in which computer surveillance software can be installed covertly on a computer. My focus was on ways of installing software when you don’t have direct access to the computer.

In part 3, I discuss some of the techniques used by surveillance software to covertly send data back to base without triggering a reaction from the firewall. I also discuss the principle of how surveillance software can completely mask itself from even the most advanced computer users. What’s shocking is that these techniques have been exploited by malware for years!

Sending Data Back to Base

The purpose of surveillance software is to capture useful information and then send it back to the person doing the “spying”. In part 1 I covered some of the motivations for monitoring a computer user such as identity theft, blackmail, checking up on family members and law enforcement. Assuming the surveillance software has located and captured some useful information, the software needs to send it back to the spy somehow.

Typically the software needs to send the data back over the Internet. The software will either email the data to the spy, send an HTTP request to the spy’s web server, upload the files to the spy’s online storage area, or send the data directly to the spy’s master surveillance program. All of these methods need to make an outbound connection over the internet to another system in order to transfer the data to it.

The idea is that the spy gets hold of that data one way or another. You would have thought that would be fairly easy, but there are a few obstacles these days that make it really difficult for a program to send data over the internet without attracting attention.

Most computers these days have some kind of internet protection software, such as a personal firewall. Personal firewall software products allow the user to control what programs are allowed to connect to the internet. Personal firewalls alert the user if a program makes an attempt to connect to the internet, and the user can intervene and block that attempt.

[Image: ZoneAlarm alert - new program trying to access the Internet]

If the firewall prompts the user for action, a novice user might not know any better and may just permit or deny the program to connect to the internet. A more experienced computer user would get suspicious of the program and try to determine what the program is doing. Therefore the surveillance software might attract attention and be discovered. The spy must ensure the software can access the internet so that they can get the useful information, and they definitely do not want the software to be discovered.

If the spy had physical access to the computer, they could simply allow the surveillance program to access the internet themselves. However, that only works until the surveillance software is updated remotely. Personal firewalls these days record a fingerprint for every program they hold a rule for: a checksum (hash) of the program’s executable file, stored alongside its path (ZoneAlarm, for example, used an MD5 checksum). If the file changes, such as when it is upgraded, the next time it tries to access the internet the firewall will detect that the fingerprint no longer matches the one it recorded. The firewall will then tell the user that the program has changed and ask them whether to permit it to access the internet. So this presents the same issue identified above.

[Image: ZoneAlarm alert - change of program detected]

Renaming the surveillance program to the same name as a program that is allowed to access the internet doesn’t work either. The fingerprint is computed from the file’s contents, not its name, so the firewall sees a different checksum under a known name and raises the same “program has changed” alert. So how can surveillance programs bypass personal firewalls?
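The fingerprint check described above, as an added example in Python. This is my own illustration of the principle, not ZoneAlarm’s code or that of any real firewall: the permission table is modelled as a map from executable path to a SHA-256 digest of the file’s bytes (real products of the time used a checksum such as MD5; the principle is identical), and the “executables” are constructed byte strings written to a temporary directory. It runs the cases from the text: the allowed browser, a spy program under its own name, the spy program dropped in under the browser’s name and path, and the browser after an update.

```python
import hashlib
import os
import tempfile


class PersonalFirewall:
    """Toy model of a personal firewall's program-control table.

    Each rule is keyed by the executable's path and records a fingerprint of
    the file's bytes taken when the user clicked Allow. Every later connection
    attempt is checked against both. (Illustration only, not a real product.)
    """

    def __init__(self):
        self.rules = {}  # normalised path -> hex digest recorded at Allow time

    @staticmethod
    def fingerprint(path):
        """Hash the whole file: a renamed copy keeps its hash, a patched file does not."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    @staticmethod
    def _key(path):
        return os.path.normcase(os.path.abspath(path))

    def permit(self, path):
        """The user answered 'Allow' to the prompt for this program."""
        self.rules[self._key(path)] = self.fingerprint(path)

    def check(self, path):
        """Decide what happens when the program at `path` tries to connect.

        Returns 'allow', 'prompt-new' (path never seen before) or
        'prompt-changed' (known path, but the bytes on disk differ).
        """
        key = self._key(path)
        if key not in self.rules:
            return "prompt-new"
        if self.rules[key] != self.fingerprint(path):
            return "prompt-changed"
        return "allow"


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Run the cases from the text and return {case: decision}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "browser.exe")
        spyware = os.path.join(d, "spy.exe")
        browser_bytes = b"MZ browser 1.0 " * 200   # constructed stand-in for a real binary
        spyware_bytes = b"MZ spyware 1.0 " * 200   # constructed stand-in, not real malware

        _write(browser, browser_bytes)
        fw = PersonalFirewall()
        fw.permit(browser)                         # the user allowed the browser once
        results["browser"] = fw.check(browser)

        _write(spyware, spyware_bytes)
        results["spyware_own_name"] = fw.check(spyware)

        # The rename trick: drop the spy program in under the browser's name and path.
        _write(browser, spyware_bytes)
        results["spyware_as_browser"] = fw.check(browser)

        # A remote update: the browser's bytes change, so its fingerprint changes.
        _write(browser, browser_bytes + b" 1.1 hotfix")
        results["updated_browser"] = fw.check(browser)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:20s} -> {decision}")
```

Note what the table does not contain: anything about the running process other than which file on disk it was started from. That is the gap the next section exploits. Code that runs inside an already-allowed process is never written to disk under its own name, so there is nothing for the firewall to hash.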

Bypassing Firewalls with Process Injection

A technique that is often used by malware writers is to use process injection. This sounds complicated and it is, so I’ll focus on the principle rather than detail.

What if you could pretend to be a piece of software that you know is always allowed to connect to the internet? Virtually every home computer running Microsoft Windows and connected to the internet has a web browser installed that is actively used. It’s a safe assumption that the user will have set their firewall software to allow their web browser to communicate with the internet. So if you could pretend to be the web browser program, you could send your data over the internet without attracting any attention whatsoever!

[Image: process injection diagram]

This is exactly what malware writers started doing around 2002, particularly in trojan remote access tools. The idea was to start the web browser as a normal or hidden process, copy the trojan’s code into the browser’s address space, and then start a thread inside the browser process to execute that code. To every other program on the machine (including the firewall), the trojan’s traffic came from the web browser, because the browser process is the one making the connections. The firewall’s fingerprint check is made on the browser’s executable file, which has not changed, so the trojan code could do everything the web browser was allowed to do.

Writing code that can be copied into another process’s address space and executed there is technically difficult: the code must work wherever it happens to be loaded and must find the system functions it needs by itself. It takes a good understanding of Windows internals, and at the time only a minority of malware authors understood the technique, let alone managed to write a working program using it.

Process injection is still used to some extent these days, but improvements in operating systems, firewall software and anti-virus heuristics (for example, treating a process that writes into another process’s memory, or starts a thread in it, as suspicious) mean that the majority of malware relying on process injection is caught. However, I am certain that there are variations of process injection that still work to this day.

The Invisibility Cloak - Rootkits

A way for surveillance software to avoid detection is to be invisible even to the most advanced of users. If the surveillance software is not visible in the registry (for settings and starting up when the computer starts), file explorer (for the program and its auxiliary files) or task manager (for the running program), then a user would assume it does not exist. A type of software called a rootkit can be used to make a surveillance program completely invisible to a user. Here’s a good definition of a rootkit from CompuKiss.com:

A rootkit is software that runs at the lowest level of the computer. It infiltrates the kernel of the computer. A rootkit is a technique that is often used by hackers and virus creators to hide the files they create.

Legitimate programs such as a process manager or file manager (e.g. Task Manager or Windows Explorer on Microsoft Windows) normally request information from the operating system. These requests can be about files, the registry and currently running processes (programs).

[Image: diagram showing the rootkit filtering technique]

These are the steps that a rootkit takes in order to hide some malware:

  1. The rootkit sets itself up to intercept requests from legitimate programs before the operating system receives them, by hooking the API functions or system calls those programs use.
  2. The rootkit then makes the request to the operating system on behalf of the legitimate program.
  3. The operating system returns the requested information, which the rootkit examines.
  4. The rootkit removes any reference to the malware it is hiding from that information, and sends the filtered result on to the legitimate program.
  5. The legitimate program doesn’t know any different, and therefore processes the filtered information as if it had come straight from the operating system.

Essentially the rootkit is removing any information that would otherwise reveal the malware to a user. It really is just like an invisibility cloak! Thankfully tools such as RootkitRevealer exist to detect it. RootkitRevealer asks for the same information in two ways: through the normal Windows API, and by reading the raw file system and registry hive data directly. It then reports every file or registry key that appears in the raw view but not in the API view. A rootkit that filters the API view cannot also filter the raw view, so the discrepancy gives the hidden files away.
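The five filtering steps above, together with the cross-view check that catches them, as an added example in Python. This is my illustration, not RootkitRevealer’s code and not a real rootkit. A real rootkit hooks the Windows API in user mode or the system-call table in the kernel; here the “hook” is simply replacing `os.listdir` inside the Python process, which is the same idea applied to one program. The hidden-name prefix `_hidden_`, the file names and the temporary directory are all constructed for the demo. The “raw view” uses `os.scandir`, a second route to the same directory data that the hook does not cover, standing in for RootkitRevealer’s raw reads of the volume.

```python
import os
import tempfile

HIDDEN_PREFIX = "_hidden_"      # constructed: anything with this prefix is to be concealed

_original_listdir = os.listdir  # keep the real function so the hook can forward to it


def hooked_listdir(path="."):
    """Stand-in for the rootkit's hook (steps 2 to 4 of the text)."""
    entries = _original_listdir(path)                                  # steps 2-3: real call, real answer
    return [e for e in entries if not e.startswith(HIDDEN_PREFIX)]     # step 4: strip the evidence


def install_hook():
    """Step 1: sit between callers and the operating system."""
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _original_listdir


def api_view(path):
    """What a file manager sees (step 5): the filtered answer, trusted as genuine."""
    return sorted(os.listdir(path))


def raw_view(path):
    """A second route to the same data that the hook does not intercept."""
    with os.scandir(path) as it:
        return sorted(entry.name for entry in it)


def cross_view_diff(path):
    """RootkitRevealer's principle: anything in the raw view but not the API view is suspect."""
    return sorted(set(raw_view(path)) - set(api_view(path)))


def demo():
    """Hide one file, show the user's view, then catch it; returns (api_view, flagged)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "_hidden_keylog.dll", "photo.jpg"):   # constructed files
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            seen = api_view(d)
            flagged = cross_view_diff(d)
        finally:
            remove_hook()
    return seen, flagged


if __name__ == "__main__":
    seen, flagged = demo()
    print("user's view      :", seen)
    print("cross-view flags :", flagged)
```

The check only works because the two views are gathered by genuinely different code paths. If the rootkit hooked low enough that both routes passed through it, the views would agree and nothing would be flagged, which is why the real tool reads the on-disk structures itself rather than asking the operating system a second time.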

Conclusion

So once the surveillance software has captured some critical data, getting that data back to base is far from trivial. Advanced techniques are needed to bypass a personal firewall so that the user is not alerted to the presence of the surveillance software. So that the user does not notice the surveillance software in a list of running programs or locate its program files, a rootkit is used to ‘cloak’ the software from view. Completely covert surveillance software is actually a really difficult thing to achieve!

So that brings my Principles of Computer Surveillance guide to an end. I hope that you’ve enjoyed the series and hopefully you’ve learnt something too!

This article was posted on Monday, January 14th, 2008 at 11:26 am in Computer Surveillance.