Security Basics mailing list archives
Re: Spy Software
From: H Carvey <keydet89 () yahoo com>
Date: 12 Apr 2003 11:08:05 -0000
In-Reply-To: <005301c2ffb9$dcd4a030$6901a8c0@matrix>
> The recorded data is saved in a C:\winnt\system32\netext\ folder but no
> exec. There is nothing unusual listed in Task Manager that would lead me to
> the application running in the background. Would anyone happen to know how
> exactly this application works.

I don't have a copy of the software to tell you exactly what's going on. However, a quick search on Google led to this:

http://www.interhack.net/pubs/spector/

According to the above review, an obfuscation technique is used. Therefore, it may not be an obvious process...if you go to the SysInternals site, for example, and grab a copy of listdlls.exe and run it on your system, you'll get not only the DLLs associated w/ each process/PID, but the command line used to launch the process, as well. You'll likely find your suspicious process this way.

The other possibility is, of course, API hooking, a la Greg Hoglund's rootkit techniques. As the review isn't specific, this could be a possibility, as well.

I'd suggest that you find a copy of InControl5, and install it on a system, and then run the first phase. Then install this spy software, and then run the second phase of InControl. You'll see exactly what's installed or modified.

Also, all of the reviews I found online indicate that this software opens a "backchannel" (gawd, how I hate it when techies make up terms) to a remote site. Most of the reviewers seem to have found the connection only after installing and running Spector Pro, yet none seems to have done any sort of analysis at all. This is just something to be aware of...

> I believe a user would have the right to know what is running on their
> system, and I'm kinda ticked off that Spector Soft denies such information.

It doesn't sound at all as if the tech guys at SpectorSoft are denying anything...they simply aren't telling you.

Also, I believe that a user has the right to know what's running on their system - however, in your case, these aren't the user's systems at all, are they? The systems belong to the company. By extension, then, the company (ie, your boss) has the right to know what's going on on their systems.

Harlan