How can you find out what your child or employee is doing on the computer? What sites does he visit, with whom does he communicate, what and to whom does he write?
To do this, there are spyware - a special kind of software that collects information about all its actions unnoticed by the user. A spy program for a computer will solve this problem.
Spyware for a computer should not be confused with a Trojan: the first is absolutely legitimate and is installed with the knowledge of the administrator, the second gets on the PC illegally and carries out hidden malicious activities.
Although malicious programs can also be used by legitimate tracking programs.
Spy applications are most often installed by business leaders and system administrators to control employees, parents to spy on children, jealous spouses, etc. At the same time, the “victim” may know that she is being monitored, but most often she does not.
Overview and comparison of five popular spyware
NeoSpy
NeoSpy is a universal keyboard, screen and user actions spyware. NeoSpy works invisibly and can hide its presence during installation.
The user who installs the program has the opportunity to choose one of two installation modes - administrator and hidden. In the first mode, the program is installed openly - it creates a shortcut on the desktop and a folder in the Program Files directory, in the second it is hidden.
Program processes do not appear in Windows Task Manager and third-party task managers.
The functionality of NeoSpy is quite wide and the program can be used both as home tracking and in offices to control employees.
The spy program is distributed in three versions under a shareware license. The price is 820-1990 rubles, but it can also work for free (even in hidden mode) with restrictions when viewing reports.
What can NeoSpy do:
- monitor the keyboard;
- monitor site visits;
- show the user's screen in real time via the Internet from another computer or from a tablet;
- take screenshots of the screen and save pictures from the webcam;
- control system events (turning on, turning off, downtime in the computer, connecting removable media);
- intercept the contents of the clipboard;
- Monitor the use of Internet messengers, record Skype calls;
- intercept data sent for printing and copied to external media;
- keep statistics of work at the computer;
- send laptop coordinates (calculated over Wi-Fi).
Thanks to the Russian-language interface, a wide range of functions, correct keyboard interception and a mode of operation completely hidden in the system, NeoSpy gets the maximum rating when choosing user control software.
Real Spy Monitor
The next spy is Real Spy Monitor. This English-language program not only has tracking functions, but can also block certain actions on the computer. Therefore, it is often used as a means of parental control.
For each account in the settings of Real Spy Monitor, you can create your own policy of prohibitions, for example, to visit certain sites.
Unfortunately, due to the lack of an English-language interface, it is more difficult to figure out how Real Spy Monitor works, despite the graphic thumbnails for the buttons.
The program is also paid. The license costs from $39.95.
Features of Real Spy Monitor:
- interception of keystrokes, clipboard contents, system events, websites, instant messengers, mail;
- work in semi-hidden mode (without an active window, but with the display of the process in the task manager);
- work with multiple accounts;
- selective autostart for different accounts.
In general, many users like Real Spy Monitor, among the shortcomings they note the high cost, the lack of a Russian-language interface and the display of the process in the task manager.
Actual Spy
Developers position Actual Spy as a keylogger (keylogger), although the program can do more than just record keystrokes.
It controls the contents of the clipboard, takes screenshots, monitors website visits, and other things that are included in the main set of spies we have reviewed.
When installed, Actual Spy creates a shortcut in the Start menu, so it can be seen by the user. The launch also occurs openly - to hide the program window, you must press certain keys.
Opportunities Actual Spy is not much different from the capabilities of competitors. Among the shortcomings, users noted that it correctly records keystrokes only in the English layout.
SpyGo
SpyGo is a spy kit for home use. It can also be used in offices to control employees.
To start monitoring, just click the "Start" button in SpyGo.
SpyGo is distributed under a shareware license and costs 990-2990 rubles, depending on the set of functions.
In trial versions, the duration of monitoring is limited to 20 minutes per day, and sending reports to e-mail and via FTP is not available.
Main features of SpyGo:
- keystroke monitoring;
- recording of all actions on the computer (launching programs, operations with files, etc.);
- control of visits to web resources (history, search queries, frequently visited sites, duration of stay on the site);
- recording what is happening on the screen;
- saving the contents of the clipboard;
- listening to the environment (if you have a microphone);
- monitoring of system events (time to turn on and off the computer, downtime, connecting flash drives, disks, etc.).
Important! The disadvantages of SpyGo, according to users, include the fact that it does not support all versions of Windows, often throws errors when sending reports, and is quite easily unmasked.
snitch
Snitch - the name of this program is translated as "snitch", and it is very unfriendly towards the user. Snitch spies on computer activity. It works hidden, does not require complex settings and has little effect on system performance.
The program is released in a single version.
Snitch Features and Features:
- monitoring of the keyboard, clipboard, system events, web surfing and communication in instant messengers;
- compilation of summary reports and schedules of controlled events;
- undemanding to the network configuration;
- protection against unauthorized termination of the program process;
- monitoring is carried out even in the absence of access to the network.
Of the shortcomings, you can notice conflicts with antiviruses
How to detect a spy on a computer?
Finding spyware on a computer that does not show itself in any way is difficult, but possible.
So, despite the legitimacy, the applications we have considered can recognize special antiviruses,"sharpened" for the search for spyware (trojans with espionage function), so we recommend adding the installed program to the exclusion list of such antiviruses.
And if you don't need to remove the spy, but only need to mask your actions from it, you can use anti-spyware tools that, despite actively spying on you, will prevent interception of keyboard events and screenshots.
Then your correspondence and passwords will not fall into the wrong hands.
Elite Keylogger records all passwords typed on the computer, while remaining completely invisible to users! You can intercept passwords, documents, emails, chat messages and more.
Passwords
Elite Keylogger works in low-level driver mode and starts before Windows, which allows you to find out passwords and logins. Please note that the Mac version cannot record OS X login passwords.
Recording chats and mail
Elite Keylogger for Windows records chats and instant messages from many different clients including MSN, AOL, ICQ, AIM, GTalk, Skype. Elite Keylogger for Mac can record Skype, Viber, iChat/Messages and Adium messages and outgoing emails from both sides.
Network keylogger
Elite Keylogger is the ideal solution for remote computer monitoring. You only need to install it once - and the reports will be sent to you by e-mail, or uploaded to an FTP server. This makes this utility ideal for companies that require employee monitoring of computers. This application is completely invisible and cannot be detected by anti-virus or anti-spyware software (if properly installed).
Best site hijacking
Elite Keylogger is one of the best spyware because of its ability to record website visits on ALL popular browsers. It completely captures website addresses in Internet Explorer, Firefox, Safari, Opera, Google Chrome and other browsers. Each website address is logged, along with a time stamp, so you can easily track your kids' internet activity to make sure they're safe.
Friendly interface
They are so easy to use. Installation is quick and painless even for beginners. For those who need it, Elite Keylogger provides more advanced options such as remote installation or pre-configuration. Just install and you can set up and activate it in minutes. Just specify how you would like to receive logs - and you won't even need to touch the spyware's administrator interface anymore, because now it will do everything automatically!
Lots of reporting options
Elite Keylogger provides many reporting options. They can be sent to you by email, uploaded to FTP, transferred to another computer on the local network, or secretly copied to a USB drive. There are no restrictions on the size of the logs to be transferred.
Keyspy is a program that reads the keys pressed and saves them to a file. In the future, you can view what the person at the computer wrote, what messages he typed and what passwords he entered. Another name for a keylogger is a keylogger, from the English "keylogger", which literally means "recording buttons".
In NeoSpy, the keylogger function is enabled by default; in this mode, the program records text, hotkey combinations and passwords typed on the keyboard. The keylogger settings are managed in the "Tracking settings" - "Logging" - "Keyboard" menu. You can choose one of two program modes: standard and alternative. It is recommended in 99% of cases to use the default mode, but in case of a conflict with your antivirus software, you can enable the alternative mode.
Setting up a keylogger
The keyboard log is always recorded in full format, including service keys. An example of such a log can be seen in the illustration. While viewing the report, you can turn off the display of non-printing characters and view the log as plain text, more accessible for free reading.
Keylogger example
To simplify the work with reports, the typed passwords are highlighted in the list of pressed keys. Thus, you can find out the passwords of your child and, if necessary, protect him from unwanted acquaintances. If the NeoSpy program is used in an enterprise to control employees, then the collection of personal data and correspondence is prohibited in the legislation of most countries, so this option must be disabled, or the employee must be notified in writing about control by management and the inadmissibility of using a computer in an organization for personal correspondence.
The hacker world can be roughly divided into three groups of attackers:
1) "Skids" (script kiddies) - kids, novice hackers who collect known pieces of code and utilities and use them to create some kind of simple malware.
2) "Byuers" - not clean-handed entrepreneurs, teenagers and other thrill-seekers. They buy services for writing such software on the Internet, collect various private information with its help, and possibly resell it.
3) "Black Hat Coders" - programming gurus and architecture experts. They write code in a notebook and develop new exploits from scratch.
Can someone with good programming skills be the last one? I don't think you'll start creating something like a regin (link) after visiting a few DEFCON sessions. On the other hand, I believe that the information security officer should master some of the concepts on which malware is built.
Why do security personnel need these dubious skills?
Know your enemy. As we discussed on the Inside Out blog, you need to think like an intruder to stop him. I'm an information security specialist at Varonis and in my experience, you will be stronger in this craft if you understand what moves an intruder will make. So I decided to start a series of posts about the details behind malware and different families of hacking tools. Once you understand how easy it is to create undetectable software, you may want to rethink your enterprise's security policies. Now in more detail.
For this informal "hacking 101" class, you need a little knowledge of programming (C# and java) and a basic understanding of the Windows architecture. Keep in mind that in reality, malware is written in C/C++/Delphi so as not to depend on frameworks.
Keylogger
A keylogger is software or some physical device that can intercept and remember keystrokes on a compromised machine. This can be thought of as a digital trap for every keystroke on the keyboard.
Often this function is implemented in other, more complex software, such as Trojans (Remote Access Trojans RATS), which ensure the delivery of intercepted data back to the attacker. There are also hardware keyloggers, but they are less common. require direct physical access to the machine.
However, creating the basic functions of a keylogger is fairly easy to program. A WARNING. If you want to try any of the following, make sure you have the permissions and don't harm the existing environment, but it's best to do it all on a standalone VM. Further, this code will not be optimized, I will just show you the lines of code that can accomplish the task, this is not the most elegant or optimal way. And finally, I will not talk about how to make a keylogger resistant to reboots or try to make it completely undetectable thanks to special programming techniques, as well as about protection against deletion, even if it is discovered.
To connect to a keyboard, you just need to use 2 lines in C#:
1. 2. 3. public static extern int GetAsyncKeyState(Int32 i);
You can read more about the GetAsyncKeyState function on MSDN:
For understanding: this function determines whether a key was pressed or released at the time of the call and whether it was pressed after the previous call. Now we constantly call this function to receive data from the keyboard:
1. while (true) 2. ( 3. Thread.Sleep(100); 4. for (Int32 i = 0; i< 255; i++) 5. { 6. int state = GetAsyncKeyState(i); 7. if (state == 1 || state == -32767) 8. { 9. Console.WriteLine((Keys)i); 10. 11. } 12. } 13. }
What's going on here? This loop will poll every 100ms for each key to determine its state. If one of them is pressed (or has been pressed), a message about this will be printed to the console. In real life, this data is buffered and sent to the attacker.
Smart Keylogger
Wait, does it make sense to try to remove all the information in a row from all applications?
The code above pulls raw keyboard input from any window and input field that currently has focus. If your goal is credit card numbers and passwords, then this approach is not very effective. For real-world scenarios, when such keyloggers are executed on hundreds or thousands of machines, the subsequent data parsing can become very long and, as a result, become meaningless. valuable information for the cracker may be out of date by that time.
Let's say I want to get my Facebook or Gmail credentials to sell likes. Then a new idea is to activate keylogging only when the browser window is active and the page title contains the word Gmail or facebook. Using this method, I increase the chances of obtaining credentials.
Second version of the code:
1. while (true) 2. ( 3. IntPtr handle = GetForegroundWindow(); 4. if (GetWindowText(handle, buff, chars) > 0) 5. ( 6. string line = buff.ToString(); 7. if (line.Contains("Gmail")|| line.Contains("Facebook - Log In or Sign Up ")) 8. ( 9. //test keyboard 10. ) 11. ) 12. Thread.Sleep(100); 13. )
This snippet will detect the active window every 100ms. This is done using the GetForegroundWindow function (more information on MSDN). The title of the page is stored in the variable buff, if it contains gmail or facebook, then the keyboard scan snippet is called.
This ensures that the keyboard is only scanned when a browser window is open on facebook and gmail sites.
An even smarter keylogger
Let's assume that an attacker was able to get the data with a code similar to ours. Let's also assume that it is ambitious enough to infect tens or hundreds of thousands of machines. The result: a huge file with gigabytes of text, in which the necessary information still needs to be found. It's time to get acquainted with regular expressions or regex. This is something like a mini-language for compiling certain patterns and scanning text to match the given patterns. You can find out more here.
To simplify, I will immediately give ready-made expressions that match login names and passwords:
1. //Looking for a postal address 2. ^[\w!#$%&"*+\-/=?\^_`(|)~]+(\.[\w!#$%&"*+ \-/=?\^_`(|)~]+)*@((([\-\w]+\.)+(2,4))|(((1,3)\.)( 3)(1,3)))$ 3. 4. 5. //Looking for password 6. (?=^.(6,)$)(?=.*\d)(?=.*)
These expressions are here as a hint of what can be done using them. With regular expressions, you can search (and not find!) any constructs that have a specific and unchanging format, such as passport numbers, credit cards, accounts, and even passwords.
Indeed, regular expressions are not the most readable kind of code, but they are one of the programmer's best friends when it comes to text parsing tasks. Java, C#, JavaScript, and other popular languages already have ready-made functions into which you can pass ordinary regular expressions.
For C# it looks like this:
1. Regex re = new Regex(@"^[\w!#$%&"*+\-/=?\^_`(|)~]+(\.[\w!#$%&"* +\-/=?\^_`(|)~]+)*@((([\-\w]+\.)+(2,4))|(((1,3)\.) (3)(1,3)))$"); 2. Regex re2 = new Regex(@"(?=^.(6,)$)(?=.*\d)(?=.*)"); 3.string email = " [email protected]"; 4. string pass = "abcde3FG"; 5. Match result = re.Match(email); 6. Match result2 = re2.Match(pass);
Where the first expression (re) will match any email, and the second (re2) any alphanumeric construct greater than 6 characters.
Free and completely undetectable
In my example, I used Visual Studio - you can use your favorite environment - to create such a keylogger in 30 minutes.
If I were a real attacker, then I would target some real target (banking sites, social networks, etc.) and modify the code to match these targets. Of course, also, I would run an email phishing campaign with our program, disguised as a regular account or other attachment.
One question remains: will such software really be undetected by security software?
I compiled my code and checked the exe file on the Virustotal site. This is a web tool that calculates the hash of the file you have uploaded and looks it up in a database of known viruses. Surprise! Naturally, nothing was found.
This is the main point! You can always change code and evolve, always being a few steps ahead of threat scanners. If you are able to write your own code it is almost guaranteed to be undetectable. On this page you can read the full analysis.
The main purpose of this article is to show that using only antiviruses you will not be able to fully ensure the security of the enterprise. A deeper assessment of the actions of all users and even services is needed in order to identify potentially malicious actions.
In the next article, I will show how to make a truly undetectable version of such software.
To check the security of entered passwords through KeePass, I decided to write a simple keylogger with additional data capture from the clipboard. The whole code took several lines in FreePascal.
Passwords, without additional security measures and proper KeePass configuration, turned out to be quite vulnerable.
The keylogger code is placed in a Timer loop that is updated every 10 ms. Modules used: Windows and ClipBrd.
//Compare the current state of the keys for f:= 0 to 255 do if a[f]<>GetAsyncKeyState(f) then begin //Key Release Response if KeePass.Checked and (GetAsyncKeyState(f) = 0) then Memo1.Caption:= Memo1.Caption + chr(f); //Reaction to keypress if not KeePass.Checked and (GetAsyncKeyState(f)<>0) then Memo1.Caption:= Memo1.Caption + chr(f); end; //Save the current state of the keys to an array for f:= 0 to 255 do a[f] := GetAsyncKeyState(f); //Record on change in clipboard if s<>Clipboard.AsText then begin s:= Clipboard.AsText; Memo2.Caption:= Memo2.Caption + s + " "; end;
The Simple Logger program looks like this:
In the -Keyboard- window, keys are displayed without regard to case and input language. The character whose number is equal to the key code is displayed: chr(f). It is possible to modify the program to correctly display all characters, but this is not required for the present study.
The -Clipboard- window is copied when the contents of the clipboard change.
Weaknesses of KeePass and their elimination
1. Entering the main password
By default, the main password in KeePass is entered without protected mode, so it is easily determined in Simple Logger. This is the most critical place in safety, because. here we get access to the entire password database at once.To fix the problem, you need to enable the Security setting "Enter the master password in protected mode (similar to UAC in Windows Vista and higher)". This mode does not allow the logger to access the keyboard. In addition, it is impossible to take a screenshot in it to determine the location of the Key file.
This mode is enabled only when the main password is entered. The protection of other passwords will be discussed further.
2. Clipboard
Simple Logger responds to clipboard changes 100 times per second. Thus, hitting the password in the buffer and then deleting it after a few seconds does not provide protection in this case.To resolve this issue, you can use Autodial.
3. Autodial
The response to KeePass autodial is a key press, not a key press. This allows you to get protection from some keyloggers. To bypass this, Simple Logger has an additional setting: "KeePass Auto-Type". If it is enabled, then the logger is triggered by pressing a key.When autodialing via KeePass: MyLoginName LongPassword123
An entry will appear in Simple Logger:
Simple Logger does not take into account keyboard shortcuts in any way. As you can see, the Shift key is displayed as a special character (similar to "+") and "?". Shift is released both before and after the capital letter. However, this is enough to understand the password.
To solve this problem, you can use the setting in KeePass "Double complication of autodial". In this case, KeePass will enter part of the password from the keyboard, and part through the clipboard, mixing the values. This allows you to bypass some keyloggers.
Simple Logger will react to Double complication of autotype as follows:
- Paste from clipboard "Ctrl + V" displayed as "V◄?";
- Left arrow - "%" (key code and symbol #37);
- Right arrow - """ (key code and symbol #39).
From a keylogger that is “sharpened” for KeePass, additional protection tools can help.
4. Additional protections
Some software packages have features such as:- Protection of data input from the hardware keyboard;
- Protected Browser.
When using a secure browser, it was not possible to access the clipboard and keyboard using Simple Logger. In addition, it was not possible to take screenshots.
Instead of a conclusion
After looking at how our employees use KeePass, I found that some:- do not use UAC;
- do not use autodialer, just copying passwords through the clipboard;
- leave the program open when leaving the workplace;
- use the default settings without configuring the security policy.
I tested the latest version of KeePass 2.36 on Windows 8.1. To be fair, this issue is not just a KeePass issue. There are many other password keepers with greater or lesser degree of security, but this is a topic for another study.
Links
- Simple Logger on GitHub
// Who cares, you can find an exe file in the "SimpleLogger_for_Win64.7z" archive. The program does not allow for full-fledged keylogging, it is intended for security research and informational purposes.
Browser plugin
As user dartraiden pointed out, one can use the module KeePassHttp with browser add-on PassIFox or ChromeIPass. This plugin (according to the developer) provides secure exposure of KeePass records over HTTP.This bundle allows you to automatically fill in the login and password in the browser when KeePass is unlocked. Simple Logger does not react in any way in this case.
The weak point of ChromeIPass is the generation of a new password. it is copied through the clipboard and visible on the screen. In this case, it is better to generate a new password in KeePass itself.
Creating a new master password
As arthur_veber noted:When changing the master password, as well as when creating a new one, safe mode is not applied.
In this case, Simple Logger intercepts the master password entered into KeePass.
The virtual on-screen keyboard from a well-known manufacturer does not help either, which, like KeePass autodial, works on an event for pressing a key.
It's hard to give advice here. Probably, developers should pay attention to this problem.
Other means of attack
As user qw1 was the first to point out, if the system on which KeePass is installed is compromised, other means of attack besides the keylogger can be used. In this case, the list of actions to counter the attack will depend on the specific situation.Unfortunately, it is impossible to cover in one article all the security measures that are necessary for storing passwords.
