In only a couple of years we computer users have learned a lot about online threats. There is no need to explain what “spyware” means — we all know it. Or do we?
If software collects information without users’ knowledge and transmits it, such a program is usually automatically labeled “spyware” no matter how valuable this information is. It can be either relatively innocuous code for gathering users’ browsing habits — or extremely dangerous software created specially for unsolicited monitoring and committing cybercrime like identity theft, or espionage.
In the classification from SpyAudit they the latter are called System Monitors. Here belong such programs as keyloggers and more advanced keylogger-based programs, which can intercept not only keystrokes, but also capture text from application windows and clipboard contents, make screenshots – in other words, everything you do. This is particular kind of software specially created for stealing valuable information.
“There has been a recent wave of system monitoring tools disguised as email attachments or free software products.”, experts warn. (see http://www.earthlink.net/spyaudit/press/) Keyloggers can be hidden in viruses or even slip into a PC while a user visits some website.
We users have become smarter and try to protect our data. Loads of programs are created to counteract spy software. Why data stealing is flourishing then? Unfortunately, the “means of defense” are, as it often happens, half a step behind “means of offense”.
Generally speaking, most anti-spyware works like that: it scans the operating system in search for suspicious bits of code. Should the program find any, it compares these suspicious pieces with bits of code (they are called signatures), which belong to already detected and “caught” spy programs. Signatures are kept in so-called signature base — the inseparable part of any anti-spy program. The more signatures it contains, the more spyware such program will detect, so your PC will be protected more effectively. As long as you update your anti-spy software regularly and the system doesn’t come across some unknown spyware product, everything is going to be all right.
The problem is that some keyloggers are written to be used only once. These “tailor-made”, or should we say, “custom-made”, keyloggers are extremely dangerous, because they will never be detected with existing anti-spy software which uses signature bases.
Keylogging software is relatively simple and not too difficult to compile. Even an average computer programmer can write a simple keylogger in a couple of days. More sophisticated one will take longer to make, of course, but not too long. Hackers often compile source code of several keyloggers (it’s easy to find them in the Web–for those who know where to look for) — and get a brand-new one with an unknown signature even faster. If a keylogger can be installed remotely without the victim’s knowledge, it gives the hacker great possibility to steal any information he pleases.
However, now most anti-virus and anti-spyware vendors proclaim that along with signature bases they apply heuristic algorithms for detecting spyware. It means that their products now can catch more “spies” than their signature bases contain. To verify it experts from Information Security Center Ltd recently carried out a simple test.
The testing simulated a situation when a thief applies a custom-made keylogger compiled from source code freely available (!) from the Internet. The testers did what a thief with a bit of programming skills can easily do: they took source code from the Internet and compiled 9 keyloggers. Then these “test spies” were used for checking whether world-known anti-spyware will detect anything. The results turned out to be shocking: 28 out of 44 anti-virus and anti-spy software products couldn’t do anything — they detected none. 10 products managed only 1 spy out of 9; 5 programs caught only 2 out of 9. The only product that blocked all the 9 spies was a dedicated anti-keylogging solution based solely on heuristic algorithms with no signature base.
To read more about this testing visit [http://bezpeka.com/en/lib/antispy/art2869.html]
Not to use signature base analysis at all is a relatively new trend in software development. This approach is rather promising; it means that such a dedicated anti-keylogging product –it already exists–can counteract even custom-made spies.