Sarah D. Scalet
Senior Editor

Chasing the Keystroke Capturers

Jun 19, 2003 | 5 mins
CSO and CISO, Data and Information Security


Last week, as Secret Service agent Kent McCarthy and attorney Eric Friedberg closed a presentation they were giving to members of the New York Electronic Crimes Task Force, they flashed an IP address on the screen before taking questions from the audience. Right away, a hand shot up near the front of the auditorium, but the speaker didn't want clarification of their case study. He wanted them to put the IP address back up, so that he could write it down.

The address in question is supposedly used by a perfectly legal piece of software called eBlaster, which the company SpectorSoft markets as a way to keep track of what your spouse or children are doing online. Operating in stealth mode, the software tracks every single keystroke entered into a computer, from instant messages to passwords, and records every e-mail sent and received and website visited. Then, it sends all the data to an IP address, where it is anonymously relayed to whoever has installed the software. (Or rather, it is anonymously relayed to whoever has caused the software to be installed: one of SpectorSoft's points of pride is that eBlaster can be hidden in an e-mail attachment so the user installs it unknowingly. The company only half-heartedly points out that if you do this without the computer owner's permission, you could be breaking the law.)

In short, eBlaster is the creepy kind of technology that sells more tickets to The Matrix Reloaded than its lissome leads. No surprise then that in the case described, it was being used by a criminal to monitor the e-mail activity of an unnamed company's executives.

Even more disturbing, however, was McCarthy and Friedberg's advice for how CIOs and CSOs could make sure the software wasn't installed on any of their company's PCs: by checking their system logs for the aforementioned IP address, which they indicated should not have any legitimate traffic. That would be about as efficient as checking for computer viruses one e-mail at a time.

The fact is that eBlaster is just one of a growing number of keystroke capturing programs, sometimes known as keyloggers and more broadly dubbed as spyware. Some are marketed to parents, spouses, employers and investigators for allegedly legitimate purposes; others are not sold so much as traded by hackers or passed on through computer viruses like Fizzer. These are incredibly powerful programs. In April, a former Boston College student pleaded guilty to installing keystroke capturing software on more than 100 campus computers and using it to steal personal information about 4,000 students, faculty and staff.

Judging by the reaction of the audience, monitoring for this kind of stealthware is next to impossible. The products are designed to operate invisibly (that's the whole point) and once installed are unlikely to trigger alerts from firewalls or intrusion detection systems. They just sit there, whispering your secrets. While the anti-virus vendors attempt to locate some of them, in large part because of viruses like Fizzer, they don't consider it their business to monitor for the likes of eBlaster.

And so, a cottage industry has quietly sprouted in response. With names like Pest Patrol, SpyGuard and Spysweeper, these emerging products aim to root out keystroke capturing software and other stealthware, like the mini-programs advertisers use surreptitiously to track Web usage. But these defensive products are far from perfect.

One person next to me griped that he runs several of them on his PC at work and just thanks his lucky stars he isn't in charge of the network. Not only are the products not designed to work across an enterprise, they all detect different things; that's why he uses several of them rather than just one to protect against the latest threats. Why, he wondered out loud, couldn't these vendors act more like anti-virus vendors? Then, no matter which product you chose, you could be reasonably assured that it would catch everything.

Clearly, there's a missed opportunity here. The emerging anti-stealthware vendors are still too immature to really solve the problem. Meanwhile, the anti-virus vendors (established companies that actually have the means to share information about new threats and get fixes pushed out to the marketplace) are leaving their customers exposed to a whole set of malicious code.

Maybe you should write down that IP address after all. It's

Postscript: Several readers have pointed out that if you type this IP address into a web browser, you get routed to Microsoft. But, as Agent McCarthy explained to me while I was reporting the column, if you look in the American Registry for Internet Numbers, you'll see that the IP address is actually registered to Rackspace, which is SpectorSoft's ISP. The site has been configured to redirect your browser to Microsoft (the owner of a website can do whatever it wants in its own space), apparently in an effort to conceal the fact that this IP address is for eBlaster's service and get snoopers like us off their track. Sneaky, huh?