JUNE 19, 2003

Last week, as Secret Service agent Kent McCarthy and attorney Eric Friedberg closed a presentation they were giving to members of the New York Electronic Crimes Task Force, they flashed an IP address on the screen before taking questions from the audience. Right away, a hand shot up near the front of the auditorium, but the speaker didn’t want clarification of their case study. He wanted them to put the IP address back up, so that he could write it down.

The address in question is supposedly used by a perfectly legal piece of software called eBlaster, which the company SpectorSoft markets as a way to keep track of what your spouse or children are doing online. Operating in stealth mode, the software tracks every single keystroke entered into a computer, from instant messages to passwords, and records every e-mail sent and received and website visited. Then, it sends all the data to an IP address, where it is anonymously relayed to whoever has installed the software. (Or rather, it is anonymously relayed to whoever has caused the software to be installed; one of SpectorSoft’s points of pride is that eBlaster can be hidden in an e-mail attachment so the user installs it unknowingly. The company only half-heartedly points out that if you do this without the computer owner’s permission, you could be breaking the law.)

In short, eBlaster is the creepy kind of technology that sells more tickets to The Matrix Reloaded than its lissome leads. No surprise then that in the case described, it was being used by a criminal to monitor the e-mail activity of an unnamed company’s executives.

Even more disturbing, however, was McCarthy and Friedberg’s advice for how CIOs and CSOs could make sure the software wasn’t installed on any of their company’s PCs: by checking their system logs for the aforementioned IP address, which they indicated should not have any legitimate traffic. That would be about as efficient as checking for computer viruses one e-mail at a time.

The fact is that eBlaster is just one of a growing number of keystroke capturing programs, sometimes known as keyloggers and more broadly dubbed as spyware. Some are marketed to parents, spouses, employers and investigators for allegedly legitimate purposes; others are not sold so much as traded by hackers or passed on through computer viruses like Fizzer. These are incredibly powerful programs. In April, a former Boston College student pleaded guilty to installing keystroke capturing software on more than 100 campus computers and using it to steal personal information about 4,000 students, faculty and staff.

Judging by the reaction of the audience, monitoring for this kind of stealthware is next to impossible. The products are designed to operate invisibly (that’s the whole point) and once installed are unlikely to trigger alerts from firewalls or intrusion detection systems. They just sit there, whispering your secrets. While the anti-virus vendors attempt to locate some of them, in large part because of viruses like Fizzer, they don’t consider it their business to monitor for the likes of eBlaster.

And so, a cottage industry has quietly sprouted in response. With names like Pest Patrol, SpyGuard and Spysweeper, these emerging products aim to root out keystroke capturing software and other stealthware, like the mini-programs advertisers use surreptitiously to track Web usage. But these defensive products are far from perfect.

One person next to me griped that he runs several of them on his PC at work and just thanks his lucky stars he isn’t in charge of the network. Not only are the products not designed to work across an enterprise, they all detect different things; that’s why he uses several of them rather than just one to protect against the latest threats. Why, he wondered out loud, couldn’t these vendors act more like anti-virus vendors? Then, no matter which product you chose, you could be reasonably assured that it would catch everything.

Clearly, there’s a missed opportunity here. The emerging anti-stealthware vendors are still too immature to really solve the problem. Meanwhile, the anti-virus vendors, established companies that actually have the means to share information about new threats and get fixes pushed out to the marketplace, are leaving their customers exposed to a whole set of malicious code.

Maybe you should write down that IP address after all. It’s 64.49.213.134.

Postscript: Several readers have pointed out that if you type this IP address into a web browser, you get routed to Microsoft. But, as Agent McCarthy explained to me while I was reporting the column, if you look in the American Registry for Internet Numbers (www.arin.net), you’ll see that the IP address is actually registered to Rackspace, which is SpectorSoft’s ISP. The site has been configured to redirect your browser to Microsoft (the owner of a website can do whatever it wants in its own space), apparently in an effort to conceal the fact that this IP address is for eBlaster’s service and get snoopers like us off their track. Sneaky, huh?
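The log check the presenters recommended, written out as an added example that is not part of the original column: it scans firewall-style log lines for connections to the address given above and groups the hits by internal host, so one pass over the logs shows which machines to examine. The log format, sample lines, ports and internal addresses are constructed assumptions, and the indicator list is generalized to accept further addresses or ranges.

```python
import ipaddress
from collections import defaultdict

# Indicator taken from the column; more addresses or CIDR ranges can be appended.
INDICATORS = [ipaddress.ip_network("64.49.213.134/32")]

# Constructed sample in an assumed format:
#   <ISO timestamp> <action> src=<ip> dst=<ip> dport=<port>
# Ports and internal hosts are invented and say nothing about eBlaster itself.
SAMPLE_LOG = """\
2003-06-12T09:14:02 ALLOW src=10.1.4.23 dst=64.49.213.134 dport=80
2003-06-12T09:14:05 ALLOW src=10.1.4.77 dst=192.0.2.10 dport=443
2003-06-12T09:44:02 ALLOW src=10.1.4.23 dst=64.49.213.134 dport=80
2003-06-12T10:02:41 DENY src=10.1.9.8 dst=64.49.213.134 dport=25
this line is malformed and must be skipped
2003-06-12T10:14:02 ALLOW src=10.1.4.23 dst=64.49.213.134 dport=80
"""

def parse_line(line):
    """Return (timestamp, action, fields), or None if the line does not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "src" not in fields or "dst" not in fields:
        return None
    return parts[0], parts[1], fields

def hosts_contacting_indicators(log_text, indicators=INDICATORS):
    """Map each internal source host to its count, first/last seen and actions."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "actions": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, fields = parsed
        try:
            dst = ipaddress.ip_address(fields["dst"])
        except ValueError:
            continue  # destination is not a valid IP address
        if any(dst in net for net in indicators):
            h = hits[fields["src"]]
            h["count"] += 1
            # ISO timestamps compare correctly as strings
            h["first"] = ts if h["first"] is None else min(h["first"], ts)
            h["last"] = ts if h["last"] is None else max(h["last"], ts)
            h["actions"].add(action)
    return dict(hits)

if __name__ == "__main__":
    for host, h in sorted(hosts_contacting_indicators(SAMPLE_LOG).items()):
        print(host, h["count"], h["first"], h["last"], sorted(h["actions"]))
```

A host that shows repeated allowed connections is the one to pull for examination; a single address is still only one indicator, which is the limitation the column describes.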