Re: [Full-Disclosure] commercially spy software



Ferdi Öztürk <Ferdi.Oeztuerk@wincor-nixdorf.com> wrote:

> Hope that's not an old topic for full-disc. I've played around a little
> with these commercial products, which firms use for keylogging, process
> tracing, screenshots, etc. - Antivirus (Norton, McAfee) doesn't seem to
> care about this special spy software, e.g. "eBlaster" on Windows OS
> (2000, 98, XP).
> 
> Since there was no port in use, the program was invisible to me. The spy
> software producers call it "stealth mode".
> 
> Ok, your opinions?

You are right that, in general, traditional AV products will not detect 
such "commercial spyware", at least so long as it is not renamed, 
repackaged or otherwise modified from its normal commercial form.  In 
part you can "thank" the folk behind the NetBus RAT for this -- with 
the release of the shareware version of NetBus Pro they complained that 
the virus scanners of major AV companies such as Symantec and NAI (aka 
McAfee) detecting their "product" were, in fact, anti-competitive 
practices as those developers also had competing "remote access" and/or 
"remote administration" products...

This minefield is one of the reasons why grown-ups tend to prefer to 
decide for themselves what code is "appropriate" to run on the systems 
they are responsible for, and thus by exclusion, what code is not 
appropriate.  Thus, rather than relying on the commercially oriented 
(and thus liable to be swayed by the possible legal damages threatened 
by a suitably lawyered "opponent") decisions of other "big businesses", 
whose interests will necessarily never align particularly well with 
their customers (if nothing else, they want to maximize the money they 
make off of you whereas you would prefer to minimize your costs), 
pressure should be mounting for a new kind of security product -- real-
time integrity management of "executable" code.  There are a few 
(partial) solutions available already, but apparently there are not 
enough grown-ups in the market to make this a viable alternative (yet).

I expect this situation to change.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
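
The reply above argues for deciding locally which executable code is approved instead of relying on a vendor's detection list. The following is an added example, not part of the original message: a periodic (not real-time) hash baseline that reports any executable file that was not approved or no longer matches its approved content. The suffix list, function names and sample files are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types treated as "executable code" for this sketch.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}

def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for each executable-type file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES}

def audit(approved, current):
    """Default-deny comparison: anything not in the approved baseline is reported."""
    findings = {"unapproved": [], "modified": [], "missing": []}
    for path, digest in current.items():
        if path not in approved:
            findings["unapproved"].append(path)   # never approved by the owner
        elif approved[path] != digest:
            findings["modified"].append(path)     # approved path, changed content
    findings["missing"] = sorted(set(approved) - set(current))
    return findings

def demo():
    """Constructed sample tree: approve two files, then change the system."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "apps").mkdir()
        (root / "apps" / "editor.exe").write_bytes(b"approved editor build")
        (root / "apps" / "helper.dll").write_bytes(b"approved helper build")
        approved = snapshot(root)                 # the owner's decision, recorded
        (root / "apps" / "helper.dll").write_bytes(b"altered helper build")
        (root / "apps" / "monitor.exe").write_bytes(b"unknown monitoring tool")
        (root / "notes.txt").write_text("not executable, ignored")
        return audit(approved, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The unknown `monitor.exe` is reported because it was never approved, independent of whether any scanner classifies it as malicious.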