Is Your PC Watching You?
New desktop snoopware products let anyone--boss, business partner, or spouse--track your PC habits.
Countering Snoopware: What You Can Do
The best counterespionage tactic, obviously, is to refrain from conducting sensitive business or pleasure on equipment that other people can access. And never use company equipment for unauthorized activities. The courts have ruled, quite clearly, that employees do not have absolute privacy rights in their use of such equipment.
While not required to do so, honorable businesses will tell employees their policies on monitoring. But snoopware is available now to anyone willing to pay for it, including those with devious motives.
Although the snoopware available on the market today is specifically designed to go undetected by the PC's user, several methods can help you determine whether you are being surreptitiously monitored:
1. Check your computer's system folder for changes. All of the programs we evaluated make substantial alterations there. One good way to monitor the situation is to regularly use a backup program that generates a report detailing files that have changed.
Any unexplained changes in the system folder, particularly changes that involve .dll and .exe files, are cause for suspicion.
2. Look for alterations in the Registry. These are harder to spot than system folder changes, but you can use a Registry-editing tool--such as Registry Tool, by the company of the same name--to track changes and compare the reports it produces over time.
3. Watch out for odd file names that have the "hidden" property checked. Snoopware programs typically use deceptive file names and activate the "hidden" file property feature. Good backup programs see through this. To inspect manually, enable the Show All Files option, under the View tab in the Folder Options dialog box; this is accessible under the View menu in the Windows desktop or in Windows Explorer. Look around the drive, especially in the system folder, for files with faded icons. Be careful: Important, legitimate system files are often hidden to prevent accidental and disastrous erasure.
One last headache for privacy sleuths: The snoopware that you're trying to detect may be recording your detection efforts.
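As an added illustration of steps 1 and 3 above (not part of the original article), a small Python baseline-and-compare script: it hashes every file under a folder, records whether the file carries the hidden attribute, and reports additions, modifications, removals and hidden executables between two snapshots. The folder layout and file names in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Windows sets this bit in os.stat().st_file_attributes for hidden files;
# the attribute is absent elsewhere, so getattr() falls back to 0.
FILE_ATTRIBUTE_HIDDEN = 0x2
WATCHED_SUFFIXES = {".dll", ".exe", ".drv", ".ocx"}

def snapshot(root):
    """Map every file under root (relative POSIX path) to (sha256, hidden)."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        attrs = getattr(path.stat(), "st_file_attributes", 0)
        # dot-prefixed names stand in for the hidden bit on Unix-like systems
        hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[path.relative_to(root).as_posix()] = (digest, hidden)
    return result

def compare(baseline, current):
    """Sorted (path, finding) pairs: added/modified/removed files, plus any
    hidden file with an executable suffix (steps 1 and 3 of the text)."""
    findings = []
    for rel, (digest, hidden) in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append((rel, "added"))
        elif old[0] != digest:
            findings.append((rel, "modified"))
        if hidden and Path(rel).suffix.lower() in WATCHED_SUFFIXES:
            findings.append((rel, "hidden-executable"))
    findings.extend((rel, "removed") for rel in baseline.keys() - current.keys())
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a fake System folder, then plant changes."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "System")
        (system / "WebExt").mkdir(parents=True)
        (system / "user32.dll").write_bytes(b"legit")
        baseline = snapshot(tmp)
        (system / "user32.dll").write_bytes(b"patched")          # modified
        (system / ".mswnsrvx.exe").write_bytes(b"new")           # added and hidden
        (system / "WebExt" / "4F0BF6D8.TPS").write_bytes(b"x")   # added
        return compare(baseline, snapshot(tmp))
```

Run snapshot() once against a known-clean system folder, store the result, and re-run compare() after each backup cycle; anything reported for a .dll or .exe you cannot account for is exactly the kind of change step 1 warns about.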
Here are the discoveries we made while evaluating the various products. Note that many programs allow the installer to change some of the file names involved, and that software developers are likely to change the names between versions deliberately to make lists like this obsolete.
Spector
Spector 2.1 adds several files to the C:\Windows\System directory, including mswnsrvx.cnt, mswnsrvx.exe, mswnsrvx.hlp, shmswnmp.dll, and shmswnrc.dll (all of these are hidden files).
The easiest way to determine whether you are under surveillance by Spector is to check for the C:\Windows\System\WebExt directory, which contains files with names like "4F0BF6D8.TPS." There may also be a master log file called "_MSFILEA.TXT", which shows when each capture file starts. The WebExt directory isn't hidden, but it can be changed to another name to make it harder to detect.
EBlaster
The major EBlaster program file is the 468KB URLMKPL.DLL, in the Windows/System folder. Also added are msskfzwin.dll, msskfzwin.ocx, and winmsskfzwin.drv.
EBlaster must send e-mail outbound to report on you. Severing your network connection will cause reporting to be delayed.
Insight
Detecting an installation of Insight is pretty easy. The standard installation procedure leaves an entry in the Install/Uninstall control panel labeled "INSIGHT Client." Insight also uses several .dll files that all start with the characters isgt, including isgtCBHO.dll, isgtCLHK.dll, and isgtCLNT.exe. The default is to place them in the C:\isgt directory, although a wily administrator can easily conceal them elsewhere, such as in the system folder.
If your only concern is Web surfing security, an obvious countermeasure to being snooped is to use Netscape, which does not report the page being visited. However, this may itself be seen as suspicious behavior.
I came up with a simple hack for spoofing this program: Make a copy of Netscape.exe and rename it to something like "WinWord.exe" (put the duplicate in the same directory that Netscape.exe was in). Launch that duplicate, rather than Netscape.exe. This spoofs the monitor into thinking you are word processing instead of surfing.
Be careful though--in a place of employment it is common to use multiple layers of monitoring, so an employer might catch you at the firewall even if you fool the monitor by renaming Netscape.
Insight, like the TravelEyes GPS system, requires management to regularly run the reports and to cross-check them against other records, such as attendance records or vehicle odometers. Otherwise it is relatively easy to deceive them by renaming your browser or shielding the antenna.
WinWhatWhere
WinWhatWhere includes instructions for changing the name of the executable files involved. This makes it harder to detect the program by doing simple directory investigation. When unmodified, the files to look for are Windows/System/aa81232.exe, Windows/System/sem.exe, W3i.exe, W3ihist.exe, and W3isetup.exe. The data is captured in a file with a name like "zw83.dat" ("zw81.dat," "zw82.dat," and so on). I could not find a provision for changing the capture file naming, although that may be possible.
Some Final Points
Antivirus protection is always recommended. There are a variety of espionage tools circulating in the hacker underground, including a well-known one called "Back Orifice." An antivirus program will prevent such a tool from being inserted covertly via e-mail or the execution of infected software.
A good way to figure out what a cryptic .dll or .exe file name means is to type it into a search engine and go look at the links that come back.
If you wish to practice deception, buy a copy of the snoopware program for yourself and experiment with it on a machine entirely under your control. After you have figured it out in safety, you can try fooling your adversary.
Finally, it is always wise to "play dumb and act smart." If your adversary underestimates you, they are less likely to resort to sophisticated deceptions such as changing file names, and the job of protecting your privacy is easier.
--Jamie Fenton