Channel: Magnet Forensics

IEF Makes Easy Work Out Of Detecting Stealthy Tamper Proof Spy Software


Guest Blog Post by: Paul Henry, vNet Security

The case (sanitized) was rather straightforward:

In a recent divorce case a client was concerned that a great deal of information had been presented by opposing counsel regarding his/her web surfing habits, chat conversations, and information contained only within personal emails that had never been sent to opposing counsel's client. The client was convinced that the only way the information could have been obtained was if spy software had been installed on his/her laptop by the spouse, who had easy, unobstructed access to the laptop.

The client's attorney provided the laptop in question and requested that it be analyzed in as cost-effective a manner as possible to determine whether any spyware had been installed on it. A forensic image of the laptop was created and brought back to the lab for processing.

Having worked on spy software detection in the past on both PCs and cell phones, I have a collection of strings and registry locations/keys that I search for, which allows me to make a reasonable determination of whether or not spy software is installed. In some cases URLs associated with the spy software vendor can be found embedded within .exe and .dll files, as well as in unallocated space, volume shadow copies, hiberfiles, etc. Hence a comprehensive search for URLs/Internet activity with IEF would be the most cost-effective approach.

Now that was fast!

The first hit was found less than 10 minutes into the search (Figure 1).

The hit was a URL embedded within an executable file, "artugdx.exe". While the search continued I started FTK Imager to examine the image and validate the hit (Figure 2).

The examination with FTK Imager validated the finding within IEF. I then exported the file "artugdx.exe" from FTK Imager and submitted it to www.virustotal.com for analysis. The VirusTotal analysis showed that 8 out of 46 AV products detected the file as Spectorsoft eBlaster spy software (Figure 3). It is important to note that Spectorsoft typically names its files randomly, so simply searching for a file name would be a poor approach; searching for embedded strings is much more effective. One practical caveat: anything uploaded to VirusTotal is shared with the participating vendors, so where a sample may carry case-specific configuration it is worth looking up the file's hash first and uploading only if there is no existing report.

A few details about Spectorsoft eBlaster

Once installed, the software can be configured to record literally all user behavior on the device it is installed on. It can send scheduled reports or alert immediately on a given activity. It records email sent and received, website visits, chat conversations, online searches, keystrokes, Facebook and other social media interactions, files uploaded and downloaded, program activity, user activity, and much more (Figure 4).

The software is advertised as being stealthy: it does not show up in the system tray, the task list, or under the Windows Programs folder (Figure 5 and Figure 6). However, as demonstrated by IEF, its use of unobfuscated strings within its executable files renders it easily and quickly detectable when using the right tool.
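The string-based approach described above (vendor URLs embedded in randomly named executables, searched for by content rather than by file name) can be reproduced outside IEF with a small scanner. The following is an added example written for this post; it is not code from the original article, from Magnet Forensics, or from Paul Henry. It assumes a hypothetical indicator list (the "spyvendor.example" and "othervendor.example" domains are constructed placeholders, not strings from the case) and runs over a constructed byte buffer standing in for an exported executable. It searches both ASCII and UTF-16LE encodings, since Windows binaries embed strings both ways, carries an overlap across chunk boundaries so it can be pointed at a raw image or hiberfil as well as a single .exe, and hashes the file so the digest can be looked up on VirusTotal before anything is uploaded.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical indicator list. In practice this holds the vendor domains and
# strings you have previously observed inside a spyware product's binaries;
# these two domains are constructed placeholders for the example.
INDICATORS = ["spyvendor.example", "updates.othervendor.example"]


def build_patterns(indicators):
    """Compile one case-insensitive byte pattern per indicator and encoding.
    Searching ASCII only misses the UTF-16LE copies a Windows binary carries."""
    patterns = []
    for indicator in indicators:
        for encoding in ("ascii", "utf-16-le"):
            needle = indicator.encode(encoding)
            patterns.append((indicator, encoding, len(needle),
                             re.compile(re.escape(needle), re.IGNORECASE)))
    return patterns


def printable_context(data, start, end, width=24):
    """Render the bytes around a hit so the analyst can read the full URL."""
    lo, hi = max(0, start - width), min(len(data), end + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[lo:hi])


def scan_bytes(data, patterns, base=0, min_end=0):
    """Return every indicator hit in `data`, sorted by absolute offset.
    `base` is the absolute offset of data[0]; matches whose absolute end is at
    or before `min_end` are dropped so a chunked caller never reports a hit twice."""
    hits = []
    for indicator, encoding, _length, pattern in patterns:
        for m in pattern.finditer(data):
            if base + m.end() <= min_end:
                continue
            hits.append({"offset": base + m.start(),
                         "indicator": indicator,
                         "encoding": encoding,
                         "context": printable_context(data, m.start(), m.end())})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_file(path, patterns, chunk_size=1 << 20):
    """Scan a file (an exported .exe, a raw image, a hiberfil, ...) in chunks.
    The last (longest needle - 1) bytes of each chunk are carried into the next
    one so an indicator straddling a chunk boundary is still found."""
    overlap = max(length for _, _, length, _ in patterns) - 1
    hits, tail, pos = [], b"", 0          # pos: absolute offset of next unread byte
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            data = tail + chunk
            hits.extend(scan_bytes(data, patterns, base=pos - len(tail), min_end=pos))
            pos += len(chunk)
            tail = data[-overlap:] if overlap else b""
    return hits


def sha256_file(path):
    """Hash the exported file; look the digest up on VirusTotal before uploading."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            digest.update(block)
    return digest.hexdigest()


# Constructed stand-in for an exported executable: an MZ header, filler, the
# vendor URL as an ASCII string and again (with different casing) as UTF-16LE.
SAMPLE = (b"MZ" + b"\x90" * 62
          + b"https://www.spyvendor.example/upload.php\x00"
          + b"\x00" * 16
          + "https://www.SpyVendor.example/".encode("utf-16-le")
          + b"\x00" * 8)


def scan_sample_file(chunk_size=50):
    """Write SAMPLE to a temp file and scan it with a deliberately tiny chunk
    size so the chunk-boundary handling is exercised; returns the hits."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE)
        return scan_file(path, build_patterns(INDICATORS), chunk_size=chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for hit in scan_sample_file():
        print(f"0x{hit['offset']:08x} {hit['encoding']:9} {hit['indicator']}  |{hit['context']}|")
```

Run against the constructed sample it reports two hits for the same indicator, one ASCII at offset 76 and one UTF-16LE at offset 145, with the surrounding bytes rendered so the full URL is visible; the same two hits come back whether the file is read in one piece or in 50-byte chunks. Pointed at an exported binary or a raw image, the offsets are what you would then confirm in FTK Imager, and the SHA-256 is what you would look up on VirusTotal.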

It should be noted that in some states, installing spy software such as Spectorsoft eBlaster without notifying all parties who might use the device is a wiretap violation and a felony. As an example, in Florida there have been civil cases where it was concluded that "because the spyware installed by the wife intercepted the electronic communication contemporaneously with transmission, copied it and routed the copy to a file in the computer's hard drive, the electronic communications were intercepted in violation of the Florida Act." (http://news.cnet.com/2100-1030_3-5577979.html)

The details provided by IEF, even before the scan had fully completed, together with the verification of the finding in FTK Imager and the subsequent VirusTotal analysis of "artugdx.exe", allowed me to quickly determine with a reasonable level of certainty that Spectorsoft eBlaster spy software had in fact been installed on the laptop. The client and counsel were notified of the finding and were given the option of having additional analysis performed to determine specifically who was receiving the reports from the spy software. They decided that, as they would not be pursuing civil litigation over the installation of the spyware, simply having proof that it was installed on the laptop met their needs (a motion to suppress illegally obtained evidence), and further analysis would not be necessary.
