Full Disclosure mailing list archives

Re: commercially spy software


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 11 Aug 2003 16:31:41 +1200

Ferdi Öztürk <Ferdi.Oeztuerk () wincor-nixdorf com> wrote:

> Hope that's not an old topic for full-disc. I've played around a little
> with these commercial products, which firms use for keylogging, process
> tracing, screenshots etc. - Antivirus (Norton, McAfee) doesn't seem to
> care about this special spy software, e.g. "eBlaster" on Windows OS
> (2000, 98, XP).
>
> Since there was no port in use, the program was invisible to me. The spy
> software producers call it "stealth mode".
>
> Ok, your opinions?

You are right that, in general, traditional AV products will not detect 
such "commercial spyware", at least so long as it is not renamed, 
repackaged or otherwise modified from its normal commercial form.  In 
part you can "thank" the folk behind the NetBus RAT for this -- with 
the release of the shareware version of NetBus Pro they complained that 
the virus scanners of major AV companies such as Symantec and NAI (aka 
McAfee) detecting their "product" were, in fact, anti-competitive 
practices as those developers also had competing "remote access" and/or 
"remote administration" products...

This minefield is one of the reasons why grown ups tend to prefer to 
decide for themselves what code is "appropriate" to run on the systems 
they are responsible for, and thus by exclusion, what code is not 
appropriate.  Thus, rather than relying on the commercially oriented 
(and thus liable to be swayed by the possible legal damages threatened 
by a suitably lawyered "opponent") decisions of other "big businesses", 
whose interests will necessarily never align particularly well with 
their customers (if nothing else, they want to maximize the money they 
make off of you whereas you would prefer to minimize your costs), 
pressure should be mounting for a new kind of security product -- real-
time integrity management of "executable" code.  There are a few 
(partial) solutions available already, but apparently there are not 
enough grown ups in the market to make this a viable alternative (yet).

I expect this situation to change.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

