Introduction to Spyware: It’s Not All Bad News

For your eyes only! 👀 🕵️‍♀️ Spyware is a program that is surreptitiously installed on a machine, monitors user behavior and transmits this information to a malicious third party entity. Spyware differs from computer viruses:

• A virus installed directly into machines can perform an unauthorized transaction process, such as modifying or leaking certain data.
• Spyware, on the other hand, harvests user behavior information without the approval or knowledge of the victim.

Spyware is different from the monitoring tools installed by a business organization to monitor user performance on the machine and track user activity for auditing purposes. Adware, keyloggers and Trojan Horses are some examples of spyware programs.

Let’s get some intel on spyware. (It isn’t all as it seems...)

Why spyware is used

At best, spyware programs consume internet bandwidth and computing resources on the installed machines. These applications may be designed to:

• Deliver targeted advertisements
• Serve as browser helper objects
• Redirect users to desired web pages

At worst, a spyware application is a critical security threat designed to access sensitive user information including login credentials and paths to sensitive data assets.

(Learn about information security or check out these must-attend security events.)

Spyware types & threat potential

Let’s review the different classes of spyware and understand how to protect your privacy against a spyware attack:

Cookies and email tracking

These are a form of passive spyware models that do not require installation (running code) into your machines but use the existing tracking functionality of your web browsers. Cookies store the state of a browser session that is retrieved from a backend server. Since multiple websites are cached and delivered from the same data center and search engine providers, these websites can retrieve user information from these cookies and serve targeted ads.

Similarly, an email may contain HTML code that points to a remote server. The code can contain a unique identifier associated with the user — in the form of a URL link to an image, for example. Websites can use this identifier to validate and send personalized advertisements to the associated email account.

Adware

Adware is typically installed on the host machine and is bundled with other software. The permission is granted as part of the End User License Agreement (EULA) and therefore marketed as part of the sold software suite.

In reality, these applications are designed specifically to track user behavior and transfer this information to unauthorized third-parties. In other cases, social engineering exploits and phishing attacks may be used to install adware on a host machine. Adware is commonly used to serve:

• Annoying pop up ads
• Website redirection
• In some cases, denial of service attacks

Trojan spyware

These are the active spyware applications installed as a Remote Administration Trojan (RAT) as a packaged product that users would unknowingly accept when downloading a peer-to-peer sharing file. The key difference from an adware installation is that the victim remains unaware of the Trojan installation, since no EULA agreement or fine print specifies its existence.

Trojans serve no legitimate functionality for the user and exploit vulnerabilities in the operating system and web browsers to extract user information and serve ads, redirect websites and transfer sensitive user information to malicious third parties.

Keyloggers

Keystroke loggers can serve a legitimate business purpose of tracking employee behavior on a company laptop, especially when remote work is involved. The surveillance technology may be installed on all company devices including smartphones to:

• Track possible unauthorized activities
• Audit requirements
• Generate post-incident forensics reports

In other cases, the malicious third parties may install keyloggers to steal login credentials and keystroke behavior of the victim. Keylogger tools capture the length, sequence, velocity and time of the keys used by a user. Combined with hijacked network traffic, hackers can map the keystrokes to the login credentials for different websites and login portals. 

Browser hijackers

This spyware socially engineers user behavior to unknowingly change browser settings that enable third parties to change default search results and redirect websites to deliver additional advertisements. A user may be manipulated to press a simple OK or Allow button, which changes the default browser settings to push notifications, track user location or change the search engine.

Another form of browser hijacking system was the Browser Helper Object (BHO) supported by Internet Explorer. Infected BHO were used as keyloggers that captured search strings and login credentials as well as affected browser performance causing slowdown and crashes.

Protecting against spyware

In order to protect your systems against spyware applications, the following best practices can help:

• Look for spyware symptoms. Do you experience a sharp increase in ad delivery following a software installation or browsing session?
• Read the fine print. At least carefully look at the software components during the installation process. Do you see a browser plugin or additional tool that you did not sign up for?
• Look out for website redirects, pop up and banner ads. Do you see too many ads and website redirections?

If the answer to these questions is yes, it’s possible that your recent web browsing, software installation or email attachment download may have packaged and installed spyware tools on your machine.

What is Splunk?

This posting does not necessarily represent Splunk's position, strategies or opinion.