Spyware For The Masses

Snoops no longer need much technical savvy to steal personal information
from computers and mobile phones. The reason? Easy-to-use spyware is increasingly
becoming available online.

Recently released offerings include a kit that allows purchasers to
infect their Web sites with malicious software code that can automatically
install itself on computers that happen to visit the booby trapped site, and
software that can be installed on mobile phones to track all incoming and
outgoing calls and text messages.

Early last week researchers at Sophos, a security research firm based in
Abingdon, England, spotted the “WebAttacker” kit, an online tutorial and
guide to free shareware and spyware packages available on the Internet.

Offered on a Russian Web site, the tutorial explains how to lure victims
to Web sites containing spyware that can automatically install itself on
computers running the Windows operating system and using Microsoft’s
Internet Explorer browser. The exploits only install automatically if users
have neglected to apply Windows security patches and updates to their computer’s
software.

“This type of behavior is inviting the return of what we call
script-kiddies,” said Carole Theriault, senior security consultant at
Sophos, in a statement. “The more common cyber attacks become, the more of
these types of sites offering kits, databases of email addresses and [custom-built]
Trojans and spyware we will see. So as long as the money continues to flow,
there will be interested parties.”

The Russian spyware kit is available for sale directly from the site, and
the company offers technical support to buyers.

Mikko Hypponen, chief research director at F-Secure, a security firm based
in Helsinki, Finland, said that using the kit properly requires some
technical expertise, although users need not have programming knowledge.

But Hypponen said there are kits available on the Internet that are even
easier to use. One package, offered on a Web site that recently went off
line, included a video that explained how to “fine tune and configure” the
purchased exploit, according to the descriptive copy on the Web site where
the kit was for sale. The site’s copy claims that “It’s important to note
that our exploits are created especially for ordinary users, i.e. any kind
of user can adjust this exploit and use it effectively.”

Ken Dunham, director of the rapid response team at iDefense, a security
research firm based in Dulles, Virginia, said the use of spyware and adware
is a “rising threat,” with millions of illegal installations of such code
taking place in the past year.

While the lines separating the two are thin, adware is normally defined
as spyware that is installed with the user’s permission and consent. Spyware
monitors a user’s activities online and on infected computers, and then
relays that information via the Internet to whoever has deployed the snoopy
application.

Dunham said traditional anti-virus programs have been slow to respond to
such threats, giving adware and spyware the edge during the recent period of
growth. “The reality is that millions of consumers have ad/spyware on their
computer and don’t even realize it until it impacts performance on the
computer,” he said.

The JavaScript exploits included in the Russian kit identify the visiting
computer’s browser version and operating system, detect any installed
security patches and then launches the most appropriate exploit. Once active
on a computer the malicious software downloads a small program that attempts
to disable the computer’s firewall. It then installs the spyware.

Hypponen says that users of spyware kits are usually “data thieves and
small-scale industrial spies. State-sponsored spies and high-level
industrial espionage players don’t need to buy kits from the Web, they do
their own development.”

Other easy-to-use applications currently available online include
software that infects Symbian mobile phones and then records information
about the victim’s mobile call usage and text messages. “Flexispy,” offered
by a commercial software firm based in Thailand, sends the records to a
remote server that’s accessible to the person who planted the software on
the affected phone.

The company that offers the application bills itself as the world’s
“first mobile spy,” and says the application is a useful tool for catching a
cheating spouse, protecting children and tracking one’s own communications.
Wannabe snoops need to have physical access to the phone to install the
software.

In other spyware-for-hire news, on Tuesday an Israeli court ruled that
Ruth and Michael Haephrati would be fined two million shekels (approximately
$423,200) for developing and selling spyware.

The couple have already been sentenced to four and two
years in jail respectively for offering the spyware to private
investigators who allegedly used it to spy on their clients’ business
competitors. Nine of the investigators have also been indicted.

Court papers indicate that the software was created by Michael Haephrati
as a “joke,” intended to be used against members of his ex-wife’s family.
His new wife later decided to sell the malicious program.

The couple was arrested at their London home in May 2005 and extradited
to Israel at the beginning of this year.

“Hackers for hire have converged with traditional criminals to offer a
suite of services,” said Dunham. “You can pay hackers for exploits or to
hack into a site. We’ve even seen full time jobs offered by Russians to hire
experts to help them develop exploits and DDoS capabilities.

“We believe that corporate espionage is under-reported and a growing
issue in a highly competitive market.”

News Around the Web