Modem Interception

  • Profile:
  • Data calls can be tapped much like voice calls, although problems arise with certain high-speed transmission systems. Any extra length of wire added to a data line introduces frequency-specific faults (reflections and added capacitance) that can corrupt a high-speed transmission even when a voice call on the same pair still sounds fine. DSL lines present a further problem: the data rides in a band above the voice channel, so the voice band must be filtered out of the line before the data stream can be accessed.


    High-speed modems can typically be surveilled with nothing more than a lineman's handset in monitor mode. To avoid loading the line, any data intercept system must present a very high impedance; a low-impedance tap changes the line's characteristics enough to disturb the connection, and enough to be noticed.


    Once intercepted, recreating the traffic presents several problems. If a data call has been recorded it can be played back through a 'black box' containing a modem chip that does not wait for a handshake, allowing blind demodulation of the data. This was a reasonably simple task for low-speed modems (300 bps FSK, and not much harder at 1200 or 2400 bps); high-speed modems are considerably less cooperative. Modern modems use adaptive QAM constellations with trellis coding, full-duplex echo cancellation, and a training sequence at the start of the call during which the receiver tunes its equalizer, so a tap that misses the training, or that sees both directions superimposed on one pair, has a hard job before error correction and data compression (V.42 and V.42bis) even enter the picture. Home-brew demodulation of such a recording is next to impossible; a commercial demodulator like the Applied Signal Technologies 1520 Channel Processor or Model 113A Voice Channel Demodulator is required to recover high-speed modem connections.
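The 'black box' blind demodulator described above, for the easy case, as an added example that is not part of the original page: a 300 baud FSK call in the Bell 103 style. The tone frequencies, the 9600 Hz sample rate, the 8-N-1 framing and the synthesised "recording" are assumptions of the example; a real intercept would be an audio recording of the line, and the demodulator needs no handshake and no modem to read it.

```python
"""Blind demodulation of a recorded low-speed FSK data call (added example).

Assumptions (not from the original page): Bell 103 originate-side tones
(space = 1070 Hz, mark = 1270 Hz), 300 baud, 8-N-1 async framing, and a
recording sampled at 9600 Hz that starts on a bit boundary. The recording is
synthesised here rather than captured from a line.
"""
import math
import random

SAMPLE_RATE = 9600                      # Hz (assumption): 32 samples per bit at 300 baud
BAUD = 300
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD
SPACE_HZ, MARK_HZ = 1070, 1270          # Bell 103 originate tones: 0 = space, 1 = mark


def frame_bytes(data):
    """8-N-1 async framing: idle mark, then per byte a start bit (0), 8 data bits LSB first, a stop bit (1)."""
    bits = [1] * 4                      # a little idle mark before the first character
    for b in data:
        bits.append(0)
        bits.extend((b >> i) & 1 for i in range(8))
        bits.append(1)
    bits.extend([1] * 4)
    return bits


def modulate(bits, noise=0.0, seed=1):
    """Continuous-phase FSK: one tone per bit, plus optional Gaussian line noise (constructed signal)."""
    rng = random.Random(seed)
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase) + rng.gauss(0, noise))
            phase += step
    return samples


def tone_energy(chunk, freq):
    """Energy of `chunk` at `freq`: correlate with a quadrature pair (a single-bin DFT), phase-independent."""
    re = im = 0.0
    for n, s in enumerate(chunk):
        ang = 2 * math.pi * freq * n / SAMPLE_RATE
        re += s * math.cos(ang)
        im += s * math.sin(ang)
    return re * re + im * im


def demodulate(samples):
    """Decide each bit by which tone carries more energy in that bit period. No handshake, no modem."""
    bits = []
    for i in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        chunk = samples[i:i + SAMPLES_PER_BIT]
        bits.append(1 if tone_energy(chunk, MARK_HZ) > tone_energy(chunk, SPACE_HZ) else 0)
    return bits


def deframe(bits):
    """Recover bytes from 8-N-1 frames: hunt for a start bit, take 8 data bits, require a stop bit."""
    out, i = bytearray(), 0
    while i + 10 <= len(bits):
        if bits[i] == 1:                # idle mark, keep hunting
            i += 1
            continue
        data = bits[i + 1:i + 9]
        if bits[i + 9] != 1:            # framing error: resynchronise one bit later
            i += 1
            continue
        out.append(sum(b << k for k, b in enumerate(data)))
        i += 10
    return bytes(out)


def intercept(data, noise=0.3):
    """End to end: 'record' a call carrying `data`, then blindly demodulate and deframe the recording."""
    return deframe(demodulate(modulate(frame_bytes(data), noise=noise)))


if __name__ == "__main__":
    print(intercept(b"login: alice\r\npassword: hunter2\r\n"))
```

The whole decision is one energy comparison per bit, which is why a recorded 300 baud call gives up its contents to a few lines of code. Nothing in this approach carries over to V.32 or V.34: there the symbol is a point in a two-dimensional constellation that the receiver can only place after an equalizer trained on the call's opening sequence, the two directions share the pair and must be separated by echo cancellation, and the bit stream is scrambled before modulation, so a tap needs the commercial gear named above rather than a tone detector.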



  • Detection:
  • Because the interception is a physical tap on the line, modem surveillance can be detected the same way a phone tap is: inspection of the line, junction boxes and terminal blocks, and electrical measurements of the line. The limitation is that a tap built to the very high impedance described above is, by design, close to invisible to impedance and loading measurements, so physical inspection counts for more than instrumentation.



  • Countermeasures:

  • Encrypting modems will make intercepts useless, though you need a compatible encrypting modem at each end. Encrypting at a higher layer (running SSH, a VPN or another encrypted protocol over the dial-up link) gives the same protection without special hardware, and leaves the tapper with nothing but call timing and volume.

    Packet Sniffing

  • Profile:
  • Because the average LAN is run on a shoestring budget, it is traditional to put all machines on a shared medium (a coaxial segment or a hub), so every frame on the segment, traffic between your machine and the printer included, reaches every network card on the LAN. A card normally discards frames not addressed to it, but it can be told not to: a packet sniffer is a program that puts the ethernet card into 'promiscuous mode' and then sifts through every frame it sees, so any data on the segment can be monitored or intercepted. Sniffers are installed by compiling and executing a small program on a machine, or by using a commercial package like SpyNet designed to debug network problems.
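What a sniffer does with the frames once the card hands them over, as an added example that is not from the original page: decode Ethernet, IPv4 and TCP headers and pull a cleartext POP3 login out of the payload. The frames, addresses and credentials are constructed inline rather than captured; on a real host the same decode would be fed from a raw socket on the promiscuous interface.

```python
"""Decode path of a minimal credential-harvesting packet sniffer (added example).

Every frame below is constructed with build_frame(); nothing is read from a
network. Checksums are left at zero because a sniffer never verifies them.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
POP3_PORT = 110


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet II + IPv4 + TCP frame carrying `payload` (test input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp


def decode(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for a TCP/IPv4 frame, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                             # ARP, IPX, etc.: not our concern here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                    # header length in bytes (options included)
    if ip[9] != IPPROTO_TCP:
        return None
    total = struct.unpack("!H", ip[2:4])[0]     # trims any Ethernet padding after the datagram
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                   # TCP data offset
    return src, dst, sport, dport, tcp[doff:]


def harvest(frames):
    """Pair up POP3 USER/PASS commands per client connection, as a sniffer on the segment would."""
    seen = {}
    for frame in frames:
        decoded = decode(frame)
        if decoded is None or decoded[3] != POP3_PORT:
            continue                            # only client -> server POP3 traffic
        src, dst, sport, _, payload = decoded
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() in ("USER", "PASS"):
                seen.setdefault((src, sport, dst), {})[cmd.upper()] = arg
    return [(src, dst, v["USER"], v["PASS"])
            for (src, _, dst), v in seen.items() if "USER" in v and "PASS" in v]


# Constructed sample traffic: a POP3 login, the server's reply, an unrelated HTTP request, an ARP frame.
CLIENT, SERVER = "00:a0:c9:11:22:33", "00:00:0c:aa:bb:cc"
SAMPLE_FRAMES = [
    build_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.1", 1034, POP3_PORT, b"USER alice\r\n"),
    build_frame(SERVER, CLIENT, "10.0.0.1", "10.0.0.5", POP3_PORT, 1034, b"+OK\r\n"),
    build_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.1", 1034, POP3_PORT, b"PASS hunter2\r\n"),
    build_frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.9", 1035, 80, b"GET / HTTP/1.0\r\n\r\n"),
    bytes.fromhex("ffffffffffff" "00a0c9112233" "0806") + bytes(28),
]

if __name__ == "__main__":
    for src, dst, user, password in harvest(SAMPLE_FRAMES):
        print("%s -> %s  user=%s  pass=%s" % (src, dst, user, password))
```

The point of the example is that the sniffer needs no cooperation from either end: on a shared segment the frames arrive at every card, and the only thing separating a passive observer from the password is twenty lines of header parsing. A switched segment removes the frames from the observer's port, but an attacker who can forge ARP replies or flood the switch's address table gets them back, which is why the encryption countermeasure below is the one that actually holds.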

  • Detection:
  • Detection of promiscuous interfaces can be tricky, because techniques vary from one operating system to another. The Sniffer FAQ, published by Christopher Klaus, has detailed detection methods for most major operating systems. L0pht Heavy Industries' AntiSniff <http://www.l0pht.com/antisniff> provides a canned set of tests to detect NICs in promiscuous mode. Remote tests of this kind work by provoking a response from the sniffing host (whether it answers an ARP request sent to a MAC address that is not its own, or resolves the names of addresses seen in decoy packets, for example), so a sniffer on a host with no IP stack at all, or a passive tap on the cable, will not be found this way.



  • Countermeasures:
  • * Use switches (sometimes sold as 'active' or 'switching' hubs), which forward a frame only to the port where the destination machine lives, so the other ports never see it. These are more expensive than a plain hub but can be worthwhile. A switch is an obstacle, not a guarantee: an attacker on the segment can flood the switch's address table or forge ARP replies to pull other machines' traffic through his own.


    * Encrypting LAN traffic end to end (SSH instead of telnet and rlogin, TLS for mail and web sessions) makes whatever the sniffer captures useless, although the sniffer still learns who is talking to whom and when.



  • Further Resources:
  • Attrition.org hosts an excellent sniffer tutorial.


    Phrack Magazine published an article on defeating sniffers.

    Keystroke Loggers



  • Profile:
  • Keystroke loggers (also called keystroke recorders) are pieces of software that record every character typed on a specific computer. Key logging is also often incorporated into remote administration tools. Keystroke recorders are typically used in a bid to steal passwords, to spy on particular people, or as a biometric security system (by comparing the current typing pattern to one on file). Most keystroke loggers run as an invisible process (on Windows 9x, for instance, a program can ask the system to hide it from the Ctrl-Alt-Delete task list), so they can't be detected by a simple check of the running processes.


    Hardware keyloggers are also available. Hardware loggers sit inline between the keyboard and the computer, or inside the keyboard itself, intercepting and storing every keystroke. Because they keep the keystrokes in their own memory, hardware key loggers are limited in the number of keys they can hold. They need no software on the machine at all, so nothing in the process list or the startup files will betray them.


    Key loggers exist for every platform, either as 'administration utilities' (which cost money) or 'hacker tools' (which do not). Windows can play host to Ghost and Stealth Activity Monitor. Stealth Keyboard Interceptor is available for the NT/2000 platform. Popular Macintosh keyloggers include Life Insurance and Invisible Oasis.


    A fairly insidious breed of keystroke recorder for the Windows platform exists as a VxD, a kernel-mode driver loaded at boot. It hooks the keyboard below every user-mode program, so no process list will show it; the only traces are the driver file and the line (in SYSTEM.INI or the registry) that loads it.



  • Detection:
  • Pressing Ctrl-Alt-Delete in a Windows environment in a bid to spot a keystroke logger is usually futile, since loggers hide from that list. A registry monitor or process monitor makes an excellent tool for ferreting out a keylogger. Startup files (AUTOEXEC.BAT, WIN.INI, SYSTEM.INI and CONFIG.SYS) should be checked routinely for commands that start unknown programs, as should the Run keys in the registry.


    Macs face a whole different set of problems in locating keyloggers. As almost all Macintosh loggers exist as system extensions, they aren't considered running processes. Digging around with a copy of ResEdit looking for invisible files is an effective but wildly impractical way to find log software. A utility such as UtilityDog or Sherlock II can be used to list all invisible files, but loggers can be renamed or masquerade as legitimate software, so a familiar-looking name proves nothing either way.


    As some key loggers mail their logs periodically, monitoring outgoing mail connections (or closing that port with a firewall for everything but the real mail client) should prevent these loggers from functioning, or at least reveal them when they try. This obviously won't work against a logger whose results are picked up by hand, or one that delivers its logs over some other port the firewall allows.



  • Countermeasures:
  • Remove a logger if one is found. Be careful with what you download and run anti-virus software regularly. For hardware loggers, inspect the keyboard cable and the connector on the back of the machine; no software check will find them.


  • Further Resources:
  • KeyGhost and Micro Spy both manufacture hardware key recorders.


    Remote Administration Tools

  • Profile:


  • Remote administration tools are programs that reside on a computer and allow an administrator to log in remotely, make changes, or monitor activity. In the wake of the much-hyped "Back Orifice" program, many people are beginning to realize that remote administration programs can be used for all but undetectable surveillance as well as for standard administration tasks. Even computers that are nominally secure will often still have a legitimate remote administration client such as WinWhatWhere, Microsoft's Systems Management Server (both for Windows 9X/NT) or Timbuktu (MacOS) that could be subverted.


    The newer Back Orifice 2000 http://www.bo2k.com can be bound to a host program with a utility called Silk Rope 2K or Saran Wrap (which hides BO2K inside an existing InstallShield wizard), making detection of BO2K even more difficult. While Back Orifice has gotten most of the press, there are hundreds of remote administration trojans available. NetBus, Sub7 and Donald Dick provide similar functionality to Back Orifice.


    While the majority of remote administration programs are designed for Windows 9X and NT, Macintosh users are open to similar (though more low-key) threats through programs such as Remote Administration Extension available from Freak's Macintosh Security.



  • Detection:


  • Registry monitors (most RATs hit the registry routinely and hard) and process monitors make formidable tools for detecting and killing remote control suites in a Windows environment. Windows users should also check startup files (AUTOEXEC.BAT, WIN.INI, SYSTEM.INI and CONFIG.SYS) and the Run, RunOnce and RunServices keys under HKLM\Software\Microsoft\Windows\CurrentVersion routinely for commands that start unknown programs.


    Relying on automated detection systems is dangerous. Besides the numerous (and effective) techniques used to elude them, some trojan detectors (notably BO Sniffer) are actually disguised trojan servers. The Trojan Defence Suite for Win9X/NT is the most versatile of the canned trojan detectors.


    Macintosh users can detect remote administration tools in a method similar to Windows users. A process listing application can be used to root out and end invisible tasks, and a copy of ResEdit used to nullify or delete the server.


    Watching the TCP streams of a particular computer (a common technique for automated intrusion detectors) is of limited effectiveness. Most systems examine packet length to spot trojan packets, a technique that arose because the original Back Orifice sent the packet length in an unencrypted header. Back Orifice 2000 has a plugin module that alters the stream in order to sneak past automated observation systems. Even if it's not a supported option, it's a minor chore to alter the port that a remote administration server listens on, so identification based on port numbers alone is useless; a signature has to key on the protocol's content, and an encryption plugin takes even that away.
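The startup-file check recommended in both the keystroke logger and remote administration tool detection sections (and the SYSTEM.INI line that loads a VxD logger) done as a script, as an added example that is not from the original page: it parses WIN.INI run= and load=, SYSTEM.INI shell= and [386Enh] device= lines, AUTOEXEC.BAT, and a REGEDIT4 export of the CurrentVersion Run, RunOnce and RunServices keys, then reports every program not on a known-good list. The file contents, the program names in them and the allowlist are constructed for the example.

```python
"""Autostart audit for the Windows 9x/NT-era locations the page names (added example).

All file contents below are constructed samples, as is the allowlist; on a
real machine you would read the files from C:\\WINDOWS and export the Run keys
with REGEDIT /E.
"""
import re

# Programs an administrator expects to see starting (assumed known-good list).
ALLOWLIST = {"explorer.exe", "systray.exe", "scanregw.exe", "mouse.com", "vmm32.vxd"}

WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\KEYLOG32.EXE /hide
[Desktop]
Wallpaper=(None)
"""
SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
device=C:\\WINDOWS\\SYSTEM\\VMM32.VXD
device=C:\\WINDOWS\\SYSTEM\\KBDHOOK.VXD
"""
AUTOEXEC_BAT = """@ECHO OFF
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
C:\\WINDOWS\\COMMAND\\MOUSE.COM
C:\\SPOOL\\SPOOLER.EXE
"""
REG_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"Windows Loader"="C:\\\\WINDOWS\\\\SYSTEM\\\\WINSVC32.EXE"
"""


def program_name(command):
    """Lower-cased basename of the program a command line starts: 'C:\\A\\B.EXE /h' -> 'b.exe'."""
    command = command.strip()
    if command.startswith('"'):                       # quoted path containing spaces
        token = command[1:].split('"', 1)[0]
    else:
        token = command.split()[0] if command.split() else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ini_values(text, wanted):
    """Yield (section:key, value) for the keys in `wanted`, e.g. {"windows": {"run", "load"}}."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" in line and section in wanted:
            key, _, value = line.partition("=")
            if key.strip().lower() in wanted[section]:
                for item in value.split(","):         # run= and load= may list several programs
                    if item.strip():
                        yield "%s:%s" % (section, key.strip().lower()), item.strip()


def autoexec_commands(text):
    """Lines of AUTOEXEC.BAT that launch a program; batch directives are skipped."""
    directives = ("@", "REM", "SET ", "PATH", "ECHO", "PROMPT", "CALL ", "IF ", "GOTO", ":")
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.upper().startswith(directives):
            yield "autoexec.bat", line


RUN_KEY = re.compile(
    r"\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\(Run|RunOnce|RunServices|RunServicesOnce)\]$", re.IGNORECASE)


def registry_run_values(text):
    """Values under the Run* keys in a REGEDIT4 export (the export doubles every backslash)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None       # ignore values under any other key
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:
                yield "registry:%s\\%s" % (key, m.group(1)), m.group(2).replace("\\\\", "\\")


def audit(win_ini, system_ini, autoexec, reg_export, allowlist=ALLOWLIST):
    """Every autostart entry whose program is not on the allowlist, as (location, command)."""
    entries = list(ini_values(win_ini, {"windows": {"run", "load"}}))
    entries += ini_values(system_ini, {"boot": {"shell"}, "386enh": {"device"}})
    entries += autoexec_commands(autoexec)
    entries += registry_run_values(reg_export)
    return [(loc, cmd) for loc, cmd in entries if program_name(cmd) not in allowlist]


if __name__ == "__main__":
    for location, command in audit(WIN_INI, SYSTEM_INI, AUTOEXEC_BAT, REG_EXPORT):
        print("%-40s %s" % (location, command))
```

An allowlist rather than a blocklist is the right shape for this check: the page's own point is that loggers and trojan servers rename themselves or masquerade as legitimate software, so the only useful question is whether you can account for every entry, not whether any entry matches a known bad name. The audit also covers the VxD case, since a kernel-mode logger that never appears in a process list still needs a device= line or a registry entry to be loaded at boot.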




  • Countermeasures:


  • Proper firewalling will render a connection between a trojan server and its client impossible, provided the filtering covers both directions: inbound filtering stops a remote client reaching a server listening on the machine, but a trojan that calls out to its controller needs outbound (egress) filtering as well, and one that talks over a port the firewall must allow needs something other than a firewall.



  • Further Resources:


  • PC-Help hosts several excellent tutorials on the detection and removal of trojan programs.