Register now for SANS Cyber Defense Initiative 2016 and save $400.

Top 15 Malicious Spyware Actions

Spyware authors have ramped up their malicious code to invade users' privacy at unprecedented levels. The following list describes some of the most malicious activities of today's spyware, illustrating the need for solid antispyware defenses.

Changing network settings: To prevent signature updates for antivirus and antispyware tools, some spyware alters the infected machine's network settings. This type of attack could edit the infected machine's hosts file, apply outbound IP filters or alter the system's DNS server so that all names are resolved by an attacker-controlled DNS server.

Disabling antivirus and antispyware tools: To prevent disinfection, some spyware disables antivirus and antispyware tools to lengthen the time the attacker can control the victim machine.

Turning off the Microsoft Security Center and/or Automatic Updates: Some spyware disables the Microsoft Security Center because its warnings about an inactive firewall or antivirus program could alert the user. Also, a few spyware specimens disable automatic updates to prevent the installation of patches.

Installing rogue certificates: Web browsers are configured by default to trust a small number of certificate authorities to vouch for SSL certificates from Web sites and code-signing certificates for software distribution firms. Some spyware extends the browser's trust by adding the attacker's own SSL and/or code-signing certificate to the browser's trusted store.

Cascading file droppers: Once an attacker gets one spyware program installed on a machine, that sentinel program can grab other programs on a periodic basis, with each new program, in turn, grabbing others in a cascade. By spreading this cascade over several days, the attackers can stay ahead of antispyware signatures.

Keystroke Logging: Some spyware grabs keystrokes from the machine when a user visits a financial services or e-commerce Web site. To address this threat, some organizations use virtual keyboards, where an image of a keyboard on a screen prompts the user to click on-screen buttons to enter a password. Attackers have responded by using malicious code that grabs small screenshots around the mouse pointer to capture the user's password even with a virtual keyboard.

URL monitoring, form scraping, and screen scraping: Some spyware monitors all of the URLs a user visits. When sensitive sites are accessed, this spyware grabs a copy of all form elements submitted to the site, in an attempt to gather account and authentication information, a technique called form scraping. Screen scraping spyware grabs a screen image with sensitive data on it.

Turning on the microphone and/or camera: Some malicious code can turn on a microphone or even a video camera attached to a system, thereby substantially invading the users' privacy.

Pretending to be an antispyware or antivirus tool: Some particularly nefarious spyware pretends to be an antispyware, antivirus or other security tool. These programs tell the user that they are defending against attack, while actually attacking the user, in a classic Trojan horse scenario.

Editing search results: A few spyware specimens locally edit the results of a user's search, injecting ads into the search pages. The user thinks the ads came from the search engine itself, unaware that they are generated by locally installed spyware.

Acting as a spam relay: Some malicious code turns the victim machine into an e-mail spam relay, so an attacker can spew millions of messages through a group of controlled systems. Blacklisting and tracking down the attacker become far more difficult with an onslaught of spam-relay systems.

Planting a rootkit or otherwise altering the system to prevent removal: The most pernicious spyware alters the operating system in very subtle yet powerful ways to prevent its detection and removal. Uninstalling some spyware is so onerous that users are sometimes faced with complete reinstallation of their operating system and applications.

Installing a bot for attacker remote control: Some spyware comes bundled with a bot, a tool attackers user for remote control of large numbers of systems, in ranges from tens of thousands to millions of infected systems.

Intercepting sensitive documents and exfiltrating them, or encrypting them for ransom: Some targeted spyware, especially that associated with spear phishing attacks, is designed to steal sensitive documents from a specific organization. Other variants encrypt the data, letting the attacker offer the decryption key in exchange for a ransom payment.

Planting a sniffer: A few spyware specimens include sniffers to grab network traffic, including user IDs and passwords from other systems near the infected machine.

Ed Skoudis
SANS Instructor and Senior Security Analyst with Intelguardians