
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 991

Looking for suggestions: detecting spy software on a computer

I cannot give much detail on the specifics of the issue that I am dealing with for various reasons, but it involves a person who is convinced that someone close to them has been spying on them using their own computer's webcam.  I have scanned the machine thoroughly and checked it for spyware, malware and the like, as it was infected when it came into my possession.  None of the "standard" tools for removing spyware, viruses and the like came up with anything other than a keylogger.
I haven't cleaned the PCs because I want them to remain "as-is" should they need them in their current state later - but I need to either verify their claim or show proof that will put them at ease in regards to being spied upon using their own webcam and/or online accounts.  I've been researching software that does this sort of thing and what I'm concerned about is that the software is obfuscated and hard to detect via normal means.  Most of the tools that I have read about advertise this.  The question is: how do I find these programs that are supposed to remain hidden?  I've got to figure out if this is paranoia or a legitimate concern.
It should be noted that I am very experienced in the hardware/software aspects of PCs, both hardware and software related (I own a PC repair and support business)...while I've worked with many different situations in the past, this is my first experience in this particular area and I'd like to make sure it's a job done right.  I'd rather ask the question and get a "nothing can be done" or "you're doing it wrong" than never ask and miss something because I was overconfident.
7 Solutions
I would watch the processes that are running in Task Manager and verify that they are all legit. Install a good firewall. I have a "possibly" similar client that is always sure someone is spying on them - checking their email, using their webcam, etc. Do your best, make sure there are no rogue processes running, and recommending good security practices is all you can do.
Read up on "rootkits."   They are typically how software runs without showing up in the Task Manager, etc.  Obtain, and run, malware detector/removal tools that are specifically intended to go after rootkits, like "RootkitRevealer," and, assuming you're dealing with a Windows-based machine, Microsoft's Safety Scanner, here:  http://www.microsoft.com/security/scanner/en-us/default.aspx

Both are free.
Step #1:  It sounds like you're interested in preserving the machine in its current state in case it's later needed as evidence. With that in mind, you should not be exploring the machine AT ALL, but rather a forensic image of the machine. The more the machine gets tinkered with, the more argument you give a potential legal adversary for tossing the evidence. You can download FTK Imager from www.accessdata.com/downloads free of charge to create the forensic image but to do it right the original drive needs to be immediately protected from further writes by you. To accomplish this you could use the trial version of SafeBlock (30-day full functionality) and connect the original drive to your imaging machine via a USB adapter. With all that said, if the machine is up and running right now, you might want to use a tool to grab a snapshot of all running processes, etc., before you shut it down for the last time. A little time in Google will yield plenty of tools to do this.

Once that's done, you can create a virtual machine tied to the forensic image and explore to your heart's content. What I've done with this kind of surveillanceware before is use a tool to capture the VM's network traffic. If someone is spying remotely, then that VM will try to "phone home." That traffic can be captured and analyzed. This approach is a lot of work but with some of the well hidden and hard-to-detect malware out there, it's the only reliable approach I've found.
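One way to work through the VM network capture the answer above describes, as an added example that is not part of the original thread: this Python script takes a constructed connection log (timestamp, PID, image name, remote endpoint; the 203.0.113.x and 198.51.100.x addresses are documentation ranges used as stand-ins), keeps only connections that leave the private network, and flags any process whose connections to one destination recur at a near-constant interval, which is the "phone home" pattern to look for.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log: "date time pid image remote_ip:port" (documentation IP ranges as stand-ins).
SAMPLE_LOG = """\
2012-03-01 10:00:03 1204 svchost.exe 192.168.56.1:445
2012-03-01 10:00:10 2588 winupd.exe 203.0.113.7:8080
2012-03-01 10:00:41 3020 firefox.exe 198.51.100.20:443
2012-03-01 10:00:55 1204 svchost.exe 10.0.0.5:53
2012-03-01 10:01:10 2588 winupd.exe 203.0.113.7:8080
2012-03-01 10:02:10 2588 winupd.exe 203.0.113.7:8080
2012-03-01 10:03:10 2588 winupd.exe 203.0.113.7:8080
"""

# RFC 1918 plus loopback and link-local; anything else counts as leaving the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_log(text):
    """Turn each 'date time pid image ip:port' line into (timestamp, pid, image, ip, port)."""
    records = []
    for line in text.splitlines():
        date, clock, pid, image, remote = line.split()
        host, port = remote.rsplit(":", 1)
        records.append((datetime.fromisoformat(f"{date} {clock}"), int(pid), image,
                        ipaddress.ip_address(host), int(port)))
    return records

def external_connections(records):
    """Keep only connections whose remote end is outside the internal ranges."""
    return [r for r in records if not any(r[3] in net for net in INTERNAL_NETS)]

def find_beacons(records, min_count=3, max_jitter=5.0):
    """Report (image, ip, port) groups whose gaps between connections are nearly constant,
    the 'phone home' pattern. Returns {(image, ip, port): mean_interval_seconds}."""
    groups = defaultdict(list)
    for ts, _pid, image, ip, port in external_connections(records):
        groups[(image, str(ip), port)].append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:  # low spread in gaps = timer-driven traffic
            beacons[key] = sum(gaps) / len(gaps)
    return beacons
```

On the sample, only winupd.exe is reported (60-second interval to 203.0.113.7:8080); a single browser connection to an external address is not flagged, so the process path behind any hit still has to be checked by hand.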

One of the best tools for this will be "Process Explorer".
Read about it here:

It will do a great job of showing you graphically everything that is running on the system.

If this were a situation likely to end up in court, a true forensics analysis - with specialized technicians and applications would be the way to go.

For the situation you're describing, I would go with Process Explorer as a start.

It should also be noted that virtually all of the scanners (Malwarebytes, HijackThis, etc) can be configured to "Identify Only" - with no action being taken - if you are comfortable using those.
"None of the "standard" tools for removing spyware, viruses and the like came up with anything other than a keylogger."

They think it's using their webcam and a keylogger was found; I think that's proof enough that there is a keylogger installed, unless it's a hardware one, which of course you would have checked first.
Some keyloggers can be set to take screenshots every X minutes and X seconds.
It's normal that none of the usual tools will find a keylogger because that's how these tools (keyloggers) are designed, though there are some tools that are able to see their tracks or some of their files or their logs.

Tools like Process Explorer (as younghv already mentioned), TCPView, etc. can help find out.
Check out this article "Have I Been Hacked?"

Also if you're not aware yet, there is a good scanner "IceSword" which should be easy for advanced users to use.
It's one of the most powerful tools for dealing with rootkits and very good for detecting keyloggers.
It scans the processes, startup, port, Win32 Services, shows the SSDT function etc.
Taking note of the Process Path of any entries that are Type WH_KEYBOARD can tell you the presence of keyloggers.
Keyloggers can also be under Types:
Can you monitor the switch or firewall that this machine is using? Use a packet sniffer to see what is actually going in and out.
As mentioned by ewkelly, packet sniffing can be accomplished with this free application:
You'll see the Sophos lead guy using Wireshark here:
and there are loads of other tutorials and guides available that would help you use it for your own current needs.

AutoRuns by SysInternals/Microsoft is a great way of listing just about every process that runs from boot:

The online "Shields Up" by Steve Gibson probes your system for open ports and allows you to look up the ports' specific roles, history, and security issues:

As has been clearly stated above though, IF any criminal or civil action is going to be pursued regarding this allegation, then the computer MUST be preserved without further tinkering and inspected by a qualified person whose findings will be admissible as evidence.
I think it goes without saying.  Obviously you won't want to alert the alleged perpetrator.  If the computer is being monitored remotely, it may be quite easy for that person to clean up and disconnect, leaving you with perhaps some traces of activity but no hard proof.

Any logging utility that captures screen activity as still screenshots or video could easily capture activity of the utilities above being run, and thereby alert the person thought to be "spying" of the fact that suspicions have been raised.

In that respect, although it's not necessarily a reliable indicator of anything, it would be wise to first consider a number of factors such as the perceived technical expertise of the "suspect", whether that person may easily have had one-time or ongoing technical advice from another party, and how much is at stake if that person digs up enough dirt to damage your client's reputation or character.

There are a LOT of perfectly legal "child safety monitoring" software titles around that can be used inappropriately by someone with only intermediate knowledge.  Paying for the "pro" version usually hides enough runtime activity to hide its presence from most "normal" users.  Such software has to be set up and configured on that machine though.  A few years ago a friend's AV software intercepted an attempt from a malicious website to install this software on his computer:

There is legit software around to easily make your computer act as a webcam server, and all someone needs to view live footage is the IP Address and Port number entered as a URL in any browser.

You can set up a VNC Server on a computer and, with some configurations, make it run in the background without having to accept a connection initiated from a computer running a VNC Viewer.  That is something you might be able to utilise if gaining access to the computer in question to monitor changes is not possible.  A few scripts run quickly and silently at intervals to generate your own reports could be quickly picked up by you over a brief VNC connection.

There's lots that you could do if this was just some kind of petty matrimonial argument, but I think you need professional forensic intervention here.
btan (Exec Consultant) commented:
It is never easy to analyse an infected machine because they would already be at a "lower level" (e.g. system kernel) which prevents you from seeing what you had expected, but may reveal some smokescreen like a keylogger that would be at user mode level etc. (there are kernel mode ones too). Some initial thoughts:

a) Rootkits are one of the categories that facilitate all their subsequent "gang members" like backdoors, keyloggers, screenscrapers, remote access tools, etc. to exploit and siphon out the recon information and data. They would still be at the intelligence gathering stage. But sometimes it is easy to detect rootkits if there is a clean state and we do an image comparison of the additions to detect the attack surface, but this route is typically harder as the original state is never kept. Nonetheless, below are some tools.

@ http://www.gmer.net/ 

b) The intent (or timeline), if established, will be helpful, especially knowing what your customer's line of work is, and it can help you streamline the answer to why tap the video camera - it does not seem to be identity theft, trying to steal some biometric facial info for authentication, or detecting motion for presence so that they can launch other activities that could trigger user suspicions.... Use of storage devices can be another area but we can leave it out (at first) unless the "investigation" surfaces nothing useful as leads.

c) Below is a quick one-page timeline analysis list to detect any early anomalies, e.g. drive-by download in web surfing, brute force login, huge download from the web, loss of internet activity though the user is using it, etc.

@ http://www.forensicfocus.com/timeline-analysis-one-page-guide

d) I will suppose all other security logs are also checked, as in the standard AV log (event viewer), firewall/IDS (daily log check). Just to make sure you get more information where possible, but I understand the customer will not reveal more, more for their internal incident response processes... also do recognise the patching level of the common vulnerable applications such as MS Office and Adobe Reader - they may not be at the latest version and that is the weak point for entry (I will be more surprised if the version is quite far from the latest ...)

@ http://www.online-tech-tips.com/computer-tips/how-to-detect-computer-email-monitoring-or-spying-software/
@ http://technet.microsoft.com/en-us/library/dd632947.aspx

Then again, for such analysis, it is always best to have a clean image to start off with, either using FTK or dd for the raw image. You can then work on it without worrying about tampering with the "as-is" state. But then again, there is one area where the malware cannot hide easily, which is the RAM memory, which is live and where all the evil rampage can be hiding. Suggest:

a) doing a memory dump before the cloning (assuming it is still running and not shut down) and looking out for the standard forensic artefacts to establish some timeline. Audit Viewer highlights any process in red that has an injected DLL.

@ http://computer-forensics.sans.org/blog/2010/11/08/digital-forensics-howto-memory-analysis-mandiant-memoryze/
> More for malware analysis if you found it @ http://www.mandiant.com/products/free_software/red_curtain

b) retrieving past Microsoft memory crash dumps (due to a 'Blue screen' which the user only saw as an auto-reboot though they just logged off and did not reboot). Hopefully there is a complete dump type for more details, or it may be empty.

@ http://support.microsoft.com/kb/315263
@ http://technet.microsoft.com/en-us/library/cc750081.aspx
@ http://www.moonsols.com/products/

c) check out restore points using the Mandiant Restore Point Analyzer to sieve out any past snapshot of its earliest infection (since they would need to install some sort of driver for high stealthiness)
@ http://www.mandiant.com/products/research/mandiant_restore_point_analyzer/

Hope it is not lengthy though
Great links breadtan. Very useful for me too.

jkeck3, I'm really curious about something you said, and I'm not sure if you can explain WHY the affected person has formed the suspicion that their own webcam is being used:
"a person who is convinced that someone close to them has been spying on them using their own computer's webcam."

Either something very specific has sparked that suspicion, or else you have a client who has a justified paranoia about privacy and has latched onto the most obvious thing in his/her mind that could be used to compromise privacy.

Are you able to divulge anything that would steer this towards or away from specifically the webcam as the "eyes and ears"?
jkeck3 (Author) commented:
Frustrating is one word to describe this...

Many great approaches to this, and I attempted all of them (sorry, off-site installs were taking up all of my time here lately while working on this in the evenings).  In the end, I guess they weren't terribly interested in finding out the truth, or something changed on their end.  It was requested that we wipe and reload three of their laptops and secure them as best we can.

I personally believe, after talking with the client, that this was about 95% paranoia.

For the record, I had already tried process explorer, Malwarebytes, rootkit detection, etc.

I had implemented the suggestions here (including imaging the disk) but in the end we just wound up cleaning the machines and starting over at the customer's request.

BillDL hit the nail on the head here with his guess - it was a "post-matrimonial" situation, as best I can determine.  My guess is that one person had access to the other person's accounts, which could or could not have been facilitated by the keylogger.  The keylogger was most likely tied to the viruses that were on the machine, but as I said, they simply changed the game in mid-stride so I'll never truly know.  Answers selected for all steps beyond what I had already tried.
jkeck3 (Author) commented:
Great suggestions, very helpful!  Thanks to everyone in helping me try to track this down.
Thank you jkeck3.  I'm kind of glad that you were able to offload the responsibility of this one. My comment about this possibly being a "petty matrimonial argument" was based in part on a similar situation I have been interrogated about every night at work for several weeks, and has driven me nuts!!  One of my staff is blaming a paranoic new partner for spying on him by searching every dating site to see if he still appears on any, while the reality is that he is equally or more paranoid than her and is constantly trying to check up on his new partner's facebook activities.  Additionally he believes that his ex-partner is jealous of this idyllic new partnership and is "stalking" his every online activity waiting for an opportunity to break them up.  I think there were also other potential "stalkers" mentioned also, but I kind of lost track of the conspiracy details.  Of course, I'm the one being asked how he can hide all of his activity and find out how they are spying on him.   I finally told him last night to "stop using the f@*ng computer and get a real life with his new partner instead of letting everyone know his every move via facebook and farmville!!!" ;-)
