I originally published this blog at http://community.ca.com/blogs/securityadvisor
November 21 2008, 11:56 AM by Benjamin Googins
Background
Earlier this week the Federal Trade Commission issued a temporary restraining order against CyberSpy Software, LLC to stop the sale of the RemoteSpy keylogger. In the vendor’s own words: ‘RemoteSpy can easily record websites visited, keystrokes typed, internet comversations[sic], email logging, documents opened, and so much more.’ The FTC’s stated reasons for issuing the order include that the software is: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information.*
In my own previous analysis, RemoteSpy acts (or acted) as both a service and software provider. CyberSpy hosts servers that the keylogging software routinely connects to in order to upload covertly collected data. The attacker can log in remotely to an account where all the data is stored and viewable. RemoteSpy can be installed remotely by the attacker, silently and unbeknownst to the victim. The software runs quietly in the background, making no obvious appearance to the victim, and collects user data such as passwords along with the data the vendor lists above. This type of software has been detected by anti-spyware products, like CA Anti-Spyware, for well over 10 years.
Too little. Too late?
Does this mean the end of commercial spyware? Hardly. When I first read the subject line to the FTC’s press release, ‘Court Orders Halt to Sale of Spyware’, I was pretty excited. Unfortunately, this restraining order is only temporary and limited to one particular piece of software — the RemoteSpy keylogger. I would guess CyberSpy is working with their lawyers to launch an appeal.
Even if this restraining order sticks and is made permanent, there is a plethora of other keyloggers available on the market, many for free — will the FTC expand this restraining order? CA Anti-Spyware detects well over 1000 different keyloggers including Invisible Keylogger, Activity Monitor, and EBlaster. Take a look at this screenshot of a webpage for Realtime-Spy keylogger:
Some of the features include ‘remote installation’, ‘logging multiple machines’, and ‘log all keystrokes’. Sound much different than the criteria the FTC lists as reason for the restraining order against CyberSpy?
The FTC listed remote installation as the first criterion for issuing the restraining order. RemoteSpy may have used particularly aggressive techniques for installation, but based on my own experience, many keyloggers allow for remote installation. To get a sense of this for yourself, conduct a web search with the keywords keylogger+remote+installation. I did this with Google and over 100,000 results were returned (obviously, not all these links are download pages for keyloggers with remote installation capabilities, but it reflects the availability). Furthermore, remote installation is a moot point when keyloggers can be installed manually on publicly available computers, say in libraries and coffee shops.
The FTC lists surreptitious data collection as the third criterion for the restraining order. Keyloggers exist primarily for the purpose of surreptitious data collection (searching “keylogger” returns close to 1 million webpages, many offering free keyloggers and trial versions). Are these keyloggers next on the list? In my analysis, RemoteSpy is not substantively different.
In the FTC’s press release, they indicate that one of the problems with CyberSpy was how they advertised and presented RemoteSpy, as if CyberSpy was encouraging consumers to spy. What about keyloggers that are advertised slightly differently, say, as a means to keep tabs on a child? Will these be targeted by the FTC?
What now?
My intention with this blog is not to show approval or disapproval of the FTC’s decision to issue a restraining order against CyberSpy’s sale of RemoteSpy. I just think it is very narrow in scope, relative to the much broader problem. I am curious what is next on the agenda and where the line will be drawn. The line between good and bad software is a messy one, and strict criteria need to be published and publicly available. Most of all, these criteria need to be evenly applied. CA Anti-Spyware systematically analyzes commercial software against the CA Anti-Spyware Scorecard, found here. I believe that if the FTC evenly applies the criteria they state as reasons for restraining the sale of RemoteSpy, hundreds, possibly thousands of other readily available keyloggers will need to be targeted and restrained from sale and distribution. The anti-spyware industry has been detecting and removing keyloggers for over ten years and will continue to do so. Is RemoteSpy the first step, for the FTC, on a long road of catching up with private industry?
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
Nice write-up. It seems the FTC is focused on RemoteSpy so much because they deem that its potential abuse outweighs its positive uses. RemoteSpy’s marketing efforts of ‘spy on anyone from anywhere’ combined with a complete stealth installation make it an easy target. The Realtime-Spy software you mentioned above, according to the maker’s website at spytech-web.com, states that it requires the person running the remote installer to agree to install the monitoring software (with the ability to cancel install), thus removing its potential to be abused. This is probably the direction the FTC is trying to force other remotely installable keyloggers into.
Posted by: Anonymous, December 1, 2008 3:39 PM
Hi Anonymous, smart comment. I agree. It would make sense that anytime the FTC is looking to crack down on a particular abuse, they focus on the “lowest hanging fruit” (i.e., worst actors). If the restraining order sticks and the FTC pursues the case with success, I see no reason why they shouldn’t, out of even application of the law, begin pursuing some “slightly higher hanging fruit”, like the example I mention in this blog.
Posted by: Benjamin Googins, December 2, 2008 1:20 AM
Dear Mr. Googins,
Your article concerning our commercial keylogger product RemoteSpy has been referenced at our blog: http://www.remotespy.com/blog
We wholly agree that if the FTC really wanted to make some changes in the market, why not work with the whole industry or open the subject up for debate?
On November 25th, the U.S. District Court denied a proposed ban of RemoteSpy. In favor of fair reporting, please see our press release at: www.prweb.com/…/prweb1706254.htm
Concerning Anonymous’ comment about Realtime-Spy, this product has only just recently added an install notice, surely in response to the FTC’s actions.
Posted by: Remote Spy Software, December 7, 2008 12:09 AM