As above, I have started a degree project and have decided to do some research on spyware, i.e. understanding how it works, programming tools used to create them? ... As a part of the project, firewalls and anti-virus will be tested. I'm thinking about creating a simple virus/ware to understand how they work and understand why they target certain areas of the OS.
Any help would be great. Source code, papers etc.!
P.S. Platforms are XP Pro.
Re: Spyware programming..
13 years 10 months ago #5815
Hmm.. let me see if I can dance round this fairly sensitive topic.
First and foremost..
What is your programming background ? Which languages are you familiar with ?
I'm taking it you're not familiar with programming since you asked what programming tools are used to create spyware...
There are no tools.. they're just written in one language or another.. Since most malware is written by socially inept morons with too much free time and little programming knowledge.. they're written in higher level languages.. usually they copy-paste them together in Visual Basic.
Most spyware relies on deception more than any great coding to embed itself and disable security mechanisms...
Disabling firewalls and anti-virus is usually fairly trivial.. a list of the executable image names of popular products will be checked against processes in memory, they will be killed if possible, or they will be killed on the disk. Or maybe their startup entries will be deleted so they will never come up after the next reboot.
Keylogging is usually done through a simple hook to the keyboard.. unfortunately not that easy to detect (someone correct me on this if I'm wrong)...
What else do they do ? Worms will propagate by including their own SMTP server to mail themselves around... and scan other portions of the network..
The algorithm used by worms for scanning usually shows how (in)competent a virus writer is.. if it's a simple sequential scan of the IP address space, you've got a horribly inefficient worm that will not spread very quickly since each worm will rescan already infected regions...
Random scanning is almost as bad.. it shows that the virus writer didn't have the brains to write the scanning module.. so he threw in a rand() or 4...
There is a very good paper on the subject of worm propagation algorithms. Worth a read for every security researcher (and a waste of time for every marketing lowlife who wants to code spyware to get his ads seen).