Computer Forensics, Malware Analysis & Digital Investigations: Basic eBlaster forensic analysis

eBlaster is computer monitoring software offered by SpectorSoft. They also make a product named Spector Pro, which is very similar. The main differences between the two is eBlaster is designed for remote installations and reports of activity to be delivered by email, whereas SpectorPro is designed for someone who has physical access to the monitored computer to review the reports.

eBlater and Spector Pro are very powerful. The software is frequently changed so it remains undetectable by common anti-virus software. The following is some basic oberservations of a forensic analysis of a computer with eBlaster installed.

eBlaster can be installed remotely (SpectorPro cannot) by preconfiguring it with all the necessary options and then sent or given to someone to be installed. The main function of the program is to record all user activity such as screenshots, emails, instant messages, etc. and then to send a report of that activity via email:

Installation of eBlaster is fairly simple and merely requires a registration key and an email address to where the activity reports will be sent.

The eBlaster program uses some random folder/file naming techniques to make it a little more difficult to detect or locate. In all of my testing the software always installs some of the required files into a randomly named subfolder located in the "\windows\system32" folder. There are eight files installed into this folder during the installation, of which one is an executable (admin control panel), while the rest or either .dll's or files with misleading file extensions. The image below is an example of a folder randomly named "subitvox" under the "\windows\system32" folder:

The eighth file is in the subfolder named "canunsec" seen above. Each installation I performed, caused all of these files and folders to get random names. Additionally, there are several .dll files dropped into the "\windows\system32" folder.

One of the easiest ways to "detect" whether eBlaster has been installed, is to attempt to locate a simple text logfile that is created by the program. The file is always in the root of the randomly generated folder under "\windows\system32". The log file is a simple ASII text file and commonly had a .dll file extension. The log file has some very predictable text can easily be detected using a grep search:

11/27/2008 12:56:00: (AGT,EXPLORER) Initializing process for file C:\WINDOWS\explorer.exe Recording App 1 Blocking App 1
11/27/2008 12:56:00: (EBR,EXPLORER)
11/27/2008 12:56:00: (EBR,EXPLORER) Start Monitor - User lance on REG-OIPK81M2WC8
11/27/2008 12:56:00: (EBR,EXPLORER) Build Number 3067. Serial Number 1234567890
11/27/2008 12:56:00: (EBR,EXPLORER) Windows XP Home Edition Service Pack 1 (5.1.2600)
11/27/2008 12:56:00: (EBR,EXPLORER) IPC Message pump started.
11/27/2008 12:56:00: (SHR,EXPLORER) PacketProcessorEB::CreatePacketXML: Sending settings to server.

Some of the lines above have been word-wrapped by the blog, but normally each line in this text file will begin with the datestamp then the timestamp. The datestamp format is always "mm/dd/yyyy". The timestamp format is always "hh:mm:ss:". A simple GREP search of "##/##/#### ##:##:##:" would find this logfile, regardless of it's name, with minimal false positive hits.

The above method is the simplest manner to locate active logs generated from eBlaster, as well as fragments in unallocated, MFT records and $LogFile.

The eBlaster software itself is all coontrolled by several .dlls that are loaded via the registry. A random GUID is generated and placed in the HKLM\Softwae\Classes\CLSID key. Here is an example from one of the installations:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E116682-4410-4969-B8FA-5C3CCAE78026}\ProgID\: "Winoscmd"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E116682-4410-4969-B8FA-5C3CCAE78026}\InprocServer32\: "C:\WINDOWS\System32\chmucfav.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E116682-4410-4969-B8FA-5C3CCAE78026}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E116682-4410-4969-B8FA-5C3CCAE78026}\: "Comivjob"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE256AD1-14D6-428F-BAEE-59B158AFFA0F}\InprocServer32\: "C:\WINDOWS\System32\midexkey.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE256AD1-14D6-428F-BAEE-59B158AFFA0F}\InprocServer32\ThreadingModel: "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE256AD1-14D6-428F-BAEE-59B158AFFA0F}\: "sapiclan"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winoscmd\CLSID\: "{7E116682-4410-4969-B8FA-5C3CCAE78026}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winoscmd\: "Comivjob"

From a network perspective, upon initially booting the machine, a DNS request is made to a domain of "d2a1376gf-43ty-245a.com". That domain has the following registration information:

Registrant:
Spectorsoft Corp.
1555 Indian River Blvd
Bldg B-210
Vero Beach, FL 32960
U.S.

Registrar: DOTREGISTRAR
Domain Name: D2A1376GF-43TY-245A.COM
Created on: 23-MAY-07
Expires on: 23-MAY-09
Last Updated on: 10-APR-08

That domain currently resolves to the IP address of "209.61.133.199". This IP address is registered by a company named:

OrgName: Robust Technology
OrgID: ROBUST
Address: 12178 Fahr Park Lane
City: St Louis
StateProv: MO
PostalCode: 63146
Country: US

NetRange: 209.61.133.192 - 209.61.133.223
CIDR: 209.61.133.192/27
NetName: RSPC-22301-0007111720
NetHandle: NET-209-61-133-192-1
Parent: NET-209-61-128-0-1
NetType: Reassigned
Comment:
RegDate: 2000-07-12
Updated: 2000-07-12

After the DNS request, there is an initial posting of data to the remote server, most likely for licensing validity. This network traffic is sent via TCP port 443 in an SSL wrapper. Although you cannot easily see the contents, an initial or periodic communication to that IP address would be excellent indication that eBlaster is installed. The program will periodically send activity reports to that IP address based on how its been configured.

When in doubt simply booting a copy of the machine in question in a controlled network environment (no Internet access!) would yield some instant communications that would tip you off. Here is a screenshot of the initial communication upon booting the system (between 192.168.214.1 <> 192.168.214.134 on port 443):

The above testing wa done on the latest release of eBlaster as of 11/2008:

7 comments:

Anonymous Monday, 01 December, 2008: Been playing around with it too. I'm using a newer version 3071. Can't find the log file you speak of, I grepped all files under system32, even for "2008" or "explorer". Log file writing was enabled. Writing of the log files can be disabled from General Options -> Applications -> Advanced so not a sure fire way to detect this. File names and sizes vary after reinstalling so no luck there. It can be updated remotely too so hard to stop once it's installed...remember, only for family or employee monitoring.
Anonymous Monday, 08 December, 2008: Yeah, I'll bet the day the original post went on here about it, they eliminated that logfile from their product.

Think about it - you know they monitor for posts like this. It was quite foolish of the original poster to publicly post this.
Anonymous Monday, 08 December, 2008: Lance,

Did you notice if the MAC Dates were tied to the Kernel32.dll as they are with their other product? I found that the quickest method of identification of the files, by sorting on MAC Dates in a forensic software.

Don L.
Anonymous Tuesday, 09 December, 2008: The method of rebooting and watching for net traffic immediately after boot is probably the most reliable way to look for it, although, I'll bet they're using different ports now.

I'd also check the integrity of those randomly named files....they probably always have the same header and footer, regardless of their names.

I don't see how the MAC times will help you if the product was installed 6 months ago. You'll have mac times of files you won't know the names of. Maybe, I'm not understanding you, so if that doesn't make sense, I apologize.

If there was a way to protect this conversation, with a password request or something, I'd be happy to contribute much more to this..
Anonymous Monday, 29 December, 2008: One easier way I have found in the past to detect eBlaster, is to just try to reinstall eBlaster. Durring the process of reinstalling it will as you for a password. That is the previous password, not for you to set one up. If it asks for a password, then it is on the box.

Scott Moulton / Forensic Strategy Services, LLC
Anonymous Tuesday, 17 February, 2009: To determine installation date or as close as you can come. In the data folder ("canusec" in the illustration above) there may/should be an .ocx file that logs information about the monitoring process. It begins with the date that the machine was first run/restarted after the installation of the monitoring software.

Don L.
Derek Ellington Tuesday, 22 September, 2009: FYI, If you image the machine there are some ways to detect it by running an FTK or DT search index on the DD image. Searching for Eblaster, Spectorsoft or the suspected email address that the reports would go to are ways to locate it. In my experience parts of the emailed reports end up in the drivefreespace.

EnScript v6 Tutorial IV

Thursday, November 27, 2008

Basic eBlaster forensic analysis

7 comments:

Post a Comment

Search This Blog

Blog Archive

Label Cloud

Contact

Subscribe via email

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles