
Spyware 2020-21

CHAPTER 1
INTRODUCTION
In its simplest form, spyware is software designed to collect information from computer
system users without their knowledge. Any software that is surreptitiously installed on a user's
computer, monitors the user's activity and reports that behaviour back to a third party is
classified as spyware.

Spyware is used by cyber criminals to track and sell your internet usage data, capture your
credit card or bank account information, or steal your personal identity. They either sell the data
to willing third-party buyers or use it to blackmail you and extort money from you. Spyware poses
a significant threat to modern computing, and the numbers prove it.

According to a global survey, a total of 978 million people in 20 countries were affected by
cybercrime in the past year, and globally the victims of cybercrime lost a staggering 172 billion
dollars. Clearly, spyware poses a more than significant risk to all of us.

Looking at the types of spyware, there are 3 major categories:

1. Adware
2. Keyloggers
3. Trojans

Adware: This type of spyware tracks your browser history and downloads, with the intent of
predicting what products or services you’re interested in. The adware will display advertisements
for the same or related products or services to entice you to click or make a purchase. Adware is
used for marketing purposes and can significantly slow down your computer.

Dept. of CSE, SJBIT Page 1



Keyloggers: This type of spyware can capture just about everything you do on your computer.
Such system monitors can record all keystrokes, emails, chat-room dialogues, websites visited and
programs run, and they are often disguised as freeware. They are more dangerous than adware
because a keylogger tracks your keyboard, so it can easily obtain your email id and passwords.

Trojans: This kind of malicious software disguises itself as legitimate software. For example,
a Trojan may appear to be a Java or Flash Player update upon download. Trojan malware is
controlled by third parties and can be used to access sensitive information such as Social Security
numbers and credit card details. Trojans are the most dangerous of the lot because their
functionality is actively controlled by third parties, who can do whatever damage they see fit to
your system.

The simplest way to prevent spyware from affecting your system is to keep the operating system
up to date and to run a trusted antivirus product that keeps scanning in the background and stays
on the lookout for spyware. Avoid downloading content from sketchy websites, and delete any
suspicious-looking email attachments.

Spyware rarely operates alone on a computer; an affected machine usually has multiple
infections. Users frequently notice unwanted behaviour and degradation of system performance. A
spyware infestation can create significant unwanted CPU activity, disk usage and network
traffic. Stability issues such as applications freezing, failure to boot and system-wide crashes
are also common. Spyware that interferes with networking software commonly causes
difficulty connecting to the Internet.

In some infections, the spyware is not even evident. Users assume in those situations that the
performance issues relate to faulty hardware, Windows installation problems, or another
malware infection. Some owners of badly infected systems resort to contacting technical support
experts, or even buying a new computer because the existing system "has become too slow".
Badly infected systems may require a clean reinstallation of all their software in order to return
to full functionality.


Some types of spyware disable software firewalls and antivirus software, and reduce browser
security settings, which opens the system to further opportunistic infections. Some spyware
disables or even removes competing spyware programs, on the grounds that more spyware-
related annoyances increase the likelihood that users will take action to remove the programs.

Keyloggers are sometimes part of malware packages downloaded onto computers without the
owners' knowledge. Some keylogger software is freely available on the internet, while other
keyloggers are commercial or private applications. Most keyloggers capture not only keystrokes
but also screenshots from the computer.

Individual users can also install firewalls from a variety of companies. These monitor the flow of
information going to and from a networked computer and provide protection against spyware
and malware. Some users install a large hosts file which prevents the user's computer from
connecting to known spyware-related web addresses. Spyware may get installed via certain
shareware programs offered for download. Downloading programs only from reputable sources
can provide some protection from this source of attack.

CHAPTER 2

LITERATURE SURVEY

Detection and Prediction of Spyware for user Applications by interdisciplinary approach.


The authors Mahesh V and Dr. Sumithra K A first use a standard scaler to standardise the
feature values and then feed them to an artificial neural network to identify the malware. The
experimental results indicate that the approach achieves 99% accurate results.

Detection of spyware in software using a virtual environment.


Here spyware is combated before it is installed on our system: the software is first installed
on a virtual system and its files are checked for spyware extensions; if any such extensions
exist, the user is alerted. In the current iteration, semi-automated spyware detection is
proposed.

Elimination of spyware by intercepting kernel-level system routines.


The authors propose to eliminate spyware by intercepting kernel-level calls, because spyware is
found to manipulate the APIs in the system; the system routines are accessed and the APIs are
checked for the presence of spyware.

Exploring spyware effects.


In the next paper the authors investigate the occurrence and impact of spyware programs found
in popular P2P applications. From this they derive a more general perspective on spyware and
its effects on networks, and on how the presence of spyware decreases the utility of belonging
to a large virtual network.

Spyware:The ghost in the machine.


Authors Tom Stafford and Andrew Urbaczewski assess the types of spyware and the commercial
benefit behind spying on users, and evaluate what drives cyber criminals to create spyware and
to spy on users.


Summary of the surveyed papers (SL / Author / Methods / Outcome):

1. Mahesh V and Dr. Sumithra K A
   Methods: Using artificial neural networks to monitor various information and detect spyware.
   Outcome: The experimental results indicate that the approach is successful in achieving
   99% accurate results.

2. Narasima Mallikarjunan K., M.E
   Methods: A log and test approach is implemented to combat spyware in the system.
   Outcome: A solution for the early detection of spyware is proposed. In the current iteration,
   semi-automated spyware detection is proposed.

3. Danial Javaheri, Mehdi Hosseinzadeh and Amir Masoud Rahmani
   Methods: Behaviour analysis of spyware to detect novel patterns of spyware attacks.
   Outcome: Proposed a method based on dynamic behaviour analysis to perform real-time action
   to confront spyware through kernel-level calls.

4. Martin Boldt, Bengt Carlsson and Andreas Jacobsson
   Methods: Investigating the occurrence and impact of spyware found in P2P applications.
   Outcome: Developed a method for identifying and analysing spyware and its behaviour on host
   systems.

5. Tom Stafford and Andrew Urbaczewski
   Methods: Assessing the types of spyware and the commercial benefit behind spying on users.
   Outcome: Concluded that spyware is a mechanism that poses critical risks to users trying to
   protect their personal data from exploitation.

CHAPTER 3

PROBLEM STATEMENT
The first major concern with spyware is that it jeopardises our personal information. Theft of
information such as a credit card number or PAN card number could lead to dubious transactions
in our name and potentially put us in the crosshairs of the authorities.

The second major issue concerns the device itself. Since spyware runs in the background
completely unabated, it consumes a large portion of our computing power and may even change
system settings; this can slow the computer down or, in the worst case, cause overheating,
which eventually leads to system degradation and damage.

The presence of a large amount of adware could cause our search results to be manipulated:
because adware tracks our search history and downloads, it will intentionally bring up pop-ups
about the same topics and disrupt our overall browsing experience.

A log-and-test tracking system is proposed to pre-empt any attempt by spyware to enter and
access our system.

CHAPTER 4


METHODOLOGY

A process called hooking is deployed. We know that spyware tries to hide the critical APIs it
uses to call the kernel modules and to modify system objects. Our proposed method considers the
interaction of the malware with the OS to recognise the kind of spyware.

● An application is installed on a virtual machine and tested for the presence of a
keylogger.
● In the proposed algorithm the spyware is first installed and its location is obtained.
● An application carrying keylogger spyware is used in the analysis.
● When the application is executed, the spyware starts to monitor the keys pressed. The
keys pressed are logged and the letters are sent to the attacker's mail.
● If the mail is sent, spyware is present.
● If the mail is not sent immediately, the location of the installed application is obtained.
● The files and folders of the application are analysed to check whether they contain any
spyware extensions, and checked for spyware notations such as the @ symbol, "sendto" and
"mailed"; if they do, spyware is present.
● If the mail is not sent and there are no such extensions or notations, there is no
spyware.

CHAPTER 5

IMPLEMENTATION

A process called hooking will be deployed. We know that spyware tries to hide the critical
APIs it uses to call the kernel modules and to modify system objects. Our proposed method
considers the interaction of the malware with the OS to recognise the kind of spyware.

Spyware attack in progress

● First, a phishing page lures users into downloading an app that appears to have
legitimate functionality. After the user clicks the download link, what is downloaded is an
archive file that contains the application and, along with it, the spyware files.


● Then, when the file is installed on the system, the spyware files embedded within the
asset directory are installed along with the application, in a virtual environment.
● A few seconds after the application has been installed, the spyware starts functioning in
the background and begins to collect basic device information such as the IMEI number,
phone number, system details and all the other details stored on your system.
● All communication between the spyware and the third-party host is encrypted with RSA and
sent over HTTP.
● The spyware stores all the collected data in a local database; once the predetermined
command is pushed, it gathers all the logs, converts them into a JSON object and sends it
back to the hosting server.
● The third party controlling the server now uses this information to harm the victim.

Detecting spyware by system kernels

To detect the presence of spyware in a system, a process called hooking is used. Since it is
known that spyware tries to hide the critical APIs it uses to call the kernel modules and to
modify system objects, our proposed method considers the interaction of the malware with the
OS to recognise the kind of spyware.

The SSDT (System Service Descriptor Table) is an array of function pointers to important system
service routines. Kernel drivers are used in order to avoid the limitations of User Account
Control in user space and to nullify the spyware's defensive equipment. Since we know that
spyware manipulates the APIs in the system, we need to monitor the APIs for any discrepancies.

Compare the original address of each available API with its current address. Any variation
between the original and the current addresses means that spyware is present in the system.

Calculate the original address of each API and compare it with the values at startup time; as
stated above, any discrepancy means that spyware exists in the system.
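The startup-versus-current address comparison described above, as an added example that is not the report's own code. The service table is simulated as an in-memory list of (service name, address) pairs so the check runs anywhere; on a real Windows kernel both snapshots would be read by a driver. The service names are real NT service names, but every address and the kernel image range are constructed values, and the "inside/outside the kernel image" label is a refinement this example adds beyond the report's plain equality check.

```python
"""Added example (not the report's own code): the startup-versus-current
address comparison that the report describes for the SSDT, run on a simulated
service table so it executes anywhere.

On a real Windows kernel the two snapshots would be read by a driver; here the
table, the addresses and the kernel image range are constructed values.
"""
from typing import Dict, List, Tuple

ServiceTable = List[Tuple[str, int]]

# Assumed address range of the kernel image (constructed for this example).
KERNEL_IMAGE_RANGE = (0xFFFFF80000400000, 0xFFFFF80000A00000)

# Constructed "boot-time" service table: (service name, routine address).
BOOT_TABLE: ServiceTable = [
    ("NtCreateFile", 0xFFFFF80000512340),
    ("NtOpenProcess", 0xFFFFF8000052A8F0),
    ("NtReadVirtualMemory", 0xFFFFF80000533C10),
    ("NtQuerySystemInformation", 0xFFFFF80000548020),
]

# Constructed "current" table in which one entry has been redirected to an
# address outside the kernel image, as a hooking driver would leave it.
HOOKED_TABLE: ServiceTable = [
    (name, 0xFFFFF88001234560 if name == "NtOpenProcess" else addr)
    for name, addr in BOOT_TABLE
]


def snapshot(table: ServiceTable) -> Dict[str, int]:
    """Record the address of every service routine (taken at startup)."""
    return {name: addr for name, addr in table}


def find_discrepancies(baseline: Dict[str, int], current: Dict[str, int],
                       image_range=KERNEL_IMAGE_RANGE) -> List[Tuple[str, str, int, int]]:
    """Compare each current address with the startup address.

    Returns (service, finding, original, current) tuples; an empty list means
    every routine still points where it did at startup. The finding label also
    records whether a changed pointer still lies inside the kernel image, a
    refinement beyond the report's plain equality check.
    """
    lo, hi = image_range
    findings = []
    for name, orig in baseline.items():
        now = current.get(name)
        if now is None:
            findings.append((name, "entry-removed", orig, 0))
        elif now != orig:
            label = "redirected-inside-kernel" if lo <= now < hi else "redirected-outside-kernel"
            findings.append((name, label, orig, now))
    for name in sorted(current.keys() - baseline.keys()):
        findings.append((name, "entry-added", 0, current[name]))
    return findings


def spyware_suspected(findings) -> bool:
    """Report's decision rule: any discrepancy at all means spyware is present."""
    return bool(findings)


if __name__ == "__main__":
    base = snapshot(BOOT_TABLE)
    for label, table in (("clean", BOOT_TABLE), ("hooked", HOOKED_TABLE)):
        found = find_discrepancies(base, snapshot(table))
        print(f"{label}: spyware suspected = {spyware_suspected(found)}")
        for name, kind, orig, now in found:
            print(f"  {name}: {kind} {orig:#x} -> {now:#x}")
```

Running the script prints no findings for the clean table and one `redirected-outside-kernel` finding for `NtOpenProcess` in the hooked table. The baseline must be taken before any untrusted software runs; a snapshot taken after infection would simply enshrine the hooked addresses as "original".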

Virtualization

Whenever the user tries to install software downloaded from the internet, a pop-up asks whether
the software should be tested before being installed on the user's system. If the user chooses
test-and-install, the installation URL is redirected to a virtual machine. To create the emulated
virtual machine, the configuration file is read to learn the configuration of the user's system,
and the virtual machine is then created with that configuration. Virtualisation is the process of
creating a software-based version of a computer, with dedicated amounts of CPU, memory and
storage "borrowed" from a physical host computer. It basically allows us to run applications
independently of the underlying host system.

The application is first installed on the virtual machine, and a list of all packages installed
with it is obtained. The packages and application folders are parsed to check whether they
contain any spyware extensions; if they do, a message is generated. The application is tested
for the presence of keylogger and info-stealer spyware, and a report is generated from the test
result and sent to the user's system. Based on the report, the user decides whether the
application can be installed on the host machine. After the report has been sent to the user,
the virtual machine is destroyed.
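The file-and-folder analysis step that both the Methodology chapter and this Virtualization section describe, as an added example that is not the report's own code. Given the location of the installed application, the scanner walks its files, flags extensions treated as suspicious, and searches each file for the notations the report names (an @ mail address, "sendto", "mailed"), then applies the report's decision rule. The extension list, the notation patterns and the sample package tree are all assumptions constructed for this example, and the "mail sent" observation is passed in as a flag because watching the sandbox's outbound mail is outside this script.

```python
"""Added example (not the report's own code): the log-and-test check from the
Methodology and Virtualization sections, applied to an installed package tree.

The watch-lists and the sample package tree are assumptions constructed for
this example; the "mail sent" signal is passed in as a flag because the
sandbox's outbound-mail observation is outside this script.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed watch-lists (constructed for this example, not from the report).
SUSPICIOUS_EXTENSIONS = {".dll", ".sys", ".vbs", ".bat", ".ps1", ".scr"}
NOTATION_PATTERNS = {
    "mail-address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "sendto": re.compile(r"\bsendto\b", re.IGNORECASE),
    "mailed": re.compile(r"\bmailed\b", re.IGNORECASE),
}


@dataclass
class Report:
    mail_sent: bool
    suspicious_files: List[Tuple[str, str]] = field(default_factory=list)  # (path, ext)
    notations: List[Tuple[str, str, str]] = field(default_factory=list)  # (path, label, text)

    @property
    def spyware_present(self) -> bool:
        """Report's decision rule: mail sent, or a suspicious extension, or a
        spyware notation means spyware is present; none of them means clean."""
        return self.mail_sent or bool(self.suspicious_files) or bool(self.notations)


def scan_package(root: str, mail_sent: bool) -> Report:
    """Apply the decision rule to the application installed under `root`."""
    report = Report(mail_sent=mail_sent)
    if mail_sent:  # mail already observed: verdict is known without parsing files
        return report
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                report.suspicious_files.append((rel, ext))
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: the extension check above still counts
            for label, pattern in NOTATION_PATTERNS.items():
                match = pattern.search(text)
                if match:
                    report.notations.append((rel, label, match.group(0)))
    return report


def build_sample_package(clean: bool) -> str:
    """Construct a throw-away package tree (sample data, not a real application)."""
    root = tempfile.mkdtemp(prefix="pkg_")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Demo notes application. Settings live in assets/.\n")
    if not clean:
        with open(os.path.join(root, "assets", "config.ini"), "w", encoding="utf-8") as fh:
            fh.write("[upload]\nreport_to=collector@example.invalid\nmode=sendto\n")
        with open(os.path.join(root, "assets", "helper.vbs"), "w", encoding="utf-8") as fh:
            fh.write("' constructed placeholder script; it does nothing\n")
    return root


if __name__ == "__main__":
    for clean in (True, False):
        result = scan_package(build_sample_package(clean), mail_sent=False)
        print(f"clean={clean}: spyware present = {result.spyware_present}")
        for rel, ext in result.suspicious_files:
            print(f"  suspicious extension {ext} in {rel}")
        for rel, label, text in result.notations:
            print(f"  notation {label} ({text!r}) in {rel}")
```

On the constructed infected tree the scanner reports the `.vbs` helper and the mail address and "sendto" notation in `assets/config.ini`; the clean tree produces no findings. Extension and keyword matching is a weak signal on its own (legitimate installers also ship scripts and contact addresses), which is why the report pairs it with the behavioural check of whether mail actually leaves the virtual machine.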


Log file


A log file is a file that records either events that occur in an operating system or other
software, or messages between different users of communication software. All the messages are
written to a single log file. In this case the log file is created by the keylogger: it stores all
the keys pressed, along with the mouse events.


The virtual machine detects the process id of the attacker's process; from the process id, the
process sent by the attacker is identified.

CHAPTER 6

CONCLUSION
I would like to conclude by saying that spyware no doubt represents a serious threat to users'
control over their computers and their Internet connections. Subsequent development of spyware
technologies, combined with a continuous increase in its distribution, will affect system and
network capacity. A disastrous situation may occur if a network is seriously overloaded with it.

As discussed, we should be able to mitigate the threat of spyware to our systems, but we should
also remember that spyware is constantly evolving, so the threat will always be present and we
must keep updating our systems and security to protect ourselves from it.


REFERENCES
[1] Narasima Mallikarjunan K., M.E, "Detection of Spyware in Software Using Virtual
Environment", DOI: 10.1109/ICOEI.2019.8862547

[2] Tom Stafford and Andrew Urbaczewski, "Spyware: The Ghost in the Machine".

[3] Mahesh V and Dr. Sumithra K A, "Detection and Prediction of Spyware for User
Applications by Interdisciplinary Approach", DOI: 10.1109/CISPSSE49931.2020.9212222

[4] Martin Boldt, Andreas Jacobsson and Bengt Carlsson, "Exploring Spyware Effects".

[5] Danial Javaheri, Mehdi Hosseinzadeh and Amir Masoud Rahmani, "Detection and
Elimination of Spyware and Ransomware by Intercepting Kernel-Level System
Routines", DOI: 10.1109/ACCESS.2018.2884964