CHAPTER 1
INTRODUCTION
In its simplest form, spyware is software designed to collect information about computer users
without their knowledge. Any software that is surreptitiously installed on a user's computer,
monitors the user's activity and reports that behaviour back to a third party falls under this
definition.
Cyber criminals use spyware to track and sell internet usage data, to capture credit card or bank
account details, or to steal a person's identity. The stolen information is either sold to willing
third-party buyers or used to blackmail the victim and extort money. Spyware poses a significant
threat to modern computing, and the numbers bear this out.
According to one global survey, a total of 978 million people in 20 countries were affected by
cybercrime in the preceding year, and victims of cybercrime worldwide lost a staggering 172
billion dollars. Spyware is clearly a more than significant risk to all of us.
Looking at the types of spyware, there are three major categories:
1. Adware
2. Keyloggers
3. Trojans
Adware: This type of spyware tracks your browsing history and downloads with the intent of
predicting which products or services you are interested in. It then displays advertisements for
the same or related products or services to entice you to click or make a purchase. Adware is
used for marketing purposes and can significantly slow down your computer.
Keyloggers: This type of spyware, also known as a system monitor, can capture just about
everything you do on your computer: keystrokes, emails, chat-room dialogues, websites visited and
programs run. System monitors are often disguised as freeware. They are more dangerous than
adware because, by recording the keyboard, they can easily capture your email addresses and
passwords.
Trojans: This kind of malicious software disguises itself as legitimate software; for example, a
Trojan may be presented as a Java or Flash Player update when downloaded. Trojan malware is
controlled remotely by a third party and can be used to access sensitive information such as
Social Security numbers and credit card details. Trojans are the most dangerous of the three
because their functionality is actively directed by the attacker, who can do whatever damage
they see fit to the system.
The simplest and most basic way to prevent spyware from affecting a system is to keep the
operating system up to date. A trusted antivirus product should be scanning in the background
and watching for spyware. Avoid downloading content from dubious websites, and delete any
suspicious-looking email attachments.
Spyware rarely operates alone on a computer; an affected machine usually has multiple
infections. Users frequently notice unwanted behaviour and degradation of system performance. A
spyware infestation can create significant unwanted CPU activity, disk usage and network
traffic. Stability issues such as applications freezing, failure to boot and system-wide crashes
are also common. Spyware that interferes with networking software commonly causes difficulty
connecting to the Internet.
In some infections the spyware is not even evident. Users then assume that the performance
issues relate to faulty hardware, Windows installation problems or another malware infection.
Some owners of badly infected systems resort to contacting technical support experts, or even
buy a new computer because the existing system "has become too slow". Badly infected systems
may require a clean reinstallation of all their software to return to full functionality.
Some types of spyware disable software firewalls and antivirus software and reduce browser
security settings, which opens the system to further opportunistic infections. Some spyware even
disables or removes competing spyware programs, on the grounds that more spyware-related
annoyances increase the likelihood that the user will take action to remove all of them.
Keyloggers are sometimes part of malware packages downloaded onto computers without the
owners' knowledge. Some keylogger software is freely available on the internet, while other
keyloggers are commercial or private applications. Most keyloggers not only capture keystrokes
but are also capable of taking screen captures of the computer.
Individual users can also install firewalls from a variety of vendors. These monitor the flow of
information to and from a networked computer and provide some protection against spyware and
malware. Some users install a large hosts file, which prevents the computer from connecting to
known spyware-related web addresses (a hosts file only blocks connections made by name, so
spyware that contacts its server directly by IP address is unaffected). Spyware may also be
installed via certain shareware programs offered for download; downloading programs only from
reputable sources provides some protection against this vector.
CHAPTER 2
LITERATURE SURVEY
Dept. of CSE, SJBIT Page 3
Spyware 2020-21
CHAPTER 3
PROBLEM STATEMENT
The first major concern with spyware is that it jeopardises our personal information. Theft of
information such as a credit card number or PAN card number could lead to fraudulent
transactions in our name and potentially put us in the crosshairs of the authorities.
The second major issue pertains to the device itself. Since spyware runs in the background
unchecked, it consumes a large portion of the available computing power and may even change
system settings. This can slow the computer down or, in the worst case, cause overheating, which
eventually leads to degradation and damage of the hardware.
The presence of a large amount of adware can cause our search results to be manipulated:
because adware tracks our search history and downloads, it deliberately raises pop-ups related to
them and disrupts the overall browsing experience.
A log-and-test tracking system is proposed to pre-empt any attempt by spyware to enter and
access the system.
CHAPTER 4
METHODOLOGY
The detection method is built on hooking. Spyware hooks the critical APIs through which it calls
kernel modules and modifies system objects, in order to hide its activity from ordinary
user-space tools. The proposed method therefore examines how a program interacts with the
operating system through those APIs in order to recognise the kind of spyware present.
CHAPTER 5
IMPLEMENTATION
This chapter first traces how a representative spyware sample reaches a device and what it does
there, and then describes how hooking-based detection finds it. A typical infection proceeds as
follows:
● First, a phishing page lures the user into downloading an app that appears to have
legitimate functionality. When the user clicks the download link, what is actually served is an
archive file that contains the application and, alongside it, the spyware files.
● When the application is installed, the spyware files embedded within its asset directory are
installed along with it, into a virtual environment of their own.
● A few seconds after installation, the spyware starts running in the background and begins
collecting basic device information such as the IMEI number, phone number and system details,
together with any other data stored on the device.
● All communication between the spyware and the third party's host is encrypted with RSA and
sent over HTTP. (RSA can only encrypt a few hundred bytes per operation, so in practice it wraps
a symmetric key that encrypts the bulk of the data; and because the transport is plain HTTP, the
encrypted blobs are still visible to a network monitor as unexplained POST traffic.)
● The spyware stores all collected data in a local database. Once a predetermined command is
pushed to it, it gathers all the logs, converts them into a JSON object and sends them back to
the hosting server.
● The third party controlling the server then uses this information to harm the victim.
Detection works at the same level as the spyware. Because spyware hides the critical APIs it
uses to call kernel modules and modify system objects, the method looks at how the malware
interacts with the OS, specifically at the kernel's system call table, to recognise the kind of
spyware present.
The SSDT (System Service Descriptor Table) is an array of function pointers to the kernel's
system service routines; every system call made by a user-mode program is dispatched through
it. The detector is implemented as a kernel driver rather than a user-mode program, to avoid the
limitations that User Account Control imposes on user space and to get underneath the spyware's
own defences. Since spyware manipulates these entries to hide its activity, the method monitors
the table for discrepancies.
Record the original address of each service routine at start-up (or compute it from the kernel
image on disk), and compare it with the address currently held in the table. Any entry whose
current address differs from its original, or which points outside the kernel image altogether,
has been hooked, and that indicates the presence of spyware in the system.
Two practical caveats: the baseline must be captured before the spyware loads, otherwise the
hooked address is recorded as "original"; and on 64-bit Windows, Kernel Patch Protection
(PatchGuard) already treats SSDT modification as a fatal error, so this technique is mainly
applicable to 32-bit systems.
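The comparison step above, modelled in Python as an added example (this is not the report's own code, and a real detector would read KeServiceDescriptorTable from a kernel driver). The service indices, handler addresses, kernel image range and hook address are all constructed values chosen for illustration. Besides the baseline comparison the report describes, the check also flags an entry that points outside the kernel image, which still catches a hook when the baseline itself was taken after the spyware had loaded.

```python
"""Model of the SSDT integrity check: baseline snapshot vs. current table.

Added example, not the report's own code. The service indices, addresses,
kernel image range and hook address below are all constructed; a real
detector would read KeServiceDescriptorTable from a kernel driver.
"""
from dataclasses import dataclass

# Assumed (constructed) load range of the kernel image. A genuine SSDT
# entry must point into this range; a hook points into the rootkit's driver.
KERNEL_IMAGE_RANGE = (0x80400000, 0x80800000)

# Constructed baseline: service index -> (name, handler address), captured
# at boot before any third-party driver has loaded.
BASELINE_SSDT = {
    0x25: ("NtCreateFile",             0x80500A10),
    0x4D: ("NtOpenProcess",            0x80511B20),
    0x91: ("NtQueryDirectoryFile",     0x8052C330),
    0xAD: ("NtQuerySystemInformation", 0x80530440),
    0xBF: ("NtReadVirtualMemory",      0x80534550),
    0xDE: ("NtTerminateProcess",       0x80538660),
}


@dataclass(frozen=True)
class Finding:
    index: int
    name: str
    expected: int
    actual: int
    reason: str


def read_live_ssdt():
    """Stand-in for reading the live table; returns index -> address."""
    return {index: addr for index, (_, addr) in BASELINE_SSDT.items()}


def hook_entry(table, index, hook_address):
    """Return a copy of the table with one entry redirected, as a rootkit would do."""
    hooked = dict(table)
    hooked[index] = hook_address
    return hooked


def check_ssdt(current, baseline=BASELINE_SSDT, kernel_range=KERNEL_IMAGE_RANGE):
    """Compare the live table against the baseline; an empty list means clean.

    Two checks per entry: (1) the address changed since the baseline, which is
    the comparison the report describes; (2) the address lies outside the kernel
    image, which still catches a hook when the baseline itself was captured
    after the spyware had already loaded.
    """
    lo, hi = kernel_range
    findings = []
    for index, (name, expected) in sorted(baseline.items()):
        actual = current.get(index)
        if actual is None:
            findings.append(Finding(index, name, expected, -1, "entry missing"))
        elif actual != expected:
            findings.append(Finding(index, name, expected, actual, "address changed since baseline"))
        elif not lo <= actual < hi:
            findings.append(Finding(index, name, expected, actual, "points outside kernel image"))
    return findings


if __name__ == "__main__":
    live = read_live_ssdt()
    print("clean table:", check_ssdt(live))
    # Constructed hook: NtQueryDirectoryFile redirected into a driver mapped
    # far outside the kernel image, the classic way a rootkit hides files.
    hooked = hook_entry(live, 0x91, 0xF8A01234)
    for f in check_ssdt(hooked):
        print(f"SSDT[{f.index:#04x}] {f.name}: expected {f.expected:#010x}, "
              f"found {f.actual:#010x} ({f.reason})")
```

In a real driver the next step after a finding is to resolve the hook address to the driver that owns it, which names the component to remove; that mapping is omitted here because it depends on the live loaded-module list.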
Virtualization
Whenever the user tries to install software downloaded from the internet, a pop-up asks whether
the software should be tested before being installed on the user's system. If the user chooses
"test and install", the installation is redirected into a virtual machine. To create the emulated
machine, the configuration file is read to learn the configuration of the user's system, and a
virtual machine matching it is created. Virtualisation is the process of creating a
software-based version of a computer with dedicated amounts of CPU, memory and storage
"borrowed" from a physical host computer; it allows applications to run independently of the
underlying host system.
The application is first installed on the virtual machine, and a list of all packages installed
with it is collected. The package and application folders are parsed to check whether they
contain any spyware extensions; if they do, a message is generated. The installation is tested
for the presence of keylogger and info-stealer spyware, and a report is generated from the test
results and sent to the user's system. Based on the report, the user decides whether the
application may be installed on the host machine. After the report has been sent, the virtual
machine is destroyed, so that nothing the application did inside it persists.
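The package-parsing step, as an added example that is not part of the report or of the cited papers. The script opens a downloaded archive without extracting it and flags members an honest application would not ship: code inside an asset directory (the hiding place described in the infection walkthrough), executables disguised under a data extension, and paths that escape the extraction directory. It goes a little beyond the report's "spyware extensions" check by looking at magic bytes as well as file names. The archive contents, directory names and indicator lists are constructed for illustration.

```python
"""Pre-install scan of a downloaded application archive.

Added example, not the report's own code: it models the step in which the
package and application folders are parsed for spyware extensions before
the user decides whether to install on the host. The archive contents,
directory names and indicator lists are constructed for illustration.
"""
import io
import json
import zipfile
from pathlib import PurePosixPath

# Directories that should only hold data, never code.
ASSET_DIRS = {"assets", "asset", "res", "resources"}
# Extensions that mark code rather than data.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".so", ".dex", ".jar", ".apk"}
# Magic bytes that identify executables no matter what the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE image",
    b"\x7fELF": "ELF binary",
    b"dex\n": "Dalvik DEX bytecode",
}


def executable_type(head):
    """Return a description if the first bytes of a file mark an executable."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return desc
    return None


def scan_archive(archive_bytes):
    """Inspect every member without extracting; return the report as a dict."""
    findings = []
    scanned = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            scanned += 1
            path = PurePosixPath(info.filename)
            ext = path.suffix.lower()
            with zf.open(info) as fh:
                head = fh.read(8)
            kind = executable_type(head)
            in_asset_dir = any(part.lower() in ASSET_DIRS for part in path.parts[:-1])
            reasons = []
            if ".." in path.parts or path.is_absolute():
                reasons.append("path escapes the extraction directory")
            if in_asset_dir and (ext in EXECUTABLE_EXTS or kind):
                reasons.append("executable content inside an asset directory")
            if kind and ext not in EXECUTABLE_EXTS:
                reasons.append(f"{kind} disguised as '{ext or 'no extension'}'")
            for reason in reasons:
                findings.append({"file": info.filename, "reason": reason})
    return {
        "members_scanned": scanned,
        "findings": findings,
        "verdict": "block" if findings else "allow",
    }


def build_sample_archive(with_payload=True):
    """Constructed sample: a small app, optionally with spyware hidden in assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/readme.txt", "Notes app 1.0")
        zf.writestr("app/assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        if with_payload:
            zf.writestr("app/assets/update.dll", b"MZ\x90\x00" + b"\0" * 60)  # code in assets
            zf.writestr("app/assets/theme.png", b"MZ\x90\x00" + b"\0" * 60)   # PE named .png
            zf.writestr("../../startup.exe", b"MZ\x90\x00" + b"\0" * 60)      # zip-slip path
    return buf.getvalue()


if __name__ == "__main__":
    # The JSON report is what would be sent back to the user's system.
    print(json.dumps(scan_archive(build_sample_archive()), indent=2))
```

The scan runs on the archive bytes alone, so it can be done before the package is ever unpacked inside the virtual machine; the behavioural tests for keyloggers and info-stealers still need the installed application to run.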
Log file
A log file is a file that records either events that occur in an operating system or other software
runs, or messages between different users of communication software.All the messages are
written in a single log file. In this case a log file is created by the keylogger.It stores all the keys
pressed, along with the mouse events.
The virtual machine detects the process id of the attacker, from the process id the process being
sent by the attacker is identified.
CHAPTER 6
CONCLUSION
I would like to conclude by saying that spyware undoubtedly represents a serious threat to users'
control over their computers and their Internet connections. Further development of spyware
technologies, combined with a continuous increase in its distribution, will affect system and
network capacity, and a disastrous situation may occur if a network becomes seriously overloaded
with it. As discussed, we should be able to mitigate the threat of spyware to our systems, but we
must also remember that spyware is constantly evolving, so the threat will always be present and
we must keep updating our systems and security to protect ourselves from it.