I saw something on the Rachael Ray show today that I think has some
serious potential for problems that I’m sure that the folks advocating
it have considered. It was something called "Snoopstick". It’s sold as a
means of checking up on children and what they’re doing on the Internet.
I don’t doubt for a second that some companies use this or similar
products to monitor employee Internet usage as well.

On the surface of it, this sounds like a righteous thing, keeping kids
safe from predators and so on. Make no mistake, this use of things like
this is understandable and legitimate. The problem is that it’s entirely
too easy to use something like this for malicious purposes as well.

All that needs to happen is for somebody to gain access to your computer
long enough to plug in the snoopstick’s USB key and install it’s
monitoring software. After that, the device doesn’t even need to be
connected to your computer because it can be monitored remotely. While
it’s one thing to keep an eye on your kids and who they’re in contact
with, but it can easily be another matter if somebody gets a few minutes
to install it. This raises the possibility of all sorts of snooping on
financial & personal information, identity theft and more.

With that thought in mind I did a few minutes of searching and found a Symantec
security response page about Snoopstick
.

Here’s what Symantec had to say about it:

Updated: 23 February 2007 11:49:09 PM
Type: Spyware
Risk
Impact: Medium
Systems Affected: Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, Windows XP

Spyware.SnoopStick is
installed via a usb key, when the following file is executed:
[USB
DRIVE LETTER]\setup\SnoopStick.exe

Once this thing is installed, the person controlling it can monitor web
surfing, instant message, and email activities. They can also block
access to websites or cut Internet access, cause whoever’s on the
computer to be logged off whether they want to or not or even shut the
target computer down completely.

To determine if it’s been installed, you can look for these files:

  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\instance.dat
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\mia.dll
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\SnoopStick.dat
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\SnoopStick.exe
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\SnoopStick.msi
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\SnoopStick.par
  • C:\Documents and Settings\All Users\Application
    Data\{67E71F41-70D9-4823-8EC0-78BC232B5E7A}\SnoopStick.res
  • C:\WINDOWS\Installer\[RANDOM NUMBER].msi
  • %System%\logs\ClientSSFileUpdater.txt
  • %System%\logs\CSSSWDDbgLog.txt
  • %System%\logs\SSDbgLog.txt
  • %System%\logs\Web070221.log
  • %System%\mslspcg.exe
  • %System%\smdnn05.dll
  • %Windir%\CSSSUpd.exe
  • %Windir%\CSSSWD.exe
  • %Windir%\SSCRG.exe
  • %Windir%\SSDGT.exe
  • %Windir%\SSLS.exe
  • %Windir%\SSMsgr.exe

Note: on most computers %System% in a path will be C:\Windows\System
and
%Windir% will be C:\Windows

It also creates these registry keys that set up it’s services:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ChatRecMonSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSLOGSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WS2IFSL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ChatRecMonSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSLOGSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\
    FA8950F240E56D941A25FD74A4AC2C8A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\{2F0598AF-5E04-49D6-A152-DF474ACAC2A8}

If you find these files and registry keys, then I’d say it’s probable
that somebody has installed Snoopstick on your computer. Of course, If
you delete these files and registry keys this *should* disable this
little piece of spyware.

**Note: On Windows XP and higher It is likely that you will need
Administrator privileges in order to edit the registry and possibly to
delete the files. In any case, be very careful when editing the registry
because there is potential to do more harm than good. When in doubt,
consult a tech.

Technorati Tags: ,
,

Be Sociable, Share!
  • Twitter
  • Facebook
  • email
  • Google Reader
If you enjoyed this post, make sure you subscribe to my RSS feed!

Filed under: InternetLast DaysPrivacySecuritySoftwareTutorials

Like this post? Subscribe to my RSS feed and get loads more!