Background
Earlier this week the Federal Trade Commission issued a temporary restraining order against CyberSpy Software, LLC to stop the sale of RemoteSpy keylogger. In the vendor’s own words: ‘RemoteSpy can easily record websites visited, keystrokes typed, internet comversations[sic], email logging, documents opened, and so much more.’ The FTC’s stated reasons for issuing the order include: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information.*
In my own previous analysis, RemoteSpy acts(ed) as both a service and software provider. CyberSpy hosts servers that the keylogging software routinely connects with to upload covertly collected data. The attacker can remotely login to an account where all the data will be stored and viewable. RemoteSpy can be installed remotely by the attacker -- silently and unbeknownst to the victim. The software runs quietly in the background making no obvious appearance to the victim, collecting user data like passwords and the data stated by the author, above. This type of software has been detected by anti-spyware products, like CA Anti-Spyware, for well over 10 years.
Too little. Too late?
Does this mean the end of commercial spyware? Hardly. When I first read the subject line to the FTC’s press release, ‘Court Orders Halt to Sale of Spyware’, I was pretty excited. Unfortunately, this restraining order is only temporary and limited to one particular piece of software -- the RemoteSpy keylogger. I would guess CyberSpy is working with their lawyers to launch an appeal.
Even if this restraining order sticks and is made permanent, there is a plethora of other keyloggers available on the market, many for free -- will the FTC expand this restraining order? CA Anti-Spyware detects well over 1000 different keyloggers including Invisible Keylogger, Activity Monitor, and EBlaster. Take a look at this screenshot of a webpage for Realtime-Spy keylogger:
Some of the features include ‘remote installation’, ‘logging multiple machines’, and ‘log all keystrokes’. Sound much different than the criteria the FTC lists as reason for the restraining order against CyberSpy?
The FTC listed remote installation as the first criteria for issuing the restraining order. RemoteSpy may have used particularly aggressive techniques for installation, but based on my own experience, many keyloggers allow for remote installation. To get a sense of this for yourself, conduct a web search with the keywords keylogger+remote+installation. I did this with Google and over 100,000 results were returned (obviously, not all these links are download pages for keyloggers with remote installation capabilities, but it reflects the availability). Furthermore, remote installation is a moot point when keyloggers can be installed manually on publicly available computers, say in libraries and coffee shops.
The FTC lists surreptitious data collection as the third criteria for the restraining order. Keyloggers exist primarily for the purpose of surreptitious data collection (searching “keylogger” returns close to 1 million webpages, many offering free keyloggers and trial versions). Are these keyloggers next on the list? In my analysis, RemoteSpy is not substantively different.
In the FTC’s press release, they indicate that one of the problem’s with CyberSpy was how they advertised and presented RemoteSpy, as if CyberSpy was encouraging consumers to spy. What about keyloggers that are advertised slightly differently, say, as a means to keep tabs on a child? Will these be targeted by the FTC?
What now?
My intention with this blog is not to show approval or disapproval of the FTC’s decision to issue a restraining order against CyberSpy’s sale of RemoteSpy. I just think it is very narrow in scope, relative to the much broader problem. I am curious what is next on the agenda and where the line will be drawn? The line between good and bad software is a messy one and strict criteria need to be published and publicly available. Most of all, these criteria need to be evenly applied. CA Anti-Spyware systematically analyzes commercial software against the CA Anti-Spyware Scorecard, found here. I believe that if the FTC evenly applies the criteria they state as reasons for restraining the sale of RemoteSpy, hundreds, possibly thousands of other readily available keyloggers will need to be targeted and restrained from sale and distribution. The anti-spyware industry has been detecting and removing keyloggers for over ten years and will continue to do so. Is RemoteSpy the first step, for the FTC, on a long road of catching up with private industry?
Reference:
* http://ftc.gov/opa/2008/11/cyberspy.shtm
** http://epic.org/