Wide Information Flow For Malware And Crime


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract - It is likely that about one out of many large companies systematically monitors the computer, internet, or email use of its users and employees. There are hundreds of different products available today that will let organizations see what their users do at work on their "personal" computers, in their email, and on the internet.

But what do such numbers really mean? What does company monitoring of user/employee email, internet, and computer usage actually look like? What sorts of things can an organization/company see users do at their computers, and what sorts of computer activities are currently invisible to workplace monitoring? This document attempts to propose, as concretely as possible, what "Informational Flow" on internet and computer usage looks like: its extent, the key concepts involved, and the forces driving its adoption.

Keywords: Email monitoring, Internet monitoring, Computer monitoring, Chats/IM monitoring, Network monitoring, Document monitoring, Web site monitoring, Productivity monitoring.

A study found that 20 million users in the US, or about 1/3 of the online workforce (that is, those users with regular internet access at work), have their web surfing or e-mail monitored. Globally, the figure is about 28 million, or about 1/4 of the global online workforce[1].

Why capture?

Monitor work flow: 29.2% 

Investigate theft: 29.2% 

Investigate espionage: 21.5% 

Review performance: 9.2% 

Prevent harassment: 6.2% 

Seek missing data: 3.1% 

Seek illegal software: 3.1% 

Prevent personal use: 3.1%

II OVERVIEW OF KEY LOGGING

The keyboard is the primary target for key loggers because it is the most common user interface with a computer. Although both hardware and software key loggers exist, software key loggers are the dominant form and thus are the main focus of this paper. For completeness, this paragraph mentions hardware key loggers, as they do pose a significant security threat[2]. A common example of a hardware key logger is a "ghost" device that may be physically attached to a target machine to extract and store keystrokes on persistent storage within the device. A basic concept behind key loggers and similar malware is their pattern of attack. Most malware infections follow a fairly standard attack pattern that involves the sequential stages of development, distribution and infection, and execution[3]. The initial stage is vital to the process, as any malware that is not yet implemented cannot be used by an attacker. There are four distinct approaches to malware placement on the Internet for distribution:

1) Advertisements. These provide a common hosting place for malware. As advertisements often tend to be redirections chained together, it is possible for third parties to inject the location of malicious content into one of the nodes in the chain.

2) Third-party widgets. As with advertisements, widgets are fundamentally embedded links, often to an external JavaScript function or similar entities that can be redirected to dangerous locations.

3) User contributed content. Here a typical web user physically uploads content to a public location. If the web master does an inadequate job of checking content legality and validity via appropriate sanitization techniques, malicious content placement may occur.

4) Web server security mechanisms. These mechanisms also play an important role as they can impede malware placement on web sites by controlling server content such as HTML, JavaScript, PHP (or other scripting languages and applications), and database contents. Therefore, an attacker who gains control of these security mechanisms has the ability to completely control the content on the web server and use it to his advantage.

III DESIGN AND IMPLEMENTATION

Key logger design and implementation strategies are based upon several factors: the infecting medium, the type of target machine, the lifetime of the key logger, and the level of stealth and footprint left on the machine while active. Infection mechanisms depend on the form of the key logger. High-level key loggers executing in the user-mode of an operating system are implemented using a variation of user mode hooks[4]. Low-level kernel-mode key loggers are typically implemented as root ware, a combination of both root kits and spyware that employ another variation of hooking. Implementing key loggers as device drivers is another common approach to gain privileged access to the kernel to intercept I/O data[5]. Using this approach, root ware developers can layer their drivers on top of the device driver stack and intercept I/O requests that pass between the keyboard device and kernel in order to extract keystroke data that maps to specific ASCII characters. This layered driver approach as implemented on a Windows operating system is depicted in Figure 1.

Figure 1: Layered device driver interception of I/O data.

ENHANCEMENT OF KEYLOGGING:

CLIENT-SERVER-BASED INTERCEPTION

All available user-monitoring products are essentially programs that report on (and in some cases constrain) how you use other programs. Having installed a user-monitoring program, an organization can, depending on the type of program, see how much time users (individually and/or in aggregate) spend playing Solitaire, or what web sites they visit, or even read email messages that they typed but then deleted and didn't send. The organization may also be able to prevent users from visiting certain web sites, or from sending or receiving certain emails[6].

KEYSTROKE LOGGING (KEY LOGGING)

Keystroke logging, also known as key logging, is the capture of typed characters/numbers. The data captured can include document content, passwords, user IDs, and other potentially sensitive bits of information. The program logs all keystrokes along with the name of the application in which the keystrokes were entered. It also notes the window captions and all URLs visited with a web browser. This allows you to review all the text written by your employee/user, whether it was created with a text editor, e-mail client or an on-line text control on a web page[7]. You can view all the pages visited by your employee/user and the passwords for all their on-line accounts. For easier monitoring, you can also turn on automatic screenshot capture.

HOW KEY LOGGERS WORK

Keyloggers are hardware or software tools that capture characters/numbers sent from the keyboard to an attached computer.

Quality assurance testers analyzing sources of system errors;

Developers and analysts studying user interaction with systems[8];

Employee monitoring; and

Law enforcement or private investigators looking for evidence of an ongoing crime or inappropriate behavior.

Other detection methods include:

Scan local drives for log.txt or other log file names associated with known keyloggers;

Implement solutions that detect unauthorized file transfers via FTP or other protocols;

Scan content sent via email or other authorized means looking for sensitive information;

Detect encrypted files transmitted to questionable destinations.

IV LOGGING AND MONITORING

From monitoring you can detect hacking attempts, virus or worm infections and propagation, configuration problems, exploits, hardware problems and many others. Monitoring is an important factor in maintaining the stability of the network. Information security focuses on ensuring confidentiality, integrity, availability and accountability. From network monitoring you can detect attempts to access forbidden information or resources, such as unauthorized access, which in turn ensures confidentiality[9]. You can detect attempts to change or alter information, such as file modification, which ensures integrity. And you can detect any kind of problem that can affect the availability of the information, such as a DoS or DDoS attack[10].

The main goal of this project is to give an idea of some of the benefits that anyone can get from complete monitoring of the network, using both logging for almost all the devices and the different types of network monitoring tools, including bandwidth monitoring, packet sniffing and IDSs.

COMPUTER SECURITY AND LOG MANAGEMENT

A log is a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network[11]. Logs were originally used primarily for troubleshooting problems, but logs now serve many functions within most organizations, such as optimizing system and network performance, recording the actions of users, and providing data useful for investigating malicious activity.

Because of the widespread deployment of networked servers, workstations, and other computing devices, and the ever-increasing number of threats against networks and systems, the number, volume, and variety of computer security logs have increased greatly. This has created the need for computer security log management, which is the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

THE BASICS OF COMPUTER SECURITY LOGS

Logs can contain a wide variety of information on the events occurring within systems and networks[12]. This section describes the following categories of logs of particular interest:

Security software logs primarily contain computer security-related information.

Operating system logs and application logs typically contain a variety of information, including computer security-related data.

BENEFITS & FEATURES OF OUR APPROACH

As storage is now cheaper and processors faster, "recording everything" becomes a realistic possibility, which we will try to accomplish.

A "universal inbox" (all company documents are delivered as email or email attachments) would make it possible to record all company workflow. 

"Convergence" of all office devices may provide a single "integrated" site for monitoring. 

A LIST OF ACCOUNTABILITY FEATURES:

Key Strokes Typed at any place

Programs opened

Title of documents, videos, music, etc opened

Websites visited

Online duration & uptime

PC-wise and user wise analysis

Notification of harmful PCs on the network

Control of Network Usage

Prevention of Information Leak From Organization

WHO MAY NEED THIS?

Hospitals

Banks

IT Organizations

Institutions & Universities

Call Centers

Internet Business Organizations

Government Bodies

V PROPOSED ALGORITHM

Signature-based anti-keyloggers. These are applications that typically identify a keylogger based on the files or DLLs that it installs, and the registry entries that it makes. Although this approach successfully identifies known keyloggers, it fails to identify a keylogger whose signature is not stored in its database. Some anti-spyware applications use this approach, with varying degrees of success. Most anti-virus software detects keylogger applications based on this approach.

Hook-based anti-keyloggers. A hook process in Windows uses the function SetWindowsHookEx(), the same function that hook-based keyloggers use. This is used to monitor the system for certain types of events, for instance a keypress or mouse click. However, hook-based anti-keyloggers block this passing of control from one hook procedure to another. This results in the keylogging software generating no logs at all of the keystroke capture. Although hook-based anti-keyloggers are better than signature-based anti-keyloggers, note that they are still incapable of stopping kernel-based keyloggers.
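The signature-based approach, combined with the earlier detection method of scanning drives for "log.txt or other log file names associated with known keyloggers", can be sketched as below. This is an added example, not code from the original essay: the name patterns other than log.txt, the SHA-256 hash set (standing in for the "files or DLLs" signature) and all sample files are constructed assumptions, and registry entries are not covered.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Constructed signature database (illustrative values, not real indicators).
KNOWN_NAME_PATTERNS = ["log.txt", "keylog*.txt", "*.klg"]
SAMPLE_DLL_BYTES = b"constructed stand-in for a known keylogger DLL"
KNOWN_SHA256 = {hashlib.sha256(SAMPLE_DLL_BYTES).hexdigest()}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Return {relative_path: reason} for files matching a stored signature."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            try:
                if any(fnmatch(name.lower(), p) for p in KNOWN_NAME_PATTERNS):
                    findings[rel] = "name"
                elif sha256_of(path) in KNOWN_SHA256:
                    findings[rel] = "hash"
            except OSError:
                findings[rel] = "unreadable"  # surface it, do not skip silently
    return findings


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "log.txt": b"captured text",          # matches a name signature
            "helper.dll": SAMPLE_DLL_BYTES,       # innocuous name, known hash
            "notes.txt": b"meeting notes",        # benign
            "cache.dat": b"captured text, new variant",  # no stored signature
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        return scan(root)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: matched by {reason}")
```

The constructed cache.dat file is not reported, which is the limitation noted above: a keylogger whose signature is not in the database goes undetected.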

VI CONCLUSION

Software that can not only monitor every keystroke and action performed at a PC but also be used as legally binding evidence of wrong-doing has been unveiled. Worries about cyber-crime and sabotage have prompted many employers to consider monitoring employees. They have joined forces to create a system which can monitor computer activity, store it and retrieve disputed files within minutes… "People need to recognize that you are using a PC as a representative of a company and that employers have a legal requirement to store data."

A website monitoring service can check HTTP pages, HTTPS, SNMP, FTP, SMTP, POP3, IMAP, DNS, SSH, TELNET, SSL, TCP, ping and a range of other ports with a great variety of check intervals, from every 4 hours to every one minute.

Typically, most network monitoring services test your server anywhere between once-per hour to once-per-minute. Features:

Protect intellectual property and business secrets

Prevent and stop sabotage and data theft

Prevent Internet/email abuse

Reduce workplace slackers

Improve efficiency and productivity

VII REFERENCES

[1] S. Sagiroglu and G. Canbek, "Keyloggers," IEEE Technology and Society Magazine, vol. 28, no. 3, pp. 10 –17, fall 2009.

[2] ThinkGeek.com, "Spy keylogger," 2010 (accessed May 8, 2010), http://www.thinkgeek.com/gadgets/security/c49f/.

[3] T. Olzak, "Keystroke logging (keylogging)," Adventures in Security, April 2008 (accessed May 8, 2010), http://adventuresinsecurity.com/images/Keystroke_Logging.pdf.

[4] S. Shah, "Browser exploits - attacks and defense," London, 2008 (accessed May 8, 2010), http://eusecwest.com/esw08/esw08-shah.pdf.

[5] G. Hoglund and J. Butler, Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, 2005.

[6] P. Mell, K. Kent, and J. Nusbaum, "Guide to malware incident prevention and handling," National Institute of Standards and Technology, Gaithersburg, MD, Tech. Rep. 800-83, November 2005.

[7] B. Whitty, "The ethics of key loggers," Article on Technibble.com, June 2007 (accessed May 8, 2010), http://www.technibble.com/the-ethics-of-key-loggers/.

[8] C. Wood and R. K. Raj, "Sample keylogging programming projects," 2010 (accessed May 8, 2010), http://www.cs.rit.edu/~rkr/keylogger2010.

[9] Bauer, Michael D., Chapter 10 (System Log Management and Monitoring) of Building Secure Servers with LINUX, O’Reilly, 2002.

[10] Babbin, Jacob et al, Security Log Management: Identifying Patterns in the Chaos, Syngress, 2006

[11] Stout, Kent, "Central Logging with a Twist of COTS in a Solaris Environment.", SANS Institute, March 2002, URL: http://www.sans.org/rr/papers/52/540.pdf

[12] Mendez, William, "Windows NT/2000 Event Logs.", SANS Institute, April 2002, URL: http://www.sans.org/rr/papers/67/290.pdf
