An introduction to keyboard spies (keyloggers)
Sunday, 16 October 2005
Spyware is the term for applications that record information about a user's behavior on the Internet and report it to their creators. The results of their activity can range from pop-up advertising to more serious breaches of system security, including information theft, keystroke logging, changes to Internet connection settings, and the installation of a backdoor.

Spyware applications usually get onto a system through shareware that is funded by displaying banners and advertising. Other sources include instant messaging programs, various peer-to-peer applications, popular download managers, online games, numerous porn and hacker sites, and many others. It should be noted that spyware applications mainly target the Microsoft Internet Explorer browser. Users of modern alternative web browsers, such as Mozilla Firefox or Apple Safari, are for the most part not affected by spyware at all.

The latest infection methods used by spyware applications do not require any interaction with the user. Known as "drive-by downloads", they deliver spyware to the user's computer without the user's knowledge, either when visiting a certain web page, when opening archived files, or when clicking a pop-up window containing an active element such as an ActiveX control or a Java applet. Spyware modules can also be contained in image files, and sometimes even in drivers for new hardware.

Methods of espionage

Depending on the information it collects, a spyware application can work in different ways. Some collect information about the user's Internet habits for marketing purposes, while others are more insidious. In either case, the spyware application tries to identify the information sent over the network using a unique identifier, for example a cookie file stored on the user's computer or a globally unique identifier (GUID). The spy then sends logs to a remote user or to a server that collects the information. This information usually includes the host name, the IP address and the GUID, as well as logins, passwords and other important data.

Types of keyboard spies

As already mentioned, keyboard spies (keyloggers) are applications that monitor keystrokes and send this information to a malicious user. This can be done by e-mail or by sending the data directly to a server located somewhere on the Internet. The information can then be used to harvest e-mail or other credentials from unsuspecting users, and possibly even to obtain program source code from software vendors.

Although keyloggers have existed for quite a long time, the recent growth in their number demands renewed attention. In particular, this is due to the ease with which a computer can be infected: the user merely needs to visit a certain web page.

Keyloggers are divided into three types:

Hardware keyloggers

These are tiny devices installed between the keyboard and the computer. Because of their small size they often go unnoticed for a long time; however, they require physical access to the equipment. These devices can record hundreds of characters typed on the keyboard, including e-mail and bank credentials.

Applications with a hooking mechanism

This type uses the Windows API function SetWindowsHookEx(), which monitors keystroke messages. Usually the spyware application consists of an exe file that installs the hook and a dll file that handles recording of the information. An application that calls SetWindowsHookEx() can intercept even auto-filled passwords.

The third type of keylogger runs at the kernel level and receives information directly from the input device (usually the keyboard). It replaces the core software that processes keystrokes. It can be programmed to be invisible by taking advantage of being executed at system boot, before user-level applications start. Because the program runs at the kernel level, it cannot intercept auto-filled passwords, since that information is passed at the application level.

Analysis of a keylogger

There are many keyloggers, including The Blazing Tools Perfect Keylogger (http://www.blazingtools.com/bpk.html), Spector (http://www.spector.com), Invisible Keylogger Stealth (http://www.amecisco.com/iks2000.htm) and Keysnatch (http://www.fileheaven.com/Keysnatch/download/2975.htm). Most of them are similar in functionality and capabilities. Therefore, in our examples we will look at the keylogger from Blazing Tools.

We decided to analyze The Blazing Tools Perfect Keylogger because it is found in many Trojan horses. It is a good example of a keylogger with a hooking mechanism. Although Blazing Tools' products are aimed at IT managers and parents, the presence of their product in many Trojan horses shows that legitimate software can be used for malicious purposes. Here are the main features of Perfect Keylogger that attract malicious users:

Stealth mode

In this mode, no Perfect Keylogger icon appears in the taskbar and the keylogger is effectively hidden.

Remote installation

The keylogger can be bundled with other programs and sent by e-mail for installation on a remote computer in stealth mode. It will then send the typed keystrokes, screenshots and the list of visited sites to the remote user's e-mail address or to an FTP server.

Smart renaming

This feature allows all of the keylogger's executable files and registry entries to be renamed.

We installed a version of this keylogger on a test computer. With a program such as SNAPPER (http://www.users.globalnet.co.uk/ashwobla/snapper/) it is possible to see the changes in the file system after installing Perfect Keylogger.



 
© 2004-2007 Daita.org