eBlaster is computer monitoring software offered by SpectorSoft. They also make a product named Spector Pro, which is very similar. The main difference between the two is that eBlaster is designed for remote installation, with reports of activity delivered by email, whereas Spector Pro is designed for someone who has physical access to the monitored computer to review the reports.

eBlaster and Spector Pro are very powerful. The software is frequently changed so that it remains undetectable by common anti-virus software. eBlaster can be installed remotely (Spector Pro cannot) by preconfiguring it with all the necessary options and then sending or giving it to someone to install.

The following are some basic observations from a forensic analysis of a computer with eBlaster installed.

The main function of the program is to record all user activity such as screenshots, emails, instant messages, etc., and then to send a report of that activity via email:

Installation of eBlaster is fairly simple and merely requires a registration key and an email address to which the activity reports will be sent.

The eBlaster program uses some random folder/file naming techniques to make it a little more difficult to detect or locate. In all of my testing the software always installs some of the required files into a randomly named subfolder located in the "\windows\system32" folder. The image below is an example of a folder randomly named "subitvox" under the "\windows\system32" folder:

There are eight files installed into this folder during the installation, of which one is an executable (admin control panel), while the rest are either .dll's or files with misleading file extensions. The eighth file is in the subfolder named "canunsec" seen above. Each installation I performed caused all of these files and folders to get random names.

One of the easiest ways to "detect" whether eBlaster has been installed is to attempt to locate a simple text logfile that is created by the program. The file is always in the root of the randomly generated folder under "\windows\system32". The log file is a simple ASCII text file and commonly had a . The log file has some very predictable text that can easily be detected using a grep search:

```
12:56:00: (AGT,EXPLORER) Initializing process for file C:\WINDOWS\explorer.exe Recording App 1 Blocking App 1
12:56:00: (EBR,EXPLORER) Start Monitor - User lance on REG-OIPK81M2WC8
12:56:00: (EBR,EXPLORER) Windows XP Home Edition Service Pack 1 ()
12:56:00: (EBR,EXPLORER) IPC Message pump started.
12:56:00: (SHR,EXPLORER) PacketProcessorEB::CreatePacketXML: Sending settings to server.
```

Some of the lines above have been word-wrapped by the blog, but normally each line in this text file will begin with the datestamp then the timestamp. The datestamp format is always "mm/dd/yyyy". The timestamp format is always "hh:mm:ss:". A simple GREP search of "#/#/#:#:#:" would find this logfile, regardless of its name, with minimal false positive hits.

The above method is the simplest manner to locate active logs generated from eBlaster, as well as fragments in unallocated space, MFT records and $LogFile.

The eBlaster software itself is all controlled by several .dll files dropped into the "\windows\system32" folder. A random GUID is generated and placed in the HKLM\Software\Classes\CLSID key. Here is an example from one of the installations:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Winoscmd\: "Comivjob"
```

From a network perspective, upon initially booting the machine, a DNS request is made to a domain of "". That domain has the following registration information:

That domain currently resolves to the IP address of "209.61.133.199". This IP address is registered by a company named:

NetRange: 209.61.133.192 - 209.61.133.223

After the DNS request, there is an initial posting of data to the remote server, most likely for licensing validity. This network traffic is sent via TCP port 443 in an SSL wrapper. Although you cannot easily see the contents, an initial or periodic communication to that IP address would be an excellent indication that eBlaster is installed. The program will periodically send activity reports to that IP address based on how it has been configured. When in doubt, simply booting a copy of the machine in question in a controlled network environment (no Internet access!) would yield some instant communications that would tip you off. Here is a screenshot of the initial communication upon booting the system (between 192.168.214.1 and 192.168.214.134 on port 443):
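The timestamp GREP search described on this page, written out as an added example (not code from the original post): a regex equivalent of the "#/#/#:#:#:" pattern that parses each hit into its fields and runs over raw bytes, so the same function can be pointed at a live log, a carved fragment or an unallocated-space dump. The single space between datestamp and timestamp and the sample dates are assumptions; the log lines themselves are the ones shown above.

```python
import re

# Regex form of the "#/#/#:#:#:" GREP pattern: mm/dd/yyyy, then hh:mm:ss with
# eBlaster's trailing colon, then the "(MODULE,PROCESS) message" body seen in
# the sample log lines. Whitespace between date and time is an assumption.
EBLASTER_LINE = re.compile(
    rb"(?P<date>\d{2}/\d{2}/\d{4})\s*"
    rb"(?P<time>\d{2}:\d{2}:\d{2}):\s*"
    rb"\((?P<module>[A-Z]{3}),(?P<process>[A-Z0-9_.]+)\)\s*"
    rb"(?P<msg>[^\r\n]*)"
)

def find_log_entries(data: bytes) -> list:
    """Parse every eBlaster-style log line found anywhere in raw bytes, so it
    works on a live log file, a carved fragment or an exported $LogFile alike."""
    entries = []
    for m in EBLASTER_LINE.finditer(data):
        entries.append({
            "date": m["date"].decode(),
            "time": m["time"].decode(),
            "module": m["module"].decode(),
            "process": m["process"].decode(),
            "msg": m["msg"].decode(errors="replace").strip(),
        })
    return entries

def looks_like_eblaster_log(data: bytes, min_hits: int = 3) -> bool:
    """Flag a blob once several timestamped module lines are present."""
    return len(find_log_entries(data)) >= min_hits

# Constructed sample: the page's log lines with a made-up datestamp, wrapped in
# junk bytes the way a fragment carved from unallocated space would appear.
SAMPLE = (
    b"\x00\x00slack bytes\xff\xfe"
    b"01/15/2004 12:56:00: (AGT,EXPLORER) Initializing process for file C:\\WINDOWS\\explorer.exe\r\n"
    b"01/15/2004 12:56:00: (EBR,EXPLORER) Start Monitor - User lance on REG-OIPK81M2WC8\r\n"
    b"01/15/2004 12:56:00: (EBR,EXPLORER) IPC Message pump started.\r\n"
    b"01/15/2004 12:56:00: (SHR,EXPLORER) PacketProcessorEB::CreatePacketXML: Sending settings to server.\r\n"
    b"unrelated text dated 12/25/2003 with no module tag\r\n"
)

if __name__ == "__main__":
    for e in find_log_entries(SAMPLE):
        print(e["date"], e["time"], e["module"], e["process"], e["msg"])
    print("eBlaster log fragment:", looks_like_eblaster_log(SAMPLE))
```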