Tracking software?

Discussion in 'other security issues & news' started by meneer, May 28, 2003.

Thread Status:
Not open for further replies.
  1. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    This article on ZDNet http://news.zdnet.co.uk/story/0,,t269-s2135251,00.html leads to the question whether this kind of tooling is useful.
    ZDnet points to Softex http://www.softexinc.com/securitydownpage.asp

    Doing a search on tracking tools gives plenty of other options:
    PC PhoneHome Pro™ http://www.pcphonehome.com/events.html
    http://www.absolute-protect.com/index.htm
    I love this message on their site
    :D :rolleyes:

    http://www.protectyourlaptop.com/ztracegold.htm
    http://www.webdetect.com/products/WDCTS/tracking-home.htm

    This software installs in a 'hidden' system partition and, when a PC connects to the internet, sends an e-mail to the owner. The software is not removable, so when a laptop is stolen, this software is still active and the e-mail should lead to the location where the stolen laptop connected to the internet...

    Does anyone have any experience with this kind of protection?
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer,

    very interesting tools! :D This information here seems vital to me as well:

    PC PhoneHome Pro™ Highly Resistant to Removal by Reformatting the Computer's Hard Drive:

    With the computer properly configured, PC PhoneHome Pro™ is capable of surviving a thief's attempt to "clean" the computer hard drive and wipe safety or security software by reformatting the hard drive using the "format" or "fdisk" commands. PC PhoneHome™ will stay resident and continue to "PhoneHome" the next time the computer makes an Internet connection.

    "For example, PC PhoneHome™ makes it possible for a businessman who has his computer stolen in an airport in Paris, London, Buenos Aires, Johannesburg, Moscow or even Beijing to recover it even if he lives in New York," said Moran. "International boundaries or clever thieves that wipe the hard drives of stolen computers are not even a speed-bump for PC PhoneHome™ Pro."


    Have to look at it more closely! ;)

    Regards,

    Patrice
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Phoenix and Softex claim that their tools are not even vulnerable to removal of the hard disk or flashing the BIOS :cool:

    But: does it work as proposed?
    And: the stealth mail function: does it work regardless of any firewall software?
    And....
     
  4. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Meneer,

    I will have a closer look at it. You can download a trial version on some sites. I will test it thoroughly because I'm using a laptop and I'm a businessman. So I am really interested in that! I will test it during the next days. ;)

    Regards,

    Patrice

    P.S. Do you think that a thief installs a firewall as the first thing? No, not at all, first he will connect to the internet, to see if it works... :D
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Correct, but suppose they boot the computer and suppose there's no password protection for logging on, then any firewall software that's already installed might block all untrusted internet connections (well, if that's the case, you'd probably already have created a rule to permit this kind of stealth mail :p ).
    But then again, perhaps a Windows firewall cannot detect stealth mail :eek:
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer,

    I was talking about a fresh installation of Windows. That's what thieves normally do with your computer. They aren't interested in your data, just in your computer.

    Here's what I know so far:

    TheftGuard: Very bad documentation, I won't buy/install that. :(

    PC PhoneHome: Very good documentation and you can download a Trial! :D

    Absolute Protect: Very good documentation and you can download a Trial! :D

    zTrace Gold: Documentation not overwhelming, not possible to download a Trial :(

    Web Detect: Very good documentation but not possible to download a Trial unfortunately :doubt:

    This means, I will test PC PhoneHome and Absolute Protect on my system. Web Detect seems to be good as well (it's also the most expensive), but unfortunately you cannot test it. I will look at it later. ;)

    Regards,

    Patrice
     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Patrice,

    I'm looking forward to your tests :D . I'll try to get some results too (can't promise anything, though).

    Is there anybody else who knows about these tools?
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Interesting.
    Saw some more pages with tips and products.
    http://www.stolenlaptop.com/
    http://www.computrace.com/public/main/default.asp
    http://www.worldsecuritycorp.com/Order_Computrace.htm
     
  9. controler

    controler Guest

    The software can't stop you from formatting, even if they use the same principle as the forensics people use to recover data. You can wipe the disk first and use Partition Magic to repartition it, then reformat/u.
     
  10. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi all,

    o.k., here are the first results of the test. I was testing Absolute Protect first:

    http://www.absolute-protect.com/

    Here's how it works:

    When you install the software, you will be asked where to install the software (directory) and to enter a description for the program to hide it in the computer's memory. Look at the first screenshot to understand it a little bit better. I will give suggestions to that later on:
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    After that, the software is installed and running in the background. For sure it is started every time when Windows starts. This means that an exe file (in this case PR2003.exe) will be started and running in the background. This means that a sandbox utility and a firewall will find out about it. As you see, Look'n'Stop was able to detect the program:
     
  12. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    But be aware, that the assumption is, that someone steals your computer (laptop), deletes everything on it and installs a new and fresh Windows on it. The process and the program won't be deleted according to the developers (I won't check that!).

    If you open Task Manager you will see that a program is running all the time (svchost; compare it to the first screenshot):
     
  13. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    So, now I explain how it works. Imagine that the thief has stolen your laptop and has installed a new Windows on it. As soon as he connects the computer to the internet (I'm sure that he will do that :D), the program will send out a signal to the server. I checked out the online reports of this server, they are very accurate. Like that you can trace him down with the help of your local police.

    Possibilities of detection of the program by the thief:

    If the thief looks at all processes which are running in the background, he will see that there is a program running he doesn't know (in this case C:\Programme\Protect\PR2003.exe). That's why you have to hide it in a better way than I did. Imagine, would you get suspicious if the path were C:\Windows\system32\restore.exe or something similar like that? You have to do the same as trojan writers do.

    If the thief installs a firewall or something similar like that he will see, that a process will connect to the internet. But honestly, you won't install a firewall first. First of all you connect to the internet to check if everything is working fine, after that you will do all the updates,... And therefore the program will have sent out the ping already.

    If the thief opens Task Manager, he will see, that a program is running (in my case svchost). Again you need to hide that in a better way like Windows Restore or whatever! Like that he won't get suspicious that fast.

    Most important to know is, that you just need one signal from him to trace him down! I'm pretty sure, that he won't find out about this program from the beginning. Only after a while. But until then you already have some signals from him! :D

    Best regards,

    Patrice
     
  14. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    O.K. here we go with the next test. Secondly I tested PC PhoneHome:

    http://www.pcphonehome.com/

    As you will see, this software has a different approach than the first one. It uses email to send a signal out of the computer. During installation you have to enter the following data:
     
  15. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    After a restart, the software didn't send out the information unfortunately... I don't know why it didn't work. Perhaps I have set something wrong. Until now I didn't receive any message from this software. I tried to change the configuration I made, but I realized very soon that there's no command you can start up the program with... Nor can you uninstall it from your computer. Neither on the site of PC PhoneHome nor in the attached Help File is any info concerning configuration or uninstalling. Pretty bad though! So I had to contact the support of the company. Right now I'm waiting for an answer. :(

    Nevertheless I have some additional information about the program. One process is started and running in the background all the time. Its name is Tskman.exe. Another process is started at Startup as well, but I'm not yet sure if it belongs to the program. It's called DsKey.exe. Both processes are situated in the C:\Windows\system32 folder. If you start Task Manager, there's no application which is shown. So you can't find out about this process like that. But if you look at the processes running in the background you surely find out about it. But as I said in another post, it's quite difficult to know that it's not belonging to a Windows process. ;)

    Hope I can give you additional information about this software soon!

    Regards,

    Patrice
     
  16. controler

    controler Guest

    I have tested a few keyloggers and they use your POP e-mail account. Here is the deal as I have stated before. Even if you do not have your e-mail client loaded but have allowed the connection of your e-mail through your firewall, the keylogger still sends the mail without your knowledge. The firewall does not kick in because you have allowed your e-mail client via firewall, BUT the interesting thing I found was, with Norton AV set to monitor incoming and outgoing e-mail, the Norton splash screen still kicked up telling me mail was being sent. A nice hook, ey?

    con
     
  17. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Even if the developer manages to have the program still work after a format, does it still work if the hard drive is replaced? I would guess not unless it stored its information somewhere else..

    They should take a leaf out of trojan and virus writers' books, have their program loaded into a standard process, like svchost; if the thief wants to connect to the net he needs to allow svchost (for DNS requests), which then allows the program an OUT on port 53.

    -Jason-
     
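Posts 13 and 17 both turn on the same point: a phone-home (or any unwanted) process can only be spotted if someone checks the process list for names that do not fit their path, or paths that do not fit a clean Windows. The script below is an added example, not part of this thread or of any of the products discussed; it triages a constructed process snapshot (PID and image path, as a `tasklist`-style export would give) with a hypothetical allow-list and flags the three patterns the posts describe: a system-binary name running outside system32, an unfamiliar file sitting inside system32, and an unfamiliar file elsewhere.

```python
from pathlib import PureWindowsPath

# Constructed sample snapshot (pid, image path); not captured from a real machine.
# It deliberately mirrors the cases in the thread: PR2003.exe under C:\Programme\Protect,
# Tskman.exe dropped into system32, and a fake svchost.exe in a user profile folder.
SAMPLE_PROCESSES = [
    (432,  r"C:\WINDOWS\system32\svchost.exe"),
    (1180, r"C:\WINDOWS\system32\svchost.exe"),
    (1752, r"C:\Programme\Protect\PR2003.exe"),
    (1960, r"C:\WINDOWS\system32\Tskman.exe"),
    (2044, r"C:\Documents and Settings\user\svchost.exe"),
    (2200, r"C:\Programme\Look'n'Stop\looknstop.exe"),
]

SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
# Windows binaries that should only ever run from the system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
# Hypothetical allow-lists a defender would build from a known-clean install (constructed).
KNOWN_SYSTEM_FILES = SYSTEM_BINARIES | {"explorer.exe", "spoolsv.exe"}
KNOWN_USER_FILES = {"looknstop.exe"}


def classify(path):
    """Return a category for one image path (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    in_system_dir = p.parent == SYSTEM_DIR
    if name in SYSTEM_BINARIES and not in_system_dir:
        return "masquerade"            # trusted name, wrong directory
    if in_system_dir and name not in KNOWN_SYSTEM_FILES:
        return "unknown-in-system32"   # unfamiliar file hiding among system files
    if not in_system_dir and name not in KNOWN_USER_FILES:
        return "unrecognised"          # unfamiliar file anywhere else
    return "ok"


def triage(processes):
    """Map every PID in the snapshot to its category."""
    return {pid: classify(path) for pid, path in processes}


def suspicious(processes):
    """Only the entries a reviewer should look at, as (pid, path, category)."""
    return [(pid, path, classify(path)) for pid, path in processes if classify(path) != "ok"]


if __name__ == "__main__":
    for pid, path, category in suspicious(SAMPLE_PROCESSES):
        print(f"{pid:>5}  {category:<20}  {path}")
```

Note that an allow-list like this only catches what does not match a clean baseline; a process that genuinely loads inside a real svchost.exe (Jason's point) needs module-level inspection rather than a path check.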
  18. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi controler & Jason,

    I once tested keyloggers as well. I made the same experience as you, controler, the Norton splash screen was still popping up. :D Nevertheless I didn't like the approach (email) of PC PhoneHome that much. But this is my personal opinion. Which one do you like better?

    Jason, I fully agree to what you said. They still need to do some improvements to hide their software. If you replace the hard drive (well, but I don't think so for a laptop), you won't get a signal. But if your hard drive is put into another computer then you would receive a signal. Like that you could trace the thief as well I guess. ;)

    Regards,

    Patrice
     
  19. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Nice testing, Patrice, I'll be following your trail with great interest :)
     
  20. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi meneer,

    here are some updates: I still don't have any answer from the support of PC PhoneHome. :( I don't like that, a software stands and falls with its support. Next to that I was writing the support team of Web Detect, because I would like to test their software as well. Unfortunately they don't have a trial and I have the feeling that they are the market leader in this area... Perhaps I'm wrong. Nevertheless they answered me within two hours (!) and told me that they submitted my question to their headquarters in Paris. O.K., for such a nice and fast answer I can wait a little bit longer. The managers & developers in France are on holiday until Monday as I know (official holiday). ;)

    Best regards,

    Patrice
     
  21. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hello all,

    Here is some useful and interesting information about AbsoluteProtect. According to its support, the software will be deleted by proper use of FDisk or Partition Magic. It can survive if you perform formatting under the Windows environment (like "My Computer -> disk D: -> Format"). Their statement on their homepage "Additionally, in many cases Absolute Protect will survive hard disk formatting." is therefore a marketing issue. But at least they have a very fast and honest support! :D

    Unfortunately the support of PC PhoneHome never gave me an answer. Because of that I can't recommend their product at all and I deinstalled it from my hard disk.

    Last but not least I'm in contact with the support of WebDetect. Again it's a very fast and honest support. Until now it seems, that this software withstands FDisk formatting. But I haven't tested it until now. I'm trying to get an evaluation copy of it.

    Best regards,

    Patrice
     
  22. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Seems like some tough testing is about to begin ;)
    If you want me to help you by stealing your laptop, just let me know :D
     