Cybersecurity Penetration Testing Subjective
May 20, 2013

How Does Spyware Operate?

Detailed Explanation

Spyware tracks online activity looking for web sites visited, financial data or identity data such as credit card numbers on screen or entered into form fields, browsing and online purchasing habits, and authentication credentials. When keywords of interest like names of banks, online payment systems, or pornographic web sites are observed, the spyware starts its data collection process.

Email Addresses
Email addresses can be harvested from an infected user's computer and marketed for use in spam mailing lists. Common techniques for harvesting email addresses and other contact information include enumerating email applications' address books, monitoring incoming and outgoing network packets related to email, and scanning files on the system's disks for strings that match the format of an email address.

Windows Protected Store
Windows contains a service called the Protected Store. Its purpose is to provide encrypted storage for sensitive data. The following are some examples of data that might be in the PStore:
• Outlook passwords
• passwords for web sites
• MSN Explorer passwords
• IE AutoComplete passwords
• IE AutoComplete fields
• digital certificates
Even though the PStore is encrypted, access to it is indirectly controlled by the data owner's login credentials. Since most spyware runs under the security context of the user who is logged on, spyware can decrypt and harvest this information without needing to attack the encryption itself.

Clipboard Content
The system clipboard often contains sensitive information. Some common examples include product registration codes and user credentials that are copied and pasted into login forms. Other information that might be found in the system clipboard buffer includes sections of potentially sensitive data from recently modified documents or personal information about you or your associates that could be used in crimes related to identity theft.

The Keys You Press
Key logging is one of the oldest spyware techniques used to capture sensitive data from a system. Both hardware and software key loggers exist. Hardware devices usually slip inline between the keyboard cable and the computer. Modern key logging hardware is small and unobtrusive and has even been hidden inside the physical keyboard casing, making it almost impossible to detect. One limitation of hardware-based key logger units is the need for physical access to install the device and later to retrieve it and its data. A more common alternative, and the type present in spyware, is the software key logger. Software key loggers capture keyboard events and record the keystroke data before it is passed to the intended application for processing. Like most other spyware capture technologies, software-based key loggers can turn their capture on or off based on keywords or events. For example, many key loggers target instant messaging clients, email applications, and web browsers but ignore other applications that don't provide the kind of data the attacker is targeting for harvest.

Network Traffic
Network traffic is another valuable source of data. Data commonly extracted from network captures includes user names, passwords, email messages, and web content. In some cases, entire files can be extracted and reconstructed from the captured streams.
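As an added example, not code from the original article, the following Python egress check turns the harvesting patterns described above (address-book dumps, card numbers on screen, data leaving over the network) into a detection: it runs the same "looks like an email address" and "looks like a card number" format checks over an outbound payload and flags one that carries a bulk address list or a Luhn-valid card number. The regexes, the threshold, and the sample payloads are my own assumptions.

```python
import re

# Assumed pattern for strings shaped like an email address (the format
# check the text says harvesters apply when scanning files on disk).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_payload(payload: str, email_threshold: int = 5) -> dict:
    """Flag one outbound payload that looks like harvested data being exfiltrated.

    A single address in a message is normal; a bulk list (>= email_threshold
    distinct addresses) or any Luhn-valid card number is treated as suspicious.
    """
    emails = set(EMAIL_RE.findall(payload))
    cards = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {
        "email_count": len(emails),
        "card_numbers": cards,
        "suspicious": len(emails) >= email_threshold or bool(cards),
    }


if __name__ == "__main__":
    # Constructed samples: a harvested address book and a captured form field.
    samples = [
        "to=" + ",".join(f"user{i}@example.com" for i in range(6)),
        "card=4111 1111 1111 1111 exp=12/29",     # test card number, Luhn-valid
        "contact b@example.com about order 1234567890123456",  # fails Luhn
    ]
    for s in samples:
        print(scan_payload(s))
```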
