Software with Malicious Intent bound to executable?

5

I had some software created for me by a coder overseas. I'm a little suspicious since the software is executable. I started thinking about the possibility that they could have bound a key logger to the application they made for me or any kind of software with malicious intent. How can I find out?

Brandon

Posted 2010-05-05T21:23:31.677


1 You could try hooking up a packet sniffer, and see if the program is sending TCP or UDP packets. Beyond that, I would say that it's important to have a trustworthy relationship with your overseas partners. – Robert Harvey – 2010-05-05T21:29:14.900

@closers: If you are contracting someone overseas to write software for you, how is this SuperUser related? – Robert Harvey – 2010-05-05T21:30:02.953

1 It's asking how to tell whether there is a key logger in a piece of software, which isn't a programming question. The fact that the software was written for the OP by contract is mostly irrelevant. – David Z – 2010-05-05T21:33:00.810

What sort of software? – David Thornley – 2010-05-05T21:37:52.440

Answers

11

For reference, when you have someone create a custom program for you, you should insist on getting the source code -- all of it, in a state where you (or someone you trust) can recompile it with the proper tools. That's the only way to be anywhere close to certain of what any binary exe does, short of learning assembler language.

cHao

Posted 2010-05-05T21:23:31.677

Reputation: 642

5

If you contracted with them to have it done, your best bet is to get the source. If you paid for it, your contract should read this way, anyway. Then you just inspect the code yourself before you use it.

If there's no way to get source, it really comes down to a trust issue. If you don't trust them, you probably should find an alternative solution. And, for the love of all that's FSM, DON'T release a product based upon that code. Remember, depending upon where you are and who your customers are, YOU can end up shouldering the liability for any damage that system does.

Sniggerfardimungus

Posted 2010-05-05T21:23:31.677

Reputation: 241

3

Can't believe no one has mentioned this yet: Run a virus scanner; it is not easy to fool their heuristics.

Aside from that, demand the source code and (have someone) check it over.

BlueRaja - Danny Pflughoeft

Posted 2010-05-05T21:23:31.677

Reputation: 7 183

1

You should have contracted to get the source code and built it yourself after auditing the source code.

jeffamaphone

Posted 2010-05-05T21:23:31.677

Reputation: 389

0

Here are a few ideas:

  • Run it with Process Monitor and see if it writes to disk, the registry, etc.
  • Profile it via Depends and see if it loads any strange DLLs you didn't expect.
  • Run it in a virtual machine and see what system changes are made.

Make sure you have a good anti-virus running.

DanJ

Posted 2010-05-05T21:23:31.677

Reputation: 491

2 If you don't trust it, I'd favor running it in a VM without any network access - that way, your machine isn't at risk, and there's no chance it can call home with any useful information. – SqlRyan – 2010-05-05T21:32:20.890
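
Added example (not part of any answer or comment above): one way to triage the output of the Process Monitor run suggested in the previous answer, flagging module loads, file writes, autostart registry writes and TCP/UDP activity for a single process. The program name `contractapp.exe`, its install folder, the `C:\Windows` location and every sample row are constructed assumptions; the column and operation names follow Process Monitor's CSV export.

```python
import csv
import io

# Constructed rows in the column layout of a Process Monitor CSV export.
# Program name, paths and address are invented for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:01.10","contractapp.exe","4120","Load Image","C:\Apps\Contract\contractapp.exe","SUCCESS",""
"9:14:01.12","contractapp.exe","4120","Load Image","C:\Windows\System32\user32.dll","SUCCESS",""
"9:14:01.30","contractapp.exe","4120","Load Image","C:\Users\me\AppData\Local\Temp\hk.dll","SUCCESS",""
"9:14:02.00","contractapp.exe","4120","WriteFile","C:\Apps\Contract\settings.ini","SUCCESS",""
"9:14:02.40","contractapp.exe","4120","WriteFile","C:\Users\me\AppData\Roaming\keys.log","SUCCESS",""
"9:14:03.00","contractapp.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS",""
"9:14:05.00","contractapp.exe","4120","TCP Connect","DESKTOP:49712 -> 203.0.113.7:443","SUCCESS",""
"9:14:06.00","explorer.exe","1800","WriteFile","C:\Users\me\Desktop\notes.txt","SUCCESS",""
'''

def classify(op, path, app_dir):
    """Return a tag for events worth a closer look, or None for expected ones."""
    p = path.lower()
    in_app = p.startswith(app_dir.lower().rstrip("\\") + "\\")
    if op.startswith(("TCP ", "UDP ")):
        return "network"              # any traffic from a supposedly offline tool
    if op == "RegSetValue" and "\\currentversion\\run" in p:
        return "autostart"            # Run/RunOnce keys start programs at logon
    if op == "WriteFile" and not in_app:
        return "write-outside-app"
    # Assumes Windows is installed in C:\Windows.
    if op == "Load Image" and not in_app and not p.startswith("c:\\windows\\"):
        return "unexpected-module"
    return None

def triage(csv_text, process_name, app_dir):
    # Real exports may start with a byte-order mark; drop it before parsing.
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    findings = []
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        tag = classify(row["Operation"], row["Path"], app_dir)
        if tag:
            findings.append((tag, row["Operation"], row["Path"]))
    return findings

if __name__ == "__main__":
    for tag, op, path in triage(SAMPLE_CSV, "contractapp.exe", r"C:\Apps\Contract"):
        print(f"{tag:18} {op:12} {path}")
```

A clean report only covers what the program did during that capture, which is the limit the black-box answer below points out.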

2

A black-box analysis is never sufficient examination of a system. Unless you like three-kiloton explosions: http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage. (The malicious logic was designed to evade testing and only come out of its sleeper status when it was in full operation.)

– None – 2010-05-05T21:35:20.390

0

What language was the code written in? If it was written in .NET, for example, you could use Reflector to disassemble it and take a look at what the code actually does.

Aaron

Posted 2010-05-05T21:23:31.677

Reputation: 864