Layered Service Provider

From Wikipedia, the free encyclopedia

A Layered Service Provider is part of the Microsoft Windows Winsock 2 interface. It allows features to be added to the network protocols without replacing ws2_32.dll.

LSP technology is often used (exploited) by spyware and adware vendors. For example, WebHancer inserts itself as an LSP in the network stack and forwards all of the user's traffic to an unauthorized external site, where it is data-mined to find the user's special interests to bombard him/her with targeted advertisements, as well as spam e-mail. If Webhancer is removed, the computer may be left without a working network connection, should the LSP fails to unregister properly, which is a common grief.

LSP is a DLL that has to be registered using a special LSP registrant which instructs Winsock 2 the loading order of the LSPs (there can be more than one LSP installed) and which protocols to intercept.

LSP works by intercepting Winsock 2 commands before they are processed by ws2_32.dll, the LSP can modify the commands, drop a command, or just log the data which makes LSP a powerful tool for: Network filters, Network intercepters, spyware and adware, and stream based sniffers.

There are two kinds of LSP: IFS and non IFS LSP. Currently most LSPs on the market are non IFS. The difference between the two LSPs is that non IFS LSP modifies the socket handle to a non valid windows IFS handle and therefore the LSP must implement all Winsock 2 methods. IFS LSP, on the other hand, preserves the socket handle, which allows the LSP to implement only the functions it wants to intercept.

[edit] References

• http://www.microsoft.com/msj/0599/LayeredService/LayeredService.aspx

[edit] External links

• New PowerPoint Trojan installs itself as LSP

• Komodia's Inc. free LSP resources and repacked version of Microsoft's LSP sample