Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. lupus

    lupus Registered Member

    Joined:
    Apr 4, 2005
    Posts:
    22
I use a Knoppix CD to carry out any sensitive (i.e. money) task; this way I don't have to worry about keyloggers and anti-keylogger software. I *will not* bet my savings on Windows security software, as good as it may be. A bootdisk is the only way to go as far as I am concerned.
     
  2. controler

    controler Guest

  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
Just as a brief update on this thread - I've gotten the analysis of MUK and Elite returned; detection for this class of keylogger will be released in a service update to OA as soon as practical.

    Not overly concerned about MUK as a new attack method. While it can get keystrokes sure enough, you can defeat it by simply typing quickly :D

    Either way, we'll add it to OA ASAP so that anything using the Elite or MUK technique to nab keystrokes will be alerted similarly to how we alert on hooking based keyloggers.


    Mike
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
Thanks for the update, Mike :)
     
  5. DraGoNsLaYaZ22

    DraGoNsLaYaZ22 Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    9
    Does anyone know how well Microsoft AntiSpyware works against keyloggers?
     
  6. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
Hi - if you look through GQ's tests here in this thread, I think you will find that it didn't perform very well at all when faced with kernel-level loggers.
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
I installed Spy Lantern on a test rig - got to admit it's good - I had the secret password and the secret sequence of keystrokes to uncloak it, but nothing I did worked - it was completely invisible to everyone and everything - but was it really there? - who knows :D What do you do when you lose your invisible gizmo?

    "Spy Lantern Keylogger is the first totally invisible keylogger. So no one can determine that you are watching on him" (not even the watcher) :D

This raises a question - some keyloggers can hide themselves from Windows Task Manager - is there anything that will list all processes, invisible or not? - or is it possible to evade detection from the likes of "What's Running", "a2 HijackFree", "HijackThis", "Sysinternals Process Explorer" etc. - is there any system monitoring software that can detect the undetectable? (apart from specialised rootkit progs like UnHackMe and IceSword)
     
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Had a chuckle at some of their statistics... "31% of people have had an online conversation that has led to real-time sex." I guess I must be talking in the wrong places... :D
     
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
I wonder what % of that 31% got a virus download via their unprotected real-time gymnastics?
     
  10. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    No it's not :D

    Pete - try that test code I sent you yesterday and you'll see it detected.


    Mike
     
  11. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
Good work, Mike - the search goes on for the first truly undetectable keylogger.... Is it possible? Or does the fact it needs to execute mean it will always leave a footprint somewhere?

Can it be detected at download?
    Can it be detected if it tries to execute?
    Can it be detected if it runs as a script?
    Can it be detected if it hides inside a trusted application? (for there is always the chance of misplaced trust)
     
  12. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Toploader,

"Undetectable" is a great marketing term, just like it would be great if we could say that Online Armor detects "all" keyloggers - but it would clearly be false.

    What we're trying to do is find all of the ways that keystrokes can be captured. The next step - find a way to detect when a program is using that method of capture.

    This means that ANY keylogger program that uses a method we know about (and have detector code for) can be detected. This is what happened with Spy Lantern - you mentioned it; I installed it - OA in its current form did not detect the keylogging - but the proto code that Pete had a play with did.

    Once we finalise the current release of OA (still in beta testing) then this code will get brought into the main release. Any program using the same method as Elite, Spylantern or MUK would then be detectable with OA.

    Whether it's possible to create an undetectable keylogger depends on your definition of undetectable. Undetectable by my mum? Easy. Undetectable by any means - Impossible.

For example, using a PE disk one could boot into a known clean version of Windows and scan the normal Windows partition. Since, by definition, no code from the potentially affected system is running, it cannot be hidden (although it could hide in plain sight). This could in theory allow pretty much anything to be detected, regardless of how it worked - assuming that the scanning code was 100% thorough. A BIG assumption.

    We use a handy technique with BartPE - make a bootable windows disk, include AV tools and use that for a quick clean on toasted machines for clients.

    As for hiding on the "live" version of windows - well... once an attacker is running code on your system, it's not your system any more.

    Hope that helps.


    Mike
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    For now, I think IceSword leads the pack in terms of revealing "hidden" processes. Specialized, yes, but effective. It's one of the tools I use when I clean systems. Sysinternals' Process Explorer misses SpyLantern, while RootkitRevealer does not:

    Nick
     

    Attached Files:

    Last edited: Oct 5, 2005
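The technique behind Nick's observation (one tool sees SpyLantern, another does not) is cross-view comparison: enumerate processes from several independent vantage points and flag any PID that one view reports and another omits. The script below is an added example written for this page, not code from the thread and not from IceSword or RootkitRevealer. It assumes a Windows host with tasklist.exe on the PATH, or a Linux host with /proc mounted; the PID probe range and the sample data are constructed for illustration.

```python
"""Cross-view process enumeration (added example; not from the thread,
IceSword or RootkitRevealer).

A user-mode process hider typically patches the polite enumeration API that
Task Manager and Process Explorer rely on. A cruder view that asks the
kernel about every PID in turn is usually left alone, so a hidden process
shows up as a discrepancy between the two views.
"""
import os
import sys
from typing import Dict, Set

# Constructed sample: three views, one of which (the polite listing) is
# missing PID 4242. Used for the offline demonstration below.
SAMPLE_VIEWS: Dict[str, Set[int]] = {
    "listing": {4, 372, 1020, 1288},
    "probe":   {4, 372, 1020, 1288, 4242},
    "wmi":     {4, 372, 1020, 1288, 4242},
}


def cross_view(views: Dict[str, Set[int]]) -> Dict[int, Set[str]]:
    """Compare PID sets from several views.

    Returns {pid: {names of the views that did NOT report it}} for every PID
    present in at least one view but not in all of them. An empty result
    means the views agree."""
    if not views:
        return {}
    union: Set[int] = set().union(*views.values())
    report: Dict[int, Set[str]] = {}
    for pid in sorted(union):
        missing = {name for name, pids in views.items() if pid not in pids}
        if missing:
            report[pid] = missing
    return report


def view_listing() -> Set[int]:
    """Polite view: the same listing ps/tasklist-style tools rely on."""
    if sys.platform == "win32":
        import csv
        import subprocess
        # Assumption: tasklist.exe is on PATH; /FO CSV puts the PID in column 2.
        out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                             capture_output=True, text=True, check=True).stdout
        return {int(r[1]) for r in csv.reader(out.splitlines())
                if len(r) > 1 and r[1].isdigit()}
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def view_probe(max_pid: int = 65536) -> Set[int]:
    """Crude view: ask the kernel about each PID directly, never touching the
    process list. 'Access denied' still proves the PID exists."""
    found: Set[int] = set()
    if sys.platform == "win32":
        import ctypes
        from ctypes import wintypes
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = wintypes.HANDLE
        k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
        k32.CloseHandle.argtypes = (wintypes.HANDLE,)
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        ERROR_ACCESS_DENIED = 5
        for pid in range(4, max_pid, 4):          # Windows PIDs are multiples of 4
            h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
            if h:
                k32.CloseHandle(h)
                found.add(pid)
            elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
                found.add(pid)
        return found
    for pid in range(1, max_pid):
        try:
            os.kill(pid, 0)                       # signal 0: existence check only
            found.add(pid)
        except PermissionError:
            found.add(pid)                        # exists, owned by someone else
        except ProcessLookupError:
            pass
    return found


def live_report(max_pid: int = 65536) -> Dict[int, Set[str]]:
    """Run both collectors on this machine and reconcile them."""
    return cross_view({"listing": view_listing(), "probe": view_probe(max_pid)})


if __name__ == "__main__":
    for pid, missed_by in live_report().items():
        print(f"PID {pid}: not reported by {', '.join(sorted(missed_by))}")
```

Two caveats a practitioner should keep in mind. First, a discrepancy is a lead, not a verdict: a process that exits between the two collections shows up as "missing" from whichever view ran later, and on Linux a /proc mounted with hidepid legitimately hides other users' processes from the listing. Second, the probe only helps while the hider leaves the probe path alone; a kernel-mode hider that filters both the process list and handle opening defeats both views, which is exactly why Mike's point about scanning from a clean boot environment stands.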
  14. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Interesting Nick... I think I will have to download that and have a play with it.

    Mike
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
This code that Mike is referring to is detecting some interesting things on my system. Fortunately I don't have any keyloggers. But it sure does portend some neat stuff coming with Online Armor. I have been thoroughly teased.

    Pete
     
  16. ------

    ------ Guest

I think undetectable, in most cases, refers to after they are installed.
     
  17. -----

    ----- Guest

    Hmm if this is true OA is shaping up to becoming the best generic keylogger out there. Most antikeyloggers which boast generic detection basically stop at what PG does (detect global hooks), this is not enough!

Hey Mike, any plans to just market a separate product for antikeylogging? I'm interested only in that.

    I read Peter's post that such code is leading to some false positives, which no doubt will be fixed in time.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
You misunderstood. Understand this is prototype code. It detected some legitimate hooking going on by a legitimate program. That's all this is doing at this time. From what I saw, the code Mike sent me is simply querying for hooks at this time. Therefore it would detect some keyloggers, but also other system activity. It is too premature to read anything into this. A big part of my look-see was to see if the code was stable, and it is.

    Pete
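Pete describes the prototype as "simply querying for hooks". Windows has no documented API for listing another process's hooks, so the added example below uses a documented side effect instead: a global WH_KEYBOARD hook (likewise WH_GETMESSAGE, WH_CBT and the other message hooks) installed with SetWindowsHookEx makes Windows load the hook DLL into every process that receives the hooked messages, so a DLL that is loaded into nearly every process and does not live under the Windows directory deserves a look. This is not Online Armor's detector and not the prototype from the thread; the PSAPI collector assumes Windows Vista or later and a Python able to open the target processes, and the sample module lists are constructed.

```python
"""Injected-DLL footprint heuristic for global Windows keyboard hooks
(added example; not Online Armor's code nor the prototype in the thread).

What it does NOT catch: WH_KEYBOARD_LL hooks (they run in the installer's
own thread and inject nothing), GetAsyncKeyState polling, and kernel-mode
loggers. It is one detector among several, not 'the' one.
"""
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample: five processes; a DLL from a user profile is loaded
# into four of them, which is the pattern a global message hook leaves.
SAMPLE_PROCESS_MODULES: Dict[int, Set[str]] = {
    1020: {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\user32.dll",
           r"C:\Users\bob\AppData\Local\Temp\kbhk.dll"},
    1288: {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\user32.dll",
           r"C:\Users\bob\AppData\Local\Temp\kbhk.dll"},
    1404: {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\user32.dll",
           r"C:\Users\bob\AppData\Local\Temp\kbhk.dll", r"C:\Program Files\Editor\spell.dll"},
    2212: {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\user32.dll",
           r"C:\Users\bob\AppData\Local\Temp\kbhk.dll"},
    2560: {r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\user32.dll"},
}


def suspicious_shared_modules(process_modules: Dict[int, Set[str]],
                              windows_dir: str = r"c:\windows",
                              min_fraction: float = 0.8) -> List[Tuple[str, int]]:
    """process_modules: pid -> set of full module paths.

    Returns (path, process_count) for every module present in at least
    min_fraction of the surveyed processes and located outside windows_dir,
    most widely shared first. Paths are compared case-insensitively."""
    if not process_modules:
        return []
    prefix = windows_dir.lower().rstrip("\\/") + "\\"
    counts: Dict[str, int] = {}
    for mods in process_modules.values():
        for m in mods:
            m = m.lower()
            counts[m] = counts.get(m, 0) + 1
    threshold = min_fraction * len(process_modules)
    hits = [(m, n) for m, n in counts.items()
            if n >= threshold and not m.startswith(prefix)]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


def collect_process_modules() -> Dict[int, Set[str]]:
    """Live collector (Windows only): per-process module lists via PSAPI.

    Processes we cannot open (protected or higher-integrity ones) are
    skipped. That shrinks the denominator and is a blind spot, not proof
    of innocence."""
    import ctypes
    from ctypes import wintypes
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    k32.CloseHandle.argtypes = (wintypes.HANDLE,)
    psapi.EnumProcesses.argtypes = (ctypes.POINTER(wintypes.DWORD), wintypes.DWORD,
                                    ctypes.POINTER(wintypes.DWORD))
    psapi.EnumProcessModulesEx.argtypes = (wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                           wintypes.DWORD, ctypes.POINTER(wintypes.DWORD),
                                           wintypes.DWORD)
    psapi.GetModuleFileNameExW.argtypes = (wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD)
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    LIST_MODULES_ALL = 0x03          # 32- and 64-bit modules regardless of our bitness

    pids = (wintypes.DWORD * 4096)()
    needed = wintypes.DWORD()
    if not psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed)):
        raise ctypes.WinError(ctypes.get_last_error())
    result: Dict[int, Set[str]] = {}
    for pid in pids[: needed.value // ctypes.sizeof(wintypes.DWORD)]:
        h = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
        if not h:
            continue
        try:
            mods = (wintypes.HMODULE * 1024)()
            if not psapi.EnumProcessModulesEx(h, mods, ctypes.sizeof(mods),
                                              ctypes.byref(needed), LIST_MODULES_ALL):
                continue
            paths: Set[str] = set()
            for m in mods[: needed.value // ctypes.sizeof(wintypes.HMODULE)]:
                buf = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
                if psapi.GetModuleFileNameExW(h, m, buf, len(buf)):
                    paths.add(buf.value.lower())
            result[pid] = paths
        finally:
            k32.CloseHandle(h)
    return result


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("live collection needs Windows; suspicious_shared_modules() itself is portable")
    for path, n in suspicious_shared_modules(collect_process_modules()):
        print(f"{n:4d} processes: {path}")
```

Expect false positives of exactly the kind Pete saw: input-method editors, accessibility tools, some backup agents and security products install global hooks legitimately, and a trusted-application list is the natural way to suppress them. Raising min_fraction cuts noise but lets a hook DLL that is only loaded into a few foreground processes slip through, so the threshold is a tuning knob, not a security boundary.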
     
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
It's true. The initial name for OA was "BankSafe" - targeted at preventing phishing, keylogging and banking fraud. Keylogger detection and eradication is a feature we have highlighted to make significant enhancements to. OA's trusted apps list should help minimise false positives. The proto code Pete was playing with is simply the proof-of-concept detector.

    While there are no plans at this stage to take a separate anti-keylogger to market this could change in future. I'll just leave it there for now to avoid taking this thread OT - but watch this space. It's going to get interesting.

    Mike
     
  20. ------

    ------ Guest

    Yes Pete, probably even the least ignorant poster here knows that you are an important beta tester of OnlineArmor . I certainly didn't misunderstand, false positives are the risks that come with the territory when you are trying generic heuristical detections.

    Mike, Any idea when OA 1.2 will be out? Anytime within this month? I have some new ideas for tests for OA.
     
  21. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Beta testing of the 1.1 service release is going well - hope to have that out in the wild early next week.

    Some 1.2 code has been written, but not a massive amount. I'd estimate that a 1.2 beta release is around 6 weeks away - maybe a little longer - too early to tell just yet.
     
  22. -----

    ----- Guest

    Huh I thought 1.1 is out already? What is "service" release?
     
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Like an MS Service Pack, except that it's more about adding minor tweaks, and a bit of re-engineering to cover potential problems rather than pure bugfixes - although, there are some of those too.

The main changes are the multilanguage GUI, and separation of the "Service" component from the "GUI" component. Other than that it's all minor tweaking.


    Mike
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi ------

Many thanks for the promotion. Not sure exactly what an important beta tester is, however. In case you wonder, I have paid for 2 licenses of Online Armor, so there is no material gain to me. I just like the product, like where it is going, and am impressed with the personnel. Would invite you to register and tell us about yourself. ------ seems so impersonal.

    Pete
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
I appreciate the effort Mike is putting in to create a first-class product with OA - keyloggers and rootkits are an area that needs good defenceware.

    As a consumer I want a product that can detect the undetectable. At the moment I've no real way of knowing how good the available defenceware is.

    I've been impressed with the freebie Winsonar - with protection enabled it kills any unknown processes immediately. How good its detection methods are is another question. To be more specific, it kills all unknown processes if it can find them - the question is what % of unknowns are evading detection. This was the case with Spy Lantern - I installed it but nothing in the system could detect it - so either Spy Lantern was there, totally hidden, or it had not installed correctly - the problem was I had no way of verifying this one way or the other cos I did not have a detector that could detect it and it didn't respond to its decloaking commands.

    Detecting commercial keyloggers should be relatively easy as one can get a copy of the product to play with - the hard part is detecting the bespoke or one-off custom jobs which have never been analysed.

    The most common way a keylogger is going to get on the system is via a trojan download from the net. Ideally the trojan should be detected when it tries to download or execute so the keylogger payload never gets installed in the first place. This is where so far I've found Winsonar to be good. It blocks the start of all unknown processes (that it can detect) e.g. exe, dll and scripts.

    However, if the trojan is downloaded in a "trusted" file that the user wants to execute then the user has to switch off Winsonar protection or tell Winsonar that the unknown is a trusted known - to allow the file to execute. And therefore the embedded trojan gets installed along with the rest.

    This is where we need a program that can detect the keylogger heuristically (because it may not have a known signature) when it's installed and working in stealth mode.

    I'm assuming that there is a finite number of ways in which a keylogger can function in Windows, so in theory it should be possible to create defenceware that can detect all those methods (hooking being one, for example). Whether this will change significantly when Vista comes out I don't know.

    Still, it makes it fun trying to discover just how many alternative methods can be used.
     