Prevx SOL and KeySrambler versus Commercial Keyloggers

[PrevxHelp]

Quote:

Originally Posted by aigle

Ok, I have re-tested SOL on fresh snapshot of CTM. No security software installed, just a fresh XP SP2 with IE6, not fully patched though.

I just tested Advanced Keylogger and it was able to grab my login credentials on paypal login page( https). Prevx SOL did stop the screenshots though.

I will assume that Al in One Keylogger will be able to take screenshots too but I did not re-test it.

I tested this here as well (XP SP3 but shouldn't make a difference) and SafeOnline blocked everything. There are a number of factors which could be affecting it, from language settings to whatever CTM is doing behind-the-scenes. I can certainly investigate closer if wanted but on multiple PCs here, I've yet to see a single keystroke get stolen across English, British English, and Spanish keyboard configurations. Fundamentally "Advanced Keylogger" does nothing different than the Zemana leaktest or other leaktests.

Quote:

Originally Posted by moontan

i like the concept of KeyScrambler more than anti-loggers solutions (prevx, spyshelter, zemana etc) per se.

i'm not concerned much with screen capture because the most important part, the password, is always hidden with *****

Be aware that even though it may be protected from the initial entry, if there is a Man-in-the-Browser infection like Zeus, Caberp, Torpig, Silon, etc. on your PC, it will still be able to see credentials when they are sent across the network unless you use browser protection software.

[aigle]

Quote:

Originally Posted by PrevxHelp

I tested this here as well (XP SP3 but shouldn't make a difference) and SafeOnline blocked everything. There are a number of factors which could be affecting it, from language settings to whatever CTM is doing behind-the-scenes. I can certainly investigate closer if wanted but on multiple PCs here, I've yet to see a single keystroke get stolen across English, British English, and Spanish keyboard configurations. Fundamentally "Advanced Keylogger" does nothing different than the Zemana leaktest or other leaktests.

Ok, may be it,s CTM. Good to know that SOL is working perfect.

Prevx is great I must say.

[diceman]

Wouldn't running in a limited account while online prevent these key loggers from running and installing to begin with? Is a lot cheaper and easier too.

[Saraceno]

aigle, great testing anyway. Interesting to read your test and Joe's explanation of Prevx SafeOnline.

[aigle]

Thanks, just tested as I like Prevx a lot.

[aigle]

@PrevxHelp

Does Prevx SOL works Ok in VirtualBox as I tested it on Windows 7 in VBox and still a fail.

[aigle]

It,s weired. Another person have tested it on XP and windows 7 and has confirmed my finding. Prevx SOL is bypassed by two loggers( screenshots by one and keystrokes by the other).

Wish some one else could try it as well.

[CloneRanger]

Quote:

Originally Posted aigle

It,s weired. Another person have tested it on XP and windows 7 and has confirmed my finding. Prevx SOL is bypassed by two loggers( screenshots by one and keystrokes by the other).

I'm on XP

Quote:

Wish some one else could try it as well.

Which 2 out of the 3 are they ? Let me know and i'll do it

[Scoobs72]

Quote:

Originally Posted by diceman

Wouldn't running in a limited account while online prevent these key loggers from running and installing to begin with? Is a lot cheaper and easier too.

No. See http://www.prevx.com/blog/83/Is-Limi...ot-really.html

Anyway, let's not derail this thread further.

[Scoobs72]

Oh jeez...I've just tried Advanced Keylogger in my Win XP (SP3) VM and it successfully captured login details from Paypal. I couldn't get All-in-one Keylogger to work properly, but given Safeonline was bypassed by Advanced Keylogger I'm sure Aigle's test results are correct for that also.

Joe, if you want to do a remote support session to try to diagnose this drop me a pm.

[aigle]

Quote:

Originally Posted by CloneRanger

I'm on XP
Which 2 out of the 3 are they ? Let me know and i'll do it

All in one Keylogger bypassed Prevx SOL and took snapshots of https session on paypal.com login. Also Advanced Keylogger bypassed Prevx SOL and keylogged the user name and password from paypal.com login page.

Get them from here.

http://www.relytec.com/
http://www.eltima.com/products/keylogger/

[Triple Helix]

Don't forget what PrevxHelp has said about Keyboard language:

Quote:

Originally Posted by PrevxHelp

I tested this here as well (XP SP3 but shouldn't make a difference) and SafeOnline blocked everything. There are a number of factors which could be affecting it, from language settings to whatever CTM is doing behind-the-scenes. I can certainly investigate closer if wanted but on multiple PCs here, I've yet to see a single keystroke get stolen across English, British English, and Spanish keyboard configurations. Fundamentally "Advanced Keylogger" does nothing different than the Zemana leaktest or other leaktests.

Be aware that even though it may be protected from the initial entry, if there is a Man-in-the-Browser infection like Zeus, Caberp, Torpig, Silon, etc. on your PC, it will still be able to see credentials when they are sent across the network unless you use browser protection software.

TH

[Triple Helix]

Also see how Prevx is doing with real Keyloggers here: http://malwareresearchgroup.com/cate...roducttesting/

TH

[Scoobs72]

Quote:

Originally Posted by Triple Helix

Don't forget what PrevxHelp has said about Keyboard language:

TH

Well, keyboard language for me is English.

[Scoobs72]

Quote:

Originally Posted by Triple Helix

Also see how Prevx is doing with real Keyloggers here: http://malwareresearchgroup.com/cate...roducttesting/

TH

How are these not real keyloggers?!!!!!

[Kernelwars]

Quote:

Originally Posted by aigle

All in one Keylogger bypassed Prevx SOL and took snapshots of https session on paypal.com login. Also Advanced Keylogger bypassed Prevx SOL and keylogged the user name and password from paypal.com login page.

oh man tried them right now.. boy

[Triple Helix]

Quote:

Originally Posted by Scoobs72

How are these not real keyloggers?!!!!!

Who said they weren't? I was just pointing out that MRG is testing against malicious keyloggers sorry that I didn't make myself clear!

TH

[Kernelwars]

Quote:

Originally Posted by Triple Helix

Also see how Prevx is doing with real Keyloggers here: http://malwareresearchgroup.com/cate...roducttesting/

TH

[CloneRanger]

All-in-one Keylogger & Advanced Keylogger test v PSOL

XP/SP2 Admin

Installed both under ShadowDefender, with ALL my security disabled, apart from PSOL.

All-in-one Keylogger captured a screenshot



I have manually allowed protection for Wilders in Prevx, so it shouldn't have captured that

In the Textual Report i only found one Keystroke logged out of many i did ? The Wilders one was not it, but note above.

Didn't find any www's logged.

I found it visably slowed my screen movements with text files & screenies etc I'm sure people would notice & investigate

Not sure if it worked properly as it was buggy, or was it that PSOL protected me ?

MORE

[CloneRanger]

Advanced Keylogger was a different class altogether

Captured dozens of screenshots, here's just 2



Captured keys etc









PSOL didn't block any of the above ?

[Kernelwars]

Quote:

Originally Posted by CloneRanger

Advanced Keylogger was a different class altogether

Captured dozens of screenshots, here's just 2

Attachment 222850

Captured keys etc

Attachment 222851

Attachment 222852

Attachment 222853

Attachment 222854

PSOL didn't block any of the above ?

oh boy..time to rethink

[Scoobs72]

Quote:

Originally Posted by Kernelwars

oh boy..time to rethink

Something weird is going on here. Maybe we're all testing in a VM and Prevx SOL has some problems in VMs due to the keyboard and screen interfaces??

Edit: Damn, just noticed Cloneranger is testing with Shadowdefender. Bang goes that theory. Common denominator is XP then??

[moontan]

PrevxHelp:

Quote:

Be aware that even though it may be protected from the initial entry, if there is a Man-in-the-Browser infection like Zeus, Caberp, Torpig, Silon, etc. on your PC, it will still be able to see credentials when they are sent across the network unless you use browser protection software.

according to Wikipedia, the only way to prevent Man-In-The-Browser attacks is through what is called "transaction verification".

Quote:

A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The only way to counter a MitB attack is by utilising transaction verification.

Transaction Verification must utilise either Out-of-band technology (the use of two separate channels) or an independent signing device, e.g. a programmable card-reader, capable of having transactional information re-keyed into it in order to create a code cryptographically linked to the underlying transaction detail.

One of the most effective methods in combating a MitB attack is through an out-of-band (OOB) Transaction verification process. This overcomes the MitB Trojan by verifying the transaction details, as received by the host (bank), to the user (customer) over a channel other than the browser; typically an automated telephone call.

-http://en.wikipedia.org/wiki/Man_in_the_Browser-

i'm no expert but according to the above it seems the only way to be safe beside "transaction verification" is not to get infected in the first place.

[SAW]

Has anyone tested Trusteer's rapport with these key loggers ,it's a bit heavier on the system but would protect your browser better if it does work against them.

[Scoobs72]

Quote:

Originally Posted by SAW

Has anyone tested Trusteer's rapport with these key loggers ,it's a bit heavier on the system but would protect your browser better if it does work against them.

Tests by MRG have shown it to be less effective than Prevx SOL. Back on topic...clearly there is a bug/possible regression going on here. I have previously tested SOL against keyloggers in XP and it did what it claimed. For some reason it's now not doing that - at least for XP. We just need to give PrevxHelp some time to respond.