Does WSA Detect/Block Xenotix KeylogX?

IXenotix KeylogX is a Keylogger add-on for Mozilla Firefox.

https://addons.mozilla.org/en-US/firefox/addon/xenotix-keylogger/

 

No it doesn't, and that's by design. Browser add-ons are subject to the same sandboxing that the browser itself runs through and therefore can be managed by the user directly. There are similar add-ons which could potentially be used to leak data (like HTTP Watch and extensions which let you debug browser traffic) and disabling these interfaces would cripple most browsing.

If you're suspicious of any add-ons, you should definitely just remove them, or, open your browser in safemode which avoids loading any add-ons.

 

Hi there, i am the creator of xenotix keylogger. This keylogger can bypass both executable based ant-keylogers like the KeyScrambler and even the On Screen Keyboards. As of my knowledge the only way to protect from this keylogger is to use: https://addons.mozilla.org/en-us/firefox/addon/keylogger-beater/

Regards,
Ajin Abraham (><302),
Information Security Enthusiast,
keralacyberforce.in | defconkerala.org |
ajinabraham.com |

 

wow almost concerning in a way not about wsa but about this type of keylogger, if these become the norm and somehow become auto installed then we could have a major issue. i know you should be able to see this in the addon's unless im wrong but many people that are basic users never go there to see whats installed, does this have any indication that its installed?? going to test this out now to see how this works.

 

Doesn't "Isolate untrusted add-ons from data" cover this?

 

That's why the good browsers have all made it impossible for third party auto-installation and some if not all have made that decision retroactive, disabling third party add-ons and requiring the user to make choices about them.

 

fine but what about this being hidden under another plug in? diguised as something else so the user installs it and then when it doesnt do as advertised they say forget about it and dont bother removing it. i have people come in all the time and they have a dozen add ons installed and dont even know why they are there. sadly most people dont know enough to not install things like that...

 

True, but if you look at how many people complain about the Webroot plugin "not working", I'd think more people fail to install rather than do install. Plugins are not executable code though. They are extensions of the browser itself. Which means that even regular AV has to know a very well-defined signature of it that is very specific, so any modification to the plugin will evade other AV too. In WSA's case, there's no executable to evaluate, since it's the browser itself.

But we do know that if the plugin is capturing keystrokes and tries to send them somewhere, the somewhere can get caught by WSA, because we've seen this happen on the browsers.

Edit: I've also noticed that the people with half a dozen or more addons usually had them installed by third-party means, which is what and why was retroactively disabled. So something running outside the browser can't just plop it in and hope the user doesn't notice. Now the user actively has to choose, and most of the less-clued ones won't bother to turn them back on.

 

i agree with most of what you said. i do wish there was a switch to detect these type of things or not for those who choose to, i see in the newest avast there is a browser cleanup tool i wonder if they will implement something like this... i would not need it but again as i said there are many who would rather it be turned on then not.

 

I think it definitely should detect it. Someone from Webroot informed me earlier this year that software that can be uninstalled by the user is generally not detected by WSA. I do not like that at all. I had WSA installed on my mothers computer, and I was constantly having to uninstall bundled software which sometimes contained trojans. It was bringing her computer to a very, very slow crawl. It was not even usable. The last time I removed 2 system 32 viruses from her computer. I would say it probably came with the bundled software. I think it should warn the user, and give them the option what they want to do.

 

32 viruses from bundled software on your mums PC? - I really can't get my head round that, the only bundled software I've seen with viruses come from none legal software? - In 17 years on the net I have yet to have a more than a worm & a few bits of spyware on any PC I own or use & I've had & built heaps from the 286 onward - I've had WSA on several PC's for pushing 2 years & have yet to have any infection, that also goes for several relatives/friends etc WSA accounts I monitor including my mums

I think WSA is fine as regards this issue as it is.

 

That's not technically true - if the software is malicious, it will be detected/removed. I suspect the comment was made because it is rare that malicious software includes an uninstaller. We don't leave it on the system just because it has an uninstaller.

 

PC_Fiddler, I believe your reading Cutting_Edgetech's post wrong, if I'm not mistaken he means 2 viruses in the system32 folder.

 

You are absolutely 100% correct & I apologise without reservation to 'Cutting_Edgetech' - Thanks for pointing my error out!