Discussion in 'other security issues & news' started by TairikuOkami, Jan 13, 2007.
Same as Martin's Undetectable Keylogger?
Side note: the AV guys haven't added a signature for it yet. This isn't a test for your malware scanner.
Thanks for the heads up, these are another couple of things that HIPS should protect against, hopefully most will do so in the future.
GesWall stopped all of them, very nice.
CyberHawk only prompted on the first one and no more prompts after that. On repeat testing, no prompt on even the first one, which was disappointing.
Anybody tried SnoopFree?
Edit: Just rechecked, GesWall actually stops all except the second screen capture method.
Tried again with CyberHawk and it did stop two of three keylogging methods, but after a bit of a delay. 3rd method not detected.
CyberHawk of course does not protect against snapshots. Only software that I know to protect against screen snapshots/ captures is SnoopFree.
Any other HIPS to do this?
KAV6 proactive defense doesn't detect any of the tests either.
This gives a brief description of certain programs used in the test including Kaspersky.
KAV 6 does a poor job dealing with keyloggers. Only accepting them is NOT the way it should be.
DSA caught two of the three keyboard monitors: GetKeyState and DirectX. It did not catch either of the screenshots.
I also was running NOD32 which did not pop up any warnings, even with DSA disabled. NOD32 has some new stealth sense technology that, I thought, was supposed to catch keyloggers. Although maybe that is on in-depth scan only?
Spyware Terminator - realtime shield and HIPS enabled, allowed all the keylogger tests to execute.
Comodo Firewall - with Application Monitor and Component Monitor enabled, allowed all keylogger tests to execute.
Ashampoo Anti-Spyware (A-squared clone) - with AntiSpy Guard active, allowed all keylogger tests to execute.
CounterSpy - with Active Protection activated, allowed all the keylogger tests to execute.
Kudos to GKweb again
No response from:
PrevX (does warn that the AKLT.exe is not known and offers options)
>> but then allows all 5 tests.
Ewido direct scan
Avira direct scan
Jotti's 15-1-07, 0933: scan of AKLT.exe: nobody found anything.
At VirusTotal: eSafe and Fortinet both identified the AKLT.exe as "suspicious", nada from others.
I wonder whether this is a legitimate "malware" test?
Is this really malware?
Heh if the consensus is yes: there's a lot of disappointed end users
@Aigle: when you say GES Wall "stopped them all": can you elaborate a bit pls.
Anybody check with DefenceWall??
BOClean updated here 2314H: now detects the AKLT.exe as malware with single file scan.
But allows the "5 tests" to proceed with no problem.
AKLT is NOT malware, and should never be detected as such.
It is a test tool that can only run if you launch it, and it doesn't record anything;
everything logged in the program window is lost when you close the program. Nothing is sent out (no network code in it).
AKLT illustrates what a trojan could do. The purpose is to see if your HIPS detects AKLT monitoring your keyboard, not to see if your AV detects the file (which is not malware).
I'll contact BOCLEAN.
Thank you GK Web
No problem. I was just wondering.
Hehe, so far so good, the test is winning
My previous post was as usual a bit unintentionally cryptic.
I dl'd the exe: PrevX warned me, ran it from the desktop to see what might happen (trust you a LOT ! - and have FDISR snaps )
Effectively "nothing happened" other than the tests ran.
No warnings from any of the "resident" tools
Then ran scans with whatever was hanging around in that snapshot at that time just to see if anything might find something malicious.
Will be interesting to see what utilities will detect the tests.
My observation as to "is this malware" was directed more at the function of the tests: works as keylogger but doesn't try to phone home or "do" anything with the captured data. Therefore, I am wondering how many HIPS utilities will react to it, the data capture, as a threat?
Damn you GKW LOL.
Great little test.
Need another rethink maybe.
Edit: BOClean will now try and stop the exe from running. Labels it a "trojan"
Thanks for the clarification and your comments.
Adding AV signature detection for AKLT will effectively detect AKLT as a virus even before it has a chance to execute. The whole issue appears when an unknown malware executes on your system and starts to monitor your keyboard. At this point, no matter which AV you have, you need a proactive defense to analyse and detect the suspicious behavior of the malware, no matter how it is packed/encrypted to avoid signature detection.
That is the whole point of AKLT: enabling you to see if your defense detects the mimicked malware behavior, although AKLT is not harmful in itself.
If Jottis and VT add the sig: I might have screwed up your test
I am so sorry.
Rename the exe ??
Very nice program!
When testing Cyberhawk only detects the first two methods when AKLT is not the active window. Is this how you should use AKLT? Or should you expect keylogging to be detected when AKLT is the active window?
Has anyone tested SSM or Prosecurity?
Hi, I can't speak for aigle, but I too tried the tests and GesWall passed all but the second screen capture test. For the 3 keylogger tests, GesWall stopped all alphanumeric keys from being logged. The first screen capture test captured nothing. The second screen capture test, however, did succeed in getting my screenshot.
Tried snoopfree against it.
It stops only the second method of keylogging and the second screen capture method.
Will be interested if anyone tried it against ZAP and Online Armor, they have good keylogger detection.
I haven't tested myself, but according to the firewall leak test site:
So apparently the makers of ProSecurity and SSM are aware of the problem and are correcting it as we speak.
I downloaded the exe via a browser that was isolated by GesWall. When I ran the exe, GesWall asked if I wanted to isolate the exe as it came from an isolated source (my browser); I opted for yes. The test was able to run isolated but no keys were logged. (Just rechecked: GesWall actually stops all except the second screen capture method; I have edited my previous post.)
Hope it's clear now.
I am interested too.
It does not make any difference. This is not a test of signature based protection.
KIS PDM detects the first and second one and the third one will be detected on the next Beta version (about a week)
Longboard: is it still unknown to Prevx1?
No response when running AKLT.exe with PrevX in expert mode.
@ Someone: How about for you??
Usually I don't run such tests.
But I am a curious man, and thank you guys for your testing and reporting.
PrevX just now updated
will check again