AT & Keyloggers

Discussion in 'other anti-trojan software' started by JO, Dec 3, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Sorry - had to go to the grocery store.

    I think the screenshot tells the story.

    And remember, even though SpyCop depends to a large extent on def updates - there haven't been any def updates to SpyCop since the 29th of December.

    Con - My apologies for taking so long to get this done - I'm fighting a failing HD and wife's health problems here.

    Anyway, once I saw Paul recommending AKL - I knew I had to do something! :D Pete

  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Now that my son's finally off the computer, I'll continue.

    After running the scan with SpyCop - and having the Iopus keylogger detected by it - I decided to see if TDS-3 would pick up on it.

    From a cold start (the preliminary opening scan of TDS, which I have set to check everything at program start), TDS-3 did not pick up on the new autostart entry for the keylogger (I would have thought that it would?). Then, I ran AutoStartViewer (which I have put in TDS - thanks for THAT) and it clearly identified wskrnla.exe as being in the start-up (the obvious drawback there is that you wouldn't have a clue as to what it was if you hadn't already read this thread! :D ).

    Okay, now I'm going to run a full scan with TDS-3 and I'll be back later with the results.

  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    This is the line in AutoStartViewer that I'm referring to.

  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    TDS-3 did not alarm on this keylogger. It did show me an NTFS ADS for the wskrnla.exe - but again, someone wouldn't know what that is unless they recognized the exe name as belonging to IOpus. Since the exe found in the stream wasn't alarmed on, there's no way to get any further information about it from TDS (if it had been alarmed on, you could have).

    Note: In the screenshot, you can see an alarm on kl-detector.exe - unfortunately, this is not a keylogger - it's a keylogger detection tool (TDS has been notified about the FP).

    I'm gonna run SBS&D, AA and NOD32 next. Pete

  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nothing found by AdAware (free version). Both things in the screenshot have been set like that by me long before I ever started messing with IOpus.

  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nothing found by SBS&D

  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    While I'm waiting for NOD to complete its full scan, a couple of points:

    It's quite obvious that dedicated anti-keylogging programs are the way to go if you're seeking effective keylogger detection!

    (Can someone say "Amen"? )

    I want it clearly understood that I don't fault SBS&D, AA or even TDS for not alarming on this keylogger - since this is not the primary function of these programs.

    I'm up against the wire time-wise with the server maintenance outage here - but I'll be back sometime tomorrow with the rest of my results and thoughts. Pete
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hmm - they must not be using the same clock I am.

    NOD never peeped about it either (nor do I blame it for not doing so).

  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Commercial keyloggers are legitimate programs, even though someone can buy one and use it just like a trojan on their friend or spouse. Specialised programs do have their spot, but the most used ones end up in AV labs and get detected. We also detect a lot of them :)
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Big anti-keylogger breakthrough!

    Just in regards to keyloggers, we've made big breakthroughs late last year and also today with blocking them and essentially rendering their keylogging capabilities null and void. How? You'll see for yourself in the next release of Process Guard (maybe later this week), but essentially what Process Guard does is secure access to the SetWindowsHookEx API functions (there are two - ASCII and Unicode) by blocking all processes from accessing the functions except programs that you grant Allow access to, such as explorer.exe.

    Securing the SetWindowsHookEx function was very challenging, but comes with several rewards:
    - Virtually all keyloggers require SetWindowsHookEx to install a global keyboard hook (this is now blocked by PG, rendering virtually all keyloggers useless).
    - Some leaktests such as Firehole use SetWindowsHookEx to inject their DLL into programs typically allowed by firewalls such as Internet Explorer (this is now blocked by PG). Jason's making a post about this now in the Process Guard forum :)
    - It's possible to use SetWindowsHookEx to inject a DLL into a process and then have the DLL terminate the process (this termination method is now blocked by PG).

    We'll release more details as soon as we can, stay tuned ... :)
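Wayne's point that virtually all keyloggers need SetWindowsHookEx also gives a defender a cheap static check: an image whose import table names neither SetWindowsHookExA nor SetWindowsHookExW cannot install a global hook that way (it could still resolve the API at run time, so an empty result is not a clean bill of health). The Python below is an added example, not DiamondCS code or a Process Guard feature; it parses a PE32/PE32+ import table and reports those two imports, run here over a constructed minimal PE32 that is not a real binary.

```python
import struct

# The two imports Wayne singles out: a global keyboard hook needs one of them.
HOOK_APIS = {"SetWindowsHookExA", "SetWindowsHookExW"}

def cstr(pe, off):                 # NUL-terminated ASCII string at a file offset
    return pe[off:pe.index(b"\0", off)].decode("ascii")

def rva_to_off(sections, rva):     # map an RVA to a file offset via the section table
    for va, raw, size in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA %#x is outside every section" % rva)

def imports_of(pe):
    """Return {dll: [imported function names]} for a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B
    tfmt, tlen = ("<I", 4) if pe32 else ("<Q", 8)
    imp_rva = struct.unpack_from("<I", pe, opt + (96 if pe32 else 112) + 8)[0]  # data dir 1
    sections = [(va, raw, size) for va, size, raw in
                (struct.unpack_from("<III", pe, opt + opt_size + i * 40 + 12) for i in range(nsec))]
    result, off = {}, rva_to_off(sections, imp_rva)
    while True:                                    # one IMAGE_IMPORT_DESCRIPTOR per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, off)
        if name_rva == 0:
            break
        names, t = [], rva_to_off(sections, oft or ft)
        while (val := struct.unpack_from(tfmt, pe, t)[0]) != 0:
            if not val >> (tlen * 8 - 1):          # import by name, not by ordinal
                names.append(cstr(pe, rva_to_off(sections, val) + 2))  # skip 2-byte hint
            t += tlen
        result[cstr(pe, rva_to_off(sections, name_rva))] = names
        off += 20
    return result

def hook_api_imports(pe):          # SetWindowsHookEx variants the image imports
    return sorted(n for fs in imports_of(pe).values() for n in fs if n in HOOK_APIS)

def build_sample_pe():             # constructed minimal PE32, hypothetical, not a real binary
    base, raw = 0x1000, 0x200                      # section RVA and file offset
    sec = bytearray(0x200)
    sec[0x30:0x3B] = b"user32.dll\0"
    sec[0x60:0x74] = b"\0\0SetWindowsHookExW\0"    # hint + name entries
    sec[0x80:0x8E] = b"\0\0GetMessageA\0"
    sec[0x40:0x4C] = struct.pack("<III", base + 0x60, base + 0x80, 0)              # thunks
    sec[0:20] = struct.pack("<IIIII", base + 0x40, 0, 0, base + 0x30, base + 0x40)  # descriptor
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HH12xH2x", 0x14C, 1, 0xE0)              # i386, 1 section
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)  # PE32 magic, 16 dirs
    opt += struct.pack("<8xII", base, 0x28).ljust(128, b"\0")                # import directory
    hdr += opt + struct.pack("<8sIIII", b".idata", 0x200, base, 0x200, raw)
    return hdr.ljust(raw, b"\0") + bytes(sec)
```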
     
  11. controler

    controler Guest

    Wow, thanks for all the info guys :D
    spy1, as you can see most of the detection is only on the one main exe.
    You will have to either remove the other files manually with the help of the text file I left in a previous post, or use iopus's own uninstall to remove them.
    PG is coming along great. I was doing some API hooking reading the other day.

    spy1? Did you remember seeing an option to turn off keylogging and just use the screenshot functions etc. of iopus? lol which kinda sucks because even if it is not logging your keystrokes it logs your screenshots of IM, and pretty much everything. Same techniques used today by
    non-commercial keyloggers.
    One way KAV is getting around not being accused of catching commercial keyloggers is to have its manual update_x and update_ext;
    this way they are not liable.
    I still haven't tested these defs because I am trying KAV's new beta 5.0 which can not be updated at this time manually with the X and EXT defs.
    So in a nutshell:

    non-commercial keyloggers = fair game

    commercial keyloggers = tread quietly

    Thanks Everybody

    con
     
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I think there's a copy of this one to add to detection from spy already, I was just so busy today I didn't get some things in. Higher priority detection for things like the new Nuclear RAT beta of course, which is popular already.

    TDS detects some versions of IOpus products by memory scanning, and some ripped trojan / modified versions. Even some spyware if I remember right. It's possible this was already detected in memory if you run a memory scan. Either way I'll add more detection very soon as a few attackers do like to download these commercial keyloggers off Kazaa to use them maliciously.
     
  13. Oric48k

    Oric48k Guest

    Does PestPatrol detect this keylogger with its Key Patrol component?

    Oric
     
  14. Oric48k

    Oric48k Guest

    Ok, I have fully read through this thread and am curious as to which software detects this latest BETA of the iopus-starr keylogger. The following software is mentioned throughout this thread. Where I could find a reference confirming if the software detects it or not, I have placed the answer next to the software, otherwise I have put 'Yes or No'. Is it possible to complete the testing? Personally I have been trialling both Spycop and Anti-Keylogger. But I also have a licenced version of PestPatrol. So if the PestPatrol keylogger detector (Key Patrol) detects this latest BETA of the iopus-star, then I may just stick with Pestpatrol. I am also interested if any of the others detect it or not. KAV(x-bases), Trojan Hunter or BOClean. Very interesting thread btw. :)

    TDS: Confirmed No
    Spycop: Confirmed Yes
    Anti-Keylogger: Confirmed Yes
    KAV(x-bases): Yes or No
    NOD32: Confirmed No
    PestPatrol: Yes or No
    Spybot: Confirmed No
    Ad-aware: Confirmed No
    Trojan Hunter: Yes or No
    BOClean: Yes or No

    Regards,
    Oric
     
  15. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I have a question. How does a keylogger get on one's computer? I assume that someone that has access to the computer will put it on there. Am I right?
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    notageek - Keyloggers can be installed to your computer via:

    Email (clicking on a malicious attachment, which would then install the keylogger)

    Via Trojan infection (which could install a keylogger as one of the Trojan's functions)

    Or, by having someone with physical access to your computer install it manually (either as software or hardware). Pete
     
  17. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks Pete for the info. I don't have to worry about clicking links in my email cuz I don't click any links.
     
  18. Uncle Jean

    Uncle Jean Guest

    Joe,

    A few days ago, I tried "YAW" and the first scan found two keyloggers that none of my other programs was able to "see"...

    UJ
     
  19. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    May I ask what "YAW" is?
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi notageek,

    I think Uncle Jean is referring to http://www.yaw.at/
    I could not find an English version of that site.

    Regards,

    Pieter
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Correct, Pieter.

    YAW (Yet Another Warner) is in essence software designed to cope with dialers - database focussed on common European ones, developed by Andreas Haak.

    regards.

    paul
     
  22. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks Pieter and Paul. Dialers are mainly outside the US right?
     
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, and not a tremendous concern if you're not on a dial-up connection.

    I've also got to question whether we're talking dialer or keylogger detections as re: "Uncle Jean"'s post. Pete
     
  24. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks for the info Pete.
     
  25. Uncle Jean

    Uncle Jean Guest

    OOPS... Sorry, I meant "dialers" of course.

    UJ
     