Help dealing with a sophisticated keylogger

Hi, I've been involved in a campaign to assist the current protesters in Iran, and I'm certain that I've been infected with (what I'd guess) is a fairly sophisticated keylogger or piece of spyware.

My setup is Windows 7, Kaspersky Internet Security 2009, and KeyScrambler Premium.

The reason I believe this is what's happened, is that Keyscrambler, (which is fully Win 7 compatible), started warning me that it was no longer encrypting my keystrokes. It does this at very specific times as well E.g. any encryption related task consistently "turns it off." So if I go to compress and encrypt a file, as I'm choosing a password, "zap!" it stops working. It's very odd, and in the 2 years I've been using it, I've never experienced anything like it.

I've not received any warnings from Kaspersky (I probably should be running the new beta with Win7, rather than 2009. It just bugs me not using something I've paid for. Bit stupid though!)

I've used a number of other AV scans, none of them show any infection either. However if it is government produced spyware, that's perhaps no surprise.

I've really got 2 questions:

( a ) What's the best way for me to rid myself of this (assuming you agree that I'm not misreading the tea-leaves)?

( b ) I have a clone of my system disk (on an external hardisk) that I made with Acronis. Would copying that over my infected system disk definitely solve the problem? Is there any way a virus could survive (perhaps by spreading to the clone as soon as the external USB it's on is plugged in)?

Many thanks.

 

The chances that you have some sophisticated keylogger on your system are close to zero, in my humble opinion. Most likely this is nothing more than Keyscrambler acting up, possibly because of some kind of conflict with Kaspersky running on Win 7 that it's not at all designed for. Why do I think so?

1) You have discovered no actual evidence of any malware infection, whatsoever.

2) No anti-malware scanners have detected anything that even warrants suspicion. That in itself isn't saying very much, since bypassing signature-based anti-malwares is not difficult.

3) You are running Windows 7, an operating system that isn't even in the stores yet.

4) You are reading this forum, which is a security forum. That implies at least a measure of security awareness, which in itself vastly decreases your chances of being infected with anything.


Nowadays it seems that a lot of people attribute any oddness in their system or software to malware and hackers and what not, even without any reason to do so.

Where would this keylogger have come from? How would it have been able to infect your system? Execute much unknown, untrusted code recently? Running without a firewall, with open ports? No? Unpatched browser with ActiveX, Java, scripting and such enabled? No? There aren't countless methods of getting malware into a system, and that goes for the government as well. There is a lot of paranoia in the web about governments and three-letter-agencies having godlike powers of intrusion, mostly spread by people that obviously don't have the slightest clue of what they are talking about, but that is the nature of life. Buying into the FUD, though, is a good way to lose both sleep and sanity.

You can, if you wish, engage in further diagnostics by looking at running processes and loaded DLLs, checking autostart locations, running comparisons of the filesystem from within the OS and then booting from a clean media like a Linux or WinPE disc, and so on, but odds are you'll find nothing. Before attempting anything radical like format and reinstall, I would attempt to verify that the system is infected. Because right now, nothing points to infection. But a lot points to just having software issues due to a new operating system and incompatible programs. Running KIS 2009 on Win 7, you are extremely lucky if you aren't getting blue screens of death left and right.

 

Get Diskmon and a packet analyzer, go ahead and write a fake password and see if there's any network activity or disk activity.

If you have a keylogger, it would have to send the data out in real time or write it to a file then send it out at a predefined time. So these 2 tools will show if these activities are happening.

 

Or, the keylogger could just store the password data in memory, without writing it to a file at any point in time, and could send the data out later, such as when the computer and network connection are idle, implying that the user is probably not present at the computer. There does not need to be any immediate disk or network activity which could be monitored at the point of entering the password and the keylogger logging it.

That said, this is much more likely a case of software incompatibility issues than malware infection.

 

Thanks for the feedback guys.

Yep - you've persuaded me - whatever happens, I'm gonna stop being a dick about that, and run KS's Beta.

You've made a lot of really valid points about the lack of actual evidence, and I'm afraid this post doesn't really change that. I do think you're overestimating my security knowledge, but even allowing for that, I know that I put my computer at risk, at least initially...

When I first visited one of the main sites that was organizing assistance, I went there out of interest, and had no expectation of becoming involved. My normal setup is *reasonably* secure: everything properly updated, and yup, I can tick off most of the thing you listed, however, unless there's an obvious reason not to, I do normally have Java and JS enabled; which was the case in this instance.

Once I was there, I saw a couple of things that weren't being done well, that I knew I could help with. I did debate with myself whether to install a Virtual Machine, a pared down browser, TOR and all the rest of it, but - because of the very real need for speed - I decided in the end just to carry on as I was, at least until the basic stuff was done.

Whilst I acknowledge that there's no positive sign of an actual infection; the site I'd visited, had been (I didn't know then) and continues to be, attacked fairly vigorously by unknown parties. [FWIW, these attacks may actually not be coming from the Iranians (or their proxies), as there've been other groups (particularly Neo-Nazis) who've made their dislike of what we're doing extremely clear.] But either way, it's a fact that the site has been a target both of DOS, and other more intricate assaults.

Within 24 hours of using the site, and posting material that definitely won't have won the hearts and minds of the Iranian Security Service (Farsi translations of OTPOR manuals, and other similar materials), the problem I've described was occurring.

I don't want to bore you with all the background, but there're also reasons that Keyscrambler specifically is reasonably likely to have become a target of the Iranians themselves. Briefly: after the election, they mounted a huge effort to stop people from blogging, tweeting, and otherwise speaking out via the internet. Initially, this led people to focus primarily on distributing TOR, together with the creation of as many bridges and relays as possible. However as reports started to come in that some of the TOR users were being arrested as well, there were *suspicions* though I don't know how well founded, that keyloggers were being used.

Either way, we made a big effort to promote and distribute the free edition of Keyscrambler, along with some other stuff. Within a week of that, the issues I'd been having with Keyscrambler Premium changed. The red "Encryption module error" popup became less frequent, and has more or less stopped, and instead, Keyscrambler (which should show a solid green bar when functioning normally) frequently appears to be working (in the sense that there's no bright red warning), yet there's no sign of the green bar at all. Importantly, the green bar continues to "disappear" in the same manner, and the same time as the original bright red bar would appear.

I know how flakey these "symptoms" sound, and under any other circumstances I would absolutely assume that it was just a straightforward error. However reinstallation (of Keyscrambler) is not resolving the problem, and I do think that there's a fairly good chance that it's not just a simple conflict.

I'll carry out some of the checks that you've both referred to - though I won't be able to do this until tomorrow now - and let you know the results.

Thanks again for your time, it's appreciated.

 

Anti-keylogger http://www.anti-keyloggers.com is supposed to be one of the best.

For more information click http://www.anti-keyloggers.com/download/ak_help.zip to download the User Manual for Anti-keylogger

The unregistered version of Anti-keylogger anti-spyware software is fully functional for 4 (four) hours from the moment of the system restart, after that the program switches off. You will be able to re-launch the program only after the operating system is reloaded. The number of such reloads is restricted to 10 (ten). When the limit is reached, the program will cease to work and you should either uninstall or register it. http://www.anti-keyloggers.com/download.html

You could also run some ARK's Antirootkits to sniff for hidden Apps/files etc. I see you run Windows 7 so your options are likely to be somewhat limited, as in Vista. I can recommend some which are Vista compatable which may work, let me know.

Surfing Anon might be advisable too, try the excellent Xerobank, or the free Ultrasurf.

If you can browse with any or all of these disabled, Java/Scripting/ActiveX/iframes, so much the better. I do for 99% of the time, and have done for years. See here https://www.wilderssecurity.com/showthread.php?t=246935 for some very usable Apps to disable/enable those and more in real time, should you need to.

Have you tried uninstalling and reinstalling KeyScrambler Premium ? I read there have been some issues with KS not responding etc, so it might be partly due to that ?

Also running a pre release OS and expecting it to be 100% all round, is asking a lot. Even when it's actually released i fully expect all manner of bug fixes and vulnerabilities that need sorting in the months/years afterwards ! I would go back to XP and lock it down as much as possible, or Vista if you must !

Let us know how you're progressing.

 

In this case, the browser and associated plugins are the most likely, perhaps the only possible infection vector - assuming you have not knowingly downloaded and opened files from the site in any other program than the browser & its plugins, or been in email/IM contact with users of the site, in which case any program on your system that has been used to open such files would be a possible additional entrypoint, as well as any vulnerabilities in your email/IM programs.

That raises the question of is your software fully updated? Acrobat Reader plugin updated? Flash, Java? Those are commonly exploited. The browser should also be fully patched, for security.

But a drive-by infection of a Windows 7 system, with KIS 2009 on it, is not something that happens a lot.

KIS 2009, I seem to recall, has HIPS features. Have you seen any unusual warnings from that source? That is, if such features work on Win 7, which they probably don't.

If I were you, I might also contact Keyscrambler support, and inform them of the situation, and perhaps send them any log files for debugging that Keyscrambler may make. But before that, I'd uninstall KIS 2009, and keeping well away from the site that you suspect for possibly being compromised and infecting you with a keylogger, test whether Keyscrambler works better without KIS around. If it does....

Another thing that you could do is ask around if others that have visited the site and use Keyscrambler are suffering similar issues - and if they use Win 7 and KIS, too.

There's a lot of things that one could check, but it's difficult to find something that isn't necessarily there at all. It is somewhat impossible to prove that you are not infected - that is a general rule. It can also, sometimes, be very difficult to prove that you are infected.

Occam's razor, though. You may have a highly sophisticated keylogger that specifically targets Keyscrambler, and yet does so without actually completely disabling and terminating Keyscrambler or other security software on your system - and all this infecting an operating system that isn't even officially released yet. Or, you could have a software conflict caused by running a kernel-hooking anti-keylogging software and a kernel-hooking security suite on a release candidate version of a new operating system. Which sounds more likely? In any case, good luck hunting! And do recall, that if you really feel you are infected, but can't find proof, and wouldn't mind reinstalling, there's no reason why you couldn't do that. If one is going to do that, might as well do it right, though: run fixmbr, wipe the hard drive clean (write it full of zeros), and if you're feeling really paranoid, flash the BIOS with a known clean version, and then reinstall from clean media.