Playing with Keyloggers and scanners

Discussion in 'privacy technology' started by aigle, Aug 19, 2006.

Thread Status:
Not open for further replies.
  1. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Sure, I will post a screenshot with explanation while I am in the office, about 1 hour from now :)
     
  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    If you have a program that can detect it, why not?

    Who is this "somebody"?
    If it is me, intentionally, at least I know that I have a program that detects it.
    If it is me and I install malware without knowing that it is malware, I would like to know that!
    If it is another person, and you aren't at the PC, of course you will not know...
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    I've misplaced my copy of MUK and the site is not available any more - could someone kindly mail me a copy please?
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Kareldjag (and everyone) - it's been a long day, my apologies for taking so long to get this up and available.

    What you can see in the image below is a test/debug app running the OA kernel-mode driver from OA V2. MUK gets its keylogging capability from repeatedly calling GetKeyState (as you can see, it makes this API call a fair few times).

    By detecting which applications call GetKeyState, and how often, we have a behavior-based detection of MUK-class keyloggers. Hence, this is flagged as a possible keylogger by OA - at least by the OA driver. Of course, some other programs will call GetKeyState regularly - but the OA whitelist will take care of this in the released version.

    We're able to detect Elite Keylogger (after install) in two different ways, giving v2 some nice rootkit detection capability as well. It works in a similar way to RootkitRevealer - comparing what the Win API shows versus what we can determine for ourselves in other, sneaky ways. If there's a difference between the two, it means something is hiding, and we can alert on it. I'm highly confident OA 2 will pass Aigle's test 100%.


    Cheers

    Mike
    http://dl1.online-armor.com/tour/muk_oa.jpg
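    The two checks Mike describes above, a call-rate heuristic on GetKeyState and a cross-view comparison of process lists, as an added illustration. This is not Online Armor code and not a real capture: the trace format, the process names and PIDs, the 20-calls-per-second threshold and the whitelist are all assumptions made for the example.

```python
"""Behaviour-based keylogger/rootkit checks in the spirit of the post above.

Added example, not Online Armor code. The trace format, the threshold,
the whitelist and every process in the snapshots are constructed.
"""
from collections import defaultdict

WHITELIST = {"game.exe"}      # assumption: vendor/user whitelist by image name
THRESHOLD_PER_SEC = 20        # assumption: GetKeyState calls/s that trigger an alert
WINDOW_MS = 1000


def _build_trace():
    """Constructed API-call trace standing in for what a kernel-mode driver
    would record: (time_ms, pid, image_name, api_name)."""
    trace = []
    # Hypothetical MUK-style poller: GetKeyState every 10 ms for half a second.
    trace += [(t, 1337, "muk.exe", "GetKeyState") for t in range(0, 500, 10)]
    # Hypothetical whitelisted game that also polls the keyboard heavily.
    trace += [(t, 2048, "game.exe", "GetKeyState") for t in range(0, 500, 12)]
    # A normal application that calls the API only occasionally.
    trace += [(t, 4096, "explorer.exe", "GetKeyState") for t in (30, 250, 480)]
    # Unrelated API calls from the same process must not count.
    trace += [(t, 1337, "muk.exe", "WriteFile") for t in range(0, 500, 50)]
    return sorted(trace)


TRACE = _build_trace()


def getkeystate_rates(trace, window_ms=WINDOW_MS):
    """Peak number of GetKeyState calls per process in any sliding window of
    window_ms. Returns {(pid, image): peak_calls}."""
    per_proc = defaultdict(list)
    for t, pid, image, api in trace:
        if api == "GetKeyState":
            per_proc[(pid, image)].append(t)
    peaks = {}
    for key, times in per_proc.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] >= window_ms:
                start += 1
            best = max(best, end - start + 1)
        peaks[key] = best
    return peaks


def flag_polling_keyloggers(trace, threshold=THRESHOLD_PER_SEC, whitelist=WHITELIST):
    """Return sorted [(pid, image, peak_calls)] for non-whitelisted processes
    whose GetKeyState polling rate reaches the threshold."""
    flagged = []
    for (pid, image), peak in getkeystate_rates(trace).items():
        if peak >= threshold and image not in whitelist:
            flagged.append((pid, image, peak))
    return sorted(flagged)


def cross_view_hidden(api_view, raw_view):
    """Cross-view diff: entries present in a low-level enumeration (raw_view)
    but missing from what the Win32 API reports (api_view) are candidates for
    being hidden. Entries only in api_view are usually a race (the process
    exited between the two snapshots) and are returned separately so the
    caller can re-sample instead of alerting on them."""
    api_view, raw_view = set(api_view), set(raw_view)
    return sorted(raw_view - api_view), sorted(api_view - raw_view)


# Constructed snapshots: the Win32 view has lost the keylogger's process.
API_VIEW = {(4, "System"), (4096, "explorer.exe"), (2048, "game.exe")}
RAW_VIEW = {(4, "System"), (4096, "explorer.exe"), (2048, "game.exe"), (1337, "muk.exe")}

if __name__ == "__main__":
    print("polling keyloggers:", flag_polling_keyloggers(TRACE))
    print("hidden / transient:", cross_view_hidden(API_VIEW, RAW_VIEW))
```

    Two practical caveats the heuristic carries: the threshold and window have to be tuned against real applications that poll legitimately (games, remote-desktop clients, accessibility tools), which is exactly why the whitelist exists; and a cross-view diff must be taken twice before alerting, because a process that starts or exits between the two enumerations shows up as a difference without anything being hidden.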
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nice to see.
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Nice results, aigle! Good work!
    Can you please test NOD32 against them? I'm curious... of course, if you have time. Otherwise I'll try to test them myself. :D
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi pykko, I am really sorry. All the test snapshots are erased already and I have my exams ahead. It takes much time, and being on dial-up is really not easy. Hope you will not mind. If next time I make a setting, sure I will check NOD, as it is my favourite AV. In fact I did not intend to use any AV here, but of the two laptops I used for this play, one had Antivir and the other a KIS trial - so that was the main reason I scanned with them and missed NOD.
     
    Last edited: Aug 22, 2006
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Very interesting info, kareldjag. This link is dead. Has it moved somewhere else? Or was the info too good for public consumption?

    For the "JitterBugs," perhaps AK vendors could make software that inserts a randomized anti-JitterBug delay before the keypress is sent out, the same way that randomized delays on packet data could counter "clock-skew identification".

    @aigle
    Thanks for making this thread. :thumb:
    Good luck on your exams!
     
    Last edited: Aug 22, 2006
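    The randomized-delay defence Devinco proposes, shown against a JitterBug-style keystroke timing channel, as an added example that is not part of the original post and not any vendor's code. The channel model is a simplified version of the published JitterBug idea (the inter-keystroke delay modulo a window w carries one bit); the window size, the "human" typing delays and the secret are constructed for the demo.

```python
"""Keystroke timing channel and the randomized anti-jitter delay defence.

Added example. The encoding (delay mod w selects the bit) is a simplified
model of the JitterBug scheme; W_MS and all delays are constructed.
"""
import random

W_MS = 20            # assumption: timing window the covert channel uses


def bits_from_bytes(data):
    """MSB-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def encode(base_delays_ms, bits, w=W_MS):
    """Attacker side: lengthen each inter-keystroke delay by less than w so
    that the delay modulo w is 0 for a 0 bit and w/2 for a 1 bit."""
    out = []
    for d, bit in zip(base_delays_ms, bits):
        target = 0 if bit == 0 else w // 2
        out.append(d + ((target - d) % w))   # added delay is in [0, w)
    return out


def decode(delays_ms, w=W_MS):
    """Receiver side: map each delay's residue modulo w back to a bit."""
    return [1 if abs((d % w) - w // 2) < w // 4 else 0 for d in delays_ms]


def jitter_defence(delays_ms, rng, w=W_MS):
    """Defender side: add an independent uniform delay in [0, w) before each
    keypress is released, which scrambles the residue the channel relies on."""
    return [d + rng.randrange(w) for d in delays_ms]


def demo(secret=b"secret42", seed=1234):
    """Run the channel with and without the defence; return error counts."""
    rng = random.Random(seed)           # seeded only so the demo is repeatable
    bits = bits_from_bytes(secret)
    # Constructed "human" typing delays, 120-350 ms each, one per bit.
    base = [rng.randrange(120, 351) for _ in bits]
    leaked = encode(base, bits)
    clean_errors = sum(a != b for a, b in zip(decode(leaked), bits))
    jittered = jitter_defence(leaked, rng)
    jitter_errors = sum(a != b for a, b in zip(decode(jittered), bits))
    # Typing cost of the defence: at most w-1 ms extra per keystroke.
    worst_extra = max(j - l for j, l in zip(jittered, leaked))
    return {"bits": len(bits), "clean_errors": clean_errors,
            "jitter_errors": jitter_errors, "worst_extra_ms": worst_extra}


if __name__ == "__main__":
    print(demo())
```

    Without the defence the receiver recovers every bit; with uniform jitter spanning the whole window, each bit decodes correctly only about half the time, which is no better than guessing. Two caveats: the jitter has to be at least as wide as the attacker's window (a smaller spread only partly scrambles the residue, and the attacker can widen w at the cost of a slower channel), and a real implementation should draw the delay from the OS CSPRNG rather than `random`, since the defence depends on the attacker not predicting it.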
  9. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,207
    I got an alert from SnoopFree about a keyboard hook when starting my Yahoo Messenger. Any idea if this is normal for Yahoo, or was my system compromised?
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Yahoo Messenger may use hooks for keyboard shortcuts, for its typing indicator, or for chat/IM logging.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Good luck aigle! Get a 10 (or A) :D
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Interesting aigle,

    And good luck for exams ;) .

    Congratulations to Mike, as the OA 2 proto is one (will be ;) ) of the very few apps able to detect Muk ! :D

    nicM
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @pykko
    @nicM

    Thanks.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I mean exactly this.
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Does it mean that you use ring3 function hooks to determine such behaviour?
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've just tested NOD32 against the following keyloggers:

    Ghost Keylogger
    Elite Keylogger
    Paq Keylogger
    Home Keylogger
    Ardamax Keylogger
    Family Keylogger
    Gold Keylogger

    Its detection rates were not as good as I expected. :(

    Here's the scanning log. It detected only 9 infected files.
     

  18. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Avira, scanning the same files, found 26 infected files.
     

  19. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Now, the final screenshot with the scanning results after scanning the installers. Better detection rates: 17 files detected.
     

  20. ASpace

    ASpace Guest

    Good job , pykko ! :thumb:

    :D
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nice job. However, I don't know how we can compare the results of the two (NOD and Antivir)?
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, anyway, NOD32 sometimes doesn't detect some DLLs and other files belonging to a malware type but only the .exe; but I think they still miss some of these threats. :cautious:
     
  23. ASpace

    ASpace Guest

    samples@eset.com :D :D :D
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You think he doesn't know this?
    These samples are there on the net, and can be googled very easily. They must have been on the net for quite some time. If you need to send such samples to an AV, then you must re-think.
     
  25. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I'm using this e-mail so often that I forgot it. :D :D
     