Script-based keyloggers

Discussion in 'other anti-malware software' started by Melf, Apr 9, 2012.

Thread Status:
Not open for further replies.
  1. Melf

    Melf Registered Member

    Sep 7, 2010
    Spyshelter fails vs keylogger script

    I'm trialing SpyShelter on x64. I've always been curious as to how an anti keylogger would do against a script-based keylogger running in a document viewer (e.g. MS Office, Media player, Picture viewer, PDF reader etc).

    From here I found a simple POC of a keylogger macro in MS Excel (screenshot attached, bottom).

    SpyShelter was set on 'Ask User', so that nothing is auto-allowed.

    Result: Fail. Keys logged from browser including login/password fields, keys logged in MS Word and notepad as well (screenshot attached, top - ignore the poor parsing of text, this is just a POC).

    I did not receive a single pop-up in these tests. Oh, except for the three pop-ups I got when I opened MS Word before even opening Excel (i.e. false positives before the test even started :S).

    I tried to see if running Excel as Low Integrity would beat this. Excel wouldn't start.

    I was running Office 2003 (old I know). It is set to disallow unsigned macros by default, I had to change the security level to run this. *However*
    a) at work I and many others routinely receive MS Office files with macros enabled that actually do something that is needed
    b) this is just meant to act as a representative. Most programs capable of running some scripting language don't have provision for the script to be signed.

    1. Open Excel
    2. Press Alt-F11
    3. Insert -> Module
    4. Copy-paste the code from the link
    5. Save
    6. Press Alt-F11
    7. Press Alt-F8 to run the macro
    8. Go type some test text in your browser and put on a sad face

    Edit: Changed title to be more sensationalist so I can get some discussion going here :)

    Attached Files:

    Last edited: Apr 11, 2012
Thread Status:
Not open for further replies.