Update: SpyShelter 3.0

Discussion in 'other anti-malware software' started by guest, Mar 4, 2010.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    peter what about combining sandboxie/defensewall with it? thanks
     
  2. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    There is no PG SDK or API. There are APIs, introduced with the Windows x64 kernel and defined in the appropriate WDK. But the set of them is so limited that it is impossible to implement really strong protection under x32 without tricks; totally bypassing PG with no chance for it to determine it's tricked, or using application-level hooks, can't be considered strong protection at all.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Ilya, is defensewall compatible with this new program? do you know? thanks
     
  4. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I don't know, didn't test it.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Waste of $40 in my opinion.
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Peter2150

    Hi, my reply was actually to firzen771 but i'm happy to answer.

    Not scare mongering at all?

    firzen771 specifically asked me
    The links/info i posted do just that.

    firzen771 never mentioned anything about sandboxie or HIPS?

    What's not yet detected in the wild?
     
  7. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    'Plenty of warning' differs a bit between HIPS. OA gives you the ultimate warning set - execution, malicious activity (e.g. clipboard logging) and outbound connection. MD gives you execution and outbound connection, but misses out the biggest warning sign of the malicious activity, in the case of clipboard logging. I'd like to think that even if I did accidentally execute some malware, I'd catch the outbound connection, but I'd still like to have that failsafe warning as to the precise malicious activity.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Scoobs

    To do any of that stuff, surely the keylogger is going to need to install a driver or service. Both OA and MD will detect that.

    CloneRanger

    You asked "What's not detected in the wild". Read the links you posted. That's what I based my comment on.
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    You'd think, but I tested a clipboard logger the other night and MD didn't make a peep about driver installation. The only warning I got was "Create new process".
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Peter2150

    From links i gave, and others below, they say it is BOTH, in the wild and also detected in the wild. So i don't understand how you reached the conclusions you did?

    Trojan.Peskyspy Description

    Trojan.Peskyspy is a trojan that has the ability to listen in on data traveling between VoIP communications via Skype. Trojan.Peskyspy has been identified as the first trojan that is able to tap into or record conversations via popular VoIP applications. Trojan.Peskyspy does not have the ability to spread to other systems from one infected system but still poses a viable threat to any system running Skype, which is the application that Trojan.Peskyspy has targeted.

    Alias: Trojan-Spy.Win32.Skyper.e, Skytap, Trojan.Peskyspy, Troj/Skytap-Gen, Trojan-Spy.Win32.Skyper, Win-Trojan/Skytap.7680, TROJ_SPAYKE.C

    Trojan.Peskyspy Manual Removal Instructions

    To remove Trojan.Peskyspy, you must first stop any Trojan.Peskyspy processes that are running in your computer's memory. To stop all Trojan.Peskyspy processes, press CTRL+ALT+DELETE to open the Windows Task Manager. Click on the "Processes" tab, search for Trojan.Peskyspy, then right-click it and select "End Process".

    To delete Trojan.Peskyspy registry keys, open the Windows Registry Editor by clicking on the Windows "Start" button and selecting "Run." Type "regedit" into the box and click "OK." Once the Registry Editor is open, search for the registry key "HKEY_LOCAL_MACHINE\Software\Trojan.Peskyspy." Right-click this registry key and select "Delete."

    Finally, to completely get rid of Trojan.Peskyspy, you must manually remove other Trojan.Peskyspy files. These Trojan.Peskyspy files can be in the form of EXE, DLL, LSP, TOOLBAR, BROWSER HIJACK, and/or BROWSER PLUGIN. For example, Trojan.Peskyspy might create a file like
    %PROGRAM_FILES%\Trojan.Peskyspy\Trojan.Peskyspy.exe. Locate and remove these files.

    http://www.spywareremove.com/removeTrojanPeskyspy.html


    Skype Wiretapping Trojan Publicly Released

    The Swiss creator of a Skype Trojan that can intercept calls made using the VoIP program has released the Trojan's source code online in an attempt to allow for its widespread detection.

    http://www.networkworld.com/news/2009/082809-skype-wiretapping-trojan-publicly.html


    Skype spy Trojan escapes into wild

    Now Symantec and Trend Micro have reported that a Windows Trojan with remarkably similar characteristics has turned up in their detection systems, Trojan.PeskySpy in Symantec nomenclature, and Troj_Spayke.C to Trend. Neither company states openly that the Trojan detected is related to Unteregger's open source creation, but there are enough clues to forge a strong connection.

    Symantec describes how the Trojan intercepts API calls to Skype, capturing and storing audio conversations as MP3 files with caller, date, day and time stamps to identify them, and SkypeOut and SkypeIn call designations. The Trojan then attempts to upload the recordings to pre-defined locations after detecting and attempting to bypass named firewall filters.

    http://news.techworld.com/security/3200665/skype-spy-trojan-escapes-into-wild


    Federal Trojan: Source for Skype Trojan released (update)

    Update: An update to the source of the Skype Trojan was recently released. Also, the source code of the rootkit is still available on the programmer's blog. As previously announced, Ruben Unteregger has now published the source code for his Skype Trojan. The Federal Trojan variant, created in 2006 on behalf of the company ERA IT Solutions, can, after a successful infection of the system, record all conversations conducted via Skype.

    http://translate.google.co.uk/trans...com/news/bundestrojaner-source-f-r-2009-10-16


    Skype trojan

    http://www.megapanzer.com/?s=skype

    I uploaded some screenshots of the VoIP-Recorder web GUI. For the end user it looks about like this when using the GUI for processing the intercepted Skype calls.

    http://www.megapanzer.com/2010/01/06/some-screenshots-of-the-voip-recorder-adminuser-gui
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    1- MD's alerts say more than that. Please provide a screenshot of MD's full pop-up alert. Not a quote -- a screenshot, please.

    2- What is the name of the "driver" file?

    3- Where exactly was the "driver" file installed (Was the file installed at kernel mode {ring 0} or user mode {Ring 3} or WHERE)?

    4- Once the clipboard logger was installed, did it try to connect out?
    4a- If "yes" then MD will definitely ask you to allow or deny. If you allow, shame on you, NOT on MD.
    4b- If "no" then the clipboard logger is a castrated bull. A useless POC, nothing more.
     
    Last edited: Mar 10, 2010
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Really simple to try it yourself - it's just the Zemana clipboard logger test. To double check, I tested it out on a clean VM as well. Same result - warning on create process but that is all. Of course it's just a POC, but that's not the point. The point is how well your HIPS alerts you to the suspicious activity, and in MD's case (at least on my setup) it misses the most important suspicious activity.
     
  13. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Hmm, I got 5 alerts just trying to launch the test: 1 create new process, 3 access memory of another process and 1 modify thread of another process. Of course after allowing all 5, the test was ready to do whatever it wanted without a popup from MD. I guess I don't understand, but it appears to me that I got what I asked for by clicking permit to those 5 alerts. Are you saying that MD should alert when one copies text that appears in the test dialog?
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay CloneRanger you may be right about it being in the wild.

    BUT, I still don't think it's worth $40 to add it to a Sandboxie, DW, OA, MD type setup. That I stand by.

    Let's face it. A keylogger can only do something if it's allowed to be installed and run. If that is blocked, it's neutered.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You have used the word "driver" very loosely. Intentional or not, your post #34 is highly misleading. The only file used by Zemana's POC is "keyboard.exe". That is NOT a driver file. MD definitely alerts on drivers to ring 0 -- the proper job of a HIPS.

    All you have done, ad nauseam, is to reiterate what has already been extensively discussed in THIS thread, especially in posts 25, 26, 28, 29, 30, 34.

    The fact that you have reiterated previous tests, and misused terminology in calling a simple exe file a "driver" (good grief!) makes me wonder what your point is.

    Now I shall join in the reiterating circus by again saying -- using a firewall (or HIPS or behavior blocker or Network Monitor) to restrict outbound connections totally defuses keyloggers, thereby negating the need for the system drag engendered by running an anti-keylogger in real-time. The defusing can be accomplished by most any firewall, or MD, or OA, or DW, or SBIE, et alia.

    Further, applications such as KeyScrambler, Private Keyboard, Neo SafeKeys, etc, enable obfuscation &/or encryption of keyboard entries such that a keylogger is again defused totally -- without the need for the dollar and system costs attendant to using a real-time anti-keylogger.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Peter2150

    Hi, nice of you to acknowledge the fact :)

    Not everybody out there does or will have a Sandboxie, DW, OA, MD etc type setup, so something like SpyShelter certainly wouldn't be a bad thing for them, or whoever decides to use it.

    I agree though, $40 seems more than some would want to pay.

    Always agree about running. No run it's Done :D
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks peter i will stick with your advice of keeping my 40 bucks;) :D anyway defensewall covers a lot of anti-logging features and more:D :cool:
     
  18. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Whoaaaa.. hold your horses there:) I made no judgement about whether a driver was installed (and bypassed MD) or not... although I can see your point about how my post could be read in that manner. The fact that it is just an exe and doesn't install a driver is not the point here. The point is that your HIPS doesn't always give you plenty of warning, and with MD and this particular POC, if you don't catch it on execution then you're reliant on catching the outbound connection (of course this POC doesn't have that). So my original point re: Peter2150's "you get plenty of warning" with a HIPS - maybe, but not always; it depends on the HIPS.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Since you quoted me, two things.

    1. My HIPS, OA and MD, have learned my system. If I install something new, it should settle down quickly and then I don't see any warning about anything running. So the minute I see a warning from either of them, I am suspicious, and look.

    2. Since the only entry would either be browser based, or email, and both go thru sandboxie, I don't worry about it.

    I'll stand by my statement. I just don't see any need for a stand-alone anti-keylogger, especially one that costs money. If a user is savvy enough to be aware of this program, then he probably should also know about sandboxie, which is a terrific buy compared to this.

    The economics of this software just don't make sense to me except in the case of the vendor.

    Pete
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    good advice peter:thumb:
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Tried SpyShelter for only a little while yesterday and it's an anti-logger alright; played well with my other apps.
    Not needed with my setup though, imo.
    Those with some sort of HIPS should be covered as well.
    Would probably be a nice addition to a setup such as FW, AV, with no HIPS, but not for forty bucks; a little pricey for what it is.
    The GUI sort of looks like Executable Lockdown's while the alerts sort of remind me of SnoopFree.
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    It is a very MAJOR point. A HIPS that fails to alert on a driver isn't worth 2 cents. MD definitely does alert on drivers. Saying otherwise is a horrible slam against an excellent HIPS.

    You're still repeating factors that have been rather thoroughly discussed in the thread over YONDER.

    I have messaged Xiaolin about this issue. If you want to help rather than replow old ground, I request that you & others do the same (address is: support at torchsoft dot com).

    Scoobs -- I do respect your views, and hope we can stay on good terms with one another -- agreeing to disagree on this point, of course. Shalom & aloha. :)
     
  23. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    Zemana's clipboard logger just uses the user mode API SetWindowsHookExA to grab everything you cut/copy. I guess its keylogger would use the same API too, though I couldn't be bothered looking. :cool:*puppy*
     
  24. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Yes, I probably am. I will hold my hands up on this one in that my comments are somewhat misdirected and bow out at this point. Everybody's still friends :)
     
  25. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    704
    Location:
    EU