Urgent: "Boss Everywhere" Keylogger

Discussion in 'privacy problems' started by Analyst502, Jan 13, 2005.

Thread Status:
Not open for further replies.
  1. Analyst502 (Registered Member)

    Thanks again for keeping this site up - great resource. Hoping to get some feedback on this: Updated Spyware Dr 1/13/05 and it detected "Boss Everywhere" keylogger. A bit surprised that TDS-3 didn't find it but Spyware Dr did. I'm a consultant using a co.-provided laptop & have full admin status. I don't play on this laptop, but spend a lot of time doing research on the web. Seems I've been in a security war ever since I got broadband. Anyone have any info on the common origins of this keylogger? Any feedback is greatly appreciated - thanks
  2. ronjor (Global Moderator)

  3. Bubba (Updates Team)

    Analyst502,

    To eliminate the possibility that Spyware Dr. is reporting a false positive... what kind of info does it display after the scan... a registry key location, hard drive location, etc.?
  4. Analyst502 (Registered Member)

    Excellent - thanks ronjor..
  5. Analyst502 (Registered Member)

    Here's what Spyware Dr displayed:

    Infection Name: Boss Everyware

    Location: HKCR\.dbf

    Risk: Medium

    Thx for the response
  6. controler (Registered Member)

  7. Analyst502 (Registered Member)

    Thanks Bruce - appreciate the info
  8. controler (Registered Member)

    Yes, about a year ago I made a big fuss about security apps not detecting
    commercial keyloggers. I won't name names. I collected a lot of them and
    tried the detection rate with different security apps.
    OK, one company I will name is Kaspersky. I wrote them over and over and submitted the files. Their answer was to use the extended and the other one which I can't remember at this time to find what they called RISKWARE.
    Funny thing is none of their defs found most of the keyloggers.
    That is when Spy1 started checking out the keylogger world.
    Since then I have not tried testing keyloggers again. I don't know if things have changed now or not. At that time we didn't have ProcessGuard.
    I do know that Anti-Keylogger did find most of them.
    Maybe I will check some things out again now that I own PG, BoClean and TDS-3.
    I won't try KAV again because I just don't like the ADStreams thing they are doing.

    Bruce
  9. controler (Registered Member)

    I must also mention that a few well-known firewalls did not catch the log file being sent out via your trusted e-mail app. At that time the only program that gave a clue was Norton AV. The little splash screen would kick on letting me know something was going out on e-mail even though I didn't have my e-mail client open. I am sure nowadays PG would catch it, but I don't know if it would if Outlook were given permission to access by "always allowed".

    I may check into it. I will be gone for two weeks now for work so I doubt I will get at it for a while.
    I think one of the finest keyloggers is Ghost Keylogger. So if someone wants to mess around, I suggest downloading the trial of that and posting back the results here.

    Bruce
  10. controler (Registered Member)

    Maybe I shall try this one since I have the full version of Anti-Keylogger
    and all the other goodies. It is the newest keylogger made by the same company that makes Anti-Keylogger, Raytown...

    It is untested at this point but here is the news article link.

    http://www.keylogger.org/press_releases.cgi?id=5

    Spy1? I suggest you also try this kernel mode keylogger out.
    They claim even experienced users can't shut it down.

    Bruce
  11. Dan Perez (Retired Moderator)

    I thought this Acme product claim rather interesting. I downloaded the demo and, after allowing it to bypass Tiny 6 and PG when they warned me and after making sure that TDS would identify it, I saw that it was indeed hidden from Task Manager :rolleyes: but that in TaskInfo2003 6.0.0.122beta it shows the hidden process (highlighted in the left pane), identifies the associated driver (highlighted in the lower right pane) as well as lets you see the driver (in the upper right pane). I was not able to see it in the 5.0.1.104 version of TaskInfo2003 nor in Process Explorer 8.52. Also, the 6.x version of TaskInfo was able to terminate the process. :)

    (note- no comments are welcome regarding RAM and VM utilization, it is rather a sore topic for me :D )

  12. Dan Perez (Retired Moderator)

    ...one addition to make: there are actually at least two other drivers associated with the keylogger (also referenced in the Handles section for the process) and they appear to be dedicated to each of the following: registry events, keyboard events, file events.

    Also, TaskInfo shows the executable is launched from c:\winnt\system32 although it is not visually present there (I have Explorer set to hide nothing). If I open up OllyDebug I cannot attach to the process since it does not see it, but if I manually type the path (as opposed to browsing for it) it can open it up for debugging (though most of the debugging features of OllyDebug are beyond me, still it looks cool! :D )
  13. controler (Registered Member)

    Great work Dan :D

    I have tried the older version of TaskInfo. It seems funny that PE doesn't detect it. If I remember correctly, Tiny works at the kernel level so I am guessing this new TaskInfo does also. I know how powerful Tiny is, I just wish it was not so complicated for the normal user to figure out.
    I do remember however some conflicts using BitGuard and PG at the same time.

    I am heading out of town for two weeks for work so I won't get a chance to mess with this much.

    It would be a good idea for someone to submit the files located on this page.
    I doubt many of the AVAT companies have them yet and if they do they may not add them anyway :mad:
    These are all untested keyloggers. The IOPUS one looks interesting.
    "To avoid tampering of the software, it features a unique file protection that makes the ActMon files truly invisible to every user and every windows software."
    Lots of times if you do test their keyloggers, they will give you a free lifetime full version.

    http://keylogger.org/reviews.cgi?null=1

    Thanks

    Bruce
  14. controler (Registered Member)

  15. freakzone (Guest)

    Does anyone know how to start the on-screen keyboard in Windows XP? I can't seem to find how to start it. Right now I use X-Cleaner free to start it (in X-Cleaner free, go to the Expert tab, and down the bottom launch on-screen keyboard). But I would just like to know how to do it from within XP itself.

    It seems like this would be a good way to defeat many different keyloggers. I know some keyloggers capture screen shots, but from what I understand they don't capture screen shots continuously, just every now and then, so it seems like the on-screen keyboard would be good to beat even the screen capture features in some keyloggers. Thx.
  16. freakzone (Guest)

    Never mind, I found it: Start > All Programs > Accessories > Accessibility > On-Screen Keyboard. Sorry, I'm still somewhat new to XP, been using 9x/ME for much longer.
  17. Analyst502 (Registered Member)

    Bruce / All - thanks for all the great feedback - just coming up for air for the first time this week. Long hours had me hooked to my VPN via broadband 22hrs/day. Now Spyware Dr. won't make it through a scan w/o freezing up on a file called ILookup/Vroom. Also killed I-Explorer - looked like a tcf but couldn't access properties. Geeeze! This is like a freakin' war... what's bizarre is that I still remember the days when I was totally oblivious....

    Sorry to ramble - thanks again all - I'll check out your suggestions and update you on results
  18. controler (Registered Member)

  19. spy1 (Registered Member)

    Bruce - In Firefox, all I got was a blank white page when I clicked on that link (although it did say something about a 2x2 pixel - web bug?).

    When I went there in IE, I got a warning from SBS&D (see screenshot - and, yes, I blocked it).

    I queried SpyCop tech support about the ACME stuff, and this was their reply:

    "Hello,
    Our tech team just downloaded, installed and tested both versions of the ACME
    program and they were detected without a hitch. Even low level driver mode spy
    programs running below the kernel can't escape SpyCop because SpyCop is a brute
    force file scanner and, unlike most "fast scanning" competitors, does not rely
    on keyboard hook detection. SpyCop has its own low-level scanning engine as of
    v6.2.

    Answers to common questions - http://www.spycop.com/faq.htm
    SpyCop User's Manual - http://www.spycop.com/scmanual.htm
    Adware vs. monitoring - http://www.spycop.com/spyware-safety.htm
    Download the latest software version - http://www.spycop.com/download.htm

    Regards,

    SpyCop Support"

    I'd d/l this stuff and play with it myself, but I simply don't have the time to go through all that to set them up correctly to where they're supposed to be in their most "invisible/un-detectable" state (I'll find an example of that in a minute and re-post). Pete

  20. spy1 (Registered Member)

    In the meantime, however, I went ahead and d/l'ed the SpyHunter "free" scanning tool (which seems at the moment to be running resident in my SYSTRAY - sigh):

  21. spy1 (Registered Member)

    I "Allowed" that and ran the scan (before I noticed that the DB date was 06/14/2004!):

  22. spy1 (Registered Member)

    Even using the "Update" button only brought the DB date up to 09-02-2004! WTF is up with that? Is the free version that far behind the pay version? Because, if it is, that's pretty useless.

    Anyway, look at the instructions for setting up SpyTech's SpyAgent program: http://www.spytech-web.com/spyagent/stealthguide/ - you've got to go in and change program locations from the default, re-name exe's, etc. etc. - I'm sure all your dedicated government agents/jealous housewives/husbands/detective agencies/employers IT dept.'s may know (and have time to do) this stuff correctly and effectively, but, truthfully, that's pushing all MY abilities to the max - I can't spend all that time and run the risk of screwing something up here totally just to check detection.

    Doesn't matter if the program is "new" or not - I've started with a "clean" machine and ProcessGuard's going to keep it that way (along with full scans by SpyCop). Pete

  23. Butters (Registered Member)

    It has been my experience that a number of anti-keylogging software products don't detect commercially available keyloggers for one reason -- they see them as legitimate and not pests. Boss Everywhere is a commercially available product designed, ostensibly, to monitor employees. http://www.rocketdownload.com/details/Misc/6357.htm

    I once got into a long debate via email with the developer of one anti-keylog program on the subject (can't remember which one). He said his software never detects such commercial software as it is not a pest. Unfortunately, such software can be used illegally, installed remotely, etc. You need to rely on more than one scanner.

    Personally I think it is irresponsible to market software as "anti-" anything and then to make a subjective assessment regarding which of said products represents a threat. Let the user decide what the intent is.
  24. controler (Registered Member)

    Anti-Keylogger does not use sigs and therefore does not care if it is
    commercial or rogue. It looks at what the program is hooking, etc.
    I feel keyloggers are more important than most make them out to be because
    they are way more dangerous to a person's life than a virus. A virus is made mostly for destruction. A keylogger wants your credit card and password info.
    That is far more beneficial than destroying a PC.
    The other main threat is trojans for SPAM.

    Bruce
  25. spy1 (Registered Member)

    I can assure you that SpyCop does not share that view.

    SBS&D, most A/V's and most A/T's all include some keylogger detection capabilities - yes, I'd quite agree that you need a dedicated anti-keylogging program if you're concerned about ever being keylogged at all .

    I agree.

    So does SpyCop. Pete