New keylogger tests from Zemana

Discussion in 'other anti-malware software' started by aigle, Aug 21, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I understand and apologize for my remark. I can't answer your question, but hopefully someone can.
     
  2. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Yeah, I was hoping there is a free program that encrypts everything typed using the keyboard.
     
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I just tested it and it did not block any of them - it failed every test.
     
  4. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    So much for that :p :thumbd:
     
  5. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Try it for yourself - It does not stop anything - unless I did something wrong?
     
  6. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Ok, so let me understand this. You use Ubuntu VM for netbanking and you fear that a keylogger might infect Ubuntu ... o_O
    In that case, you can use some virtual keyboard in FF for Linux. Like:
    http://imtranslator.net/keyboard.asp


    PS: If you are running a Guest OS, then a keylogger hooked in the Parent OS cannot read keystrokes typed in the Guest OS. The keylogger will have to make a hook in the Guest OS also, to work ;)
     
  7. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Are you by any chance using Vista? :doubt:
     
  8. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Nope, XP
     
  9. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    Ubuntu cannot be infected with any keylogger. However, because I run Vista as host, whatever is entered into the keyboard, whether I am in Vista or Ubuntu, will be picked up.

    And are you indicating that if Vista was infected with a keylogger, that it's impossible to pick up keys typed into Ubuntu?

    P.S. That link doesn't support Ubuntu Linux. The website says: Windows 95/98/ME/NT/2000/XP, MS IE 5.x or higher, Firefox 1.5 or higher. Macintosh: Firefox 1.5 or higher.
     
    Last edited: Sep 12, 2008
  10. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Yes, it is, since a keylogger in Vista will hook onto the Windows kernel, not the Linux kernel. Just because you run Linux in a VM, it doesn't mean it will send your keystrokes over to Windows. Both are separate (in a virtual way).
    For example, a GetKeyState on Vista will work only if Windows receives info about the key state. But it never will; it's received only by Ubuntu and processed accordingly.
    Just try any keylogger test app. It will fail to read the keystrokes from the virtual OS.
    Well, the site says:
    Plus it's a JavaScript-based keyboard, so it will work on any browser (regardless of OS) which can support JS. Like Firefox, Konqueror, K-Meleon, etc.
     
  11. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Thanks. I had trialed PrevX earlier on Vista. Their Vista offering is still in beta and has some issues with UAC.
    That's why I asked, thanks ;)
     
  12. truthseeker

    truthseeker Former Poster

    Joined:
    Jan 26, 2008
    Posts:
    977
    The security professionals on freenode disagree with you.

    So I have no idea who to believe :p
     
  13. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Believe in yourself ;)
    Just test it out, with some keylogger tests like ATK, Zemana. Also try some commercial keyloggers like Refog.
    Then conclude.

    Hypothetically every piece of software can be compromised. But I don't see it happen every day. Only setups which will yield any gain will be exploited. That's why there are literally no viruses for OSX, even when it has plenty of holes. So unless you have a few millions in that bank account of yours, realistically I don't see any malware/attack hook onto your Ubuntu VM anytime soon.
     
  14. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    How do you get Prevx to pick up all the tests? I would like to experiment with this app - can anyone help?
     
  15. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Well, I just tried it out and surprisingly the Zemana keylogger is unable to record anything entered into the virtual machine. All the AKLT keylogging tests fail as well. Very interesting.
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    [partial offtopic]
    Would it be correct to assume that host and guest instances on a virtual machine are pretty much separate computers?

    Can an infected host infect a guest instance?
    (I assume 99.99% of all malware that infects a guest can't infect the host, otherwise malware testers would not use VMs for testing)
    [/partial offtopic]

    Do they usually bundle keyloggers with other infector types?

    Are there any malwares that can infect VM file types? ( The stored vm session .vxd )
     
    Last edited: Sep 13, 2008
  17. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Keystrokes/processing done by the Guest OS are not passed on to the Parent OS by the VM. They terminate inside the VM itself. That's why any Windows logger will not be able to read from the VM OS.

    But hypothetically such attacks can happen, since for the parent OS, the VM is a running process. The only way for that would be for the malware/attacker to hook onto the VM and thereby intercept/read calls done to hardware. But IMO, such attacks are unlikely as such scenarios are nonviable for malware writers.

    As of today, no such VM hooking programs exist. And existing malware can't go out of or go into a VM environment.
     
  18. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    They all use GetKeyState or similar Windows calls to get the keystrokes.
    But when using a VM, only the VM environment will receive user input and the VM will directly communicate with hardware. So no intercept.

    You can only intercept, if you manage to drill into the VM. Good luck with that :thumb:
     
  19. BrendanK.

    BrendanK. Guest

    NIS 2009:
    Key Logger Simulation Test - - - - - FAIL
    Screen-Logger Simulation Test - - - FAIL
    Webcam Logger Simulation Test - - DID NOT TEST
    Clipboard Logger Simulation Test - - FAIL
    SSL Logger Simulation Test - - - - - POC not Available so far

    Mamutu:
    Key Logger Simulation Test - - - - - PASS?
    Screen-Logger Simulation Test - - - PASS?
    Webcam Logger Simulation Test - - DID NOT TEST
    Clipboard Logger Simulation Test - - PASS?
    SSL Logger Simulation Test - - - - - POC not Available so far
    ? = Gave a paranoid warning
     
  20. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    Wow, I expected NIS 2009 (now with Norton Anti-bot integrated) to at least pass the keylogger test o_O
    Guess Symantec has toned down NAB in NIS 2009 to avoid popups or hysteria!!
     
  21. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Are there sandboxie settings that will allow the keylogger test to run in a sandbox but not allow it to see key strokes typed outside the sandbox?
     
  22. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    You can set up Sandboxie so that new keyloggers can't live.
     
  23. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I've done that already for my browsing sandbox.

    I do have a test sandbox that allows anything to run; however, hooks, drivers etc. are blocked. What worries me is that when the keylogger runs in the test sandbox it is able to read keystrokes globally. Is there a way to stop this?
     
  24. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Since Sandboxie doesn't allow drivers, that eliminates some keyloggers. Otherwise, yes, keyloggers will function in the sandbox (until you empty it). I hope Sandboxie looks into anti keylogging in the near future.
     
  25. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Well my test sandbox has the following configurations:

    Enabled=y
    ConfigLevel=4
    AutoRecoverIgnore=.part
    AutoRecoverIgnore=.jc!
    BlockWinHooks=y
    BlockDrivers=y
    BlockFakeInput=y
    LingerProcess=trustedinstaller.exe
    LingerProcess=acrord32.exe
    LingerProcess=jusched.exe
    LingerProcess=syncor.exe
    LingerProcess=devldr32.exe
    LingerProcess=wuauclt.exe
    DeleteCommand="C:\Windows\System32\sdelete.exe" -p 3 -s "%SANDBOX%"

    If the key logger test is run in the sandbox, it has global reach. That's kind of worrying!
     