Urgent: "Boss Everywhere" Keylogger

Thanks again for keeping this site up - great resource. Hoping to get some feedback on this: Updated Spyware Dr 1/13/05 and it detected "Boss Everywhere" keylogger. A bit surprised that TDS-3 didn't find it but Spyware Dr did. I'm a consultant using a co.-provided laptop & have full admin status. I don't play on this laptop, but spend allot of time doing research on the web. Seems I've been in a security war ever since I got broadband. Anyone have any info on the common origins of this keylogger? Any feedback is greatly appreciated - thanks

 

Analyst502,

To eliminate the possibility that Spyware Dr. is not reporting a False Positive....what kind of info does it display after the scan....a registry key location, hard drive location....etc ?

 

Excellent - thanks ronjor..

 

here's what S Dr displayed:

Infection Name: Boss Everyware

Location: HKCR\.dbf

Risk: Medium

Thx for the response

 

Here is some good reading in case you have not seen it before.

http://www.anti-keyloggers.com/monitoring_products.html

Bruce

 

Thanks Brue - appreciate the info

 

Yes about a year ago I made a big fuss about security apps not detecting
commercial keyloggers. I won't name names. I collected alot of them and
tried the detection rate with different seurity apps.
Ok one company I will name is Kaspersky. I wort them over and over and subitted the files. Their answer was to use the extended and the other one which I can't remember at this time to find what they called RISKWARE.
funny thing is none of their defs found most of the keylogges.
That is when Spy1 started checking out the keylogger world.
Since then I have not tried testing keyloggers again. I dodn't know if things have changed now or not. At that time we didn't have processGuard.
I do know that Anti-Keylogger did find most of them.
Maybe I will check some things out again now that I own PG, BoClean and TDS-3
I won't try KAV again because I just don't like the ADStreams thing they are doing.

Bruce

 

I must also mention that a few well know firewalls did not catch the log file being sent out via your trusted e-mail app. At that time the only program that gave a clue was Norton AV. The little splash screen would kick on letting me know something was going out on e-mail even though I didn't have my e-mail client open. I am sure now days PG would catch it but I don't know it would if outlook were givin permision to access by always allowed.

I may check into it. I will be gone for two weeks now for work so I dought I will get at it for a while.
I think one of the finist keyloggers is Ghost Keylogger. So if someone wants to mess around, I suggest downloaded the trial of that and post back the results here.



Bruce

 

Maybe I shall try this one since I have the full version of anti-keylogger
and all the other goodies. It is the newest keylogger made by the same company that makes anti-keylogger, Raytown...

It is untested at this poing but here is the news article link.

http://www.keylogger.org/press_releases.cgi?id=5

SPy1? I suggest you also try this kernel mode keylogger out.
They claim even experienced users can't shut it down.


Bruce

 

I thought this Acme product claim rather interesting. I downloaded the demo and after allowing it to bypass Tiny 6 and PG when they warned me and after making sure that TDS would identify it I saw that it was indeed hidden from Task Manager but that in TaskInfo2003 6.0.0.122beta it shows the hidden process (highlighted in the left pane), identifies the associated driver (highlighted in the lower right pane) as well as lets you see the driver (in the upper right pane). I was not able to see it in the 5.0.1.104 version of TaskInfo2003 nor in Process Explorer 8.52. Also, the 6.x ver of TaskInfo was able to terminate the process.

(note- no comments are welcome regarding RAM and VM utilization, it is rather a sore topic for me )

 

...one addition to make, there are actually at least two other drivers associated with the keylogger (also referenced in the Handles section for the process) and they appear to be dedicated to each of the following; registry events, keyboard events, file events.

Also, TaskInfo shows the executeable is launched from c:\winnt\system32 although it is not visually present there (I have Explorer set to hide nothing) but if I open up OllyDebug I cannot attach to the process since it does not see it but if I manually type the path (as opposed to browsing for it) it can open it up for debugging (though most of the debugging features of OllyDebug are beyond me, still it looks cool! )

 

Great work Dan

I have tried the older version of TaskInfo. It seems funny that PE doesn't detect it. If I remember correct Tiny works at the kernel level so I am guessing this new TaskInfo does also. I know how powerful Tiny is, I just wish it was not so complicated for the normal user to figure out.
I do remember however some conflits using BitGuard and PG at the same time.

I am heading out of town for two week for work so I won't get a chance to mess with this much.

It would be a good idea for someone to submit the files located on this page.
I dought many of the AVAT companies have them yet and if they do they may not add them anyways
These are all untested Keyloggers. The IOPUS one looks interesting.
" To avoid tampering of the software, it features a unique file protection that makes the ActMon files truly invisible to every user and every windows software."
Lots of times if you do test their Keyloggers, they will give you a free lifetime
full version.

http://keylogger.org/reviews.cgi?null=1

Thanks

Bruce

 

Hey Dan

I see there is newer TaskInfo Beta posted here

http://www.softpedia.com/get/System/System-Info/TaskInfo.shtml


Bruce

 

Does anyone know how to start the xp on screen keyboard in Windows xp? I can't seem to find how to start it. Right now I use X-Cleaner free to start it (in X-cleaner free, goto expert tab, and down the bottom launch on screen keyboard). But I would just like to know how to do it from within xp itself.

It seems like this would be a good way to defeat many different keyloggers. I know some keyloggers capture screen shots, but from what I understand they don't capture screen shots continuously, just every now and then, so it seems like the on screen keyboard would be good to beat even the screen capture features in some keyloggers. Thx.

 

Nevermind, I found it. start > all programs > accessories > accessibility > on-screen keyboard. Sorry, i'm still somewhat new to xp, been using 9x/me for much longer.

 

Bruce / All - thanks for all the great feedback - just coming up for air for the first time this week. Long hours had me hooked to my VPN via broadband 22hrs/day. Now Spyware Dr. won't make it through a scan w/o freezing up on a file called ILookup/Vroom. Also killed I-Explorer - looked like a tcf but couldn't access proprerties . geeeze! This is like a freakin' war...what's bizarre is that I still remeber the days when I was totally oblivious....

Sorry to ramble - thanks again all - I'll check out your suggestions and update you on results

 

Analyst


Spyhunter claims to remove it.

http://www.enigmasoftwaregroup.com/jump6.shtml


Bruce

 

Bruce - In FireFox, all I got was a blank white page when I clicked on that link (although it did say something about a 2x2 pixel - web-bug?).

When I went there in IE, I got a warning from SBS&D (see screenshot - and, yes, I blocked it).

I queried SpyCop tech support about the ACME stuff, and this was their reply:

"Hello,
Our tech team just download, installed and tested both versions of the ACME
program and they were detected without a hitch. Even low level driver mode spy
programs running below the kernel can't escape SpyCop because SpyCop is a brute
force file scanner and, unlike most "fast scanning" competitors, does not rely
on keyboard hook detection. SpyCop has its own low-level scanning engine as of
v6.2.

Answers to common questions - http://www.spycop.com/faq.htm
SpyCop User's Manual - http://www.spycop.com/scmanual.htm
Adware vs. monitoring - http://www.spycop.com/spyware-safety.htm
Download the latest software version - http://www.spycop.com/download.htm

Regards,

SpyCop Support"

I'd d/l this stuff and play with it myself, but I simply don't have the time to go through all that to set them up correctly to where they're supposed to be in their most "invisible/un-detectable" state (I'll find an example of that in a minute and re-post). Pete

 

In the meantime, however, I went ahead and d/l'ed the SpyHunter "free" scanning tool (which seems at the moment to be running resident in my SYSTRAY - sigh):

 

I "Allowed" that and ran the scan (before I noticed that the DB date was 06/14/2004 ! ) :

 

Even using the "Update" button only brought the DB date up to 09-02-2004 ! WTF is up with that? Is the free version that far behind the pay version? Because, if it is, that's pretty useless.

Anyway, look at the instructions for setting up SpyTech's SpyAgent program: http://www.spytech-web.com/spyagent/stealthguide/ - you've got to go in and change program locations from the default, re-name exe's, etc. etc. - I'm sure all your dedicated government agents/jealous housewives/husbands/detective agencies/employers IT dept.'s may know (and have time to do) this stuff correctly and effectively, but, truthfully, that's pushing all MY abilities to the max - I can't spend all that time and run the risk of screwing something up here totally just to check detection.

Doesn't matter if the program is "new" or not - I've started with a "clean" machine and ProcessGuard's going to keep it that way (along with full scans by SpyCop). Pete

 

It has been my experience that a number of anti-keylogging software products don't detect commercially available keyloggers for one reason -- they see them as legitimate and not pests. Boss Everywhere is a commercially available product designed, ostensibly, to monitor employees. http://www.rocketdownload.com/details/Misc/6357.htm

I once got into a long debate via email with the developer of one anti-keylog programs on the subject (can't remember which one). He said his software never detects such commercial software as it is not a pest. Unfortunately, such software can be used illegally, installed remotely etc. You need to rely on more than one scanner.

Personally I think it is irresponsible to market software as "anti-" anything and then to make a subjective assessment regarding which of said products represents a threat. Let the user decide what the intent is.

 

Anti-Keylogger does not use sigs and therefore does not care if it is
commercial or rouge. It looks at what the program is hooking ect.
I feel keyloggers are more important then most make them out to be because
they are way more dangerous to a persons life then a viris. A virus is made moslty for destruction. A keylogger wants your credit card and password info.
That is far more benificial then destroying a PC.
The other main threat is trojans for SPAM.

Bruce

 

I can assure you that SpyCop does not share that view.

SBS&D, most A/V's and most A/T's all include some keylogger detection capabilities - yes, I'd quite agree that you need a dedicated anti-keylogging program if you're concerned about ever being keylogged at all .

I agree.

So does SpyCop. Pete