Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for your input Nick - you make a very good case for adding icesword to one's toolkit. :)
     
  2. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    And one's feature list :D
     
  3. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Have you played with OA toploader? You have execution protection - which creates a file that you have trusted. BUT if it tries to do something interesting (hooking) you get a keylogger warning as well. If it tries to autostart, even though you have trusted it - you're warned and can block it. And, roll it back if you realised you made a terrible mistake.

    When the new kernel code comes into play, it's going to be wicked.
     
    Last edited: Oct 6, 2005
  4. floatingPast

    floatingPast Registered Member

    Joined:
    Aug 17, 2005
    Posts:
    9
    Location:
    on frog house
    It is of interest to notice that the technology behind OA is usermode (madshi), so in the case of unfortunate mistakes the OA hooking is easily removed by smart malware. This is not to make it less, as it does have a nice user interface.
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi mike i'm looking forward to playing with the kernel version - if OA does all you say then it's going to be fun. ;)
     
  6. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    It does. Feel free to play with the current version; when we do the 1.2 (and subsequent) releases, we'll be resetting eval keys so people can play more than once.
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi floating - you make an important point which i forgot to include in my previous post - namely how vulnerable is OA (or PG, Prevx, Winsonar etc) to being taken down by malware?
     
  8. goodquestion

    goodquestion Guest



    I tried a few quick tests with SpyLantern pro version 5.0.2 (not home) trial, and here's the results on Win xp.

    Prevx home detects SL on install, with option to block it.

    STM detects SL at 100%.

    UnHackme detects SL.

    Blacklight beta detects SL.

    WinPatrol detects the install of a new service (Bopytu.exe), which seems to change each time the keylogger is installed.

    SpywareDoctor detects SL through a manual scan.


    The following failed to detect SL.
    Spycop
    MSAS
    X-Cleaner free
    Ad-aware free
    Spybot
    Ewido free
    A2 free
    Pest Patrol
     
  9. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    cheers GQ - another logger that talks the talk but can't walk the walk - looks like most of the specialised defenceware have got its number - though i'm surprised that spycop failed to find it.

    i would expect the likes of prevx to detect the install but i wonder if it was installed before prevx would prevx be able to detect it?
     
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    this is the keylogger i would like to see tested - again it boasts of being the very best, the one all other keyloggers should be judged by...

    http://www.amecisco.com/whyus.htm

    "Our competitors use DLL-based technology to capture keystrokes. The technique does not work in a DOS box, nor does it work under many Java chat rooms and it won't capture NT/2000/XP network login. And this method is easy to detect and defeat with a specialized software. (For example, AOL will disable most competing keyloggers, but not our IKS.) The driver approach, however, logs every keystroke entered because it "sees" the keystrokes even before Windows does"

    http://www.amecisco.com/whyus.htm#whyiks2

    "Because IKS is a driver, it cannot be seen running from alt-ctrl-del or anywhere else. The only thing you need to install on the target computer is the IKS driver. And the only thing that driver generates is an encoded binary log file. Both the driver and the binary log file can be renamed so that an exhaustive filename hard drive search won't turn up anything. Even a registry search won't work because there are no identifying registry strings necessary to install the driver"

    http://www.amecisco.com/customcompile.htm

    The stealth features of Invisible KeyLogger Stealth for Windows 2000/XP are generally good enough to protect the program from prying eyes. After all, there is only one program file iks.sys that has to be on the monitored system and the file and its associated registry keys can be renamed.

    However, if you are worried that someone may come up with a piece of software that scans every file in the system for a particular matching binary string or "signature" in iks.sys, we can prevent that from happening by making you a Custom Compiled version.
     
    Last edited: Oct 6, 2005
  11. goodquestion

    goodquestion Guest

    Not sure it would be a fair test with that one Toploader, because it's only a demo. But I'll run a few tests anyway to see what we get.

    A truly fair test would be if the keylogger was fully in stealth mode before you go looking for it though, and demos usually can't be put into full stealth mode. That's why I don't like to test demos, because they give others a false sense of security when they see every anti-malware program detect it. But that wouldn't necessarily be the case with the full payware version.

    Oh, and Prevx home didn't detect SpyLantern after it was installed, only as it was being installed. ;)
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I downloaded this demo and will test it later against stuff I have. Interestingly I had to disable KAV2006 Beta to even download it. Kav flat refused to let me download it. Interesting.
     
  13. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    that's interesting peter sounds like KAV is doing its job which is encouraging - looks like the demo has a signature - if that's the case i would expect most detection software to pick it up.

    pest patrol says it recognises it
     
  14. StevieO

    StevieO Guest

    Hi,

    I've also found that KAV is very good at halting dodgy DL's, usually when it gets to 99%. So if i want to DL something to test etc that's in its database i have to disable it for that time.

    Also i have a Nasties/Tests folder that i have had to exclude from being scanned by KAV as it used to find and lock them etc. Good in one way, but not if you want to keep them !

    The OA dedicated Anti KL sounds like a very nice idea, and i'd like Mike + Co to seriously consider it. Should be a nice price too lol.

    It seems as if the tables might be turning at last on some of those devious stealth methods used to evade detection. Fight like with like hey !

    Good work guys.


    StevieO
     
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    watching the detectives

    it's about time we gave these naughty trojans a run for their money StevieO - there must be no hiding place - let's find all the dark corners and install some lightbulbs - once we have sorted out XP we can start all over again with Vista - just think we could choose a really boring life and get a Mac - a vote of thanks to Microsoft for providing so much gainful employment and entertainment - if Windows ever gets its act together many thousands will be out of a job. :D

    lights cameras action roll em
     
  16. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    I'll test this when I get into the office in about an hour.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Toploader and folks

    Well I gave IKS a try and I am not sure what if anything I proved.
    What was I trying to do. I figured out that the Proof of Concept code that I got from Mike Nash (Online Armor) was just doing a scan and listing what programs were logging keystrokes from any program that was running, like excel or whatever. I wanted to see if it could detect keystrokes logged by IKS and identify IKS, since it is supposed to be undetectable.

    Obviously I only downloaded the demo, and did what I'd do for a normal install. They install the driver, and a little program to read the log file. Nothing seemed to work, so I uninstalled, and turned off KAV2006 Beta, Regdefend, SnS beta, and ProcessGuard. Then I reinstalled, deleted the downloaded exe file and rebooted. KAV2006 beta comes back on automatically; all other software stays off. KAV2006 immediately starts complaining and blocking so I turned it off.

    Then to testing. First I checked and IKS could indeed read its log file. The rest was quick and pointless. I started doing stuff, entering keystrokes. I quickly determined that the code I was testing wasn't detecting anything. Hmm. Then I checked the log file of IKS, and it wasn't logging anything. Tried several times... same results. Then I turned everything but KAV back on. I allowed the log file reading program on all popups, but it would now give an error and fail when I executed it. Double Hmm.

    Test over. Used FDISR and put system back to normal.

    Don't know if the full version would be different, but I don't need a $99 keylogger.

    Pete
     
  18. goodquestion

    goodquestion Guest

    Finished testing Invisible Keylogger Stealth 2.1 demo and quite a few of the scanners find it. Also this demo cannot be installed in full stealth mode, which usually makes it easier to find. Here's the results on Win xp.

    Pest Patrol detects the IKS.

    Prevx detects IKS on install.

    MSAS detects the keylogger upon install and through a manual scan.

    Ewido free also detects IKS.

    A2 free finds IKS with a manual scan.

    Spycop detects the keylogger through a manual scan.

    Spybot finds it also.

    SpywareDoctor detects IKS through a manual scan.

    The programs that didn't detect the keylogger out of what I tested were WinPatrol and Security Task Manager; just about everything else did detect it though. STM did detect IKS when you opened the program, but gave it a 0% rating as being a form of malware.
     
  19. ------

    ------ Guest

    Detects on install is worthless. Unless it's something specific like "This is a keylogger".

    Keyloggers like rootkits don't boast of the ability to be invisible before they are installed. The real test of a keylogger is to detect them *after* they are installed.

    Keyloggers are most likely to be installed after the attacker already has some control over your system, typically physical access or some remote exploit or tricking you to run it as a trojan.
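The post above, and goodquestion's earlier note that WinPatrol only caught the SpyLantern install because a new service with a changing name (Bopytu.exe) appeared, both come down to one question: what does a driver-based keylogger leave behind that can be checked *after* it is installed? Whatever the vendor says about renaming files and avoiding "identifying registry strings", a kernel driver still has to be registered under HKLM\SYSTEM\CurrentControlSet\Services to be loaded at boot. The script below is an added example for this thread, not code from Online Armor, WinPatrol or any other product named here. It reads a regedit export (`regedit /e`) of that Services key and flags entries that were absent from a baseline export taken before the install, plus drivers whose image lives outside system32\drivers. The sample export, the baseline set and the "Bopytu" entry are constructed for the demonstration; only the export format itself is real.

```python
"""Post-install audit of Windows driver and service registrations.

Added example for this thread; not code from any product named in it. It parses
a regedit export of HKLM\\SYSTEM\\CurrentControlSet\\Services, where every
kernel-driver keylogger must register to be loaded at boot, and reports
entries that were not in a baseline export taken before the install.
"""
import re

SERVICE_KERNEL_DRIVER = 0x1       # Type bit for a kernel-mode driver
SERVICE_FILE_SYSTEM_DRIVER = 0x2  # Type bit for a file-system driver

# Constructed regedit export: two stock XP keyboard drivers plus one
# hypothetical keylogger driver registered under a generated name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kbdclass]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\DRIVERS\\kbdclass.sys"
"DisplayName"="Keyboard Class Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="system32\\DRIVERS\\i8042prt.sys"
"DisplayName"="i8042 Keyboard and PS/2 Mouse Port Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bopytu]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\Bopytu.sys"
"""

# Baseline: service names present in an export taken on the clean system
# (constructed here; on a real box, export before installing anything).
BASELINE = {"Kbdclass", "i8042prt"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')


def unescape_reg_string(s):
    """Undo regedit's escaping of backslashes and quotes in a string value."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Return {subkey_name: {value_name: value}} for every key in the export.

    Only the value kinds a Services key normally uses are decoded:
    dword:XXXXXXXX becomes an int, quoted strings are unescaped,
    anything else is kept raw.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).rsplit("\\", 1)[-1], {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = unescape_reg_string(raw[1:-1])
            else:
                current[name] = raw
    return keys


def is_driver(entry):
    return bool(entry.get("Type", 0) & (SERVICE_KERNEL_DRIVER | SERVICE_FILE_SYSTEM_DRIVER))


def normalise_image_path(path):
    """Lower-case the path and drop the NT prefixes driver ImagePaths use."""
    p = path.lower()
    for prefix in ("\\??\\", "\\systemroot\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p


def audit(services, baseline):
    """Return [(service_name, [reasons])] for entries worth a second look."""
    findings = []
    for name, entry in services.items():
        reasons = []
        if name not in baseline:
            reasons.append("not present in the pre-install baseline")
        if is_driver(entry):
            image = normalise_image_path(entry.get("ImagePath", ""))
            if "system32\\drivers\\" not in image:
                reasons.append("driver image outside system32\\drivers: %s" % entry.get("ImagePath"))
            if "DisplayName" not in entry:
                reasons.append("driver registered without a DisplayName (weak signal)")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_reg_export(SAMPLE_REG), BASELINE):
        print(name)
        for r in reasons:
            print("   -", r)
```

The baseline is the part that matters. A six-letter generated name like Bopytu is not distinguishable from Kbdclass by any name heuristic, and a custom-compiled driver defeats byte signatures, but neither trick removes the Services entry or changes the fact that it appeared after the baseline was taken. Run the export from a clean boot environment if a rootkit is suspected, since a driver that hooks registry enumeration can hide its own key from a live export.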
     
  20. StevieO

    StevieO Guest

    ------

    I don't think that "Detects on install is worthless" at all ! And a KL etc or any nasty is hardly going to jump up and announce what it is or what it wants to do now is it.

    As long as you are prewarned that something is about to happen and can prevent it, then that beats after the fact detection any day. And yes of course post event detection is better than none, but trying to track down and Successfully remove an RK or a similar stealthy App isn't the easiest thing to do.

    Physical access is one thing, but some remote exploit or trying to trick you to run a trojan is exactly what prevention being better than cure is all about !

    Also you dismiss out of hand by your comments goodquestion's time and efforts in doing the tests on all our behalf. I'm positive i'm not alone in being grateful to him and others who do this and share their results with us, and i hope they continue to do so too.


    StevieO
     
  21. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    for me both detect at install and detect after install are of the utmost importance. anyone who thinks detect at install is not important should try visiting hxxp://195.225.177.33 (discovered by StevieO) using IE with medium protection. The moment you land on the site it immediately downloads trojan after trojan - if this is not killed at birth it will take over a computer in seconds. Once it's installed you will spend hours cleaning it out and you will need a very good spyware cleaner to do it.

    i'm impressed with Winsonar for that very reason - with protection on i can surf the net knowing that if i visit a site that tries to download a trojan Winsonar will detect it immediately and kill it so that it doesn't get the chance to unleash a massive payload. whether there is a stealth trojan that can somehow elude Winsonar i don't know - some trojans can elude windows task manager necessitating a specialised product like icesword to detect them.

    having said that i agree that one also needs the ability to find stuff that might be already on the machine prior to detection software being installed or because a trojan might be hiding in a whitelisted program. i'm greedy i want the best of both worlds - i'm hoping a program like OA will be able to deliver that protection which is why i'm glad mike is involved in the testing process.

    the reason i was interested in Amecisco is it claimed it could operate invisibly by installing just a driver and an encoded log file. running as a driver is another method that needs to be incorporated in defenceware protection. Amecisco doesn't provide a full trial of their software so it's difficult to test how good it is without shelling out $99. i don't see the point of releasing a demo that doesn't have the stealth features of the main product because to a prospective purchaser it proves nothing - i would never buy a product based on a demo test i want to test the real McCoy before parting with hard cash.

    i too would like to thank - good question, mike, stevieo, controller, peter and anyone else who takes the time to contribute tests results to this thread. i've learned a lot.
     
    Last edited: Oct 7, 2005
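The post above makes the point that some trojans hide from Task Manager and need a tool like IceSword to find them. Such tools rely on a cross-view comparison: build the same inventory two different ways, one through the ordinary API a task manager uses and one through a lower-level path, and treat anything present in the low view but missing from the high view as hidden. The script below is an added example for this thread, not code from IceSword or any other product named here, and it is written for Linux because that is where it runs as-is: the high view is the directory listing of /proc that `ps` and friends use, the low view probes every PID number with `kill(pid, 0)`, which a hook that merely filters directory listings cannot influence. The constructed PID sets in the usage are assumptions for the demonstration; the thread-id handling and the repeat-and-intersect step are the two edge cases that otherwise produce false positives.

```python
"""Cross-view process enumeration (the idea behind IceSword-style hidden
process detection), shown on Linux. Added example for this thread; not code
from IceSword or any other product named in it."""
import os

PROC = "/proc"


def procfs_view(proc=PROC):
    """PIDs as a listing-based tool sees them: numeric entries under /proc."""
    return {int(d) for d in os.listdir(proc) if d.isdigit()}


def probe_view(max_pid=None):
    """PIDs the kernel admits exist when asked about each number with signal 0.

    A full scan up to pid_max takes a few seconds; callers that only need a
    bounded range (the self check below) pass max_pid explicitly.
    """
    if max_pid is None:
        try:
            with open(f"{PROC}/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:   # exists, just not ours to signal
            alive.add(pid)
        except OSError:           # ESRCH: no such process
            pass
    return alive


def tgid_of(pid, proc=PROC):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        pass
    return None


def cross_view_diff(high, low, resolve_tgid=tgid_of):
    """Split (low - high) into (hidden, threads).

    kill(tid, 0) also succeeds for thread ids, and /proc never lists threads
    at top level, so each extra id is checked: if its Tgid is a process that
    *is* listed, it is a thread of a visible process, not a hidden process.
    """
    hidden, threads = set(), set()
    for pid in low - high:
        tgid = resolve_tgid(pid)
        if tgid is not None and tgid != pid and tgid in high:
            threads.add(pid)
        else:
            hidden.add(pid)
    return hidden, threads


def find_hidden(rounds=2, max_pid=None):
    """Compare several times and keep only ids that are hidden every time,
    which drops processes that merely exited between the two views."""
    result = None
    for _ in range(rounds):
        hidden, _threads = cross_view_diff(procfs_view(), probe_view(max_pid))
        result = hidden if result is None else result & hidden
    return result


def self_check():
    """Our own PID must appear in both views and never be reported hidden."""
    if not os.path.isdir(PROC):
        return True  # no procfs here (not Linux): nothing to compare
    me = os.getpid()
    high, low = procfs_view(), probe_view(max_pid=me)
    return me in high and me in low and me not in cross_view_diff(high, low)[0]


if __name__ == "__main__":
    for pid in sorted(find_hidden()):
        print("hidden candidate:", pid)
```

The same structure carries over to any object type: files listed by the shell versus files found by walking the raw volume, registry keys returned by the enumeration API versus keys read from the hive on disk. The low view only has to be one the hiding code did not think to hook, which is why a rootkit that patches both the directory listing and the PID probe forces the detector one level deeper, into kernel structures or an offline boot.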
  22. ------

    ------ Guest

    StevieO let's comment in reverse order.

    You misunderstand. I'm not dismissing the efforts of all these people. You need to be able to see the difference between commenting on the result of a test (in this case Prevx is worthless against keyloggers) and the usefulness of the test itself. Knowing that prevx home does not detect keyloggers is useful information.

    Exactly! it's going to be a trojan pretending to be something else, which you happily allow when the install prompt comes up. That, plus physical access or complete remote access to your system, is the most common way keyloggers of the type you are testing are installed.

    See above.

    Detection is better than cure is a nice mantra. But detection has to be specific, or the warning has to be unexpected, to be of any use.

    It is nice to have generic monitors monitoring different aspects of your computer, I'm not denying that.

    But for keyloggers, their claim to invisibility is only made *after* they are installed. Trying to see which products "Detect" them on install is not the point of the game.

    Simply monitoring every part of the file system (or being slightly more specific) will "Detect" any keylogger when it's installing.

    In my view this sort of detection is missing the point. It's similar to people who proclaim that they beat a leak test, because the moment they click on it, they disallow it to run because they use some Antiexecutable.


    Trying to trick you would fall under social engineering and no amount of generic install prompts will be able to save you.
     
  23. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    two time PC Magazine award winner

    Spector Pro - this is another $99 beastie - doesn't look like there is a trial version available to test but i'm including it here because it's a highly rated product that shows what defenceware is up against.

    Stealth Mode
    Stealth technology ensures that Spector Pro is completely protected from everyone except those with authorized access. It will not appear in the Windows System Tray, Desktop, Task Manager or Add/Remove Programs Menu. It will not be detected by anti-virus or anti-spy software.
     
  24. -----

    ----- Guest

    A properly configured system without any bells and whistles can visit such sites without problems. But that is besides the point.

    No one is denying that selective generic monitoring of your computer has some (debatable) value except against self-installed programs. But for the purposes of an anti-keylogger test, the idea is to see if its claims to invisibility are true or not.

    And that can only be tested after they are installed.

    It's pointless to declare victory because the keylogger isn't invisible when it is being installed and Prevx makes a vague warning that c:\programfiles is being altered.

    I hope you see my point.

    My phrasing was bad in the original post - first sentence, but I hope this helps clear it up.
     