Summary of Anti-keyloggers

hi ---- , yes i do see your point and i do agree with it as i stated in my post - if there is anything invisible on my system i want to be able to find it - that's why we need detectors like ice sword - to detect what other software cannot find.

there is always a chance that a properly configured system may still let a trojan in - as trojan writers discover new exploits. this is why i want layered protection - if a program like winsonar can stop the majority of trojans from installing then that is half the battle - but i would still want a program that could detect anything that might have slipped through. if a program like OA or PG can stop both install and detect and stop what's already there then that for me is the ideal software to cover both bases.

having said that there is never going to be a 100% perfect solution we don't live in a perfect world - there is always a chance that a trojan will be developed that can evade all detection software. it depends if the trojan writer can discover a method that defenceware hasn't thought of. that's why others are going the virtualisation and sandbox route.

 

drive shield - here's another possible defence solution - a variation on the sandbox - it write protects the hard drive.

whatever solution(s) the user chooses - there always remains the question - "is this solution(s) 100% effective in all possible situations" - if a trojan specifically targets the defence software can it disable it? is there a way that a trojan could penetrate a sandbox/drive shield?

the disadvantage of the write protect solutions are that they are inconvenient - when i'm sufing i like to download all sorts of stuff i want to keep - it's a hassle to keep switching off protection software so you can download to the hard drive - that's why i prefer a good monitoring solution instead.

 

at the moment if i were to choose existing software to guard against keylogger trojans - i would probably choose AV = Kaspersky or NOD, Firewall = Outpost 3.0 with spyware plugin, Realtime Blocker = Winsonar or OA or PG and possibly Unhackme and Regdefend, On Demand Scanners = Icesword, Counterspy and Port Explorer.

This costs money of course in both initial purchase and possible annual fees and being a cheapskate i want to do it as cheaply as possible. so at the moment i have no commercial software protecting my computer. i'm relying on freebies. this is by no means the best solution but it's always a trade off - how much does one want to spend to protect against all eventualities?

i'm hoping that over time i will find enough freebies to offer significant protection.

 

Re: two time PC Magazine award winner

Hi Toploader,

I'm not going to rush out and buy this for a while - but I did find this interesting article related to Spector.

http://www.interhack.net/pubs/spector/


Mike

 

Re: two time PC Magazine award winner

It was written in 2002, before the current windows craze about rootkits, but look at the following quotes.

The measures recommended to detect it sounds a lot like one that you would take to handle a rootkit.

I don't agree with the bottom line though. It seems to be good enough to fool even the fairly computer literate users in Wilders. The masses of course are even worse off.

 

thanks for the article Mike - i wonder if spector Pro 5 is significantly better than Pro 3 stealth wise? - would be nice to test but at $99 a pop it's an expensive test

 

That would be pretty close to Wilders concensus actually for a secure setup against everything. Except Winsonar isn't as highly looked up to as compared to the rest because it's free.

For firewalls, ZAP, Look N stop also has it's supporters. I doubt the spyware plugin will make much of a difference.

For spywarescanners : Counterspy and Spysweeper are favourites

Then you missed out antitrojan category....

 

hi ----, yes i missed out the anti-trojan category because i'm not convinced that there is a good enough program out there - with the possible exception of BOClean. At the moment i prefer the likes of OA or PG to block whatever trojan tries to execute. having too many real time detectors installed may course conflicts.

as always defence software's ability to block a trojan is only as good as it's detection capapilities.

at the moment the gold standard for stealth trojans appears to be hacker defender brilliant (correct me if i'm wrong, i'm only going from what i've read so far) so one could have all the above software installed and possibly still not be able to stop it - one of the reasons i'm not prepared to pay money until i'm absolutely convinced that commercial software is good enough to beat the best.

this means good heuristic detection because signature detection is limited at best.

 

OA and PG don't really stop trojans from executing. They stop programs that you know are malicious from executing. That's completely different.

If I slipped a trojanised copy of some software that you usually use say
winpatrol, OA and PG wouldn't be able to help you.

At the beginner level,i apreciate there is a grave concern over malware being run on the fly without user permissions through mistakes in browser configuration, unpatched systems etc.

The more advanced users though, have a different concern that cannot be addressed by execution monitoring. I know Mike loves the evil screensaver example, but that isn't a realistic example and such simple minded attempts (using binders) to infect someone won't work anyway on another one savy, OA execution monitoring or no.

 

Obviously I mean, it was presented as an upgrade. A trojan horse.....

 

More accurate to say will only stop programs you decide to block from executing. But I agree with the comment in general terms. What OA does is try and give you a chance - a chance to stop it, to terminate the process - a wake up call in some cases where users may go "hang on a moment". Although, I will concede that for most users if they were sent an email that said "Do not open this" with an attachment that was called "ComputerKillerDoNotClick.exe" then a number of people would execute it.

OA would note that the file had changed before executing. If the file started to do "strange" things - starting other processes, establishing hooks - then OA would warn. Again, there is a social side that is oft overlooked. If you were toploaders friend, and you said "here you go buddy" then he'd likely click it, and there would be nothing that OA (or anything) could do to stop him.

My evil screensaver example is basically a friendly way to explain things. It really did happen (although, I knew damn well what I was doing when I opened up the zip file).

What it all comes down to is a decision on trust. I went to a site many, many months ago - wanted to play some kind of flash game, and my browser told me I needed a plugin. The site looked legit. It wasn't and I scored a nice could of BHO's for my trouble. Fortunately, BankSafe caught them and I knew immediately that something "bad" had happened and was able to remedy it (manually).

Don't get me wrong - I'm not suggesting for a moment that OA is perfect - but it's far from useless, even for the savvy. As the whitelist is built up (and some other initiatives we are quietly working on in the background) OA will become more and more quiet.

This means that when it *does* pipe up, something is more likely to be wrong than right.

 

That is really true. But such people are beyond hope anyway. You can monitor the number of such instances much like one of your competitors Prevx right? So you should have stats on this.

Yes, but that's another aspect of OA and PG seperate from the application starting without permission that Toploader is a big fan about.

My concern with this other features is that they are generally too difficult to understand. A whitelist might help if the user sticks only to the mainstream software I agree.

Not an unlikely scenario. I have seen people on this forum talk about some promising software scanner as an aside in a thread, and then a link is posted to it. The admins eventually removed it for "admin review", but by then I wondered how many people had already downloaded it and tried it. Worse it was never stated why the link was removed, and since the admins do it routinely for harmless links to PoC as well some might conclude it was nothing.

The scary thing is none of my antiviruses could detect anything wrong with it, neither could any online scanner, I sent it for analysis, and a few *weeks* latter, one or two antivirus began to detect it as malware. Even now many big name AVs considered first tier don't detect it.

I disagree about the nothing part. An antivirus or antitrojan with a huge warning that it is malware would stop most people. Unless his "friend" was good enough to persaude him that it was a false positive, but those people are also beyond hope :0)

Don't get me wrong, I'm not saying that OA is useless. The rollback ability is nice, the antikeylogging detection, anti-dns, monitoring of weird behavior (if a user could be smart enough to figure if it's a real threat) etc all are nice even for a savy user.

I'm just not sold on one aspect of it, the monitoring of exe starting. As good as your whitelist is, I'm pretty sure it won't be enough to make surfing quiet enough for me.

I hang out at alt.comp.freeware, and like to play with freeware on top of security products. A complete software junkie. This means that my application list consistantly changes, espically with new versions. No whitelist is able to keep up really.

For me, it is more important and in fact critical that i have a scanner that can tell me something IS malware, rather than merely one that tells me, I started running something I clicked a second ago.

 

Right now, we only share data with the server about which apps people have trusted. I don't have stats on this per se, but when I am reviewing applications I have seen some malware (usually BHOs) that have been trusted by users. In this case, I mark the malware as untrusted and the next autoupdate, the user gets an error.

One thing I am really keen on doing is getting information out there. With that in mind, we're reworking the way our database works at the server side so that we can try a little experiment and share this sort of statistical information with the community.

I agree with you there completely. You'd go nuts if you knew how much effort went into the wording on some of the OA dialogs. And, I look at it now and I think - wow, who understands that. And all I ever see is an orange popup. So, clearly there is room for improvement. Ben is working on the 1.2 UI concept which will be an incremental, but important update of the current GUI to try and make these things more clear.

That is pretty scary. It plays into the area of trust and critical thinking on behalf of users. When OA first got mentioned on here, one user suggested not to go try it in case the company was "bad". I grew up with these things, so the concept of folders, files and so on are "natural" to me. My mum, ahhh don't get me started. "Why is the yahoo video window disappearing when I type in the other yahoo window". There is no way she will ever have the computer savvy to make intelligent decisions about what is safe, and what is not.

So, each time we find some problems with OA - real, imagined, theorectical - we have a look and see if we can make it more useable.

There was a nice anecdote on slashdot where a guy allegedly sent a small exe called 'virus' to the whole company, with instructions not to open it. The exe merely logged the name of anyone that clicked it, and sent it back to the sysadmin. As I recall , it was something ridiculous like 40% - although, depending on the job I'd click on it on the off chance I'd get a day slacking off out of it

The problem is malware evolves quickly. The whole idea we are working towards with OA is to get to a stage where we can:

i) Classify - Known Good, Known Safe,or not known.
ii) In case of unknown - see the behaviors and characteristics a program exhibits and make some intelligent (and automatic) decisions about the likelihood of it being malware.
iii) Try to prevent system damage with rollback and other related concepts in the case where mistakes are made (for example, in 1.2 we will have protected folders that only certain apps are allowed to access - the data is worth more than the OS)

We're working on gathering the data and the ideas to make this happen. For now we have the program blocker (which you can turn off if it annoys you).

We just added a couple of rules to the email filters to try filter out some basic worms - which may not help you, but could (hopefully!) help millions of others. Maybe we need some kind of assisted mode.... an army of well intentioned geeks doing continual research based on automatic requests from users... "Please wait while an OA system admin figures out if this file is safe"... Sell a million copies of OA, and I think it could be done

For now, I'm off to sleep... getting late here and my wife wants to know why I'm talking to ------ instead of her!

Mike

 

hi ----, i should point out that i'm not paticularly a fan of any one defence method - i'm interested in all approaches hoping i will find the most effective combination. like you i want something that flashes a big red light when a trojan or keylogger is detected. with a message saying "this is likely to be a trojan - install at your own risk" but then there are plenty of scanners out there that throw up false positives so it's still down to the user.

stopping execution is one method but if you whitelist then you need something else to warn you that it's misbehaving. that's why i'm interested in OA as it looks like Mike is well aware that additional protection and warning systems are needed.

there are number of approaches here - signatures that detect known offenders (unwieldy - and only as good as it's last sig)

exec protection - gives you the choice whether you want to execute - ideally it should be able to scan the program looking for hidden trojans.

on going protection - as a program is executing - check to see what it's doing and warn if it is showing keylogger behaviour.

protect critical system areas e.g regdefend concentrates on the registry - which is good for everything that alters the registry - but not all malware uses the registry.

mointor and warn if an unknown process tries to access the internet. this is a very important area because a keylogger installed remotely is useless if it can't transmit it's log file out. there again it depends on the ability of defence software (usually the firewall) to detect an outgoing attempt. as we all know firewalls are not a 100% perfect and there is plenty of stuff out there that can evade detection.

again we come back to the keyword detection - defence software is only as good as it's detection capability.

this is why it's important to have as many layers as possible including patches, system hardening and switching off known vulnerable entry points using something like XP Antispy.

as you stated earlier there are generally the computer savvy the computer illiterate and the computer anywhere in between savvy.

ideally we need products that protect us regardless of how savvy we are - because we can always have an off day.

 

You singled out winsonar as one of your most important apps, that is why I think you are a big fan of execution protection.

Antitrojans do that.

 

hi ----, Winsonar is an application that i've tested recently - and i was impressed with it's ability to kill a driveby download at birth. having said that i realise that is only half the battle. if OA can do what Winsonar does and also provide ongoing monitoring of trusted processes for suspicious behaviour then that will be a significant improvement on Winsonar.

i like Winsonar because it is free i haven't installed it on my production machine yet because i believe there is a new version in the pipeline and i don't like to keep uninstalling/reinstalling.

ideally an anti trojan should flash the red light - my personal belief is that the current crop of anti-trojans are not good enough. for an anti-trojan to be any good it needs real timer heuristic scanning. BOClean is realtime but i believe it is predominantly sig based (again correct me if i'm wrong) we haven't had the opportunity to test BOClean against the keyloggers in this thread so i don't rule it out.

as for other AT - Ewido detected next to nothing in GQ's tests, some people like A-Squared others don't rate it at all - depends who you believe - the free version was on test here. Trojan Hunter is another contender - again it's not been tested here and i don't know of many people who are running it so i reserve judgement here. also as has been debated previously there are those who believe anti-trojans have had their day because good AV now does that role well too.

it all depends how much software you want to run in your machine - as i said previously you can run all the software in the world but if it's detection abilities are not good enough then you have wasted your money. that's why i'm not going to buy anything until i think that it's up to the job of tracking the best. i don't want to buy software only to find it's out of date or too limited and i need to find something better.

whether we will ever achieve a perfect 100% i doubt - it may be that we will always have to accept that there will be a 1 in 1000 chance that a brilliant trojan writer out there will produce trojans that current software can't detect.

i do like the first defense virtual snapshot approach - assuming that a trojan doesn't find a way to write it self to all the snapshots. first defense is also good for testing software for other than malware reasons. if the software malfunctions and crashes the system then you can just discard the snapshot and your primary system is safe.

imo - Notok's sig link on system hardening is the first thing anyone should read if they want to protect their system. then people can decide whether they want to pay for additional protection.

 

All seeing eye looks good too . I know Mike is going to get a heart attack here, but I think open source and free beer software that covers such areas can be workable, since unlike a antivirus, there isn't a necessity to continually update definitions (and then there is claimav!) so people can just volunteer code as they see fit without being commited.

Of course such software would be inherently more noisy unless there is someone also working on whitelists.

There is heuristics and then there is HEURISTICS.

I'm not surprised that ATs like Ewido, Boclean, TH don't do well in such commerical keylogger tests. That doesn't seem to be their focus. It is more likely that such products are employed 'legimately' by employers for example.

There's nothing to prevent a hacker who already gained root access via other methods to use them of course, but this is rare i suspect, since it's easier to use their own tools which are better adapted to such tasks (smaller, more intergreted with their other tools etc) and for other reasons (pride)

You seem to have the impression that how well you are protected is measured by how well you can detect commercial keyloggers. I doubt this premise. Unless we really have some generic code detection which OA claims to have.

I think leaving aside the example when someone has direct physical access to your machine, I think detection of commerical keyloggers is not that important.

Definitely system hardening is what is often gets lost in the software shuffle. That's why some people can go to "Dangerous" sites and not get a scratch.

 

just to clarify my point on protection. i measure how well one is protected based on the software's ability to protect not just from keyloggers but all possible trojans/rootkits and other stealth techiques - keyloggers are just one particular application of a trojan (albeit an important one).

i'm simply saying that how well you are protected depends on the quality of a scanner not the quantity.

 

Hey all,

I decided to join the forum here because someone stole my name and was posting and causing trouble under it. All the posts in this thread are mine, it was another thread (threads?) where the impostor posted. I guess joining the forum has other benefits also like being able to upload screenshots and correct errors etc....

So anyway, I was wondering which security programs (AK/AT/AS/AV ect..) you would all like to see tested in any future keylogger tests? I realize some of the programs I have tested like Ad-aware and Spybot may not be programs many of you are interested in seeing tested, so I though I would ask what you all would like to see tested the most. Please limit it to only a few programs, the one's you would most like to see tested....say, your top two or three choices.

Of course that doesn't mean I'll be testing every program myself, hopefully others will test some of the programs I can't. But I'm just trying to get a general idea of what are the programs you all would most like to see tested against any keyloggers and omit the one's that you don't want to see tested. Thanks.

 

hi GQ - personally i'm interested to see just how good PG is - as it's a contender for primary defence shield - i don't however expect you to pay for a full product licence if you don't have it installed (i don't think the free version has keylogger protection enabled?)

personally speaking - ideally i would like as few security programs running realtime as possible in my production setup, firewall yes, AV yes and one other a HIPS like PG or OA.

there are quite a few others one could choose to run for additional realtime protection like UnHackMe, BOClean and Spyware Doctor but as i say i'm really looking for a HIPS that can cover all bases in the rootkit/trojan/spy arena. but please do use the above for tests as i find their results very interesting.

Advanced Anti Keylogger 3.6.1 seems to be good so i think that's worth using for tests as a specialist product.

Icesword too - as that seems to be the best rootkit detector at the moment.

 

Ok Toploader, so it sounds like you want to see the following tested.

PG = I have no license for that one and the free version isn't worth testing imo.

OA

UnHackme

BOClean = Can't test it because I have no license.

SpywareDoctor

Anti-keylogger 3.6.1

Icesword = Call me paranoid but the reason I haven't downloaded this one yet is because I just don't feel comfortable downloading the program from some strange Chinese website I know so little about. Maybe after enough people post saying it's safe I'll give it a try.

So you have no interest in seeing X-Cleaner, Ad-aware, Spybot, Spycop, STM, Ewido, MSAS & A2 tested in the future against keyloggers?

You know what I think would be interesting though? If we could test some real malware like keylogging trojans, rootkits and such, now that would be interesting wouldn't it? The real hardcore stuff! And see how well these anti-malware programs do against that.

 

yes i would like to see PG tested out as it has specific keylogger defences - i would like to see how good they are. if anyone out there has PG and fancies trying it on the keyloggers mentioned in this thread please do - same goes for BOClean.

i would rate Spyware Doctor and Counterspy as the main contenders for on-demand scanning behind PG or OA. so if you fancy counterspy that would be nice.

with regard to - X-Cleaner, Ad-aware, Spybot, Spycop, STM, Ewido, MSAS & A2 - the only ones worth testing at the moment are STM - though i get the impression it struggles with kernel level keyloggers and Spycop as it's a specialist product - it's pretty clear from the tests so far that the rest you mentioned are not really up to it and probably not worth your time. let's concentrate on the best.

regarding real malware - i'm always on the lookout for new beasties to play with GQ

 

GQ,

Can you post exact details on your testing procedure/methodology. What is your setup?

The last time someone (maybe it was even you?) did a large keylogger test he was torn to shreds by "experts" who felt that testing such things should not be done unless you had some sort of training and that such results were useless.

To protect yourself, I highly recommend you develop a rigious testing methodlogy and post it so people can comment on it.

 

here's a whole page of keylogger curiosities GQ - you may find something to your liking.