Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707

    it's a good thing to be rigorous in life though there are those who are not very rigorous about their spelling (rigious) ;) and i'm sure GQ tries to be as rigorous as possible. but bear in mind that there are very few "experts" here - most of us are just guys and gals hanging out with a shared interest in securing their computers. the tests in this thread have evolved informally and are about people trying things out and sharing the results - they don't "have" to do this they choose to give of their time. these are not professional lab tests and are not being presented as such. this is about trying things out and having a little fun doing so. having said that i'm sure the testers try their best to master the arts of rigour.

    i am also more than happy for anyone - expert or not to contribute to the testing process.

    ladies and gentlemen a toast to rigour and all who sail in her ;)
     
  2. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    in this thread i've expressed concern about the effectiveness of scanners at detecting stealth trojans/rootkits. here's part of an article discussing this very subject....

    Makers of antispyware and antivirus programs, pay attention to this article.

    An ugly trend is developing in the world of antispyware. It is my belief that, very soon, all current tools and methods used to detect and remove malware will become obsolete. Very soon, malware will be able to load at start up and run on the computer without being detected by any existing scanner.

    It is starting to happen already. More and more often, browser hijackers today use rootkit technology to protect themselves. I have run into it myself on my test computer and it was all I could do to remove it.

    A rootkit-protected hijacker uses any of various methods to alter how Windows operates. Once the rootkit is operational, it is able to monitor system queries and filter out anything that mentions itself. For instance, let's say that file abcxyz.exe hijacks all browser home and search settings, keeps them from being changed back and pops up advertisements every 90 seconds. If it is protected by a rootkit and you open the folder containing the file, the rootkit will prevent Windows Explorer from displaying the file. If you open the Task Manager, abcxyz.exe will not be shown as a memory process.

    This is how it works today and it gives us plenty of trouble when trying to help someone fix it. However, the tools we use today allow us to spot the existence of abcxyz.exe. It has to load when the computer starts, so HijackThis will show us the registry entry that causes it to be loaded. We can find the infection. We just have a hard time explaining to someone how to find it and remove it.

    I see trouble ahead. It is only a matter of time before some miscreant designs a better rootkit. I believe that rather than simply hiding a file from Windows Explorer and the Task Manager, future rootkits will be able to provide malware designers with true stealth mode.

    Imagine this for a moment. A flaw is discovered in Internet Explorer which allows any piece of software to be executed. Exploiting this flaw, the installer for a truly clever malware is downloaded and executed. The first thing that happens is the installation of an advanced rootkit. This rootkit injects itself directly into the Windows kernel, bypassing all higher-level functions.

    A registry entry is written which loads abcxyz.exe as a Windows Service. A service will load whether anyone is logged onto the computer or not and is more difficult to remove than a program installed normally. The abcxyz.exe file is loaded into memory. Every 90 seconds afterward, ads begin to pop up. Realizing that something is wrong, the user goes looking for the culprit. This is where he is going to run into trouble in the near future.

    The first thing he does is to perform a scan with his antispyware program. All antispyware programs look for spyware in the same manner. They search the hard drive looking for files known to belong to malware. They ask Windows for a list of processes running in memory, then look to see if any of those are bad guys. They look at the registry to see what is loading at start up and to check for toolbars or BHOs installed into Internet Explorer. This is where they are going to fail when confronted with an advanced rootkit and a stealthed malware.

    The rootkit is sitting in memory, monitoring every system query that passes through the kernel. When the antispyware scanner asks Windows for a list of running processes, the rootkit filters out abcxyz.exe. When the scanner asks for a listing of files, it filters it out again. When the scanner is looking at the registry, the rootkit filters out the entry that shows abcxyz.exe loading as a service. Seeing nothing suspicious, the antispyware scanner reports that all is well.

    The user goes to our message board and asks for help. He is told to download HijackThis, run a scan and post the contents of his log file. He does this and waits for a response.

    The advantage of HijackThis over antispyware scanners is that anything not installed as part of Windows will be shown, whether it is malware or not. However, it depends on Windows to give it this information. With the advanced rootkit running at the kernel level, no information about the malware is passed onto HijackThis. The user's log file will be perfectly clean.

    This is the threat we soon will be facing. No matter how good a scanner may be, it depends on receiving accurate information from Windows to detect malware. With the advanced rootkit running, Windows is made to lie. Windows itself cannot be trusted to deliver accurate information about the contents of memory or of the hard drive. The malware is running in true stealth mode. Ask Saddam how well his air defenses fared against US Air Force stealth fighters and you see the problem. Or, more accurately, you don't see it.

    So, if Windows cannot be trusted to provide the information we need, how are we going to track down malware? The answer to this, thankfully, is very simple. You need to look at the hard drive from another operating system.

    No, I am not saying that the poor user has to set up his computer to dual boot Linux and Windows. There is a small program out there called BartPE that already does exactly what we need.

    the full article is here
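    The article above describes a rootkit that filters its own entries out of the process, file and registry answers Windows gives, and recommends looking at the disk from another operating system. The following is an added simulation, not code from the article or from any real scanner: a constructed "ground truth" for the infected machine, a hooked view that drops anything containing the hijacker's name, a naive signature scan that asks only the hooked view, and a cross-view comparison that flags what the hooked view omits. Names and paths (abcxyz, the service key) are constructed illustrations.

```python
"""Simulated cross-view detection of a filtering rootkit (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    kind: str   # "process", "file" or "service"
    name: str


# Constructed ground truth: what is really present on the infected machine.
# This is what an inspection from a clean boot (the article's BartPE approach)
# or a direct walk of kernel structures would see.
TRUTH = [
    Artifact("process", "explorer.exe"),
    Artifact("process", "abcxyz.exe"),
    Artifact("file", r"C:\WINDOWS\system32\svchost.exe"),
    Artifact("file", r"C:\WINDOWS\system32\abcxyz.exe"),
    Artifact("service", r"HKLM\SYSTEM\CurrentControlSet\Services\Dnscache"),
    Artifact("service", r"HKLM\SYSTEM\CurrentControlSet\Services\abcxyz"),
]

# Substring the simulated rootkit strips from every enumeration it intercepts.
HIDE_TOKEN = "abcxyz"


def hooked_view(truth):
    """The tampered answer Windows gives while the rootkit is resident:
    every entry mentioning the rootkit's own name is filtered out."""
    return [a for a in truth if HIDE_TOKEN not in a.name.lower()]


def signature_scan(view, known_bad):
    """A conventional scanner: ask for the lists, match against known names.
    Its result is only as good as the view it was handed."""
    return [a for a in view
            if any(sig in a.name.lower() for sig in known_bad)]


def cross_view_diff(api_view, independent_view):
    """Cross-view detection: anything the independent view contains but the
    API view does not is being hidden from the API. This is the idea behind
    diff-style rootkit detectors; it needs no signature for the hidden item."""
    present = set(api_view)
    return [a for a in independent_view if a not in present]


def offline_scan(truth, known_bad):
    """Scanning the disk from a clean OS: the rootkit's filter is not running,
    so the same signature scan now sees the hidden file and service entry."""
    return signature_scan(truth, known_bad)


if __name__ == "__main__":
    sigs = {"abcxyz"}
    api = hooked_view(TRUTH)
    print("scanner on the live (hooked) system:", signature_scan(api, sigs))
    print("cross-view discrepancies:", cross_view_diff(api, TRUTH))
    print("scanner from a clean boot:", offline_scan(TRUTH, sigs))
```

    The first call returns nothing, which is the "perfectly clean log" the article warns about; the other two expose the process, the file and the service key because neither depends on the hooked enumeration.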
     
  3. Joseph9

    Joseph9 Guest

    My SpyCop detects the spy lantern programs, both home and pro.
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    ok time for a quick state of the antikeylogger union....

    as we have seen there is a variety of software out there that has some success in stopping keyloggers. we have not been able to test them all by any means, PG being a notable absentee.

    is there a product out there that can stop 100% of all software keyloggers?

    my first answer would be no but PG developers do make this claim

    i make no comment as it hasn't been tested here - also the comments are quite old now and were made with the exuberance of releasing a new product to the market - if the claims are true then PG offers the most significant protection available - 100% of trojan keyloggers and 95% of manually installed kl will probably be stopped.

    that is a difficult act to follow - one could quite justifiably say do we need to spend any more money on anti-keylogger software? - just buy PG.

    for those who believe in layered defence then there are other areas worth considering....

    firewalls - if there is a trojan out there that can defeat PG then the second line of defence is the firewall. a keylogger trojan is not much use unless it can phone home with all your juicy juicy information. a good firewall should block most attempts to phone home. but as you can see here in these PoC tests no firewall scored anything like 100% -the tests are a year old now - it would be interesting if anyone using the new versions of the big hitters - Zone Alarm, LooknStop, Jetico and Outpost could test to see whether their scores have improved. As of Oct 2004 NO firewall could stop Copycat and Wallbreaker - only one firewall could stop thermite and only 2 firewalls could stop DNStest. PG states that it can defeat copy cat and thermite - if a trojan is good enough to defeat PG then it is most likely good enough to defeat the best firewall too.

    Specialist trojan detectors - UnHackMe, BOClean, Trojan Hunter. running one of these may further improve your chances of catching the ultimate stealth trojan (assuming they have the best heuristics - the ultimate stealth trojan will not yet have a signature so any trojan detector without heuristics will only protect you from the known)

    Rootkit detectors - Again PG has got this base covered - additional detectors are Icesword, a rising star - Blacklight also a new kid on the block and Rootkit Revealer.

    There is also OA to consider - the developers are putting a lot of work into its anti-keylogger capabilities.

    So gentle reader i will leave you with that perennial question - "is there a keylogger trojan out there that can defeat 100% of all current detection software?" the best should defeat all layers of protection - but can it?
     
    Last edited: Oct 10, 2005
  5. StevieO

    StevieO Guest

    Wonderful news !!!

    I just tried 12 FW tests again with ZA Free and the new MS DDE exploit vuln fix config as i explained earlier on today in here https://www.wilderssecurity.com/showthread.php?t=101088

    I passed all of them but one at first and then all of them, including CopyCat and Thermite which threw up errors, even though IE was running and i was connected, as shown here, the bottom 2 are Thermite

    http://img410.imageshack.us/img410/1885/ccth11ly.png

    The initial thorn being WallBreaker. On the first run Test 1 went straight through. Test 2 ZA prompted me 3 times for access trying to get past with some unusual requests of some of my running Apps. The first was an attempt to use MaxMem.exe, the second was a try with Windows Explorer, the third with MWSnap.

    After this somehow it went through ! But the interesting thing is that i went into ZA and blocked those Apps from access and tried again. This time i could click on the second test as often as i liked and i just kept refusing the prompts for access by ZA this time attempting it with IE.

    So it would appear that the DDE fix seems to do a lot more than i realised it did before. I haven't changed anything else other than what i've stated, so good news all round !


    StevieO
     
  6. Beat all current detection methods (short of booting up on cd with trusted OS) once installed yes.

    To get installed in the first place through remote attacks is the real challenge i think, since it needs to get past process monitoring + behavior monitoring of drivers, registry etc. Possible of course, but a big feat. And if you split up your defenses among say 2/3 or more software, they need to research ways around each of them.

    I can imagine that happening, but I have a wild imagination.

    But once they have their malware installed, i think the advantage shifts to the attacker. Firewalls shouldn't be a problem.

    Of course social engineering makes most of your layers moot. If i can persuade you to install this nice little rootkit detector, you will remove all the obstacles yourself. "Driver wants to install?, Sure!" Game over.

    That's why I'm extremely worried about the problem of installs. Most people seem to worry about getting infected merely by surfing some spyware site, but I don't think that is really a serious honest, if you know what you are doing
     
  7. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks very much for the update StevieO, that is encouraging news - we've got to stop those pesky trojans from phoning home and they can be very very sneaky ;)
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i agree that is a big concern DA - that's why we need a detector that monitors all executing code at all times regardless of whether it's whitelisted or not and reports on any suspicious behaviour. i'm hoping OA will make progress in this important area.
     
  9. That won't help. It's not just whitelisting. The nature of such warnings is always vague, at best they can describe what is happening on a superficial level, as long as you can think of some plausible reason why it is happening, you might still allow it.

    Social engineering is a human problem, it cannot be solved by technical solutions.
     
  10. Yes another blah blah, rootkits are going to take over the world story. No disrespect intended toploader and to Mike, but this is kind of getting old.

    2005 is apparently the year of the windows rootkits.
     
  11. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    well you will have to take that up with the author of the report DA - here in this thread we are looking at ALL the methods used and how we can block them.
     
  12. controler

    controler Guest

    "Social engineering is a human problem ,it cannot be solved by technical solutions."

    R U trying to say IceSword is an evil rootkit? or just rootkit?

    There is a big Difference. No the Chinese are not trying to take over the world.
    What would that gain?

    As mentioned before, Kevin from BoClean thinks rootkits are not that big a deal. He thinks you can detect them from Ring 3. Usermode at present.

    But ah yes, we want to try stay ahead of the game for once not lag behind as toploader says.

    I am sure MS is keeping an all seeing eye on the development of rootkits.

    Let's see what Vista has to offer.

    controler
     
  13. AvianFlux

    AvianFlux Registered Member

    Joined:
    Dec 7, 2004
    Posts:
    237
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  15. controler

    controler Guest

  16. HUHo_O? I'm not saying anything about Icesword. I love icesword. I repeat if people are gullible and believe whatever people tell them..... Read Mitnick's The Art of Deception if you haven't.

    Sure we are. all humans are. Or at least countries are. For power. But no I don't think Icesword is their way to conquest.

    So he says.

    Nuff said. Of course toploader is wondering in https://www.wilderssecurity.com/showthread.php?t=101011&page=2 if the "installspy" he installed to protect his system has spyware , exactly what I am talking about.
     
  17. controler

    controler Guest

    "Read Mitnick's The Art of Deception if you haven't."

    I watched him on Tech-TV :D

    I agree about the art. That is a huge tool in getting on a system or in many other things in life. I think his teachings helped people today ward off some phishing attacks.

    I fully agree with you on the spyware bundled with what we thought was safe
    programs. We remember both Dell & HP doing it. I don't think there is as much of this going on anymore.

    The movies still come out with superhero movies now and then but you don't see many new John Wayne type movies anymore o_O
    or even the old black & white movies where they actually called the bad guys villains LOL ,, dating myself here again.
    I gotta stop going off on these wild tangents. ;)

    controler
     
  18. goodquestion

    goodquestion Registered Member

    Joined:
    Oct 9, 2005
    Posts:
    6

    Well said Toploader. :)



    Thanks AvianFlux and Toploader for posting the links to those new anti-keyloggers, they look interesting. I'll be looking forward to testing them against some of the bad boys to see how they do.

    Anti-keylogger has a new version 6.2? that's good to know Controler, thanks. I haven't been checking their website, so I wasn't aware of that. I wonder if it can now stop Elite?
     
  19. StevieO

    StevieO Guest

    Hi all,

    I thought i'd better give you an update and report my latest findings regarding my earlier FW tests above.

    Today i repeated them and once again passed all with this exception. Both WB Test 1 and 2 passed 100% with no IE running, as i get prompted from ZA Free for both which i deny. With IE running Test 1 gets through with no prompt. Test 2 gets through, but i do get an Alert about 1/2 a Sec after it has. Tests 3 and 4 don't apply to me as i'm not using XP etc.

    I'm not sure what's different today as i haven't changed anything, i may have overlooked something yesterday which i can't explain at this moment, if so i apologise ! Anyway i didn't want to leave anyone with the wrong impression, so i've posted ASAP.

    Just to be sure about the DDE exploit i also did the ZabyPass test several times with IE running, and happily passed every time. So that fix definitely still works which is good news for all.


    StevieO
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    All but a few are commercial keyloggers.

    Am I right to assume that everyone's interest in keylogger detection is in helping others? For surely no one here could imagine being compromised by someone gaining physical access to their own computer to install one.

    For the trojan keyloggers - assuming one gets installed (not likely after seeing all of the protective measures discussed here) nothing is compromised until the harvested information is sent out to the attacker. Here, the lowly firewall comes to the rescue.

    Do you have some examples? I would like to test.

    If you are referring to disabling the firewall, I can't speak for others, but with Kerio 2.1.5, ghost and I have run several tests and Kerio's password protection blocked attempts to disable the service and kill the process. There is the possibility of using an API call but not likely to succeed if you run in non-Admin mode.

    Most Trojans/Worms send out by:

    1) email - usually by means of their own SMTP email engine, as in the recent SoberQ and was blocked by the firewall when I tested it. The firewall alerts when an application for which there is no outbound rule attempts to connect out.

    2) by connecting to a web site, as demonstrated by the firewall leak tests. People have pointed out that in these PoC tests no firewall scored anything like 100% - especially Copycat and Wallbreaker, Thermite, DNStest.

    All but DNStest are easily blocked if you set your browser rule to prompt for each outbound attempt, as StevieO (I think) does. Your normal web routines are not prompted when you use a custom address list.

    I blocked DNStest by disabling Windows DNS client and creating separate DNS rules for each application that needs to connect out. DNStest is blocked because it uses the normal Windows DNS applications - services.exe for Win2K, svchost.exe for WinXP - which are invoked by DNS client.

    Whether these leaktests are really relevant has been beaten to death in other threads, but for those who are concerned, it is possible to defeat all of them.

    Like Rootkits, Keyloggers invoke a lot of fear because of the so-called stealth, but with the many new protective measures now available, they shouldn't cause undue concern if you are careful (IMHO).

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Oct 12, 2005
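    Rmus's post describes a per-application outbound policy: a browser rule that prompts on every outbound attempt except a custom address list, alerts for any application with no outbound rule (the "own SMTP engine" case), and, with the Windows DNS client disabled, a separate DNS rule for each application that needs to resolve names so that lookups routed through the system resolver process get no rule. The following is an added illustration, not Kerio's rule format or any firewall's own code: a small rule evaluator with a constructed rule set and constructed connection attempts, using documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as stand-ins for a mail server, a custom address list and an unknown host.

```python
"""Per-application outbound firewall policy, evaluated over constructed attempts.
Constructed example: the rule layout is an illustration, not any product's format."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Attempt:
    process: str   # image name of the process that opened the connection
    dst: str       # destination address
    port: int
    proto: str     # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    process: str
    proto: str
    ports: frozenset    # empty set means any port
    networks: tuple     # ip_network objects; empty tuple means any address
    action: str         # "allow", "block" or "prompt"


def net(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


# Constructed rule set, evaluated top to bottom; first match wins.
RULES = [
    # Mail client may talk SMTP only to its own mail server.
    Rule("mailclient.exe", "tcp", frozenset({25}), net("192.0.2.0/24"), "allow"),
    # Browser: the custom address list of routine sites is silent ...
    Rule("iexplore.exe", "tcp", frozenset({80, 443}), net("198.51.100.0/24"), "allow"),
    # ... and, with the DNS client service disabled, the browser resolves
    # names itself, so it gets its own DNS rule to the configured resolver.
    Rule("iexplore.exe", "udp", frozenset({53}), net("192.0.2.0/24"), "allow"),
    # Everything else the browser does is prompted, which is what catches a
    # leak test that piggy-backs on the trusted browser to reach a new host.
    Rule("iexplore.exe", "tcp", frozenset(), (), "prompt"),
]

DEFAULT_ACTION = "prompt"   # no outbound rule for the application: alert


def evaluate(rules, attempt):
    """Return the action for one outbound attempt under the rule list."""
    dst = ip_address(attempt.dst)
    for r in rules:
        if r.process.lower() != attempt.process.lower():
            continue
        if r.proto != attempt.proto:
            continue
        if r.ports and attempt.port not in r.ports:
            continue
        if r.networks and not any(dst in n for n in r.networks):
            continue
        return r.action
    return DEFAULT_ACTION


# Constructed attempts covering the cases the post discusses.
ATTEMPTS = {
    "browser to routine site":      Attempt("iexplore.exe", "198.51.100.10", 443, "tcp"),
    "browser to unknown host":      Attempt("iexplore.exe", "203.0.113.7", 80, "tcp"),
    "browser DNS lookup":           Attempt("iexplore.exe", "192.0.2.53", 53, "udp"),
    "system resolver DNS lookup":   Attempt("svchost.exe", "192.0.2.53", 53, "udp"),
    "unknown process, own SMTP":    Attempt("abcxyz.exe", "203.0.113.7", 25, "tcp"),
    "mail client to own server":    Attempt("mailclient.exe", "192.0.2.25", 25, "tcp"),
}


def decisions(rules=RULES, attempts=ATTEMPTS):
    return {label: evaluate(rules, a) for label, a in attempts.items()}


if __name__ == "__main__":
    for label, action in decisions().items():
        print(f"{label:30} -> {action}")
```

    The two DNS attempts show the point of the per-application DNS rules: the browser's own lookup is allowed, while a lookup arriving from the system resolver process has no rule and is alerted, so a program that relies on the shared resolver to carry its traffic out is noticed rather than waved through.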
  21. I agree with this. Not likely at all, unless you are tricked into installing one yourself in the cool rootkit scanner I posted. :p


    I'm not too sure about this.


    I'm not sure about this, but the methods of so many leak tests are so simple, minimal programming is required, I would be amazed no one has tried to use them, at least for special home made stuff.

    I think most people would not appreciate doing this. It means getting bored by prompts every time you google for information and visit new websites.

    That said I do limit the ip ranges that can be visited by antivirus updaters and email clients, but I'm just too lazy to do it for browsers. I suppose that's very silly of me, since if an attack comes it will be directed at browsers probably.

    There are other less extreme methods to beat such simplistic leak tests for example setting your default browser to be untrusted, while using another, but this isn't 100% foolproof and there is some inconvenience. Besides i imagine a smart trojan would have a list of typical applications that are typically given full access to the web and not rely just on the default. But then again, you could counter that by renaming all your apps so they didn't have typical names which could be countered by md5 hashing which could be countered by a small randomising program, which could be...

    Or maybe the trojan would be able to read the filter rules of whatever firewall you were running and directly figure out what apps were trusted.

    But all these scenarios, assume the bad guy has already 100% access to do what it wants, in such a case you are lost anyway.


    Yes, I do this too. I think this might actually be workable in terms of the payoff versus cost unlike the above. You need to do it once for each app only, so at worst it doubles the length of your filter list.

    Well i suppose it depends on the lengths you go about to defeat them. I could set a firewall to prompt on everything, and it would defeat almost every leak test based on manipulating trusted apps, yes.

    Also why can't there be attacks based on the bugs in the filtering design. I mean if you have a rootkit, why can't it hook "lower" (whatever that means) than the firewall, so the firewall can't see it? Or maybe the firewall itself has a bug so it doesn't see certain network communications etc etc

    I agree, the key is not letting them on. If they get on, it's pretty much game over, no matter what you do. That said, many people seem utterly paranoid about getting infected by drivebydownloads and load up on lots of software, but wouldn't blink an eye if they were invited instead to download and install some cool software.
     
  22. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Rich - can't help you out with a test specimen, my trojan box is pretty empty at the moment - perhaps Symantec will let you have a copy of this to play with.

    12 Bypasses certain firewall programs by sending them special character codes that automatically create a trusted rule for the Trojan process.
     
    Last edited: Oct 12, 2005
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    By damage - I was referring to being compromised - I edited it to be clearer.

    Likewise. I was surprised to read the author of Firehole stating that no evidence of that PoC being used had been discovered.

    Regarding your other comments: yes, some of the measures are extreme, yet I wanted to show that if one is really concerned about these exploits, there are ways to combat them (disabling DDE mentioned in another post being one way).

    And, as you rightly point out, other sneaky ways to thwart the defense will appear, and the cat-and-mouse game will continue.

    Not much more to add to that!

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks tl, my experience has been that they won't.

    It's frustrating that the descriptions on these sites are often very general.

    For instance, many trojans are described as "sending out using its own SMTP emailing engine." No details as to how this works, much less how to defend against it.

    It took me lots of time/research to understand how this works, and finally being able to test one confirmed how they work and how they can be blocked.

    Why these sites are not more forthcoming with information is a puzzle. You cite:

    Which firewalls? What kinds of codes?

    When the site doesn't give more details, readers are left to speculate, and this creates fear that they are helpless to defend.

    In this case, of some comfort, perhaps, is that the threat metrics for this trojan are low.

    And, of course, being a trojan, the user has to be tricked somehow into letting it install.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
    Last edited: Oct 12, 2005
  25. goodquestion

    goodquestion Registered Member

    Joined:
    Oct 9, 2005
    Posts:
    6

    Yes, that's what I thought we were trying to do here is help people from complete beginners to more intermediate level users. And we are not assuming that no one can gain physical access to your computer and install a keylogger that way, (such as on a workplace computer, at home by a spouse/girlfriend/boyfriend etc..). In fact no assumptions are made at all as to how the keylogger(s) could be installed. We're just trying to help others to find ways to detect if a keylogger could be installed on their system, and some ways to block them from being installed. Far from any professional level tests, yet still hopefully somewhat helpful to some who may visit here.

    But as Toploader stated, any others who wish to submit their own tests are welcome to do so.

    Rmus, I would be very interested to know if you'll be posting the results of any tests you are doing yourself against malware, on this site. I'm sure there are many who would be interested in seeing any such tests, I know I would. It would be quite interesting to see how some of the anti-rootkit and HIPS type programs actually do against real hardcore malware like rootkits and trojans, if that's what you're testing and will be posting about.
     