Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. What type of tests would you like to see?
     
  2. controler

    controler Guest

    Which rootkit scanner did you post again?

    controler
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    My interest in testing trojans/worms is to test how the firewall responds if such malware did get installed. I run tests on files I receive in email attachments, or hear about from someone else where I can download.

    Here are some tests:

    1) Most recently, I received via email attachment the SoberQ and was able to test it, and I posted here.

    2) A while back, I tested the drive-by site here mentioned in another thread:

    3) Back in April, I received a bagle variant here via email.

    4) I learned of a web site that disguised a trojan as a program here


    If the firewall does its job, the trojan (with or without keylogger) or worm cannot send out to the attacker.

    In line with ErikAlbert's approach - firewall and ShadowUser - you reboot and you are back with a clean system.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. fun :)

    fun :) Guest

    Please now, which one is the best anti-keylogger? o_O
     
  5. TECHWG

    TECHWG Guest

    Sorry guys, I did not have time to search all the posts, but here's another anti-keylogging product; I personally have helped the developer with improving his product. I'm not a programmer but I have ideas/concepts and VMware for testing keyloggers. I don't want to sound like an automated advert machine, but I think you guys might want to have a look at this. http://www.remove-keyloggers.com/ It's called Anti Keylogger Elite. So far I tested it with most hook-based keyloggers and now they are mostly stopped as far as I can tell. Kernel-based keyloggers like ELITE are at present not detected/blocked, but I have made him aware of this point (actually way before I saw this forum, but yea). The interface and GUI is a little hokey, but I will and "am" helping him with this. It protects you from screenshots as well as keyloggers. But the main thing for me is it crashed my system a bit with Tiny Personal Firewall . . If someone else can confirm that would be good. With my help it now defends against Spector 5.0 keylog and screenshot. He will be working on kernel-based when he gets back from a trip in about 1 week or so. This software has potential, which is why I am helping him. From what I tell it will "eventually" be a cheaper version of something similar to Privacy Keyboard. If any of you are programmers he would always relish help with kernel keylogger detection ;) just a thought.

    Anyway please . . I would like your thoughts and feelings on this. Have a look at it and do some testing and let me know what you think.

    Cheers

    Wes
     
  6. TECHWG

    TECHWG Guest

  7. boycott_Sony

    boycott_Sony Guest

    No one is responding most likely because it sounds like you're trying to sell us AK Elite, unlike the other posters in this thread who were just trying to help us understand how to defeat keyloggers.
     
  8. TECHWG

    TECHWG Guest

    Well firstly, I am making this program known since I have not seen it mentioned. If you want to talk about all these different programs, why do you say that about what I am telling you? I am telling you that I am helping this guy make a good product and it's worth checking out . . . and he is now aware of kernel keyloggers such as ELITE Keylogger, until I gave him information (that I found myself) . . . if you don't want any new people giving you information I will leave this post well alone and leave it to "better" people I guess . . . Yea, whatever. You want to know how to stop keyloggers and then someone brings a new program to the table and now I am a damned sales token, ok . . . Whatever, I don't really care, it's information, take it or leave it, pal.
     
  9. Minsak

    Minsak Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    34
    When the 14 (or is it 15) day demo period expires on the product called Ewido, what to expect then? Can I expect limited functionality? Can I keep using it, and manually update by downloading their rulesets?

    What ruleset is necessary, the 2-3 day old one, or can I safely run the complete one each time (I am thinking of the time after the demo period) ?

    What to expect?
     
    Last edited: Nov 12, 2005
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    The additional features listed for the Plus version here are the ones lost on conversion from full trial to free version.

    Blue
     
  11. Minsak

    Minsak Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    34
    Not to say anything bad, but there are some typos on the webpage of the AKE product. Hope the guy making the code of this product is not that inaccurate when coding software and rulesets. ;)
     
  12. Minsak

    Minsak Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    34
    What about my ruleset update question asked earlier, which one is supposed to be used? Do they both work? I suppose if you only use the 2-3 day old one, that after a longer period of not doing the updates you will miss out on some. Then I wonder if the automatic update function is parked when using the free license? (It does say "Daily database updates" in the list below)

    So if I understand that page of information correctly, I would be able to keep the following functions:

    Heuristics to detect unknown threats
    Scanning and cleaning of the Windows registry
    Support for NTFS-ADS scanning
    Daily database updates
    Patch proof by using strong signatures
    Analysis tools (startup, connections and processes)
    Intelligent online-update
    Scan inside archives
    Secure detection and deletion of DLL-Trojans
    Generic crypter detection through emulation
    Generic binder detection
    Free E-Mail Support
    Automatic Clean Engine
    Quarantine for suspicious files
    Multilingual User Interface
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I don't understand this question.
    You lose the automated update facility; just update manually prior to a scan.
    The updates are available, it's not automatic, you have to initiate the update manually. A very small price to pay IMHO.

    I believe so. I own the Plus version, the free version is on some other PCs here. That looks to be a fairly accurate breakdown.

    Blue
     
  14. TECHWG

    TECHWG Guest

    The creator of AKE is Chinese and his English is not good, hence I help him with typing, but he has yet to implement changes since he's on a trip. But he is a very good programmer and with ideas I give him he makes his software better, and he will be working on Elite keylogger as soon as he gets back, I can assure you :) !

    And i hope he can fix all this soon.
     
    Last edited by a moderator: Nov 13, 2005
  15. Minsak

    Minsak Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    34
    Just tested "Spydex's Advanced Anti Keylogger Lite", and I am not too impressed, so to speak. I cannot know, but this tool seems to block some legitimate software. I leave it to you to say if it is legitimate or not. But to me it looks legitimate enough.

    One annoying thing is "the floating notification prohibition message" that just stays 5 seconds, and when you get 3 concurrent messages it is hard to press the "details" link. It can be adjusted in preferences to 30 seconds to make it better. However, the software has no menu options that let you browse blocked elements later on. Still, I was able to extract these details of the blocked elements:

    c:\WINDOWS\system32\drivers\SynTP.sys
    Synaptics Touchpad Driver
    (seems legitimate to me since it is delivered by the notebook manufacturer)

    c:\Program Files\AVPersonal\AVGNTDW.SYS
    Filter Device for Windows XP/2000/NT
    (seems legitimate to me since it is located in AntiVir program folder)

    vax347b.sys
    (with no further details; seems legitimate to me, but I cannot pinpoint it more than that it is located in the C:\WINDOWS\system32\drivers folder, and the name is very close to Alcohol 120%'s driver file called vax347s.sys, which is a virtual optical drive unit)
    This could be a malware, but it is hard to tell.
    All I can extract is the properties of the file:
    3.47.0.0 built by: WinDDK
    (And what is WinDDK exactly? )

    :ninja: Does seem like it gives a few false positives. Could you verify this?
     
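A first triage check for a driver the tool blocked without details, like vax347b.sys above: does the file carry an Authenticode signature block at all, and what is its hash for looking it up. This is an added example, not code from the thread or from any product discussed here; it parses the PE headers directly (no third-party library) and the sample image it checks is a constructed header-only PE, not a real driver.

```python
import hashlib
import struct

def build_minimal_pe(pe32plus: bool, signed: bool) -> bytes:
    """Constructed sample: header-only PE image, plus a dummy blob when 'signed'."""
    e_lfanew, opt_size = 0x40, (240 if pe32plus else 224)
    hdr_len = e_lfanew + 4 + 20 + opt_size
    blob = b"\xde\xad\xbe\xef" * 2 if signed else b""      # stand-in for the PKCS#7 blob
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    dd_off = 112 if pe32plus else 96                        # first data directory entry
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_off - 4, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 4 * 8, hdr_len if signed else 0, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob

def authenticode_directory(data: bytes):
    """(file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None when the file is unsigned.
    Unlike other directories this entry is a raw file offset. Presence only proves a signature
    blob exists; validity must still be checked with signtool or Get-AuthenticodeSignature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32: 96 bytes of standard + Windows fields
        dd_off = opt + 96
    elif magic == 0x20B:                # PE32+: 112 bytes
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, dd_off - 4)[0] <= 4:  # NumberOfRvaAndSizes
        return None
    off, size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size

def triage(name: str, data: bytes) -> dict:
    """Facts to record before deciding whether a blocked driver is a false positive."""
    return {"file": name,
            "sha256": hashlib.sha256(data).hexdigest(),   # look up against vendor/AV databases
            "has_signature_blob": authenticode_directory(data) is not None}
```

On a real system, call `triage(path, open(path, "rb").read())` on the flagged driver; an unsigned driver in system32\drivers is not proof of malware, but it is the case where the vendor-path reasoning above is the only evidence you have.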
  16. sam1200

    sam1200 Guest


    Who are you asking?
     
  17. TECHWG

    TECHWG Guest

    It's hard for software to know which sys file or kernel driver is legitimate or not, so the software should provision for manual changes. Does that software allow you to specify block or exclude o_O?
     
  18. Termoil

    Termoil Registered Member

    Joined:
    Nov 13, 2005
    Posts:
    9
    Prevx 1 now seems to have a keylogger built in.
     
  19. TECHWG

    TECHWG Guest

    WHAT?? A protection software has a keylogger in it? How do you know? Are you basing this off the fact that it might have a sys kernel driver?
     
  20. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,719
    Location:
    USA
    I'm sure he meant keylogger detection..

    Prevx 1 Beta Update Release v1.1.0.19


    This release contains the following changes:

    - Keylogger detection for unknown programs
    - Buffer Overflow detection
    - Detection and termination of running malware on startup
    - IE Home page protection
    - Improved BHO, ActiveX, IE extension and toolbar protection
    - New Graphical User Interface and console layout
    - Improved policy detection for Community information
    - New Window in Jail (called Probation) to allow any application to be run even if determined bad by the Community.
    - Password controls on the console
    - Improved support diagnostic functions
    - Support for Proxy servers during Installation and configuration
    - Improved support for system tray icon
    - Delete function now works on items in the Jail and not the Holding Cell
    - Updated Helpfile, Tutorials and Bug fixes
    :ninja:
     
  21. TECHWG

    TECHWG Guest

    Did anyone get to test Anti Keylogger Elite yet?
     
  22. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Kernel/Driver keylogger

    A kernel keylogger operates at operating system level, which means it is first in line for the data coming from the keyboard. In many ways, a kernel keylogger replaces or alters the core software that is responsible for interpreting the keystrokes and turning them into the characters you see on the screen. How this is accomplished varies depending on the hardware and OS.

    Within Linux, an attacker could alter the code of any system file (e.g. keyboard.c) and rebuild the kernel. This would cause the keylogger code to become part of the core OS, which would load each and every time the computer was booted. A Windows driver-level keylogger could easily be installed by overwriting a core .dll or .exe file that is loaded when the OS is booted up. Depending on the OS, the keyboard logger could be loaded right after the operating system detects the hardware connected to the computer, which would give it full control of the entire system and even provide access to the authentication information required by the end user to access the computer. In other words, the keylogger would have more power and access than the user.

    The benefit of this type of keylogger is that it can be undetectable. Because the keylogger is executed before the rest of the computer's programs, it can take precautions to hide itself. Unfortunately, this also means the keylogger may miss some information that passes at the application layer, such as autocompletes and address bars. Despite this, a kernel keylogger is generally considered to be the best because it is undetectable.
     
  23. strider44

    strider44 Guest


    Well, not exactly undetectable. But yes, very hard to find. Almost undetectable would be a better explanation. ;)
     
  24. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Yes, thanks for pointing that out strider, the above text is an extract from a security article (link contained in extract). I agree with you - much of this thread has been devoted to detecting the undetectable - so far everything has been detected. But it's always possible that out there in the raging torrent of the cybersea there swims the mythical legendary perfect undetectable keylogger.
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Here is a possible candidate for undetectable keylogger of the year.... :D

    "The keylogger is absolutely invisible and undetectable on the user's desktop and cannot be seen in the task manager. More than that, by using advanced hooking techniques, Spytector keylogger can be used at the same time with the firewall installed on your computer"

    "Spytector shouldn't be detected by antivirus applications; it is a commercial legitimate keylogger (monitoring tool). Our customers should be able to use Spytector on their computers at the same time with their antivirus software, so the version they receive must be (and will be) undetected"

    "Can I use Spytector at the same time with my firewall?
    Yes, Spytector is undetectable. By using advanced hooking techniques, the keylogger bypasses most of the existing firewalls"

    http://www.spytector.com/faq.html
     