Xenotix Keylogger Test

First off, thanks to subhrobhandari for posting about this https://www.wilderssecurity.com/showthread.php?t=340672
I'd not heard of it before. As PrevxHelp said they didn't detect it, i thought it would worth seeing what, if anything, might do so !

I entered into ShadowDefender mode & installed xenotix_keylogger-3.0-fx.xpi into FF v3.6.14. Set 123 as my password.

No problems installing it etc, then came here & inputted cloneranger & test123 as a fake PW



To view the logs: ALT+SHIFT+\



It opens up another instance of FF & sure enough they are both visable & correct

WSA didn't blink, as expected due to PH's earlier comments, & neither did Zemana ! I think this is quite a concern, as both these products are "supposedly" there to prevent keylogging.

Could others test this on other AntiKL software, such as SpyShelter/OnlineArmor etc etc & post what they discover.

 

This shows you how useless AV software is. I'd try it on Online Armour but I uninstalled it Sorry not much help.

 

Hi there, i am the creator of xenotix keylogger. This keylogger can bypass both executable based ant-keylogers like the KeyScrambler and even the On Screen Keyboards. As of my knowledge the only way to protect from this keylogger is to use: https://addons.mozilla.org/en-us/firefox/addon/keylogger-beater/

Regards,
Ajin Abraham (><302),
Information Security Enthusiast,
keralacyberforce.in | defconkerala.org |
ajinabraham.com |

 

Comodo fails with keyloggers too which past videos etc will demonstrate.
The firefox add on looks interesting though.

 

just tested this with eset, avira, avast, norton nis, kaspersky, wsa, outpost is, and bitdefender as those were the local images i had on hand none detected this at all not a peep from any of them. and as you said it was accurate in its output. wow this is def a major issue imo....i have a lic to just about every av out there and will test the rest this weekend to see if any will flag it but the major players mentioned above dont at this time. something like this could easily be masked as another "add on" and installed by a user thinking its something else and im sure someone could figure out to remotely access the info from it. im going to run some more tests and see if i can write something to somehow read the output remotely...

 

http://www.opswat.com/products/metascan

this shouldnt work?

http://www.opswat.com/sites/default/files/keyloggersanonymous.png

 

tested also with avg, as well as vipre and sophos still no detections from it.

has anyone removed this and seen anything left from it? does it remove cleanly ill test this later to see im wondering if / what it alters anything in firefox and or leaves anything on the drive from it....

 

@ xboz

Hi & welcome. You were quick to hear about this thread

Very interesting add-ons you've made ! I realise from looking at your www's that it appears you only coded these, & the other stuff, to show what could be achieved, & not for malicious etc purposes. Well congratulations on accomplishing your objective, as more of us now know something we didn't know before. A Keylogger can be made that bypasses ALL known detection, so far anyway. POC's such as these should encouraged, as they force vendors to tighten up their products =

I was pleased to see your comment about the following.

I intend to try it out soon, & will post back with my results. I hope others will too

I noticed that the Options box was Greyed out after installing your KL, why is that, & what are they ? Also how do we delete the logs, as i couldn't see a way to do that ? Maybe it's in the Greyed out Options ? but as i can't access them, how to delete them ?

TIA

@ zfactor

Hi & thanks for your continuing tests

There is also xenotix_remote_keylogger.xpi available which can upload the captures to an FTP www !

As i was in SD mode, nothing remained after rebooting, so i can't say if it leaves data etc.

@ chabbo

The Opswat screenie is showing Installed KL's with an .EXE and/or .SYS etc, not Browser KL's such as this.

 

Online Armor may block it. I wish I had not just uninstalled it.

 

I installed the addon on FF 18.0.1, and it would not log my password. After it installed a little box appeared, and I typed in a password. I hit shift, alt, \, and another box appear that showed a bunch of question marks [backspace] [backspace] [backspace] [backspace], but no password. I wish I had online armor installed right now to see if Online Armor will flag the add-on when it is trying to install. I just uninstalled it. Default settings of VoodoShield 1.6 allowed the add-on to install. I have not tried tweaking it's settings. I do believe Voodo Shield 1.4 might stop the add-on from installing with default settings from my experience of it blocking so many things within the browser in the past. The latest version of Appguard also allowed the add-on to install in lock down mode. It did block FF from reading the memory. I still had no success logging anything.

 

Interesting, sadly i can't test it. No longer have any VM software installed.

 

Keylogger Beater Test

Installed it & also Xenotix Keylogger again. These are KB's Options,



I then went to https://www.startpage.com & typed in Keylog Me



You just hover you mouse over the character you require for about a second, & it appears where you initially left clicked on the page. Here's what XK displayed,



I next tried KB's Keyboard only option instead & typed various things into my browsers address bar. XB showed the following garbage in the address bar as i typed,

J$]e(m"']edGD@v

XK only showed,



So Keylogger Beater definately works as a GREAT AntiKeylogger in my tests anyway ! See if it works for you, & post your results etc

 

@CloneRanger

Hi, i didn't got what you meant by "Greyed out". To delete the logs, just detete the file log.html in the directory "C:\Users\<your username>\AppData\Roaming\Mozilla\Firefox\Profiles\<your profile folder>\Datax".
And Somebody here posted that it's not working in FF 18. But it's working
http://s9.postimage.org/56kr4c4yl/upload.png

And still more is waiting there to come out.
I will be talking at AppSec AsiaPAc 2013, South Korea on " Abusing Exploiting and Pwning with Firefox Add-ons."
https://www.owasp.org/index.php/AppSecAsiaPac2013#Talk_Abstracts

I would like to inform that there are 5 more Fully Undetectable POC add-ons in the list to be published including
Xenotix Remote Keylogger
Xenotix DDoSer
Xenotix Session Stealer
Xenotix Linux Password Stealer
Xenotix Reverse Connect

Xenotix Remote Keylogger is also available for download.
Have a check at: http://keralacyberforce.in/xenotix-remote-keylogger-the-mozilla-firefox-keylogger/

><302
Information Security Enthusiast,
http://keralacyberforce.in | http://defconkerala.org | http://ajinabraham.com

 

Like this for eg.

OK, thanks

All the best with your AppSec talk & demo's etc