A keylogger that bypasses even SpyShelter

Discussion in 'other anti-malware software' started by Oddo, Dec 5, 2013.

Thread Status:
Not open for further replies.
  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    It's interesting...but unfortunately it doesn't work as well as the author said. It does not correctly catch keystrokes in my own language (Polish) while using "Alt"...the left "Alt"...in combination with some letters, but we can see proper catching while using "Shift". For example, letters like ę ó ą ś ł ż ź ć ń in words such as święta or żółć (don't even try to pronounce it :D ) are not detected, but QWERTY... etc. are detected.
    So I think that the add-on is written to catch properly only classic Latin letters, especially in English words.

    SS really doesn't warn about the add-on's actions to catch keystrokes...even after deleting all rules for Firefox...hmm...
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    That's when features such as SafeZone, SafePay and SafeMoney come into play, with isolated ad-hoc browsers or running on a naked browser of your choice.
    So, only trusted add-ons, or not even those, will be allowed... Simple, and it does the trick ;)
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Frankly, I can't believe that some people here still don't understand that a browser add-on, once it's installed, is simply unstoppable. An add-on is part of the browser's code: if the add-on is malicious, your browser is malicious, period. If the browser is trusted in your HIPS, all its add-ons are trusted as well.

    Have you ever seen separate entries for your add-ons in the processes list of your HIPS, the exclusions list of your antivirus, etc.?

    For example, KeyScrambler or Zemana Free encrypt the keystrokes so only the application where you are typing can read what you are writing. But an add-on, a plugin or whatever that injects into the application can see everything that happens inside of it. And, of course, as you allow your browser to go through your firewall, this can't help you either.
     
  4. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    OK...fully agree...but what about the situation when the anti-logger/HIPS has no rules for the browser? What should we call our browser in such a case - "trusted" or "untrusted"?
     
    Last edited: Dec 6, 2013
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I have notified Zemana about this and will report back their answer.
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Just out of curiosity, if you expect a program to "protect" you from an add-on which is part of the browser process, wouldn't you be unable to use the keyboard with your browser then?
     
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Indeed.

    Anyway, I rarely have more than one addon installed in a browser, not including Flash Player.

    The more of those things are installed, the higher the odds of something bad happening later on.

    Security starts with the browser and email application.
     
  8. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    So why doesn't the key scrambler approach work with this kind of keylogger?
     
  9. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I believed (perhaps erroneously) that key scrambler was supposed to encrypt at the keyboard driver level, before the app, whether that's Firefox or an addon?? http://www.qfxsoftware.com/ks-windows/how-it-works.htm

    EDIT
    I reread your post and the link I posted and now understand the problem.
     
    Last edited: Dec 6, 2013
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Probably because it is deemed a browser process.
    Once you install an addon, you pretty much have invited the vampires inside your home, so to speak.
    Your only hope is that they behave themselves. ;)

    Unless a drive-by malware can automatically install such an addon, there is nothing to worry about.
     
  11. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    If you've installed it as an add-on / extension to Firefox and give Firefox internet access within Sandboxie, then you will have granted that access to the keylogger as well.
     
  12. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    SpyShelter's anti-keylogger module, Zemana, Trusteer Rapport, etc., all are based on a white list approach. It doesn't matter if the white list is made entirely by you or it comes hard-coded within the app.

    Also, they all let you add your own exclusions too: They let you expand their white list.

    They all trust known browsers by default. Add-ons (scripts inside the browser) are outside their scope.

    With one (apparent) exception: Trusteer Rapport blocks untrusted add-ons, but they use black-listing/reputation for this, nothing to do with anti-keylogging.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Firefox can run and update, but in my SBIE nothing (including every Mozilla add-on) can update or run unless I want it to.
     
  14. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I can understand the add-on not updating unless you do so outside of Sandboxie (that's how I update my few extensions and Firefox itself)...but if you give Firefox permission to connect to the internet, what makes you think that the "extension" is being denied internet access?

    As far as Sandboxie is concerned, the "add-on" is part of Firefox and that is where the danger lies.
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Restrictions don't help because the keylogger/addon uses Firefox as a vehicle to send information out (as Tzuk says at the bottom of the link that I posted earlier).
    True.

    Bo
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Then Tzuk should create restrictions where we can configure which add-ons are allowed or blocked to start/run and access the internet.
     
  17. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Maybe you shouldn't add extensions to Firefox that aren't trustworthy and haven't been well researched in advance of your doing so. :rolleyes:

    Seriously though, you can decide which ones start, run and have access to the internet by choosing to install or not...and by uninstalling any you don't trust.

    I'm not sure that any program exists that can give you the kind of granular control you seek, though it would be nice to have, I'll admit.

    As to what Tzuk should do, I think you're overstepping...
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So NoScript and AdBlock Edge are not trustworthy...
     
  19. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    I think they are but I can't guarantee that they are.
    (That said, I do use each of them. Well, NoScript and Adblock Plus. I've never used Adblock Edge and know nothing about the developer of that extension.)
     
  20. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    CWS:cool:, you can create and use a separate Firefox profile for your sensitive browsing and don't install any addons while you use it. Or install NoScript and Adblock; they can be trusted.

    In my personal case, I use three addons, they are three of the four most popular Firefox addons. Those addons can be trusted. The danger is when someone uses 30 or 40 addons.

    Bo
     
    Last edited: Dec 6, 2013
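The point made in vojta's posts above (an add-on runs inside the trusted browser process, so process-level whitelisting cannot see it) and bo elam's advice to keep a separate, add-on-free profile both come down to one defensive check: know exactly which extensions are enabled in the profile you type sensitive data into. The script below is an added example written for this thread, not code from the forum or from any of the products discussed. It parses a constructed sample in the shape of Firefox's `extensions.json` (the field names `addons`, `id`, `type`, `active`, `userDisabled`, `location`, `defaultLocale.name` and `userPermissions` are assumed from that file's layout; verify them against your own profile before relying on it) and reports every enabled, user-installed extension, calling out those whose host permissions let a content script run on every site.

```python
"""Audit which enabled add-ons live inside a Firefox profile (added example; assumptions noted)."""
import json
from pathlib import Path

# Host patterns that grant content scripts access to every page. An add-on with one of
# these sees everything typed into any site, regardless of HIPS rules for firefox.exe.
# The set is an assumption for this example, not an exhaustive list.
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_addons(extensions_json_text):
    """Return (id, name, reason) for each enabled extension the user installed into the profile."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks carry no page-level code
        if not addon.get("active", False) or addon.get("userDisabled", False):
            continue  # disabled add-ons are not loaded into the browser process
        if addon.get("location") != "app-profile":
            continue  # built-in/system add-ons ship with Firefox; focus on user-installed ones
        name = addon.get("defaultLocale", {}).get("name", addon.get("id", "?"))
        perms = addon.get("userPermissions") or {}
        reasons = []
        if set(perms.get("origins", [])) & BROAD_ORIGINS:
            reasons.append("content scripts on all sites")
        if "webRequest" in perms.get("permissions", []):
            reasons.append("can observe network requests")
        if not reasons:
            reasons.append("user-installed; review manually")
        findings.append((addon["id"], name, "; ".join(reasons)))
    return findings


def profile_is_clean(extensions_json_text):
    """True when no user-installed extension is enabled: the 'separate profile with no addons' case."""
    return not audit_addons(extensions_json_text)


def audit_profile_dir(profile_dir):
    """Read extensions.json from a real profile directory (assumed file name) and audit it."""
    return audit_addons((Path(profile_dir) / "extensions.json").read_text(encoding="utf-8"))


# Constructed sample data: IDs use the reserved .invalid domain and are not real add-ons.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "notes@example.invalid", "type": "extension", "active": True, "userDisabled": False,
         "location": "app-profile", "defaultLocale": {"name": "Example Notes"},
         "userPermissions": {"permissions": ["storage"], "origins": ["<all_urls>"]}},
        {"id": "reader@example.invalid", "type": "extension", "active": True, "userDisabled": False,
         "location": "app-profile", "defaultLocale": {"name": "Example Reader"},
         "userPermissions": {"permissions": [], "origins": ["https://news.example/*"]}},
        {"id": "old@example.invalid", "type": "extension", "active": False, "userDisabled": True,
         "location": "app-profile", "defaultLocale": {"name": "Disabled Thing"},
         "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
        {"id": "dark@example.invalid", "type": "theme", "active": True, "userDisabled": False,
         "location": "app-profile", "defaultLocale": {"name": "Dark Theme"}},
        {"id": "builtin@example.invalid", "type": "extension", "active": True, "userDisabled": False,
         "location": "app-system-defaults", "defaultLocale": {"name": "Shipped With Browser"},
         "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
    ],
})

CLEAN_PROFILE_JSON = json.dumps({"schemaVersion": 35, "addons": []})


if __name__ == "__main__":
    for addon_id, name, reason in audit_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"{name} ({addon_id}): {reason}")
    print("clean profile:", profile_is_clean(CLEAN_PROFILE_JSON))
```

Run against the sample, only the two enabled user-installed extensions are reported; the disabled one, the theme and the system add-on are skipped. Pointing `audit_profile_dir()` at a real profile directory lists what actually runs inside your browser, which is the list a HIPS whitelist entry for the browser silently extends trust to.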
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I'll do that, big thanks for the help.
     
  22. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    OK but...SS at the "ask user" level (without built-in rules) and with an empty WL/BL is still completely silent. I think I can expect such an app to be more sensitive, especially since I know I can have more than one rule per app/process, which is normal in SS or other similar HIPS-like apps.
    As I said above...I don't expect protection against the process but mainly against its suspicious/unknown actions. That's the reason I use SS or any other HIPS/BB app.

    BTW...could someone confirm such behaviour of the "nifty keylogger" with a language other than English (using "Alt" with other letters)...if I type "żółć" the add-on shows in the log (repeated more than a few times)
    "Alt+Ctrl+k" shows a window with the log.
     
  23. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    It usually is the user who is the weakest link in the chain.
    All tools have limitations and it's up to the users to understand them.

    Like I said, addons can be pretty powerful and the fewer of them installed the better, imo.
    They can be a huge security concern...

    Your browser and email application are your main gateway to the internet and must be protected.
    And the best place to fight the Barbarians is right at the gates. :)
     
    Last edited: Dec 6, 2013
  24. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,587
    I still find it hard to believe that this sort of keylogger isn't detected and sorted out....as NM said, "it always seems impossible until it's done". I'm gonna be disappointed if this isn't fixed by someone.
     
  25. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    If I recall correctly, the only time I've been notified of a screen or key logger in connection with Firefox during a browsing session was when the "Plugin Container for Firefox" was called upon to retrieve some audio or video content. This was via Online Armor's HIPS.

    I really can't think of any other instance offhand except for Firefox (and Thunderbird) itself requiring certain logging permissions in order to update the program.
     