Anti-Keylogger Tester

Discussion in 'other security issues & news' started by TairikuOkami, Jan 13, 2007.

Thread Status:
Not open for further replies.
  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    http://www.firewallleaktester.com/aklt.htm
    http://www.firewallleaktester.com/news.htm
     
    Last edited by a moderator: Jan 14, 2007
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Same as Martin´s Undetectable Keylogger?
    Side note: the AV guys haven´t added yet a signature for it. This isn´t a test for your malware scanner ;)
     
    Last edited: Jan 13, 2007
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    Thanks for the heads up, these are another couple of things that HIPS should protect against, hopefully most will do so in the future. ;)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall stopped all of them, very nice.

    CyberHawk
    only prompted on first one and no more prompts after than. On repeat testing, no prompt on even first one, that was disapointing.

    Anybody tried SnoopFree?

    Edit: Just rechecked GesWall actuallt stops all except second screen capture method.
     
    Last edited: Jan 15, 2007
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried again with CyberHawk and it did stopped two of three keylogging methods but after a bit delay. #rd method not detected.
    CyberHawk of course does not protect against snapshots. Only software that I know to protect against screen snapshots/ captures is SnoopFree.
    Anyother HIPS to do this?
     
  6. Londonbeat

    Londonbeat Registered Member

    Joined:
    Sep 21, 2006
    Posts:
    350
    KAV6 proactive defense doesn't detect any of the tests either.

    Londonbeat
     
  7. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
  8. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
    KAV 6 does a poor job dealing with keyloggers. Only to accept them is NOT the way that should be.
     
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    DSA caught two of the three keyboard monitors: GetKetState and DirectX. It did not catch either of the screenshots.

    I also was running NOD32 which did not pop up any warnings, even with DSA disabled. NOD32 has some new stealth sense technology that, I thought, was supposed to catch keyloggers. Although maybe that is on scan in-depth scan only?

    Spyware Terminator- realtime shield and HIPS enabled allowed all the keyloggers tests to execute.

    Comodo Firewall- with Application Monitor and Component monitor enabled allowed all keylogger tests to execute.

    Ashampoo Anti-Spyware (A-squared clone)- with AntiSpy Guard active allowed all keylogger tests to execute.

    CounterSpy- with Active Protection activated allowed all the keylogger tests to execute.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Nice
    Kudos to GKweb again

    No response from
    NAV
    BOClean
    PrevX (does warn that the AKLT.exe is not known and offers options)
    >>but then allows all 5 tests.
    CyberHawk
    Ewido direct scan
    Avira direct scan

    Jotti's 15-1-07, 0933: scan of AKLT.exe :nobody found nothing.

    At Virus total: eSafe and Fortinet both identified the AKLT.exe as "suspicious", nada from others

    I wonder whether this is a legitimate "malware" test?
    Is this really malware?

    Heh if the consensus is yes: there's a lot of disappointed end users :ouch:

    @Aigle: when you say GES Wall "stopped them all": can you elaborate a bit pls.

    Anybody check with DefenceWall??

    Regards.

    EDIT
    BOClean updated here 2314H: now detects the AKLT.exe as malware with single file scan.
    But allows the "5 tests" to proceed with no problem.
     
    Last edited: Jan 15, 2007
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    AKLT is NOT a malware, and should never be detected as such.
    It is a test tool that can only run if you launch it, and it doesn't record anything,
    everything logged in th program window is lost when you close the program. Nothing is sent out (no network code in it).

    AKLT illustrates what a trojan could do, the purpose is to see if your HIPS detects AKLT monitoring your keyboard, not to see if your AV detects the file (which is not a malware).

    I'll contact BOCLEAN.

    Regards,
    gkweb.
     
  12. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Thankyou GK Web
    No problem. I was just wondering. :)
    Hehe, so far so good, the test is winning :cautious:

    My previous post was as usual a bit unintentionally cryptic.
    I dl'd the exe: PrevX warned me, ran it from the desktop to see what might happen (trust you a LOT ;) ! - and have FDISR snaps ;) )
    Effectively "nothing happened" other than the tests ran.
    No warnings from any of the "resident" tools
    Then ran scans with whatever was hanging around in that snapshot at that time just to see if anything might find something malicious.

    Will be interesting to see what utilities will detect the tests.
    My observation as to "is this malware" was directed more at the function of the tests: works as keylogger but doesn't try to phone home or "do" anything with the captured data. Therefore, I am wondering how many HIPS utilities will react to it, the data capture, as a threat?

    Damn you GKW LOL.
    GoodGreat little test.
    Need another rethink maybe.
    Regards.
    Edit: BOClean will now try and stop the exe from running. Labels it a "trojan"
     
    Last edited: Jan 15, 2007
  13. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thanks for the clarification and your comments.

    Adding AV signature detection for AKLT will effectively detects AKLT as virus even before it has a chance to execute. The whole issue appears when an unknown malware executes on your system, and is starting to monitor your keyboard. At this point, no matter which AV you have, you need a proactive defense to analyse and detect the suspicious behavior of the malware, no matter how it is packed/encrypted to avoid signature detection.

    That is all the point of AKLT, enabling you to see if your defense detects the mimicked malware behavior, althought AKLT is not harmful in itself.

    Regards,
    gkweb.
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Damn
    Stupid me.
    Mea culpa.
    If Jottis and VT add the sig: I might have screwed up your test
    I am so sorry.
    Rename the exe ??:oops:
     
  15. Tod

    Tod Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    17
    Very nice program!

    When testing Cyberhawk only detects the first two methods when AKLT is not the active window. Is this how you should use AKLT? Or should you expect keylogging to be detected when AKLT is the active window?
     
  16. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Has anyone tested SSM or Prosecurity?
     
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    hi i can't speak for aigle, but i too tried the tests and geswall passed all but the second screen capture test. for the 3 keylogger tests, geswall stopped all alphanumberic keys from being logged. the first screen capture test, captured nothing :D . the second screen capture test, however, did succeed in getting my screenshot.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried snoopfree against it.
    It stops only second method of keylogging and second screen capture method.
    Will be interested if anyone tried it against ZAP and Online Armor,\they have good keylogger detection.
     
  19. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    i havent' tested myself but according to the firewall leak test site :
    http://www.firewallleaktester.com/news.htm#66
    so apparently the makers of prosecurity and ssm are aware of the problem and are correcting it as we speak.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I downloaded the exe via bowser that was isolated by GesWall. When I run the exe GesWall asked if I want to isolate the exe as it came from an isolated source( my browser) I opted for yes. Test was able to run isolated but no keys were logged.( Just rechecked GesWall actually stops all except second screen capture method- I have edited my previous post).

    Hope it,s clear now

    I am interested too.

    It does not make any diference. This is not a test of signature based protection.
     
    Last edited: Jan 15, 2007
  21. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
    KIS PDM detects the first and second one and the third one will be detected on the next Beta version (about a week)
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Longboard: is it still unknown to Prevx1?
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    No response when running AKLTexe with prevx in expert mode.

    @ Someone: How about for you??
     

    Attached Files:

  24. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Usually i don't run such tests.
    But i am a curious man, and thank you guys for your testing and reporting:)
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    heh
    PrevX just now updated
    will check again
     
Loading...
Thread Status:
Not open for further replies.