Anti-Keylogger Tester

Discussion in 'other security issues & news' started by TairikuOkami, Jan 13, 2007.

Thread Status:
Not open for further replies.
  1. Get

    Get Guest

    Outpost stops DirectX and Screenshot1 for what it's worth, because the malware first has to come on your pc and then it must start without being noticed and what are the odds of that to happen on a well-protected pc? Still a nice test, but not a real "makes me feel sick"-thing.
     
  2. Tod

    Tod Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    17
    If someone downloads and then runs a "free" crack/cracked software/screensaver/shareware or some other program that also include a keylogger, then only a keylogger detector will help.
     
  3. Get

    Get Guest

    Yes, I'm aware of the fact that people do dangerous things, but the user is also part of the protection of a pc and when that fails you can no longer speak of a well-protected pc. When you say "I want to download and run whatever I damn well please and my software must be able to stop everything"...yes then it's a good test and many many tests will follow.
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    So after running these "user initiated" supposed malware tests everyone wants their HIPS to notify them evey time you use a screen capture app or print something in notepad, eh.

    Make it work like some real malware and do the tests without "user initiation" and then see how your security reacts!
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,
    You obviously didn't read the news page or the AKLT description page about the screenshot tests : http://www.firewallleaktester.com/aklt.htm
    The screenshot tests are just a bonus. After writing this page someone informed me that the software SnoopFree has anti-screenshot features, which unfortunately is not able to block the two AKLT's test.
    That has never meant that "everyone wants their HIPS to notify them evey time you use a screen capture" unlike you said, but only that everyone wanting to be protected against screen capture and eventually has already paid for a security software against that, will be able to test it.
    As I said, that's just a bonus, if you don't need it, no need to criticize it and to make erroneous broad statements.

    A scenario for you (which has really happened) :
    You are browsing a trusted security forum, for years. One day, one bad people uses a vulnerability of the forum to plant his own code, which in turns will download an executable and execute it on all client's machine, using another Windows vulnerability (not yet patched).

    You end up with a real trojan running on your machine without "user initiation", undetected by your AV because new/packed/encrypted/modified, and is starting keylogging (even if you are running under a restricted user account).

    At this point, do you want to be hacked, or do you want your HIPS either to ask you if you want to run the executable or to ask you if you want the app to monitor your keyboard ? (thus detecting and blocking it).

    AKLT is a tool for people who already have security softwares installed, which are supposed to protect them from keyloggers. Thanks to AKLT, people can test their security appplications, in a friendly and harmless way, without downloading a real trojan or hoping with their "finger crossed" that their security will protect them as expected.

    I suppose, following your logic, that the antivirus EICAR test is also ridiculous ? Indeed, as I always "know" what I do and that I never download anything harmful, there is no need for an AV and hence no need for the EICAR test ?
    Obviousy not, I hope you got the analogy with AKLT.

    Regards,
    gkweb.
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    No HIPS or AV on this test hard drive.

    Just Sandboxie and LnS ATM.

    OK, some may find your test usable.But I couldn't find it after emptying the sandbox.The same as would happen to any other zero day attacks.;)
     
  7. Get

    Get Guest

    It will never come to "if you want the app to monitor your keyboard ?", because HIPS will always notice the executable. When I don't allow AKLT nothing happens. Am I right or missing something? o_O (apart from a user who thinks "yeah great! a new executable! Let's allow it!!")
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This exe execute prevention talk is ridiculous, everyone will allow a "trusted" exe, so it´s nonsense to talk about. The sense of exe is to execute and nothing else.

    Interesting, Advanced Anti Keylogger loses in two tests, also in directx. Damn so many holes in security software.

    Beside a great testing tool, my compliments.
     
  9. Get

    Get Guest

    I wouldn't call a new exe which has come on my pc unnoticed trusted and when my HIPS asks me if it may execute I will most certainly block it.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    First Test Results:

    1. Spydex AAK 3 Points
    2. Widestep AK3 high, PG, Raytown AK7.4 delayed 2 Points
    3. Widestep AK3 low/mid, Raytown AK7.4 direct, pgfree 3.4 0 Points
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, I have at least gotten an indication that Keyscrambler Personal works well on defeating keyloggers on log-ins (see screenshot).

    According to what else this AKLT thing picked up, I may actually have to purchase the full version of KeyScrambler.

    On second thought, forget the screenshot, I can't edit it. Anyone else running Keyscrambler and AKLT will be able to see what I mean. I was using the GetAsyncKeyState part of AKLT.

    Guess I'll have to try the other modes, also, to see if Keyscrambler handles all of them. Pete
     
  12. Tod

    Tod Registered Member

    Joined:
    Jul 13, 2006
    Posts:
    17
    As stated previously great program! Gkweb, if you ever feel the inclination to make a new version, then it would be nice to also check for global hooks and DLL/code injection. Even if most HIPS currently detects these, it would still be nice to check for oneself, especially after updates to the security programs when things may get broken.

    Also, some trojans in the wild use video and small screenshots for keylogging.

    http://blog.hispasec.com/virustotal/9
    http://blog.hispasec.com/virustotal/8
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,159
    Location:
    UK / Pakistan
    Sandboxing is realy powerfull but even in ur case session-long keylogging will not be prevented as sanbdboxie does not prevent keyloggers. Also u can,t sandbox all ur PC.

    Anyway it seems a nice tool. Keylogging is one of the weakest point for most secrity applications.
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    For what it is worth, I had a go at these tests with the following results:-

    Tests 1 & 2 got through everything on my inventory (including ZAP, PG and KAV 6).

    However Test 3 was auto-blocked by PG which alerted to aklt.exe attempting to create "a low level mouse hook". KAV's PDM also objected to an "attempt to run browser with command line parameters". Between the two of them this test was foiled. Funnily enogh, in retesting this KAV played no part, it was PG that stops it.

    Screenshot Test 1 was also foiled, this time by a combination of ZAP which objected to an attempt by "anti-Keylogger trying to control the keyboard input of the process....avp.exe" (ie KAV) and KAV itself which prevented "svchost.exe from running as a child of services.exe". I don't know what part ZAP played, but the capture was prevented.

    Screenshot Test 2 did get through and was saved as a .jpeg, the only consolation here being that it was prevented from being auto-displayed by ZAP which prevented anti-keylogger from launching Rundll32.exe (actually PG would have stopped this too had ZAP not got there first).

    So a mixed bag, but a resounding failure in the case of the first two tests!
     
    Last edited: Jan 17, 2007
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I don't get this... or better, I get this talk is nonsense.

    The keylogger activity detection/blocking is obviously something that the security software should detect/block on executables already launched. You can't say that something that blocks an executables from running at all stops keylogger activities. Hell, it stops every activity, even if not malicious at all.
     
  16. Get

    Get Guest

    Yes, that's the whole point.

    No, it stops it and asks you to allow/block and that's the only simple point I'm trying to make. You must first allow an untrusted exe which you are mistaking for a trusted one and that's why this test doesn't make me feel sick, because what are the odds of that to happen on a well-protected pc (software/user). That's all.
     
  17. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What about if you get a software from, say, a supposedly trusted source that has been compromised. You won't think twice about running it, but if keylogger activity is activated you won't notice.

    I don't get why you pretend it's so easy to distinguish between "trusted" and "untrusted" software so quickly. If it is not a program for which you wrote the code and/or reviewed the whole code and compiled it from the same source, there can always be some sort of distrust.
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Finding out the correct CRC or hash of whatever app you're d/l'ing - and then checking to see if you got a "legit" d/l - would cover that in all except a case where you had a developer go rogue, wouldn't it? Pete
     
  19. Get

    Get Guest

    Only download from the author's site I would say and when the author has gone bad then it would be usefull to be protected, but then again what are the odds?.. and that's the reason why I don't loose sleep over this. That's all I'm saying. It's like saying..."we have developed something that keeps an eye out for people entering your house when you leave the door wide open and can distinguish the good from the bad" and then I say "well, I never leave my door wide-open and for that 1 in a 1000000 times I per misfortune will I'm not concerned.".
     
  20. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    CRC or hash? Apart from the fact that there's definitely not many that include a hash on their site, if the site's compromised then the md5 on the site could have been replaced as well (not to mention that CRC-32 is an extremely WEAK hash that can be easily forged anyway).

    A much better solution would be a PGP signature but then again, how many use PGP or even check for the signature anyway? And also, you need to have imported the developer's public key previously, otherwise the attacker could just replace the public key on the site with his own key and it would appear as a "correct signature".
     
  21. true north

    true north Registered Member

    Joined:
    Dec 14, 2006
    Posts:
    159
    Hi,
    KAV 6.0 PDW warns me only about keylogger and offered only to allow them !!!!!! NO way to terminate them. What could I do ?
    Thank for your advise.
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,924
    Hello,

    Liked the idea of that - Linu ....

    Scenarios - bad code on trusted site - use non-IE browser, preferably with no scripts allowed and 99.994838372% of problems are solved.

    Trusting a source is 99% of security. If you think it's good, you'll run it. And vice versa. Existing setups can help in this case but not much. Once even the paranoid triple-HIPS users are convinced the programs is OK, they'll click through their 43 popups until everything goes quiet, because they are used to do it anyhow 670 times a day.

    On the other, keeping the setup to a minimum DEMANDS that the user be on alert all the time and uses his judgement constantly. Thus, absurdly, the chances of an infection are actually smaller, because all of your judgement comes from you - and nothing is left to automated heuristics and such.

    Screen capture - turn the monitor off... just joking...

    Mrk
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Hello Mrk,

    Can you post a link to that from your sig - I'd like more information :cool:

    -rich
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,924
    Hello,
    Only if you can prove you're a worker in corporation with more than 50,000 employees and that you are forced to run screensavers that have the words innovate, synergy and diversity showing somewhere...
    Mrk
     
  25. spindoctor

    spindoctor Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    83
    Great Tests Gk. My hats off to you for showing us all how there are still many areas our security programs can miss and the need to constantly improve them against the many possible new emerging or little known threats. I wonder how many other ways there are to keylog someone that we aren't aware of and our security/hips programs can't prevent.



    This would be nice to have a variety of small test programs that show if your security/hips programs are really doing their job. I guess some leak tests would cover some of that also.

    While I find GHs and Dll injection to be something worth testing against, I would like to see more tests like this AKLT because GHs and Dll injection are more widely known. More tests against the lesser known threats is what I would like to see.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.