Anti-keylogger Undetected

Discussion in 'ProcessGuard' started by casper1, Apr 15, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Nick S

    Thank you

    Looks like PG stops everything and KProcCheck finds every hidden process.
    I have used KProcCheck before also.

    Bruce
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'm quite glad to see that PG did indeed log AKL with AKL being pre-existing.

    And, PG did exactly as advertised by logging it and letting it run in "Learning Mode", then assigning it default "privileges" after coming out of "Learning Mode".

    I was kind of thinking that someone who was unfamiliar with PG and its alerts might have missed that - that's why I said

    back in post #17.

    The whole situation still drives home the point that someone unfamiliar with PG can miss that kind of thing, or misread it, though - and give pre-existing malware the "OK" to run.

    Good work, Nick! Pete
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Bruce and Pete, glad to have helped :). I imaged that scenario in case it needs further study.

    Nick
     
  4. casper1

    casper1 Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    6
    Hi Guys,

    I had the chance to test anti-keylogger. I went to the security screen and picked the anti-keylogger program and set it to "Deny Always". I then rebooted my system, and the first thing I saw before Windows loaded is "Your system is protected by anti-keylogger". So I let Windows continue to load to see if anti-keylogger would appear in the system tray. It did, and it was the last thing to appear as usual. So Process Guard could not block it.

    I guess that speaks a lot for anti-keylogger, as the trojans it blocks are unable to block it. And Process Guard can't either, not that I would want it blocked.

    Nick,

    I'm running anti-keylogger 6.0 from http://www.anti-keyloggers.com
    Are you testing with the same version?

    Here is the log file message after setting to "Deny Always" and then rebooting.
    Sat 16 - 10:13:25 [EXECUTION] "c:\program files\anti-keylogger\anti-keylogger.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\explorer.exe" [152]
    [EXECUTION] Commandline - [ "c:\program files\anti-keylogger\anti-keylogger.exe" ]

    And like I said, learning mode never found it on booting. I had to use "Add Application" from the protection list to get it recognized, and I'm not sure how I got it to the security list. I think I manually started a second instance of it.

    casper1
     
    Last edited: Apr 17, 2005
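A check for the mismatch casper1's log shows, as an added example that is not part of the thread or of ProcessGuard: it parses the three-line [EXECUTION] records in the format quoted above and flags programs that were allowed to run although the Security List says Deny Always. The log sample, the POLICY dict and the tray.exe record are constructed for the example; PG's real Security List export format is not on the page.

```python
import re
from dataclasses import dataclass

# Constructed sample in the three-line [EXECUTION] record format quoted in
# casper1's post; the tray.exe record is made up for contrast.
SAMPLE_LOG = """\
Sat 16 - 10:13:25 [EXECUTION] "c:\\program files\\anti-keylogger\\anti-keylogger.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\explorer.exe" [152]
[EXECUTION] Commandline - [ "c:\\program files\\anti-keylogger\\anti-keylogger.exe" ]
Sat 16 - 10:13:31 [EXECUTION] "c:\\program files\\example\\tray.exe" was allowed to run
[EXECUTION] Started by "c:\\windows\\explorer.exe" [152]
[EXECUTION] Commandline - [ "c:\\program files\\example\\tray.exe" ]
"""

# Hypothetical Security List export (path -> action chosen in PG); PG's real
# export format is not on the page, so this is an assumed dict.
POLICY = {
    r"c:\program files\anti-keylogger\anti-keylogger.exe": "Deny Always",
    r"c:\program files\example\tray.exe": "Permit Always",
}

HEAD = re.compile(r'^(?P<ts>.+?) \[EXECUTION\] "(?P<path>[^"]+)" was (?P<verdict>\w+) to run$')
PARENT = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')

@dataclass
class Execution:
    timestamp: str
    path: str
    verdict: str          # "allowed" in every record the page shows
    parent: str = ""
    parent_pid: int = 0
    commandline: str = ""

def parse_log(text):
    """Group each head line with its 'Started by' and 'Commandline' detail lines."""
    events = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            events.append(Execution(m["ts"], m["path"].lower(), m["verdict"]))
        elif events and (m := PARENT.match(line)):
            events[-1].parent, events[-1].parent_pid = m["parent"].lower(), int(m["pid"])
        elif events and (m := CMD.match(line)):
            events[-1].commandline = m["cmd"]
    return events

def policy_violations(events, policy):
    """Executions that ran despite a Deny Always entry: the symptom casper1 reports."""
    return [e for e in events
            if e.verdict == "allowed" and policy.get(e.path) == "Deny Always"]
```

Running `policy_violations(parse_log(SAMPLE_LOG), POLICY)` returns only the anti-keylogger.exe record, with explorer.exe [152] as the parent that started it.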
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Thanks for the update casper1.

    I may try loading Anti-Keylogger to see if System Task Manager/Spy Protector detects it.

    Rich
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi casper1,

    I used the 6.01 trial version. Did you reboot twice while in learning mode? I reboot twice and then manually enable all Global Protection Options and manually disable Learning Mode. Then I do one last reboot. Other users tend to run their favorite apps while in Learning Mode. I don't, and prefer PG to capture only system and security processes.

    Nick
     
  7. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Thanks casper1, I appreciate the followup info.

    Nick, thank you, too, for so much careful testing.

    I'm wondering if rickontheweb may have hit on a critical difference. I boot up into a LAN environment and his experience with user-level programs that beat PG to the punch sounds like what I've grown accustomed to. I'm wondering if, possibly, casper1 is booting into a LAN environment and Nick is not?
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    *Controler, KProcCheck is bypassed by the Golden version of Hacker Defender.
    The same for RKDetector Pro (also finds hidden processes/services), which I use.

    *I use SnoopFree, which does not have a signature database, and I never noticed a similar problem with PG.

    *For more information:

    -a recent and interesting paper: http://www.securityfocus.com/infocus/1829

    "Although hook based anti-keyloggers are better than signatures based anti-keyloggers".

    -an old one but also interesting: Windows Key logging and Counter-measures (pdf) : http://www.security.org.sg/code/antikeylog.html

    Regards
     
  9. controler

    controler Guest

    Hi kareldjag


    Thanks for the links.

    In the first link, the author talks about sig based & hook based anti-keyloggers.
    He doesn't acknowledge the existence of a kernel based anti-keylogger, which is what Anti-Keylogger is, using rootkit technology, that loads before the OS. Actually at this point, I don't know if it loads before the OS or only before user login.


    Bruce
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi earth1 and rickontheweb,

    I only run single-user, stand-alone XP Pro systems. I have reloaded the test image and want to repeat the test in a multi-user environment. Would adding a limited user account to the existing AKL/PG setup make the test conditions less realistic or should I start from scratch and install AKL, then PG, onto a multi-user environment? I know there have been issues with PG and multi-user setups, but I have not followed the threads closely. Thanks for your input.

    Nick
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    After adding a second admin account and a limited user account to my existing setup (AKL and PG already installed), PG continues to successfully block anti-keylogger.exe from executing after multiple restarts and user-switches. Keep in mind that anti-keylogger.exe must be set to Deny Always for PG to block it from executing. If you set it to Permit Once it will execute, and PG will display the Unable to ask user comment in the Security List.

    Nick
     
  12. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've quickly tried anti-keylogger to understand the problem.
    Then ok. I've run RKDetector, which killed antikeylogger.exe (hidden process, as NickS noticed).
    This anti-keylogger has a good protection during the boot.

    Against rootkit methods, any weakness during the boot could be an issue.
    And PG has this weakness.

    Regards
     
  13. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Very interesting, Nick! I was using the list of "Permit Once (Unable to ask user)" security actions to determine which programs start before PG protection is effective. I should have realized that Deny Always is still effective without a GUI, while Permit Once is GUI dependent. That still leaves the mystery of why Deny Always doesn't stop AKL for casper1, though. o_O Perhaps it's a separate startup race between services that load before logon, where dcsuserprot.exe wins on your system and the AKL service wins on casper1's. It does make more sense that network initialization would affect contention prior to logon.

    On a more positive note, it might be helpful to split PG's "Block new and changed applications" into two separate options. The new option would be to "Block new and changed apps at startup only" (until procguard.exe is able to ask the user) and the current option would become "Block new and changed apps always". I never use the current option, but I would certainly like to maximize the barrier against startup programs I haven't explicitly approved.

    Thanks again, Nick. You are truly indefatigable! :)
     
  14. kjb25

    kjb25 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    1
    Re: Anti-keylogger Undetected - Bootvis

    "Microsoft used to have a tool called BootVis available that allowed you to trace the startup process and graph out what is loading and in what sequence. This way you could see what's loading before ProcessGuard or exactly when your firewall is loading etc."

    It is still available here http://www.softpedia.com/progDownload/BootVis-Download-3465.html

    It can be helpful.
     
  15. casper1

    casper1 Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    6
    I have 5 PCs networked through a wireless router, 3 are hardwired, and 2 radio connections. I'm using a Linksys router. The PC with AKL and PG on it is hardwired and the primary PC on the router. It's running XP Home Service Pack II. The only explanation I can see is that AKL executes before PG. It is designed to start up as early as possible to catch all key logging processes, but so is PG. So maybe it is just the luck of the draw which one runs first, since they are both competing to run as early as possible to catch all threats.

    casper1.
     
  16. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    Yup, looks like a LAN to me.

    Perhaps we should start recommending disabling all network connections (LAN - wireless/land line, broadband, etc.) for the 3 boot learning mode installation of ProcessGuard? Or whenever you want to use learning mode in a boot up re-learning scenario.

    That would seem to solve the problem of learning in all processes that seem to load before PG in a network enabled connection environment.

    But that doesn't solve the problem of having things load earlier than PG once we reboot with our network connections always enabled, after learning mode is turned off. I guess that's where start up protection applications become essential, so we can detect changes to our startup settings.
     