Email PI? A trojan?

Email PI http://209.126.175.209/splash.php is a Email installed keylogger, with other Trojan like abilities, that can be installed upon a computer from a floppy or via email in the form of email greeting card. Is this a commercially available Trojan (I believe it is) and should Anti-Trojan Software consider it to be a fair target?

 

Hi, jamming!

Just thought I'd let you and everyone else know - Email PI is already detected by SpyCop (everyone else can check their anti-keylogger program-of-choice's DB and report if it's covered there or not).

Couldn't get the "Enter" button to work on that page you linked to (for good reason, I'm sure! ), so I couldn't read what led you to the conclusion that the program was a "commercially-available Trojan" that should be detected by AT programs - but from what I could see, it's a keylogger and if you are truly concerned about the possibility of having a keylogger on your computer, you should be running a dedicated anti-keylogging program - not depending on an AT or other program that only detects keyloggers as a sideline.

AT software developers/providers have quite enough to do keeping up with Trojans.

AV software developers/providers have quite enough to do keeping up with virii.

I think they should both keep on concentrating on what they do best, because it seems to me that only dilution of effort and duplication of effort result when they try to do otherwise.

But that's just me. Pete

 

hey pete

good to see you, man

could you point me in the right direction to find what you've described as a dedicated anti-keylogging program?

i read a post from jamming on the TH forum in which he made the point that, "anything that trys to slip through into your computer by flying a false flag is a Trojan by definition". EmailPI installs by sending an e-greeting card. a tad bit clandestine, don't you agree?

well, without getting hung up on definitions (i supplied jamming's partial def above), i'll share with you that EmailPI is definitely commercially available. the 'enter' button does work (maybe it was suffering downtime when you tried), and here's one item you see when you peruse the page...

List Price:
Email PI.
Unbeatable Value,
Introductory Price : $89.00

---> Purchase & Install in minutes.
---> Free Demo.

Symantec calls it security response. i like that term. their database of 63,000 threats is comprised of viruses, trojans and worms. TrojanHunter has like 28 keyloggers in their database. magnus obviously perceives them as a threat.

i respectfully disagree with your contention that an AT vendor who adds keyloggers to his detection list is diluting his product! on the contrary, pete, i will applaud that sort of inclusion wholeheartedly, and consider it to be good, solid product enhancement.

i'll repeat something i posted over on the TH forum....

i strongly believe that any AT or AV tool vendor who determines to add as many of these keylogger programs to their database as possible, will enhance that tool's popularity greatly.



mark

 

SpyCop - http://www.spycop.com/

Who's Watching Me: http://www.whoswatchingme.com/wwmOverview.html

Anti-Keylogger: http://www.anti-keyloggers.com/


NP, Mark, that's what it's all about - different viewpoints.

I would point out, however, (as I did via PM) that the TH/DCS/TC/Tauscan/SBS&D teams (all of whom claim to provide "some" measure of A-KL detection) are all very small in number (ranging from just one to four or five people) - with only so much time and resources to spare. The evidence of this is in the number of keylogging programs they provide protection against.

Currently SpyCop (the only one with which I'm familiar) provides detection for 336 keylogging programs - there's a big difference there between it and the others that are not dedicated anti-keylogger programs.

Then, too, you have to consider the fact that the major keylogger players can and do go to great lengths to keep changing their programs to avoid detection - indeed, one of them (at least) has, in the past disabled the anti-keylogging program(s) that were trying to detect it - not a good scenario if your anti-keylogger program is also your AT program.

The major players in the keylogger market charge big bucks for their programs. That means that to provide proper protection against/detection of them every time a new version rolls out, the program has to be re-purchased.

That gets you back to the "small" organization problem again (and definitely the "Free" one) - do they have the money for that? If they do - is that where they want to be spending it?.

Detecting hacker-made Trojan programs doesn't involve purchasing their programs (thank God) - you just grab a copy of it wherever you can get, decompile it or whatever and put out defs and cleaning instructions.

Just my thoughts as to why key-loggers are a horse-of-a-different-color - and need separate treatment.

(I'm not rabid about this or anything, I just feel strongly about it - nothing is lower on the food chain than a keylogger. And believe me, I do respect your [and everyone else's] opinions).

And I won't continue to bore anyone with this (that was never my intent), so I'll hush now. Pete

 

I agree with Spy1, I don't want or expect AVP's or Trojan scanners to detect all keyloggers. I use keyloggers myself, the are great parent control programs, and they have came in handy for me.

Keyloggers are so easy to find, if one takes the time to learn about their computer, ie know what's starting with windows. Keyloggers must start with windows,and the use notepad to create their logs, then they must ask for permission to access the INTERNET to mail the logs, unless as in my case, I have the logs, copied to my computer, so I can access them from there.

If one is concerned, they should do as you suggest, and get a anti-keylogging program. Every Computer I own has keyloggers, I installed them for security, they server a purpose, but yes they can be misused also.

 

i use a program called StartupMonitor that prompts me when a program registers an executable to run at system startup, and asks me if i wish to allow it YES or NO. i've always considered it to be a useful little program that helps me keep tabs on what is going on behind the scenes, so to speak. do you think this is an effective way to discover a keylogger starting with windows?

as for their use of notepad, do you know if there are logs left by keyloggers (doesn't seem likely), or, more likely, could a user view his documents list (start/documents) to see the notepad file that the keylogger created?

and finally, in asking for permission to mail the logs, wouldn't a good firewall detect this outbound attempt?

thanks



mark

 

The logs are created in windows temp folders, are they left behind? Yes in some cases, cause most people just clean their temp folders, and never look inside their folders. So the victim cleans up the logs left behind, without even knowing it.

A lot of people use batch files, or some other program to automatically clean out their temp folders, on reboot, this deletes, all the logs create, by the keylogger. some keyloggers, delete the logs, as soon as they are sent to the user, and that way they can create a new log file, rather than have more than one log file.

The startup monitor program should work fine, also use TH and see what's starting, plus use msconfig, and you are covered.

Yes, a good firewall will protect you, from a keylogger, that attempts to send the logs out. keyloggers do not mess with your firewall, and are controlled easily enough.

Now a Trojan on the other hand might kill your firewall, disable it, add it's self to the ignore list, or even uninstall the firewall, or leak through it via, hooking to an allowed application. so a Trojan is a real threat and must be removed as soon as possible, the keylogger is not that big of a threat, and can be dealt with easily enough.

 

between keeping tabs on processes that start with windows, and running a good firewall that alerts on outbound attempts, i am starting to get a better handle on how to protect against keyloggers.

also wondering if any AT/AV heuristics (say for instance NAV's incoming email scanning or ZA's email scanning) would react to these eBlaster-type keyloggers that can be delivered via e-greetings?

appreciate the input very much



mark

 

excellent point. except TH has taken a nice preventative step against that happening with their watchdog.exe that renames itself, right?

you're full of good points today, pete

LOL! well said. my feelings too.

great links, thanks so much. i guess i should have googled around some before asking, but this way i got the benefit of hearing your personal recommendation along with the links.

does it cross your mind from time to time as you peruse these many freeware detection programs, that they could very easily be the ones to worry about far more than any yet undetected intruder?

or has my paranoia officially grown to outrageous proportion?



mark

 

I just read over the Email PI, personally, it would be easy to detect, here is an insert from their site.

As you can see it comes as an attachment, meaning, ZA would probably rename it, My e-mail client would simply block the attachment, to begin with.

But let's say just for the hell, of it, I let it on to my PC, I use an install monitor to install any program, so I would know of course where the keylogger was installed, and remove it.

If one simply doesn't open the attachment, nothing can be installed, You can read the e-mail and all will be fine, to be honest i would like to receive one of these e-mails, with this keylogger, then i could tell you everything about it. Where it's installed, what registry keys it uses, and how to completely remove it.

 

Worst-case scenario is, of course, someone with physical access to your computer - keylogged info doesn't have to get sent anywhere - it's just collected and then physically off-loaded (no, I'm not talking about a hardware keylogger, either - although those can be quite a threat, too).

And, yes, someone with the required technical knowledge could find keyloggers without the benefit of a specific program to do so - but realistically, how many people are going to take the time to learn how to do it?

The more sophisticated keyloggers don't show up anywhere normal - not on the Desktop, not in the Start/Programs menu, not even when you do a C/A/D. And, if I were going to keylog someone (and had physical access to their computer), I'd sure enough do a re-start after installing it to see if anything (such as Start-Up Monitor or the like) popped up - and if it did, I'd "Okay" the new start-up (as far as that goes, I'd give the keylogger server rights on the subject computer so that wouldn't let out a peep, either).

How many people (besides us ) check their start-ups and their "Approved" program listing in their firewalls every day when they start their computer?

Damned few, I'll wager.

However, if they can click one button after firing up their computer and have a scan run by a good anti-keylogger program that's religiously updated by its' maker and whose sole goal in life is to assure that computers operator that the machine is clean before he/she presses any other key on the computer - well, you're not entirely eliminating the threat (from a totally new keylogger, or one that's just come out with a new - un-detected-by-anyone version - but you sure have brought the odds down tremendously as far as being blind-sided by something that's easily detectable or that's been around for awhile.

(I'm so sorry! I really was going to hush! ). Pete

 

If a developer has an engine and a technology to identify and go after anything a user does not want on his/her system or PC he should do it. What are you old pros doing in this thread trying to divvy up the rice bowl ?

Then let the user decide ..if it is running too slow..eating up too much of his resources..or conflicting with another third party application .

If you can stop them all in real time..do it...if you can not..then clean it up...and if you can do that without making that user run 4 different product..go for it.


I will let you all work out the details on which ones are best or better.

 

If it has - join the club! Got any particular one in mind? Pete

 

That has always been the problem with that free stuff for we all know the more you pay the better it works.

Why... you even have some out there that are trying to tack on an insurance policy and a long term maint. policy. I make sure I buy all those upfront at the time of purchase.

You never know when your lightening arrestor will need cleaning.


Got to run guys..the Sears repairman needs help figuring out how to start his van. He told me he could not fix the fridge but his son, the ear/nose and throat specialist would be back tonight to treat the cat.

Hope they just give me one bill.

Hugs,

John

 

hey pete

yeah, they all look pretty suspicious to me mark

 

lol! Mark, I see you weasled quite nicely out from under the "loaded question of the day"! Pete

 

man i hate weasels!

you mean, "Got any particular one in mind?"

well, they all look pretty suspicious to me.

(it weren't no weasel!)



mark

 

per Magnus on the TrojanHunter forum...

"Commercial keylogger detection will be improved. If you find a link to one (or more) that TrojanHunter doesn't detect, it would help greatly if you could e-mail it to submit@trojanhunter.com."