how detect/defeat keyloggers?

Discussion in 'other anti-malware software' started by 6's&7's, Jun 20, 2004.

Thread Status:
Not open for further replies.
  1. 6's&7's

    6's&7's Guest

    Hello

    What are the best ways to detect and defeat keyloggers that you know of? Port monitors? Will System Safety Monitor help? What other types of programs can be used to detect keyloggers, besides programs like Spycop? I'm trying to find out as many ways as possible to detect and defeat keyloggers. Thanks for any help.
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    spy cop is the best for keylogers it even detects hardware keylogers that the fbi puts in your pc when you take your pc to the repair shop by law the repair shops are now required to spy on you

    if you are being watch by law enforcement fbi ect they might put a hardware keyloger on your pc at the pc repair shop with out your knowledge

    this is common practice and under the new patriot act its perfectly legal

    best thing to do is buy spycop

    second thing to do is if you ever have to put your pc to a repair shop for hardware take out your hard drive and put in a chessy 20 or 10 gig hard drive you can pick up for 15 bucks lol

    and then take it to repair shop to do what ever

    for software problems you can always come here to wilders lol
     
  4. 6's&7's

    6's&7's Guest

    Thanks for the answers guys. Looks like Spycop is about the best way to find those nasty keyloggers. But i would still like to know of any other ways if there are any. I'm just not sure Spycop would find everything that's available. Isn't the database around 450 keyloggers detected. There must be more than that many keyloggers available, all over the entire internet- i would think.

    And Mr. Blaze i have a cheap 12gig hard drive i normally put in my computer if on those rare occasions i bring my computer into the shop. But thanks for the warning. I learned that the hard way. The last time i took in my computer, when i got it back it had a couple trojans on it. But i can't really prove they came from the shop, because the computer was used briefly (online) before i checked it. I am far more careful now. I didn't think Spycop, or any software product could detect those hardware keyloggers though.
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    i cant remember but i think tds can spot a few nastys not sure you might want to pop in the dcs forum above and ask the dcs family

    if they say tds does spot keylogers then buy it if you dont have it

    dcs company has the biggist data base in the word of knowen and not knowen nastys

    these guys were there from the first trojan ever made

    so if they do say there software spots keylogers get it
     
  6. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    oh yeah just a heads up most keyloger finding software is expensive just cause the rarety of some of these


    i do remember another good company notweel heard of

    but there deal was if it cant find it you get your money back and you can keep the software

    the only company ever to offer that promotion

    you might want to look in google

    with something like money back and full application if we fail to find keyloger

    something loke that ill do a hunt
     
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    You ARE joking right? Please tell me that.... if not.. thank bloody God I don't live there. :mad:

    And you guys talk about freedom.... man.... be a bloody riot here if that happened, sorry.. OT for a bit, back On topic now. ;)

    OK, also get spybotS&D, it searches for Keyloggers, it's free.

    You can get TDS also as keylogger in essence is trojan, and do scan with evaluation version, just wont get auto updates/RTM protection.

    But it will scan, detect and you can delete with it.

    Cheers, TAS
     
  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :'( nope not kiding we even have few guys here that run small pc repair shops that had said it is true they have to report anything evill in your pc

    most are algaints it and say the hell with the goverment they just want to fix your pc and thats it

    but you know everything starts here in usa so these bloody laws eventualy end up where you are mate blimey hell and all that

    or where ever you come from look at the riaa and music industry

    canadah was the only one with big ones not to bow dowen

    i like canada they fight till the end

    if i ever had any one watch my back it be a canadin cause they wont go dowen to the bitter in
     
  9. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    Pestpatrol will. If you think you have one you can even do a free online scan but it will not remove it only tell you about it http://pestscan.com/ScanOrTrial.asp Alot of av's are starting to add detection for that. Do a search on google they do have spycop as one of them http://www.google.com/search?hl=en&ie=UTF-8&q=keylogger detection
    If you that worried about it you gonna have to shell out some bucks for one. A port monitor could, but i was told that some cant be seen even with a port monitor even if it gets on the net. Mr.Blaze what you saying that every computer shop in the usa puts some spyware on your computer to monitor you and the shop has to tell the fbi everything on your computer? If so I know some shops thats gonna be thrown in fbi prison they would never do that. But before long I wouldnt doubt it. You cant do anything now on the net. If you use p2p appps they scan and try to watch you even if it is legit stuff. They watch the chats too lol. Eventually the usa gov is gonna kill the internet no one will want to use it for nothing but surfing and that too if not already silently being watched will be announced that they will start watching it to. Best bet get spybot adaware and well get a paid one and load up on port monitors and stuff that will monitor what is getting on the net and where the data is going. Look at http://www.security-forums.com it is one of the forums in that google search looks like they have some intersting discussions on it and the different kinds.
     
  10. olds

    olds Guest

    If a key logger has been installed by a hacker in a rootkit you won' tfind it.
    what do Hackers do, HOW?
    The root kit is the man-in-the-middle, standing between the operating system on your computer and the programs that rely on it, deciding what those programs can see and do. What you can see and do. What windows task mgr, can see and do. It uses that intercept position to hide itself. If an application tries to list the contents of a directory containing one of the root kit's files, the hacker program will censor the filename from the list, it just doesn't show up. It'll do the same thing with the system registry and the process list. It will also hide anything else the hacker controlling it wants hidden -- mp3s, password lists, a DivX movie. As long as it fits on the hard drive, the hidden cargo doesn't have to be small or unobtrusive to be completely cloaked. A Paradign Intelligence track/investigation will reveal it. It can even hide its self in "free space". These attacks amount to an almost second operating system that you can't control, or even see. You don't know its there, it makes its self invisabe to all programs on your system, and can record and send out your every keystroke and page view as well as all passwords and Credit card #'s.
    Even record your conveersations via you MIC.

    Bobreny
     
  11. chiphead

    chiphead Guest

    Hi Olds
    So how do we go about detecting these so-called rootkits? There has got to be some ways to do it. You said something about a Paradign intelligence track/investigation, what is this and how do we go about doing it? Could you explain it somemore? Thanks.
     
  12. bluekey23

    bluekey23 Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    77
    I was curious about how to detect rootkits and asked about it in an unrelated thread several weeks ago. So, did a couple of other posters. But nobody picked up on it and the topic seemed to die out. I know that procguard will alert you if a new driver or hook tries to execute, but suppose you already had those on your system before procguard was installed. Then you start out with procguard in learning mode and maybe procguard thinks they're okay? Or am I missing something here? If anyone knows of a good program to detect rootkits on XP, I'd love to hear about it.
     
  13. saveher

    saveher Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    3
    Thank you for recommending spycop. I am going to install that one tomorrow. I already have a battery of malware utilities but nothing that good for keyloggers.

    On a related note: My hubby is a divorce attorney and told me that he had the family's (husband & wife share it) computer brought in and the firm's tech department made a copy of the hard drive before returning the computer to the house. He represents the wife. The IT guys were able to get at everything on the system. Found lots of juicy stuff. I didn't ask about whether they had to crack passwords, etc. but this really irked me. I go to all this trouble to beef up my privacy. Can someone like my H "borrow" my system and have my hard drive copied and invade my privacy that way? I am the sole user of an XP OS system and have separate passwords on Win and Outlook, etc.
     
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi saveher.

    Just to note, if u plan on trialing it, this version is severely limited in comparison to the full version.


    snowbound
     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Really? I very much doubt this - and the Spycop homepage makes no such claim. A proper hardware keylogger requires no software or drivers and should not therefore be detectable by any Windows software - a good example of such an item is KeyGhost - see here for a review. Edit: SpyCop can't detect hardware keyloggers at all - see their article on this.
    Sorry, I call BS here. Shops may be required to report anything suspicious they find but there is no requirement for them to actively search your system (though some may do so). And given that hardware loggers cost over US$100, the idea of one being installed on every PC brought in for repair seems ridiculous - even for John Ashcroft.
    Possible but rather unlikely - this would depend on you taking your computer out for repair. A more feasible option would be to break into your house and install it - and breaking in at least should require a court order.
    Wire intercepts (where your phone lines are monitored) are permitted by the Act but keyloggers are a separate area, and were permitted in certain cases even before the Patriot Act (see here for an example).
    A good point but you do need a working OS installation on that disk. It may also hamper troubleshooting if the problem turns out to be with the drivers or software you normally use.
    If you suspect this, the only way to be sure is to start your system from a known clean installation (e.g. a Linux CD-ROM with whatever NTFS drivers are needed to read your disk) and check your system - or boot from a Windows CD-ROM, use FIXMBR to clear the boot table, wipe your hard disk (with FDISK and FORMAT) and reinstall Windows.
    If you are concerned about others having access to your data, you should use strong encryption to secure it (check out a utility like PGPDisk - also check out this discussion on alternatives). However you must remember the passphrase otherwise there is no way to recover the contents - and make sure you keep (encrypted) backups since if your hard disk fails it be will far harder (if not impossible) to restore even a part of your data.
     
    Last edited: Jul 20, 2004
  16. saveher

    saveher Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    3
    Thanks, snowbound. I was planning to purchase the full version provided my system passes the compatability test.
     
  17. saveher

    saveher Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    3

    Thanks for the links. I will check those out. I run a RAID mirror on my system. Will these work with that config?

    Just a few weeks ago I had to use File Scavenger to retrieve some data files that went AWOL. My concern about encryption is that going that way would rule out necessary recovery situations like this...true?
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A good point worth repeating. Considering that SpyCop costs $50, Windows 2000/XP users would be better served with a program like Process Guard which costs $30 and will prevent the installation of software keyloggers and a whole host of other malware as well as protecting your security software from being shut down by such malware. In contrast, SpyCop does not have any termination protection (it relies on obscurity, changing the name of the executable file as mentioned in their FAQ) so could be easily disabled by a trojan intent on keylogging.
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For hardware RAID it should (since it creates a file that is then treated as a "virtual" disk. For software RAID I would advise testing first.
    You can't have your cake and eat it here I'm afraid! With encrypted data, partial recovery is going to be impossible so backups should be regarded as critical (they should be anyway - hard disks can and do fail). Just make sure that the backups themselves are encrypted...
     
  20. blackrain

    blackrain Guest

    who else would be interested in compiling all the programs but a keylogger/cracker himself? hmm, well, just a thought.
     
  21. controler

    controler Guest

    Hello and greetings

    Wouldn't this be the best place to read about rootkits?

    http://www.rootkit.com/

    and as I asked before has anyone been using Vice and if so what do you think?

    It shows usermode and kernel mode rootkits?
    I now see they list a new program called Klister which they claim shows even rootkit processes.

    controler
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Finding memory patches can be done, especially usermode patches - but its possible that already newer versions of rootkits will exist which aren't found by these sorts of programs. It just takes enough work to hide well enough. I can think of many ideas rootkit authors could use to stop these programs from working, I like to think of it as a rule in the war between rootkits and protection/detection:

    The first code running on the system wins.

    Without knowing for sure who is attacking you, without knowing for sure exactly what their rootkit can do, how can you say a machine is secure ? Its not possible, there are too many methods to hide. The security program is also at a disadvantage - it is public and anyone (rootkit author) can download it and look at what it does, then find a way to remain hidden from it. The rootkit is the unknown, this is a huge advantage..
     
  23. controler

    controler Guest

    Greetings

    One more thing I would like to add for bed.

    For those of you that don't look at your Setupapi.log in windows 2k or xp

    here is the MS link to a DOC files that explains it.
    Now all we need is a eice of software that deciphers this info and makes it easy for use to read and understand.

    Wondeing if this log catches root kits if since MS claims it logs every driver install since the system was born.

    http://www.microsoft.com/windows2000/techinfo/administration/setupapi.asp

    Also any having luck with Wintask 4.0?


    controler
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    ProcessGuard - yes with some effort to set it up to block Global Hooks can indeed block any good keylogger which uses that type of hooking. Its possible to stop nearly any keylogger. Be aware that blocking Global Hooks wont block some really junk keyloggers which are badly coded (GetAsyncKeyboardState to check a keys status), but these keyloggers rarely exist in an actual attack because they are absolutely terrible.. even just typing fast will defeat them and they miss keys !

    ProcessGuard will allow you to set up a system so that 99% of keyloggers cant be used, even newly created or commercial ones which wont be detected by most scanners. That is the main benefit, unknown malware is a huge reality these days. It has many other benefits such as rootkit blocking, keylogger blocking is not its main purpose. Perhaps in the next version or some future version we can make it very easy to set up in this way, since it is a very powerful possibility.

    On scanning yes TDS-3 detects most keyloggers as well as trojans etc. There are also commercial anti-keylogger programs which could do a good job, but I would steer away from any one which doesnt have a trial version. If you can get a trial version, then test it against any keyloggers you can find, commercial keyloggers which have trial versions would be the best (like Perfect Keylogger). Going this way I would also make sure its a newer version created AFTER the anti-keylogger program so it cant be detecting the keylogger by signature ;)

    In the end the best way to not get a keylogger or any malware is to set up your system in a clean state in the first place and then to be careful what you allow to run on it :)
     
  25. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just delete or edit the file.. good idea though - until newer rootkits come along that cover this base too :doubt:
     
Loading...
Thread Status:
Not open for further replies.