Javascript Keylogger Test

Discussion in 'other anti-malware software' started by CloneRanger, Aug 22, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I couldn't get this to start for some reason ?

    Anyway, some of you might like to see if it'll run for you, & then test it ;)

    Forget about whether or not your AV/AM detects it, that's not the point :p What is though, do dedicated Anti KL Apps such as Zemana/SpyShelter/Prevx/Trusteer/KeyScrambler etc etc detect it, and/or block the logging ?

    So let's see what happens, if you get it to run etc that is !

    From the readme.txt

     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I thought at least a few of our Super keen testers would be onto this & posting their results by now !

    Maybe you couldn't get it to work either, or ?

    Be nice if you could :) as i couldn't :( but really wanted to ;)

    EDIT

    Well i've just heard by PM that a Major testing house is Very interested in this :) Even if nobody else is :p yet anyway ! So expect to see them using this technique in future testing :thumb:
     
    Last edited: Aug 24, 2011
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmm... I missed it. Sure will test but busy at the moment. Will post back after some days or more, I hope.

    Thanks, looks very interesting indeed.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can't download the file.
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    974
    Location:
    Paris
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Look forward to it :thumb:

    :)

    I didn't post that link just in case it wasn't allowed :p Your link is in my link :)

    @ jmonge

    ;)
     
  8. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    I've tried OA++ in Fx 6..result - failed
    Please see the attached screenshot..
    waiting to see comodo d+ along with dedicated antiloggers..
     

  9. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    WebrootSecureAnywhere = PASS

    EDIT: WSA detects it on execution. So I rebooted to a fresh snapshot, turned off WSA, installed the key-logger and tested it.
    All key strokes were captured.

    Enabled WSA via the start menu and as soon as WSA started the Key-logger was detected and shut-down + quarantined.
     

    Last edited: Aug 25, 2011
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    How about getting it out of the Quarantine and make an exception for it and see if SafeOnline/Identity shield can block the logging technique itself?
     
  11. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    357
    Windows 7
     

  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Got it working myself on my win7 x64 VM, with Opera 10.50. Put protection for both HTTPS and HTTP sites to max and it was able to log keystrokes, though I'm not sure if WRSA was protecting it as it is a local HTML file, not a URL.

    That's because the keylogger.exe is a local server listening to the keystrokes sent by the JavaScript to local IP, and Windows firewall doesn't give it access by default.
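
The post above describes the test's mechanism: page JavaScript forwards keystrokes to a listener on a local IP. As an added defensive example (not part of the thread or of the tested tool), this heuristic flags page source that both registers key-event hooks and references a loopback URL; the sample pages, the port and the function names are constructed for illustration.

```python
import re

# Key-event hooks: inline on* attributes/properties or addEventListener calls.
KEY_HOOK = re.compile(
    r"""\bon(keydown|keypress|keyup)\b|addEventListener\(\s*['"](keydown|keypress|keyup)['"]""",
    re.IGNORECASE,
)
# URLs that point back at the local machine (HTTP or WebSocket).
LOOPBACK_URL = re.compile(
    r"""(?:https?|wss?)://(?:localhost|127(?:\.\d{1,3}){3}|\[::1\])(?::\d+)?[^\s'"<>)]*""",
    re.IGNORECASE,
)


def audit_page(source):
    """Return the key hooks and loopback URLs found in HTML/JS source.

    The page is flagged only when both are present: key handlers alone are
    common (shortcuts, form validation), and so are loopback links alone.
    """
    hooks = sorted({(m.group(1) or m.group(2)).lower()
                    for m in KEY_HOOK.finditer(source)})
    urls = sorted({m.group(0) for m in LOOPBACK_URL.finditer(source)})
    return {"key_hooks": hooks, "loopback_urls": urls,
            "suspicious": bool(hooks and urls)}


# Constructed sample: key hook plus a loopback endpoint (sending code omitted).
SUSPECT_PAGE = '''<html><body onkeypress="report(event)">
<script>var sink = "http://127.0.0.1:8000/log"; /* sending code omitted */</script>
<input type="password"></body></html>'''

# Constructed sample: ordinary keyboard shortcut handler, no local endpoint.
BENIGN_PAGE = '''<html><body>
<script>document.addEventListener("keydown", handleShortcut);</script>
<a href="https://example.com/help">Help</a></body></html>'''

if __name__ == "__main__":
    for name, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(name, audit_page(page))
```

This is a static check on source text, so it misses handlers or addresses that are built at runtime; treat a hit as a reason to inspect the page, not as a verdict.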
     
  13. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    This was also what I was thinking. Did further tests, with an interesting outcome.
    Restored the file from quarantine :thumb: :thumb: :thumb: GO WSA :D

    I am limited to 5 uploads, the results are repeated, either blocked or not.

    IE was only partially bypassed (intranet setting turned off by default), with only the first keystroke being captured. This was identical for all tests with IE.

    Chrome was completely bypassed
    The fullscreen shot is where specific protection was added for that particular page by WSA identity shield, but as mentioned above it is not a URL and I expected this to fail.
     

  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i was only able to make the first test work.

    anyway, IE9 on W7 passed.
    Chrome failed.

    for the last couple months my daily browser has been Chrome while IE9 is only used for sensitive stuff/online banking.

    after this test, i feel better for having used IE9 for banking. :p
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    good idea ;)
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    That makes perfect sense.
    One good thing about Chrome is how quickly they patch.
    Seems like much faster than IE vulnerabilities.
    ;)
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    anyway, i did the test with UAC on which means IE was in Protected Mode.

    i don't know if IE9 would still be protected with UAC off though...
     
  18. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Did anyone test SpyShelter? Please share your findings :D
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What exactly were you testing? The browsers or WSA? If the latter, then why does that mean that Chrome was completely bypassed? Wouldn't it be WSA?
     
  20. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    WSA was at no time bypassed, if I take the key logger out of quarantine and restore it back to my system and allow it, what outcome do you expect? o_O

    I had to ignore 4 security warnings for it to work in the first place :cautious:

    As for IE and Chrome, well IE partly blocked the logger and Chrome didn't.

    This test has absolutely no scientific value at all, BoerenkoolMetWorst asked me to restore it from quarantine and I did.
    Then posted my results ;)
     
  21. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    My test:

    Antivir - no reaction
    OA detected start of program - passed
    Threatfire detected Internet connection - passed
    FF + Noscript - passed > Noscript turned off - passed
    Keyscrambler changes every key - passed
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    :thumb: good test
     
  23. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    I guess because it's not a typical one-exe-keylogger like those "in the wild". The AV companies must first find and consider this keylogger as a threat and would then add the signature of this KL. This KL is a much better test for behaviour analyser.
     
  24. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    check my post @ 7.21
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, OK. Now I understand the test you've done. I was confused, because I didn't understand what exactly you were testing, if WSA or the browsers.

    I got a vague memory that IE treats local htmls differently, blocking certain actions.

    I may be wrong, though. It's been a very long time since I last used IE, in a proper way.

    I don't have a test system. Still, you could always block JavaScript in Google Chrome, and then allow on a per-site basis. I'm talking about real situations, not necessarily this test. I'm wondering if this would make Google Chrome block the keylogger or if there's more to it?
     