Keylogger

Discussion in 'Prevx Releases' started by szaki2, Oct 16, 2012.

Thread Status:
Not open for further replies.
  1. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    Hello
    I tried the keylogger from here:
    hxxp://blog.raxco.com/2012/10/16/does-your-security-software-pass-these-3-tests/

    The keylogger works fine; it caught my password on Facebook. I tried with Explorer and Firefox.

    v.8.0.2.27
     
    Last edited by a moderator: Oct 16, 2012
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Any "keylogger" that is actually legitimate software will be allowed to log keys. There are three states of software:
    Good (Known to be Safe)
    Bad (Known to be Malicious)
    Unknown (Not known at all)

    Stuff that's unknown isn't allowed to log.
    Stuff that's bad is removed completely.

    Stuff that's unknown usually doesn't stay that way for long. But if the "test" were marked bad, people would accuse WSA of just calling it a threat (which it's pretending to be, really) and not letting it test. If it is marked bad, you'd have to override that and mark it good to allow it to run at all, which also allows it to intercept the key chain.

    How does Raxco's stuff know to block this "fake keylogger" (simulator) and NOT block legitimate keyboard intercepts, but still block malicious keyboard intercepts? Either the fake keylogger has to be aware of Raxco's security software, or the security software has to be aware of the fake keylogger. But then it has to block its keylogging but not actually get rid of it as a virus. Sooooooo... Either the keylogger test is cheating, or somebody could trivially pretend to be the fake keylogger and get a virus into the system that could do anything but log keys (because it blocks the keylogging but lets the rest run).

    And I'm not giving my email to people trying to scare people into buying their stuff, so I won't be able to tell you what it's marked as. You can scan the running application's file and post the line from the scan log if you like.
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    It was asking for my name and email so I didn't use it.
    To be honest I don't want any keyloggers on my computer, thank you, as I don't see any viable reason to use one unless I'm spying on friends and family, which does not say a lot for me really. :ninja:
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    While doing your test, were you on an http or https session?
     
  5. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    I tried http and https too. The Identity Shield does not work. I hope this method of keyboard logging will not work after PrevxHelp sees it. :)
     
  6. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    WSA's Identity Shield does block it if you have the padlock on the tray icon; as you can see, it's blank as I was typing this post!

    TH

    [Attachment: Capture16-10-2012-4.48.36 PM.jpg]
     
    Last edited: Oct 16, 2012
  7. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Also, this file is unknown to WSA, as I scanned it:
    c:\users\daniel\downloads\keyboard.exe [MD5: 4015B96AD426FBC02F88E22E3CB850CB] [Flags: 00080801.11812]

    Also, when it's running you can see that WSA is monitoring the unknown EXE.

    TH

    [Attachment: Capture16-10-2012-5.01.57 PM.jpg]
     
  8. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    I do not have the padlock. Win7 64-bit and Windows 8 are missing that padlock icon too.
    But the exe is monitored.
     
  9. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Accurate and trustworthy tests have their methodology documented fully.

    Acquired the keylogger simulator by using a spamtrap email. I'll be able to tell folks in the future whether Raxco sells off your email. ;)

    I installed WSA on an up to date clean install XP SP3 VM with only Firefox installed.
    Rebooted (Just In Case).
    Opened Firefox.
    Opened the Keylogger Simulator.
    Clicked "Start" in the keylogger simulator.
    Typed Some Stuff. Observed same stuff in the simulator.
    Clicked on Firefox.
    Went to https://www.google.com/. Lock appeared on WSA icon in the system tray.
    Typed Some Stuff into Firefox in Google Search Box. Nothing in the simulator.
    Typed "https://www.facebook.com" into Firefox address bar. Oddly enough, the keylogger simulator saw all instances of : and / and . but nothing else.
    Typed "fakeemail@here.com" and "fakepassword" into the Facebook login page. Keylogger saw nothing.
    Followup:
    Confirmed that Firefox was set to Protect in ID Shield.
    Found that the Keylogger was Unknown when scanning it.
    Found that the Keylogger was not a listed application in the ID shield at all.

    Result: ID Shield worked just fine in this particular test in the sense that it prevented any critical information from escaping. Unless your password consisted entirely of ./:../::.://: or something like that.

    Loaded up Firefox on a stock, up to date Windows 7 SP1 64-bit system utilizing MWB (Mouse Without Borders) Virtual KVM, utilizing the remote keyboard.
    Installed WSA. NO reboot.
    Opened Keylogger.
    Clicked Start.
    Confirmed that Keylogger was capturing keystrokes by typing into the address bar of Windows Explorer.
    Opened Firefox
    Went to https://www.google.com/ - Keylogger captured all data typed into the address bar.
    Typed into the search field. - Keylogger captured all information typed into the search field.
    Changed to using the physical keyboard - Keylogger did not capture any information typed into the Firefox window on the physical keyboard.

    Oddities observed:
    When the VKVM mouse was moved back onto this computer, though Firefox still has apparent focus, the lock vanished from the WSA icon and typing onto the physical keyboard of the other computer was captured.

    Followup:
    Confirmed that Firefox was set to Protect in ID Shield.
    Confirmed that Internet Explorer was set to Protect in ID Shield.
    Found that the Keylogger was Unknown when scanning it.
    Found that the Keylogger was not a listed application in the ID shield at all.

    This is an unusual result to say the least. The keylogger was able to capture keystrokes from the Mouse Without Borders virtual device but didn't recognize it as a virtual device. It allowed it, despite "Allow keyboard input only from real devices" being checked, and identified it as "@keyboard.inf,%hid.keyboarddevice%;HID Keyboard Device" under Sender Device. It was not able to capture keystrokes from the physical keyboard; however, it identified the physical keyboard as the same device.

    From the looks of things, Mouse Without Borders somehow bypassed the ID shield protection and allowed the Keylogger to capture the keystrokes sent from the remote keyboard through MWB. However the ID shield still worked to block capture from the physical keyboard.
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Can you please uninstall WSA, reboot, and install a clean copy from here: http://anywhere.webrootcloudav.com/zerol/wsainstall.exe (make sure you have a copy of your license key, as you will need it to install). Then go to https://www.paypal.com to make sure you have the padlock on the tray icon, and report back?

    Thanks,

    TH
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    OK, I have to ask.

    Any keylogger that is legitimate software will be allowed to capture strokes. But WSA doesn't know this yet, so it is monitored.

    Is it allowed to capture strokes while monitored?

    If something is monitored, is it allowed to do anything that might compromise your safety and security? The reason I ask is, PH has me thinking that if something is monitored, it can literally do nothing, period. If it can until it is decided it is bad, well then it is too late. So then monitored should really be an anti-executable until it is determined if it is bad or good.

    The thing I am having trouble understanding is just what can or cannot happen if something is monitored. WSA may be doing exactly as it should, but I guess I need PH to state it in pig-LATIN for me. I mean honestly, I love this product, but there is a part of me that thinks I should be asking for the Carfax report. :) Thanks TH and PH.
     
  12. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    Uninstalling and reinstalling did not help. No padlock. I think maybe it does not work with non-English Windows? In the Identity Shield applications, Explorer and Firefox are in the Protected column.
     
  13. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    I hope that when it is monitored, behavior analysis is there. Maybe capturing keystrokes is not enough to alarm. This keylogger has an active window when it captures, so maybe it is not bad enough to trigger an alarm. Maybe if it had no active window and captured and sent somewhere, that would make behavior detection nervous :)
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Fake name and temp e-mail works.
    Passed with flying colors here, but that's with my security.
    (And a quick reboot and all is gone also, here anyway.) :D
     
  15. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Can you please contact the WSA support inbox (https://www.webrootanywhere.com/servicewelcome.asp) and tell them your issues?

    Thanks,

    TH
     
  16. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    No lock, no Identity Shield defense.
    [Attachment: identity shield.PNG]
     
  17. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    I already did that, but just got a "We know the problem, working on it" type message. So now I just wait, but not safely.
     
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
  19. szaki2

    szaki2 Registered Member

    Joined:
    Apr 20, 2012
    Posts:
    29
    Location:
    Hungary
    I hope we get a new closed beta fast. ;)
    I tried English Win 7 64-bit and no padlock on that too.
    I'm out of ideas why it does not work. :)
    I drew a padlock on the monitor with a pencil; that is a 100% working method :D
     
  20. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Do you have anything else "protecting" your browser? Sandboxes (like Sandboxie) or other security software?
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, no keylogger is allowed to capture keystrokes when entering into a protected website. It will be blocked even if we've whitelisted it.

    It can sometimes run but it is severely limited, and the newer heuristics we've put in place will likely prevent it from running entirely.

    Tiay ancay ometimessay unray utbay tiay siay everelysay imitedlay, nday hetay ewernay euristicshay e'veway utpay niay lacepay illway ikelylay reventpay tiay romfay unningray ntirelyeay.

    (See above if your pig-latin isn't fluent :D)
     
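The policy the two Webroot-side replies describe, Techfox1976's three reputation states in post 2 (known good, known bad, unknown) and PrevxHelp's rule above that nothing, whitelisted or not, may capture keys typed into a protected website, modelled as an added example. This is not Webroot's code and not anything posted in the thread: the reputation tables, executable images, protected-host list and key events are all constructed sample data so it runs offline, and the `device` field is included only to show that the intended policy does not depend on whether a keystroke came from a physical or a virtual keyboard (the gap Techfox1976 observed with Mouse Without Borders in post 9).

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class Reputation(Enum):
    GOOD = "good"          # known to be safe
    BAD = "bad"            # known to be malicious
    UNKNOWN = "unknown"    # not known at all: runs monitored


class Verdict(Enum):
    ALLOW = "allow"        # the hooking process receives the keystroke
    BLOCK = "block"        # the hook runs but receives nothing
    REMOVE = "remove"      # the process is quarantined outright


# Constructed reputation tables keyed by uppercase MD5, the same form the
# scan log quoted in this thread prints. A real product does cloud lookups;
# these two entries exist only so the example runs offline.
KNOWN_GOOD = {hashlib.md5(b"sample-accessibility-tool").hexdigest().upper()}
KNOWN_BAD = {hashlib.md5(b"sample-credential-stealer").hexdigest().upper()}

# Constructed list of hosts whose pages count as "protected" here.
PROTECTED_HOSTS = {"www.facebook.com", "www.paypal.com", "accounts.google.com"}


@dataclass(frozen=True)
class KeyEvent:
    """One keystroke as seen by the interception policy (constructed)."""
    char: str
    hooking_exe: bytes             # image of the process that installed the hook
    foreground_url: Optional[str]  # URL shown by the window receiving the key
    device: str = "physical"       # or "virtual", e.g. a software KVM


def reputation_of(exe_bytes: bytes) -> Reputation:
    """Classify an executable image by hash against the constructed tables."""
    digest = hashlib.md5(exe_bytes).hexdigest().upper()
    if digest in KNOWN_BAD:
        return Reputation.BAD
    if digest in KNOWN_GOOD:
        return Reputation.GOOD
    return Reputation.UNKNOWN


def is_protected(url: Optional[str]) -> bool:
    """True when the foreground window shows a page on a protected host."""
    if not url:
        return False
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and (parsed.hostname or "") in PROTECTED_HOSTS


def decide(event: KeyEvent) -> Tuple[Verdict, str]:
    """Apply the three-state policy plus the protected-site override."""
    rep = reputation_of(event.hooking_exe)
    if rep is Reputation.BAD:
        return Verdict.REMOVE, "known malicious: quarantined, hook torn down"
    if is_protected(event.foreground_url):
        # Applies regardless of reputation and regardless of which device
        # produced the key, so a virtual keyboard is not a loophole.
        return Verdict.BLOCK, f"{rep.value} process denied on protected site"
    if rep is Reputation.UNKNOWN:
        return Verdict.BLOCK, "unknown process is monitored and may not log keys"
    return Verdict.ALLOW, "known-good process on an unprotected window"


def captured_text(events: List[KeyEvent]) -> str:
    """Return the characters the hooking process would actually receive."""
    return "".join(e.char for e in events if decide(e)[0] is Verdict.ALLOW)


if __name__ == "__main__":
    tool = b"sample-accessibility-tool"            # constructed known-good image
    sim = b"keylogger-simulator-not-in-any-list"   # constructed unknown image
    login = [KeyEvent(c, tool, "https://www.facebook.com/login") for c in "secret"]
    print(repr(captured_text(login)))   # known good, but protected site
    plain = [KeyEvent(c, tool, "http://example.org/") for c in "hello"]
    print(repr(captured_text(plain)))   # known good on an unprotected window
    unknown = [KeyEvent(c, sim, "http://example.org/") for c in "hello"]
    print(repr(captured_text(unknown))) # unknown runs monitored, sees nothing
```

The ordering in `decide` is the point: the reputation check comes first only to remove known-bad processes, and the protected-site check comes before the known-good shortcut, which is what makes "blocked even if we've whitelisted it" hold. Whether the shield actually engages is a separate matter (the missing padlock in this thread); this model assumes it is running.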
  22. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    The same experience as szaki2 is having :(

    No padlock and all keystrokes are recorded on secured webs in Opera 12.02 and IE9 :blink:
     
  23. Heco

    Heco Registered Member

    Joined:
    Mar 8, 2003
    Posts:
    264
    Location:
    Provence, France
    Ouyay houldsay alwaysay eplyray ikelay hattay...tiay ouldway ebay :)wacko: ) learercay orfay embersmay otnay ritingway nday peakingsay Englishay luentlyfay Oejay!:argh:.
    Erehay, niay Rancefay, eway ommonlycay peaksay VERLAN ithway riendsfay!

    Heerscay,;)
    Ervehay
     
  24. pegas

    pegas Registered Member

    Joined:
    May 22, 2008
    Posts:
    2,016
    I am afraid it might be the case. Probably you are using an OS with Hungarian localization, aren't you?

    I have long-lasting issues with the missing padlock, Identity & Web Shield, and recently with the Firewall, and Webroot engineers think that all might stem from the OS language being different from the ones WSA supports. I am waiting for a remote session with Joe (PrevxHelp) to debug my system to see what's going on.

    Anyway, I have been told that even if the Identity Shield wouldn't be working correctly, there are other modules in WSA which should substitute for the shield to secure you properly. I hope that's true!!! Otherwise WSA pretends you are safe, which in fact wouldn't be true, and our PCs would be vulnerable!!!
     
  25. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Could be. I just tested Opera, IE9 32-bit & 64-bit, and Firefox, and they all passed my testing, as I use US English. I even tried Canadian French keyboard input and it worked fine.
    [Attachment: 17-10-2012 8-02-46 AM.png]

    TH
     
    Last edited: Oct 17, 2012