Keylogger

Hello
I try keylogger from there
hxxp://blog.raxco.com/2012/10/16/does-your-security-software-pass-these-3-tests/

Keylogger works fine catch my password on facebook. I try wirh explorer and firefox.

v.8.0.2.27

 

Any "keylogger" that is actually legitimate software will be allowed to log keys. There are three states of software:
Good (Known to be Safe)
Bad (Known to be Malicious)
Unknown (Not known at all)

Stuff that's unknown isn't allowed to log.
Stuff that's bad is removed completely.

Stuff that's unknown usually doesn't stay that way for long. But if the "test" were marked bad, people would accuse WSA of just calling it a threat (which it's pretending to be, really) and not letting it test. If it is marked bad, you'd have to override that and mark it good to allow it to run at all, which also allows it to intercept the key chain.

How does Raxco's stuff know to block this "fake keylogger" (simulator) and NOT block legitimate keyboard intercepts, but still block malicious keyboard intercepts? Either the fake keylogger has to be aware of Raxco's security software, or the security software has to be aware of the fake keylogger. But then it has to block its keylogging but not actually get rid of it as a virus. Sooooooo... Either the keylogger test is cheating, or somebody could trivially pretend to be the fake keylogger and get a virus into the system that could do anything but log keys (because it blocks the keylogging but lets the rest run).

And I'm not giving my email to people trying to scare people into buying their stuff, so I won't be able to tell you what it's marked as. You can scan the running application's file and post the line from the scan log if you like.

 

It was asking for my name and email so i didnt use.
To be honest i dont want any keyloggers on my computer thank you as i dont see any viable reason to use one unless im spying on friends and family which does not say a lot for me really.

 

While doing your test where you on a http or https session?

 

I try http and https too. The identity shield not work. I hope this method of keyboard logging not work after prevexhelp see it.

 

WSA's Identity Shield does block it if you have the Padlock on the Tray Icon as you can see it's blank as I was Typing this post!

TH

 

Also this file is unknown to WSA as I scanned it:
c:\users\daniel\downloads\keyboard.exe [MD5: 4015B96AD426FBC02F88E22E3CB850CB] [Flags: 00080801.11812]

Also when it's running you can see that WSA is Monitoring the unknown EXE.

TH

 

I not have padlock. win7 64 bit and windows 8 miss that padlock icon too.
But exe monitored.

 

Accurate and trustworthy tests have their methodology documented fully.

Acquired the keylogger simulator by using a spamtrap email. I'll be able to tell folks in the future whether Raxco sells off your email.

I installed WSA on an up to date clean install XP SP3 VM with only Firefox installed.
Rebooted (Just In Case).
Opened Firefox.
Opened the Keylogger Simulator.
Clicked "Start" in the keylogger simulator.
Typed Some Stuff. Observed same stuff in the simulator.
Clicked on Firefox.
Went to https://www.google.com/. Lock appeared on WSA icon in the system tray.
Typed Some Stuff into Firefox in Google Search Box. Nothing in the simulator.
Typed "https://www.facebook.com" into Firefox address bar. Oddly enough, the keylogger simulator saw all instances of : and / and . but nothing else.
Typed "fakeemail@here.com" and "fakepassword" into the Facebook login page. Keylogger saw nothing.
Followup:
Confirmed that Firefox was set to Protect in ID Shield.
Found that the Keylogger was Unknown when scanning it.
Found that the Keylogger was not a listed application in the ID shield at all.

Result: ID Shield worked just fine in this particular test in the sense that it prevented any critical information from escaping. Unless your password consisted entirely of ./:../::.://: or something like that.

Loaded up Firefox on a stock, up to date Windows 7 SP1 64bit System utilizing MWB Virtual KVM, utilizing the remote keyboard.
Installed WSA. - NO reboot.
Opened Keylogger.
Clicked Start.
Confirmed that Keylogger was capturing keystrokes by typing into the address bar of Windows Explorer.
Opened Firefox
Went to https://www.google.com/ - Keylogger captured all data typed into the address bar.
Typed into the search field. - Keylogger captured all information typed into the search field.
Changed to using the physical keyboard - Keylogger did not capture any information typed into the Firefox window on the physical keyboard.

Oddities observed:
When the VKVM mouse was moved back onto this computer, though Firefox still has apparent focus, the lock vanished from the WSA icon and typing onto the physical keyboard of the other computer was captured.

Followup:
Confirmed that Firefox was set to Protect in ID Shield.
Confirmed that Internet Explorer was set to Protect in ID Shield.
Found that the Keylogger was Unknown when scanning it.
Found that the Keylogger was not a listed application in the ID shield at all.

This is an unusual result to say the least. The keylogger was able to capture keystrokes from the Mouse Without Borders virtual device but didn't recognize it as a virtual device. It allowed it, despite "Allow keyboard input only from real devices" being check, and identified it as "@keyboard.inf,%hid.keyboarddevice%;HID Keyboard Device" under Sender Device. It was not able to capture keystrokes from the physical keyboard, however it identified the physical keyboard as the same device.

From the looks of things, Mouse Without Borders somehow bypassed the ID shield protection and allowed the Keylogger to capture the keystrokes sent from the remote keyboard through MWB. However the ID shield still worked to block capture from the physical keyboard.

 

Can you please uninstall WSA reboot and install a clean copy from here http://anywhere.webrootcloudav.com/zerol/wsainstall.exe and make sure you have a copy of your license key as you will need it to install and go here https://www.paypal.com to make sure you have the Padlock on the Tray Icon and report back?

Thanks,

TH

 

ok I have to ask.

Any keylogger that is legitamate software will be allowed to capture stokes. But WSA doesnt know this yet so it is monitored.

Is it allowed to capture strokes while monitored?

If something is monitored, is it allowed to do anything that might comprimise your safety and security. The reason I ask is, PH has me thinking that if something is monitored, it can literally do nothing, period. If it can until it is decided it is bad, well then it is to late. So then monitored should really be an anti-executable untl it is determined if it is bad or good.

The thing I am having trouble understanding is just what can or can not happen if something is monitored. WSA may be doing exactly as it should but I guess I need PH to state it in pig-LATIN for me. I mean honestly, I love this product, but there is a part of me that thinks I should be asking for the Carfax report. thanks TH and PH

 

Uninstall reinstall not help. No padlock. I think maybe not work with not english windows? In identity shield applications explorer and firefox in protected column.

 

I hope when monitored behavior analysis there. Maybe capture keystrokes not enough to alarm. This keylogger have active window when capture so maybe not bad enough to make alarm. Maybe if not active window and capture and send somewhere that make behavior detection nervous

 

Fake name and temp e-mail works.
Passed with flying colors here but that's with my security.
(and a quick reboot and all is gone also,here anyway)

 

Can you please contact the WSA support inbox and tell them your issues https://www.webrootanywhere.com/servicewelcome.asp?

Thanks,

TH

 

No lock no identity shield defense.

 

I alreay do that just not get just a "We know the problem work on it" type message. So now i just wait but not in safe.

 

Mine passes https://www.paypal.com

TH

 

I hope we get new closed beta fast.
I try english win 7 64 bit and no padlock on that too.
I out of ideas why not work.
I draw padlock to monitor with pencil that 100% working method

 

Do you have anything else "protecting" your browser? Sandboxes (like Sandboxie) or other security software?

 

No, no keylogger is allowed to capture keystrokes when entering into a protected website. It will be blocked even if we've whitelisted it.

It can sometimes run but it is severely limited, and the newer heuristics we've put in place will likely prevent it from running entirely.

Tiay ancay ometimessay unray utbay tiay siay everelysay imitedlay, nday hetay ewernay euristicshay e'veway utpay niay lacepay illway ikelylay reventpay tiay romfay unningray ntirelyeay.

(See above if your pig-latin isn't fluent )

 

The same experience like szaki2 is having

No padlock and all keystrokes are recorded on secured webs in Opera 12.02 and IE9

 

Ouyay houldsay alwaysay eplyray ikelay hattay...tiay ouldway ebay wacko: ) learercay orfay embersmay otnay ritingway nday peakingsay Englishay luentlyfay Oejay!.
Erehay, niay Rancefay, eway ommonlycay peaksay VERLAN ithway riendsfay!

Heerscay,
Ervehay

 

I am afraid it might be the case. Probably you are using an OS with Hungarian localization, aren't you?

I have long lasting issues with the missing padlock, Identity & Web shield, recently with Firewall and Webroot engineers think that all might stem from the different OS language than WSA supports. I am waiting for a remote session with Joe (PrevxHelp) to debug my system to see what's going on.

Anyway, I have been told that even if Identity shield wouldn't be working correctly there are other modules in WSA which should substitute the shield to secure you properly. I hope that's true !!! Otherwise WSA pretends you are safe what in fact wouldn't be true and our PCs would be vulnerable !!!

 

Could be I just Tested Opera, IE9 32bit & 64bit and Firefox and they all passed my testing as I use US English I even tried Canadian French keyboard input and it worked fine.

TH