Playing with Keyloggers and scanners

Discussion in 'privacy technology' started by aigle, Aug 19, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I played a bit with some keyloggers and want to share it.
    I downloaded the following keyloggers and installed them while disabling most of my security appliances on two laptops with Windows XP.

    Ghost Keylogger
    HomeKeylogger
    Family Keylogger
    Advanced keylogger
    Martin's undetectable keylogger
    Ardamax keylogger
    Paq Keylogger
    Elite Keylogger

    I am not sure whether all of them are legitimate or not as I just googled and downloaded them (some were detected as trojans by some scanners).

    I tried the following security software against them (mainly the detection issue).

    SnoopFree
    OA trial
    KIS (few months old signatures) trial
    Antivir free
    Ewido trial
    SSM free (only for Elite Keylogger)
    Windows Defender
    SuperAntispyware free
    Prevx1
    RootkitRevealer and F-Secure BlackLight rootkit scanner beta (only for Elite Keylogger).

    I am really impressed by SnoopFree. It really caught the action of all but two (Martin's keylogger and Elite), and when I opted to stop some keyloggers, it successfully stopped them from keylogging and screenshot capturing. Also when I tried to destroy the detected keylogger files, it destroyed most of them with a reboot.
    It is a really wonderful piece of software: very small footprint, low resources, no system slowdown, and it is free. It did not detect however Martin's keylogger (that no other scanner/software could detect as well except KL Detector) and Elite Keylogger (that was not detected by any software except for rootkit scanners).

    Online Armor detected all but three of them (Martin's, Elite and one more that I don't remember now), and the most important thing here is that this detection, like SnoopFree's, was based on behaviour. The difference in protection from SnoopFree is that OA stops the keylogger from working at all and the keylogger software announces that it failed to make a hook, while SnoopFree lets the keylogger work apparently (no hooking failure announcement by the keylogger) but if you check its log, you will find it empty. Both are really good here: top class behavioural detection. Only one thing in OA needs improvement: the popups for unknown software execution and keylogger software execution were similar; they should have different colours so that the user can get alerted immediately.

    After installing all keyloggers I first scanned with Ewido and the results are here. Ewido missed detection of Martin's Keylogger and Elite Keylogger and partially missed Ardamax (detected the registry keys but missed files). I was really impressed by Ewido; it detected them both by signatures (and by heuristics as well, please correct me if I am wrong). When I tried to delete the keyloggers detected by Ewido, Ewido deleted all except Advanced Keylogger, showing an error there. I rescanned and deleted the Advanced Keylogger entries again and Ewido again showed partial deletion and some error. However the 3rd scan with Ewido was clean and I rescanned with KIS to confirm and it was clean as well, so Ewido was able to clean all the keyloggers that it could detect.

    Last edited: Aug 19, 2006
  2. aigle
    Re: Playing with Keyloggers and scanners

    Here is the result with the KIS scan. Almost like Ewido.
    When I tried to delete the keyloggers detected by Ewido, Ewido deleted all except Advanced Keylogger, showing an error there. I rescanned and deleted its entries again and Ewido again showed partial deletion and some error. However the 3rd scan with Ewido was clean and I rescanned with KIS and it was clean as well, so Ewido was able to clean all detected ones. So Ewido and KIS were similar in detection. They missed Martin's, Elite and Ardamax keylogger (unlike Ewido, KIS detected Ardamax files, but after cleaning with Ewido a second scan with KIS did not show any such thing, though the keylogger was still working; however I am not so sure what the error was here as I did not investigate it fully).

    Attached Files: KSA.JPG (108.9 KB)
  3. aigle
    Re: Playing with Keyloggers and scanners

    Antivir worked better than expected; it detected and removed all but Martin's and Elite. A scan with KIS after Antivir was totally clean.

  4. aigle
    Re: Playing with Keyloggers and scanners

    More from the log of Antivir.

  5. aigle
    Re: Playing with Keyloggers and scanners

    Scan with Windows Defender: it detected only 3 of them, a mediocre performance, mainly lacking heuristics here I think. So in that scenario, it is acceptable.

  6. aigle
    Re: Playing with Keyloggers and scanners

    SAS free only detected one, and I was rather disappointed. I think SAS might be poor in the keylogger area.

    Attached Files: SAS.JPG (87.2 KB)
  7. aigle
    Re: Playing with Keyloggers and scanners

    Prevx1: as they have offered me a free key, I thought I must check it as well (while using it for some time I did find Prevx improved, in the way that though it still uses more RAM, the impact on system speed is really decreased significantly compared to the past; I am not noticing the worse slowdown I had noticed in my system with Prevx in the past). Anyhow I disabled Prevx and installed the keyloggers (except Martin's Keylogger and Advanced Keylogger; from my previous experience I can remember that Prevx automatically detected Advanced Keylogger and jailed it. About Martin's keylogger I have no idea and I forgot to check, but I doubt that Prevx can detect it).
    After installing the keyloggers I activated Prevx and ran a smart scan followed by internet verification. It said it had jailed 8 items but when I opened the jail, I found only 4 processes, all related to Family Keylogger I think.

  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Re: Playing with Keyloggers and scanners

    Very interesting research. :thumb:
  9. aigle
    Re: Playing with Keyloggers and scanners

    Processes jailed by Prevx (related to Family Keylogger).

  10. aigle
    Re: Playing with Keyloggers and scanners

    Now a few words about Elite Keylogger. It is a kernel-based keylogger and once installed it was not detected by any software including SSM; however that was expected from the nature of the software (though SSM will of course stop its installation, I think). It can be completely hidden and seems a real nasty privacy threat.
    I ran RootkitRevealer and the BlackLight scanner and they detected it, but of course I detected it as I was aware that it is on my system, and I did find out its process name by making it visible and checking the process list from SSM; otherwise it is not easy to detect it for an ordinary user like me, just like rootkits I think.
    I am really interested if anyone can tell how to detect kernel-based keyloggers more easily.

    And final words: these are no tests, just some play with keyloggers as I was really interested in this sort of privacy risk. My main concern was heuristic/behavioural detection and I found SnoopFree and OA good here.
    I really regret that I was not able to run BOClean, SpySweeper and Spyware Doctor. Does anybody have knowledge about these software packages, whether they have any sort of non-signature-based protection against keyloggers or not?
    Please post your thoughts and experiences here.

    Attached Files: llll.jpg (94.6 KB)
  11. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Thanks for the work, very interesting :thumb:
  12. aigle
    Thanks. It's just my hobby; very interesting to compare different software in this way. Also I get a real idea about different software in this way. These are no tests, just play, but it really gives me a personal sort of experience with different software and I am confident to decide about the better choices.
    I remember when I played with different spywares and scanners and that was the time I realized how good SpySweeper is compared to other antispywares, so in the same way now I have really felt the usefulness of SnoopFree and OA to defeat keyloggers.
    Last edited: Aug 19, 2006
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    good work aigle :thumb:

    maybe ill start using snoopfree again.
  14. aigle
    Thanks.
    It was a pleasant surprise for me. I never expected it to be so good. I don't use real-time SAS as I don't need it, but I do use SnoopFree and it gives a bit of peace of mind as sometimes I operate my bank account by internet as well.
  15. Tommy
    If your computer for playing/testing around is still configured for this test, can you give 'a-squared' a chance?
  16. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Same here aigle, I think i'll give it another try!
  17. aigle
    a-squared scan. Results are as good as Antivir, KIS and Ewido. I did not check it thoroughly as, unlike the others, it is not listing all related components of a keylogger under one name. It is spreading them over multiple groups, which makes the list so big.

    Attached Files: a.jpg (99.5 KB)
  18. aigle
    Comodo Firewall caught two keyloggers while hooking Opera and many other appliances: Family (or Home, not sure) Keylogger and Ardamax Keylogger. Nice work by a firewall. ZoneAlarm Pro also detects keyloggers; I will try to check.

    Last edited: Aug 21, 2006
  19. aigle
    I briefly tried ZoneAlarm Pro and it is almost as good as OA in detecting keyloggers. I really like the behavioural blocker function in ZAP. I wish they had released a standalone behavioural blocker software (the OS Firewall of ZAP). I feel it to be the best behavioural blocker on the market.

    Attached Files: zop.JPG (28 KB)
  20. aigle
    A popup snapshot from SnoopFree. I forgot to take any snapshot from OA, my mistake; that system snapshot I have deleted now, so I can't post an OA snapshot unless I reinstall it.

  21. aigle
    Regarding Elite Keylogger: if somebody installs it on your PC and uses the "send log by e-mail" function in it, then it might be caught during sending mail by a good firewall, but I could not test it. However I got a popup from Comodo while configuring this function.

  22. controler

    controler Guest

    If you are up to it, could you give a dedicated anti-keylogger a try and post results? Curious as to how it does against the rootkit Elite.

    http://www.anti-keyloggers.com/

    controler
  23. controler

    controler Guest

  24. TNT
    Wow I didn't know SnoopFree also took photographs. :p
  25. WSFuser
    nice desktop :thumb: