Playing with Keyloggers and scanners

Discussion in 'privacy technology' started by aigle, Aug 19, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    My God! It's my mistake. Actually SnoopFree does not take snapshots, rather it stops any software from taking snapshots of your desktop or any other window. I use FastStone Capture to take snapshots and have given it permission in SnoopFree's settings to do this job. So what happened in fact is that, when SnoopFree gave a pop-up about the keylogger hooking my keyboard, I tried to take a snapshot of this pop-up; SnoopFree stopped this snapshot until I replied to its pop-up by saying Yes (it's a nice example showing how it stops keylogging in real time). So all that was captured by FastStone Capture was a part of my desktop rather than the pop-up of SnoopFree. It was my mistake that I uploaded it without looking. Sorry
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Maybe sometime later. Actually, just shortly before I saw your post I deleted all my test snapshots in RollbackRx, so all these test snapshots are gone now.
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    haha, at least SnoopFree does its job well.
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    can they prevent a kernel-based keylogger though?
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Nice to see someone actually putting security software through its paces. Thank you
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any anti-execution software like OA, SSM and PG must block its installation, but I did not test it. On my test systems SSM and OA did give pop-ups when I installed Elite Keylogger, but I allowed its installation. Of course these pop-ups were just the same as the pop-ups you get on installation of legitimate software, so the user will be the one to decide.
     
  7. mrhero

    mrhero Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    297
    Location:
    Ankara , Turkey
    Bitdefender's new anti-rootkit beta can detect Elite Keylogger.
     
  8. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    aigle,

    can you try the GMER, and the behavioral blockers Cyberhawk and Spyware Terminator?

    GMER Tutorial
    GMER also has "System protection and tracing"... ;)

    For Spyware Terminator, enable all its real-time protection features...

    Thanks
     
  9. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Aigle,

    MUK repeatedly calls GetKeyState (or GetAsyncKeyState, can't quite recall offhand) - sort of like a polling keylogger. This is detected as a behavior inside OA 2.0 so it will generically detect this type of threat when released.

    Elite is a Kernel mode logger - we catch this behaviorally with OA2.0 as well after installation - at least our prototype did :)

    If you would like to have a play with the alpha of OA 2 (with firewall) and in a week or two Kernel Mode as well to confirm my wild claims, then feel free to drop me a PM :)

    At this moment I'm not planning to make OA2 available for public beta until it's almost ready for release.



    Mike
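
The polling-versus-hook distinction Mike describes above is what a behavioural detector keys on. The following is an added example (not code from OA, MUK, or anyone in this thread) that applies that idea offline to a per-process API-call trace of the kind a sandbox or API monitor produces. The trace format, the process names and PIDs, and the thresholds (calls per second, distinct keys) are all constructed for this illustration; GetKeyState, GetAsyncKeyState, SetWindowsHookEx and the WH_KEYBOARD/WH_KEYBOARD_LL hook ids are the real Win32 names.

```python
"""Behavioural detection of keyloggers from a per-process API-call trace.

A polling keylogger samples the keyboard by calling GetKeyState or
GetAsyncKeyState in a tight loop; a hook-based one registers a keyboard
hook through SetWindowsHookEx. Given a trace of API calls (from a sandbox
or an API monitor), both patterns can be flagged without signatures.
The trace format and every process/PID below are constructed for this
example; the thresholds are illustrative, not tuned values.
"""
from collections import defaultdict

POLLING_APIS = {"GetKeyState", "GetAsyncKeyState"}
HOOK_API = "SetWindowsHookEx"
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}   # real Win32 hook ids


def constructed_trace():
    """Build a sample trace: '<ms> <pid> <process> <api> <first arg>'."""
    lines = [
        "1000 412 notepad.exe GetKeyState VK_SHIFT",             # one-off query
        "1500 412 notepad.exe GetKeyState VK_CONTROL",
        "2000 900 hooklog.exe SetWindowsHookEx WH_KEYBOARD_LL",  # hook install
    ]
    # Polling logger: sweeps virtual-key codes 8..255, one call every 5 ms.
    for i in range(400):
        lines.append(f"{1000 + 5 * i} 777 polllog.exe GetAsyncKeyState VK_{8 + i % 248}")
    # A game polling four movement keys at ~60 Hz: high rate, few keys.
    for i in range(120):
        for key in ("VK_W", "VK_A", "VK_S", "VK_D"):
            lines.append(f"{1000 + 16 * i} 555 game.exe GetAsyncKeyState {key}")
    return "\n".join(lines)


def parse_trace(text):
    """Parse trace lines into (ts_ms, pid, process, api, args) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, pid, proc, api = parts[:4]
        events.append((int(ts), int(pid), proc, api, parts[4:]))
    return events


def max_calls_in_window(timestamps, window_ms):
    """Largest number of calls falling inside any window_ms-wide interval."""
    ts = sorted(timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] < ts[i] + window_ms:
            j += 1
        best = max(best, j - i)
    return best


def analyse(events, window_ms=1000, min_calls=50, min_distinct_keys=8):
    """Return {pid: (process, reason)} for processes showing keylogger behaviour.

    The distinct-key requirement separates a logger that samples the whole
    keyboard from a legitimate program polling a handful of keys.
    """
    polls = defaultdict(list)   # pid -> timestamps of polling calls
    keys = defaultdict(set)     # pid -> distinct key arguments polled
    names, findings = {}, {}
    for ts, pid, proc, api, args in events:
        names[pid] = proc
        if api in POLLING_APIS:
            polls[pid].append(ts)
            if args:
                keys[pid].add(args[0])
        elif api == HOOK_API and args and args[0] in KEYBOARD_HOOKS:
            findings[pid] = (proc, f"installs keyboard hook {args[0]}")
    for pid, stamps in polls.items():
        rate = max_calls_in_window(stamps, window_ms)
        if rate >= min_calls and len(keys[pid]) >= min_distinct_keys:
            findings.setdefault(pid, (names[pid],
                f"polls {len(keys[pid])} distinct keys, {rate} calls in {window_ms} ms"))
    return findings


if __name__ == "__main__":
    for pid, (proc, reason) in sorted(analyse(parse_trace(constructed_trace())).items()):
        print(f"PID {pid} ({proc}): {reason}")
```

Running it flags the polling process and the hook installer and leaves notepad.exe and the game alone. The game is the interesting negative case: its call rate alone exceeds the threshold, so a rate-only rule (which is what naive "polling" heuristics often are) would produce a false positive; counting how much of the keyboard is being sampled is what makes the rule usable. A kernel-mode logger like Elite, which reads keystrokes below the Win32 API, would not appear in such a trace at all, which is why the thread's question about kernel-based loggers needs a different answer (driver-load monitoring or rootkit scanning) than this one.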
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Mike! Thanks for the input. So version 2 will be nice. I am just an ordinary user so I don't think I can play with the alpha, but I will be interested in the beta version of course when it is open for testing. BTW, I think the key-logging behaviour detection pop-ups should have a separate colour scheme from the others so that one can be alerted immediately.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    How can I download it?
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Will only try GMER with Elite Keylogger. Otherwise all the test bed is already gone. So for Spyware Terminator I am sorry, maybe some time later if possible.
    I tried CyberHawk's behavioral blocking with some of them and it did not detect any keyloggers from them except when I tried to open the log file of one of the keyloggers - playing with CH was not so detailed but I can say that it did not perform well. SpyCatcher also caught only one keylogger but probably on the basis of a signature (not sure).
    Remember in all cases I made a test bed with different keyloggers preinstalled and then installed/activated security software to see whether they can detect actual ongoing keylogging or not. I am sure if I had tested the actual installation of keyloggers many software would detect it easily, but it is a totally different scenario.
     
  13. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Nice review Aigle: theory and reading makes any knowledge volatile, experimentations make the knowledge yours. :)

    One of the most interesting resources about keyloggers (the pdf is interesting):
    http://skrasavi.ds.uiuc.edu/Others/keyloggers.htm

    It's currently impossible for security software to cover all spying possibilities: software/hardware keyloggers, sniffing, TEMPEST, the sound of keyboards, webcams...

    Researchers of Pennsylvania University have recently published a study about devices which can use covert channels to transmit data.
    As the original paper is technical, I just give this article from Network World:
    http://www.networkworld.com/news/2006/080806-keyboard.html

    NB. Covert channels are well known to administrators/network managers.
    This is a classical but very effective method for bypassing firewalls and IDS.
    The french firm HSC will release an anti-covert channels tool in a few months:
    http://www.hsc.fr/ressources/outils/sstic06/index.html.en

    @Mike: as even Kaspersky's proactive module does not detect the MUK Windows hooks, is it possible for you to post the screenshot POC here?

    Regards
     
  14. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Spyware Terminator also has a Realtime Shield, so you can try it to see if it detects the installation of Elite Keylogger's driver, if it installs a driver... ;)
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for your post. In fact, as I posted in the thread title, I am totally incapable of running any tests, but just like an ordinary user I like to play a bit with these malware and security software - it's great fun indeed.

    The link you gave seems to have a lot of information, and the covert channels are totally new to me and rather scary. I will read them later.
    Thanks for all this info.
    BTW, so at the moment there is no software to cover these covert channels?
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Will try to see. As I told you, any anti-execution utility might detect and block it, but do you think that if somebody installs it on your system, he will let its installation be blocked?
    In fact I did not check the ability of security software to block the installation of keyloggers. All I checked was that if you have a preinstalled keylogger on your system and it is logging your keystrokes etc., how you can detect this keylogging behaviour in real time without signatures (the on-demand scans I did were just to see the signature-based/heuristic detection). So if I want to see the efficacy of security software to block the actual installation of keyloggers in real time, I will have to start from zero, as it is an altogether different scenario, though interesting as well. I will try to check as you said but will not promise (have an exam ahead and going to have nightmares!)
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Installation of Elite Keylogger
    Antivir blocked its installation on signature-based detection.
    Spyware Terminator's HIPS function blocks it according to user interaction, but the spyware components do not block its installation.
    CyberHawk gives "probable malicious action" pop-ups on its installation and will probably block its installation according to user action (I did not opt for blocking, I just allowed it on the CH pop-ups).
    SSM blocks its installation according to user interaction, and in fact any good HIPS/anti-execution software will do so for obvious reasons.
     

  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    SSM blocks its installation
     

  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Scanning by BlackLight.
     

  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Scanning by RootkitRevealer
     

  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    aigle, can you try running/installing these in Sandboxie? Make sure you don't run them outside before, just IN the sandbox. :)
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GMER after Elite Keylogger install
     

    Attached Files: GMER.JPG
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Sandboxie stopped it cold. It was there in Sandboxie but probably not working, as I was not able to start it in the usual way, but of course I am not 100% sure that it was not logging the keys.
    GeSWall allowed some parts to be added in Windows, but again it was probably not functioning and I was not able to start it in the usual way. Rootkit scans with GMER, BlackLight and RootkitRevealer were clear in both cases, at least to me - I am totally new to the rootkit area, never scanned for rootkits before, so maybe I am mistaken somewhere. However, in all probability Sandboxie and GeSWall are stopping it, making it dysfunctional; that's really nice.
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I'm quite sure it wasn't logging... did you check the contents of the sandbox? I really doubt it was even able to start anything, but if it was, the logged stuff should be in the sandbox.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    There were its files in the sandbox, but when I clicked its icon, it did not open anything.
    The usual way to start this keylogger is to type "runelitekeylogger" in Run and then wait, instead of pressing OK, until it asks for the password (otherwise it is completely hidden). I did it and nothing appeared. Its logged stuff is probably encrypted or something like that, and if you can't start its GUI, you can't access it.
    Later, after some time when I have time, I may configure it to send the log by e-mail and then I can be sure whether it is logging or not, but even now I am almost sure it will not work in the sandbox.
     