Script-based keyloggers

Discussion in 'other anti-malware software' started by Melf, Apr 9, 2012.

Thread Status:
Not open for further replies.
  1. Melf (Registered Member; joined Sep 7, 2010; 105 posts)

     Spyshelter fails vs keylogger script

    I'm trialing SpyShelter on x64. I've always been curious as to how an anti-keylogger would do against a script-based keylogger running in a document viewer (e.g. MS Office, media player, picture viewer, PDF reader etc.).

    From here I found a simple POC of a keylogger macro in MS Excel (screenshot attached, bottom).

    SpyShelter was set on 'Ask User', so that nothing is auto-allowed.

    Result: Fail. Keys logged from browser including login/password fields, keys logged in MS Word and notepad as well (screenshot attached, top - ignore the poor parsing of text, this is just a POC).

    I did not receive a single pop-up in these tests. Oh, except for the three pop-ups I got when I opened MS Word before even opening Excel (i.e. false positives before the test even started :S).

    I tried to see if running Excel as Low Integrity would beat this. Excel wouldn't start.

    ~~~
    Details:
    I was running Office 2003 (old, I know). It is set to disallow unsigned macros by default; I had to change the security level to run this. *However*
    a) at work I and many others routinely receive MS Office files with macros enabled that actually do something that is needed
    b) this is just meant to act as a representative. Most programs capable of running some scripting language don't have provision for the script to be signed.

    ~~~
    Instructions:
    1. Open Excel
    2. Press Alt-F11
    3. Insert -> Module
    4. Copy-paste the code from the link
    5. Save
    6. Press Alt-F11
    7. Press Alt-F8 to run the macro
    8. Go type some test text in your browser and put on a sad face

    Edit: Changed title to be more sensationalist so I can get some discussion going here :)
    Attached Files:
    Last edited: Apr 11, 2012
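The post's mitigation angle is the Office macro security level: the POC only runs once unsigned macros are allowed, and point (a) notes that users routinely enable them anyway. The script below is an added example written for this thread, not code from the poster or from SpyShelter; it audits the per-user macro setting for every Office version and application found in the registry so a defender can see where an unsigned macro would run with at most a click-through. It assumes the documented locations `HKCU:\Software\Microsoft\Office\<ver>\<app>\Security` (user setting) and `HKCU:\Software\Policies\Microsoft\Office\<ver>\<app>\Security` (GPO-enforced, takes precedence), with the `Level` DWORD for Office 2003 (11.0) and `VBAWarnings` for Office 2007 and later; the `Risky` column and its threshold are the example's own choice.

```powershell
# Added example (not from the thread): audit the macro security setting of each
# installed Office version/app, to see where an unsigned macro such as the Excel
# POC discussed above would run without a hard block.
# Assumptions: run as the user being audited; user settings live under
# HKCU:\Software\Microsoft\Office\<ver>\<app>\Security, policy settings under
# HKCU:\Software\Policies\Microsoft\Office\<ver>\<app>\Security (policy wins).
# Office 2003 (11.0) uses the 'Level' value; Office 2007+ uses 'VBAWarnings'.

$apps = 'Excel', 'Word', 'PowerPoint', 'Outlook', 'Access'

# Meaning of the DWORD values as documented by Microsoft.
$levelMeaning = @{ 1 = 'Low (all macros run)'; 2 = 'Medium (prompt, user can enable)';
                   3 = 'High (signed only)';   4 = 'Very High (none)' }
$vbaMeaning   = @{ 1 = 'Enable all macros (unsafe)'; 2 = 'Disable with notification (user can enable)';
                   3 = 'Disable except digitally signed'; 4 = 'Disable without notification' }

function Get-MacroSecurity {
    # Returns one record per (source, Office version, application) present in the registry.
    $results = @()
    foreach ($root in 'HKCU:\Software\Microsoft\Office', 'HKCU:\Software\Policies\Microsoft\Office') {
        if (-not (Test-Path $root)) { continue }
        $source = if ($root -like '*Policies*') { 'Policy' } else { 'User' }
        foreach ($verKey in Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
            $version = $verKey.PSChildName
            foreach ($app in $apps) {
                $secPath = Join-Path $verKey.PSPath "$app\Security"
                if (-not (Test-Path $secPath)) { continue }
                $props     = Get-ItemProperty -Path $secPath
                $valueName = if ([double]$version -lt 12) { 'Level' } else { 'VBAWarnings' }
                $value     = $props.$valueName
                $meaning   = 'not set (application default applies)'
                if ($null -ne $value) {
                    $meaning = if ($valueName -eq 'Level') { $levelMeaning[[int]$value] } else { $vbaMeaning[[int]$value] }
                }
                $results += [pscustomobject]@{
                    Source  = $source
                    Version = $version
                    App     = $app
                    Setting = $valueName
                    Value   = $value
                    Meaning = $meaning
                    # Example's own threshold: values 1 and 2 let an unsigned macro run
                    # either silently or after a single click-through, which is the
                    # situation the post describes.
                    Risky   = ($null -ne $value) -and ([int]$value -le 2)
                }
            }
        }
    }
    return $results
}

Get-MacroSecurity | Sort-Object Source, Version, App | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session as the user whose Office is being checked; a `Risky` row under `User` with no overriding `Policy` row is where a macro like the one in the post would be allowed to run, regardless of what the anti-keylogger hooks. Remediation is to set the value to 3 or 4 (or enforce it by policy), which is the setting the poster had to weaken to run the POC in the first place.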