Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If you didn't notice, my post about prizes was meant as a practical joke.
    Your questions will be answered by security experts; I'm not qualified.
    I won't buy this software anyway, because I don't pay for messy security.
     
  2. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    looks a cute little product
     
  3. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Online Armour seems a good guard dog Notok - will keep an eye on its progress - it's still pretty new.
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    happy birthday Erik - have a copy of snoopfree on me :D
     
  5. goodquestion

    goodquestion Guest

    OK, done with my tests with Elite and the different anti-keylogger/anti-spyware programs and here's the results.

    1. Snoopfree does not stop the Elite keylogger from logging your keystrokes. I think Snoopfree is mainly for protection against hook based keyloggers, not kernel based.

    2. Advanced Anti Keylogger 3.6.1 does effectively stop Elite from logging your keystrokes. Nice improvement from the older version of AAK 3.42 I tested earlier this year, because that version wouldn't protect you from Elite.

    3. Keylogger Hunter 2.0 does not detect or stop Elite from logging your keystrokes. Again, this AK only works against hook based keyloggers.

    4. Privacy Keyboard 6.1 and Anti-Keylogger 6.1 both fail to stop Elite from logging your keystrokes.

    5. Spycop 6 does detect the Elite keylogger through a manual scan.

    6. Security Task Manager 1.6f does not detect Elite unless it is out of stealth mode. Not much help really, in this case.

    7. Spyware Doctor 3.2 (full) does detect the Elite upon install, and will stop it from installing, but SD's realtime protection (Keylogger Guard and Process Guard) does not stop the Elite from logging your keystrokes if someone was able to install Elite. But then SD will not allow you to open Elite (windump view) once it is installed to see the logged keystrokes unless SD's realtime protection is shut down. SD also will find and delete Elite through a manual scan.

    8. Pest Patrol 4 (full) will detect the install of Elite (asks if you want to delete this pest upon install). It will also find and delete Elite through a manual scan. But PP will not stop Elite from logging your keystrokes once it is installed, so you would have to do regular manual scans with PP to find and delete Elite if you or someone else allows it to install.

    9. UnHackme 2.5 detects Elite and removes it.

    10. RootkitRevealer 1.55 detects Elite, but is somewhat less user friendly than the other rootkit detector UnHackme, which seems better for a newbie or other users.


    The following other programs don't detect the Elite keylogger upon install or through manual scans.

    1. WinPatrol 9.7.0.18 (free)

    2. MSAS 1.0.615

    3. Spybot 1.4

    4. Ad-aware 1.06 (Free)

    5. Ewido 3.5 (free)

    6. A2 1.6 (free)

    7. X-Cleaner (free)

    I would have liked to test a few other programs but these kinds of tests take too much time. Anyway this should give you plenty of info to find an AS/AK program that will find and remove the Elite keylogger.
     
  6. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Thank you very much for a thorough and very informative set of tests GQ - you have been a great help.

    for one thing it saves me bothering to install snoopfree

    i didn't realise elite was a kernel based keylogger - no wonder it's much harder to detect.

    with the information you have provided i and others can now make an informed choice about keylogger protection

    at the moment Advanced Anti Keylogger 3.6.1 or Unhackme with Spycop or Spyware Doctor as backup looks a good combination.

    thanks again for a first class piece of detective work
    cheers
     
  7. goodquestion

    goodquestion Guest

    No problem Toploader, glad it helped you out. I won't suggest which programs you or others should choose for keylogger defense, but I will say that programs like Snoopfree are still worth using, because the majority of keyloggers are still hook based, and SF does do a decent job of detecting them. Though some people prefer Process Guard or AntiHook (free :D ) to stop these keyloggers.

    One other thing, I'm surprised no one mentioned, is hardware keyloggers. None of the above scanners will detect them. If anyone else has physical access to your machine, you may want to check for them. http://www.spycop.com/keyloggerremoval.htm Also some can be hidden inside of a keyboard, and would be more difficult to find. But the Windows Onscreen Keyboard can be used to defeat them. ;) See ya.
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks again GQ
     
  9. controler

    controler Guest

    goodquestion

    Did you have Anti-Keylogger installed before you installed Elite?

    I think Anti-Keylogger does work at kernel level and does startup before the user even logs in.


    controler
     
  10. goodquestion

    goodquestion Guest


    Yes, I installed Anti-keylogger 1.6 before I installed the Elite keylogger, and after I installed Elite, and either way Elite will still log your keystrokes. When Elite is installed it goes right past AK 1.6 without any warning whatsoever. I don't think AK 1.6 will protect you against kernel level keyloggers.

    Not to say that AK 1.6 is a bad program. Many of the programs that do not detect Elite upon install, or afterwards through a manual scan, are still very valuable programs and have many other excellent uses, they just aren't good for detecting kernel level keyloggers.

    But the fairest way to do the tests would be to install the keylogger(s) first, and then the anti-keylogger programs, because what if you already had the keylogger installed and weren't aware of it? And who actually reformats before they install an anti-keylogger or any other security program?

    Though I hope those who read these tests don't just throw out all the anti-keyloggers and anti-spyware programs that didn't detect the Elite keylogger because some of them are definitely still worth using.

    Even with just free programs, I feel you can still have a decent amount of protection against keyloggers.
     
  11. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    if i'm going to get a specialist anti-keylogger then i want it to be able to detect the stealthiest keyloggers because every day those pesky trojan writers are getting sneakier and sneakier.

    i'm careful with my browsing habits, but in the past i've clicked on what i thought was an innocuous link in google and found myself directed to a hard core site - i do believe we need as much protection as possible.

    bit like a house really :D

    fences
    gates
    barricades
    moat with piranha
    guard dogs
    guard parrots
    burglar alarms
    locks
    bolts
    shutters on doors and windows
    all doors and frames solid steel
    all windows unbreakable glass
    motion detectors
    infra red detectors
    ultra violet marking of possessions
    log of all serial numbers of cameras, hifi, computers, dvd players, TVs etc etc
    closed circuit video surveillance
    booby traps
    night vision goggles
    bucket of custard
    baseball bat
    duct tape
    handcuffs

    surely there is no one living in a house who doesn't have at the very minimum all the above :D
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    ok having read GQ's excellent summary of anti-keyloggers - i've decided to call up the heavyweights in this never ending fight against the forces of cold semolina pudding school dinners.

    i've downloaded and installed UnHackMe - it's in the tray monitoring once a minute and i've run a scan.

    i clicked the scan button - and literally one second later it says - that's alright no trojan found.

    i must admit i was somewhat taken aback that it told me in one second - i'm used to a scanner chugging its way through the entire contents of my hard disk taking on average half an hour.

    can this be? can UnHackMe tell me in one second that i'm free of all trojans including the disgusting parasitic process-injecting schooldinner.cold-semolina trojan?

    what is it checking?
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Rootkits work either by modifying Windows' own data structures (process lists, etc) or by altering (hooking into) certain basic functions. What most rootkit detectors do is an integrity check (to see if there is anything unusual) on such structures (which are held in memory) and some type of low-level scan to try to find any discrepancies that would suggest hidden items.

    While a low-level disk scan (e.g. to pick out hidden files) could take some time (likely less than an anti-virus scan though), a process/structure check which looks at memory only shouldn't need to take more than a few seconds (unless it gets stuck in that semolina - euch!).
     
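    As an added illustration of the two checks Paranoid2000 describes (not code from the thread or from any of the products named in it), the toy below models a process list as a circular doubly linked list, the shape of Windows' ActiveProcessLinks. A walk of the list is the high-level view; a sweep over every allocated record is the low-level scan. An entry unlinked from the list stays allocated, so the two views disagree, and the dangling links also fail an integrity check. The process names and PIDs are constructed sample data.

```python
"""Toy cross-view and link-integrity check for a hidden process entry."""
from dataclasses import dataclass


@dataclass
class ProcRecord:
    pid: int
    name: str
    flink: "ProcRecord | None" = None  # forward link
    blink: "ProcRecord | None" = None  # backward link


def build_list(entries):
    """Link (pid, name) pairs into a circular doubly linked list; return (head, pool)."""
    pool = [ProcRecord(pid, name) for pid, name in entries]
    for i, rec in enumerate(pool):
        rec.flink = pool[(i + 1) % len(pool)]
        rec.blink = pool[(i - 1) % len(pool)]
    return pool[0], pool


def walk_list(head):
    """High-level view: follow flink from head until we come back around."""
    seen, cur = [], head
    while True:
        seen.append(cur.pid)
        cur = cur.flink
        if cur is head:
            return seen


def unlink(rec):
    """Simulate the list modification a rootkit makes: neighbours bypass rec."""
    rec.blink.flink = rec.flink
    rec.flink.blink = rec.blink


def cross_view_diff(head, pool):
    """PIDs found by the raw pool sweep but missing from the list walk."""
    return sorted({r.pid for r in pool} - set(walk_list(head)))


def link_integrity_errors(pool):
    """Records whose neighbours no longer point back at them."""
    return sorted(r.pid for r in pool
                  if r.flink.blink is not r or r.blink.flink is not r)


def demo():
    """Hide the constructed 'keylog.exe' entry and run both checks."""
    head, pool = build_list([(4, "System"), (620, "csrss.exe"),
                             (1337, "keylog.exe"), (2044, "explorer.exe")])
    unlink(pool[2])
    return cross_view_diff(head, pool), link_integrity_errors(pool)
```

    Both checks touch only in-memory structures, which is why they finish in well under a second while a disk sweep for hidden files would not.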
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i guess as it took only one second i must be semolina free, Paranoid :D
    thanks for the explanation
     
  15. goodquestion

    goodquestion Guest


    Oops, I meant to say I used Anti-keylogger 6.1, NOT 1.6 when I wrote the above, my bad. The latest possible version of Anti-keylogger was used in my tests, not an older version. Sorry for any confusion it may have caused.
     
  16. controler

    controler Guest

    Yes, I get the jest.

    I was one of the first here to talk about AV-AT's not wanting to detect commercial keyloggers because of legal issues.

    I may give the Elite keylogger a peek.

    Myself, when no others were interested, tested a lot of commercial keyloggers and found bugs and hence got full free versions.

    I will give a small hint here.

    Try one using special characters in an e-mail, like before & after the body.
    There is no harm in installing them since you become the ADMIN of the keylogger.


    controler
     
  17. controler

    controler Guest

    Elite Keylogger installed after Anti-Keylogger. Anti-Keylogger detects nothing.
    Elite Keylogger installed after PG but PG disabled, then re-enabled after. No alerts.

    Boclean installed after Elite Keylogger, No detection.

    Security Task Manager Trial. Nothing here either.

    One thing I noticed is if I disabled PG, the system wanted to keep rebooting until re-enabling PG.

    controler
     
    Last edited by a moderator: Aug 29, 2005
  18. controler

    controler Guest

    Ewido installed after Elite Keylogger. No detection. Only thing Ewido found was a few cookies.

    I am sure Elite installed because I chose to allow changes after restart on my Windows Shared Computer Toolkit test computer.

    controler
     
  19. goodquestion

    goodquestion Guest

    Nice job Controler. One question though: after you installed the Elite each time, did you open it and set a password, then type in some keystrokes and again open Elite to see if it logged them while each anti-malware program was running?
     
  20. controler

    controler Guest

    I can not get the gui to start up on my machine.

    I tried the win + r and run windump view and neither seem to bring it up for me.

    I wonder if I got a bad install. I have only used windows shared toolkit for a few months but have tried a few different process explorers and none seem to see anything out of the ordinary.

    This morning after bootup, I am not seeing PG or BoClean start up. Seems the reboot loop is back also.
    I will have to mess with it more after work. Will try installing KAV's new Beta if I can get past the constant reboots.
     
    Last edited by a moderator: Aug 30, 2005
  21. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks for that info, goodquestion....very helpful. Regarding the above mentioned UnHackMe.....do you know if it will detect and remove Blazing Tools Perfect Keylogger? And are there any "legitimate" programs that would use this particular keylogger (like Yahoo Instant Messenger, for example)?
     
  22. goodquestion

    goodquestion Guest


    I don't think UnHackme would detect that keylogger because if I remember correctly BTPK is not a kernel based keylogger, and that's the only kind of keylogger Unhackme would detect.

    For the detection of hook based keyloggers, which the majority still are, you should use one of the other many anti-keylogger programs that are available. Remember, UnHackme is a rootkit detector, not a keylogger detector.

    I did test an older version of BTPK though in the past (end of 2004) and many programs did detect it including Spycop, Security Task Manager, Ad-aware, WinPatrol (on install), Pest Patrol etc.....

    I can't seem to get to the BlazingTools website though, it seems to be down or maybe they're out of business now, not sure.

    Many keyloggers can be configured to monitor the use of YIM, and other similar programs.
     
  23. Alex_123

    Alex_123 Guest

    Hi Guys,

    I tested AAK, AntiHook, ProcessGuard with a lot of keyloggers but unfortunately found an application which seems not to use a keyboard hook.

    Please see
    http://www.geocities.com/martinisthebest1703/

    I tested it on VMWare with antihook, PG and Advanced Anti Keylogger. Nothing helps to stop it.
    Any suggestion would be greatly appreciated.

    Thank you,
    Alexander
     
  24. StevieO

    StevieO Guest

    Hi Alex,

    What a coincidence, i was looking at and installed the Undetectable Keylogger you mention only yesterday!

    I scanned it at Jottis and it came back clean !

    I have that wonderful free App WinSonar running full time on my PC, and this killed it dead from launching at first. I always have either the Online or Offline shields on, unless i choose to disable them for a time whilst testing something as in this case.

    I also noticed that the KL window does stay on top whilst running.

    This is the claim on his website -

    Undetectable Keylogger - As the name states, it's undetectable, and perfect as most things on this site. It's a simple stay-on-top program with a memo, that displays everything you type. It uses a special system of keylogging, which is magnificent if i may say so myself, so don't be surprised if your anti-keylogging software doesn't block it. If you want to test your pc and see if it is truly protected against spyware, try this. Note to people who think slowly: This is NOT spyware, it is only intended for testing if your computer is really immune to spyware.

    . . .

    I don't think he is underselling himself with his statements at all !

    A very interesting piece of kit, and i'm looking forward to anyone else's comments about it.


    StevieO
     
  25. ----

    ---- Guest

    Yeah me too, but I don't trust these scanners.

    Irrelevant: a keylogger of this nature is meant to be installed by you, so winsonar/execution monitor is not a factor.

    So? It's a PoC, it can be easily modified to stay hidden.


    Not new.
     