Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Did a bit more testing last night with Elite Keylogger with regdefend and KAV's new suite beta. regdefend catches the reg entries and KAV proactive (process guard) module detects the processes. I allowed everything to install, then did a scan with KAV's AV. It still doesn't detect this keylogger.
    I did hear however, Anti-Keylogger version 7.0 will proactively prevent it.

    I will try out this undetectable keylogger just mentioned and see if I notice anything.

    controler
     
  2. goodquestion

    goodquestion Guest


    Interesting find there Alex_123. Yes, this is a tricky one to detect and it seems it gets past nearly every anti-keylogger program I've tried. Most of the popular anti-spyware (& anti-keylogger) programs don't detect it on install or through a manual scan either (including MSAS, Spybot, Ad-aware, Pest Patrol, SpywareDoctor, Ewido, A2, Spycop, Advanced Anti-keylogger, Prevx home etc.), but then I'm not so sure they should in this case, but it would be nice to be able to detect it through heuristics.

    So far the only program that does detect this program (out of the ones I tested) as a keylogger, is Security Task Manager. STM detects Martin's Undetectable Keylogger, but only rates it at 32% as being malware. Though it does list it as a "keylogger" under Title, Description.

    I did notice also that System Safety Monitor will stop the keylogger from starting if you have SSM running when you try to start the keylogger, for those who may be interested.

    I think this goes to show no matter how protected you may think you are, there could always be a new, and perhaps quite unexpected, way to defeat your seemingly impenetrable defenses. So be careful people.
     
  3. controler

    controler Guest

    With the undetectable keylogger, Regdefend doesn't notice anything.

    Scans at Jotti & Virus Total show nothing. KAV's new Beta Suite - nothing with it on access or its process guard. BUT BoClean detects and removes this one.

    controler
     
  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the update GQ - this one gives anti-keyloggers an unusual challenge. the more variations on keyloggers we discover the better to test with.
     
  5. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks Controler - i was wondering what BOClean would make of it.
     
    Last edited: Sep 10, 2005
  6. controler

    controler Guest

    Just tried IceSword 1.12 on it and under the log process/thread creation tab, it shows the creator as explorer with PID of 1352 which created keylog.exe with PID of 3192.

    controler
     
  7. goodquestion

    goodquestion Guest


    Nice Controler. I'm glad you're also testing some other programs than myself, that way others can see a wide variety of programs being tested, and see what does and doesn't work, and then decide which they would like to use.

    I don't have a license for BoClean so I can't test that one, so it's nice to see someone else testing it. But I do believe BoClean is a signature based detector, for the most part, so I wonder if someone just submitted the keylogger to BoClean and they recently added the sigs for it. It would be better if BoClean detected it with some kind of heuristics rather than sigs though.

    Personally I prefer to have at least one AK/AM that can detect a wide variety of keyloggers through heuristic type behavior alone (not signature based), because this is probably not the only keylogger around that doesn't rely on keyboard hooks to do its dirty work (e.g. Elite).

    There could easily be many different little known keyloggers (private builds) that use unknown techniques at this time, and IF BoClean and other scanners are detecting it by sigs alone that's not so good, but certainly better than nothing.

    But of course that's not to say that the heuristic based scanners will find everything either, but it's probably best to have both. I realize some scanners do cover both, but I still prefer to have at least one scanner that concentrates on heuristics alone and leaves the sigs to others.


    @Toploader, I also look forward to seeing more variations or unusual keyloggers (other than hooks based) posted about here (whether by yourself or others), so we can test them to see what will or will not detect them. That way we'll all know how to stay safe from these threats, well those who read this thread anyway. :)
     
  8. controler

    controler Guest

    Thanks goodquestion

    Yes BoClean uses sigs but they are mem sigs and not file sigs.

    Kevin says pretty much everything that is around now was created by old programmers but just has new flavors added now.

    Anti-Keylogger doesn't use sigs and is proactive.
    I never tried AK on this new one yet. I have to reload my programs one at a time to test. I can tell you that BoClean does not detect Elite at present and I am not sure why. Hoping some of their corporate clients aren't using this keylogger o_O

    This new English version of IceSword looks nice. :) If you have not tried it yet, I would suggest it. Very simple GUI & of course that is what we like to see now. There is no Help file yet but even mom could use this program, if she only knew what its displays meant. One thing that is nice is a lot of the nasty stuff shows up as RED. Thinking if the author could add some guides and some other colors it would spiff it up a bit.
     
  9. StevieO

    StevieO Guest

    I've run a file analyser on the Undetectable Keylogger, and this is what the Import/Export table looks like. Also I've shown the available signatures for it too.

    Yes someone did send it to BOClean!

    Good to see the testing continuing.


    StevieO
     


  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    here's one for you to get your teeth into GQ/Controler (and anyone else who fancies some sport) - Probot SE 2.4.1 -

    # Stealth: invisible in process list
    # Includes kernel keylogger driver that captures keystrokes even when user is logged off (*)
    # ProBot program files and registry entries are hidden (*)

    (*) - XP and Windows 2000 only

    http://www.nethunter.cc/probotse.php

    have fun :D
     
    Last edited: Sep 10, 2005
  11. controler

    controler Guest

    Nice program and interface Toploader.

    So far Regdefend blocked 9 entries to the registry. Will try some other apps later. KAV nothing.


    controler
     
  12. StevieO

    StevieO Guest

    A good find toploader.

    controler nice to hear that Regdefend is alert.

    I wonder if AH, SSM, PG, OA etc. can block it?



    This KL certainly looks interesting! I scanned it at Jottis and got the above results.

    There seems to be a mismatch between the two VBA32 findings for some reason?


    StevieO
     


  13. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    nice to see Regdefend and KAV under the microscope Controler :)
     
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the jottis test StevieO - a service I haven't tried yet - at least it seems to have some suspicions of the kl - to be fair jottis is primarily an AV service.
     
    Last edited: Sep 11, 2005
  15. goodquestion

    goodquestion Guest

    Ok I tested Probot SE 2.4.1 on my XP home sp2 test machine and just about all my scanners detect at least some part of this keylogger.

    MSAS detects part of PSE on install and many entries through a manual scan.

    Ad-aware detects through manual scan.

    Spybot detects through a manual scan and tea timer picks up the install of part of the keylogger also.

    Pest Patrol detects on install and through a scan.

    Prevx home detects upon install.

    WinPatrol warns on install.

    Security Task Manager detects it at 100% as being malware.

    Spycop Detects the keylogger through a scan.

    Spyware Doctor finds 187 detections (processes, reg entries, & files) related to the keylogger through a manual scan and also detects it upon install.

    X-cleaner free detects through a manual scan.

    Advanced anti-keylogger detects PSE.

    The only programs that didn't detect the keylogger (out of the programs I tested) were Ewido free and A2 free, through manual scans.

    I stopped testing here because like I said before just about every scanner detects at least some part of this keylogger.

    But one thing I would like to point out is that in my tests, I didn't bother to test every program to see which ones successfully removed all parts of the keylogger, or at least enough to disable it. That's something important to keep in mind if you do consider purchasing any AS/AK posted about here. So my tests are not necessarily showing which AK/AS are better or worse than others, only which do and do not detect a particular keylogger.

    Remember just because you can detect some form of spyware doesn't mean you can always successfully remove it with that scanner. Some may want to reformat to remove all traces of a keylogger if one is found on their computer, just make sure it isn't a false positive first.
     
  16. Pollmaster

    Pollmaster Guest

    Which entries are we talking about? And is this during the installation?

    Detects what? Warns of what exactly?
     
  17. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  18. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Your Mission should you choose to accept it GQ/Controler is Powered Keylogger....

    The heart of Powered Keylogger is an advanced Windows 2000/XP low-core driver which runs invisibly at the lowest kernel level of operating system providing the best stealth functions. Nobody will be able to locate Powered Keylogger in your computer. Its folders do not appear in file search and will not be found by file managing shells. Not only program modules of Powered Keylogger are hidden, but the logs are unrevealed as well. No need to tell that Powered Keylogger is not visible in Tasks or Processes List, among installed programs, in Start menu (unless you prefer a visible installation), it does not show up in registry or Add/Remove Programs utility.

    http://www.downloadjunction.com/product/software/70367
     
    Last edited: Sep 11, 2005
  19. controler

    controler Guest

    pollmaster

    reran it again and this time got this.

    HKLM\Software\Microsoft\Windows\Currentversion\Runservices

    HKLM\Software\Microsoft\Windows\Currentversion\Run

    HKLM\System\Currentcontrolset\Services\Exiqjb32

    HKLM\System\Controlset001\Services\Exiqjb32

    HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects\{312fa154-e1b7-4336-9833-ee6b38d58b56}

    KAV Beta ISS gives numerous PG blocks.

    controler
     
  20. merlin353

    merlin353 Guest

    I'm relatively new at this but got interested in this key logger thread. I was curious to see what Safe-n-Secure would do if I tried to install Advanced Keylogger. It didn't catch it as a keylogger but it sure did catch it as being dangerous.
     
  21. goodquestion

    goodquestion Guest


    Winpatrol warns of a BHO install oxedub51.dll and a new auto startup program ecosew20.exe

    Prevx home has a few more warnings than WinPatrol (big surprise ;) ) notably the attempted install of the keylogger's kernel driver. Some warnings by Prevx- Pbcpl.exe, Depgen.exe, Instview.exe, Q.exe, Ecosew20.exe, Oxedub51.dll, Jcocib00.sys, Jlibjq48.sys.



    I also did a few other tests and here's what I found.

    Anti-keylogger 6.1 does prevent ProbotSE from logging your keystrokes. Good job AK.

    SpywareDoctor's Keylogger Guard doesn't prevent your keystrokes from being logged once the keylogger is installed.

    UnHackme detects the keylogger. Says it's suspicious to Trojan class Hacker Defender rootkit. It's detecting the kernel driver most likely.

    KeyloggerHunter doesn't do anything to stop the keylogger or prevent your keystrokes from being logged.

    RootkitRevealer detects the keylogger also.


    @Toploader, Thanks for posting with the new keyloggers, but I don't think I'll be testing any other keyloggers at this time. I really didn't plan on testing so many keyloggers all at once. The tests are quite time consuming, if done properly, and I can only do these tests in my spare time. If I can, I may test some of them later. :)
     
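The registry paths controler lists in post 19 (Run, RunServices, a Services subkey for the driver, and a Browser Helper Objects CLSID) and the BHO/driver/autostart warnings goodquestion reports in post 21 all point at the same small set of persistence locations. The script below is an added example, not code from any product or poster in this thread: it takes registry-change events in a constructed (action, path) form, as a registry guard might log them, and reports which ones land in a known autostart location. The sample events reuse the five paths from post 19 plus three constructed entries that should not be flagged; the event format and all other names are assumptions.

```python
"""Classify registry-guard events against common Windows autostart locations.

Added example; SAMPLE_EVENTS is constructed for illustration and is not the
output of any product mentioned in the thread.
"""
import re

# Autostart locations, matched against a normalised, lower-cased path.
# A capturing group, where present, extracts the interesting detail
# (service name or BHO CLSID); otherwise the last path component is used.
AUTOSTART_PATTERNS = [
    ("run key",
     re.compile(r"^hk(?:lm|cu)\\software\\microsoft\\windows\\currentversion\\run(?:once)?(?:\\|$)")),
    ("runservices key",
     re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\runservices(?:\\|$)")),
    # Only a new immediate child of Services is flagged (a new service or
    # kernel driver); writes under an existing service's subkeys are not.
    ("service or kernel driver",
     re.compile(r"^hklm\\system\\(?:currentcontrolset|controlset\d{3})\\services\\([^\\]+)$")),
    ("browser helper object",
     re.compile(r"^hklm\\software\\microsoft\\windows\\currentversion\\explorer"
                r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")),
]

# Long hive names as some tools log them, mapped to the short form.
HIVE_ALIASES = {
    "hkey_local_machine": "hklm",
    "hkey_current_user": "hkcu",
}


def normalise(path):
    """Lower-case the path, unify separators and shorten the hive name."""
    p = path.strip().replace("/", "\\").lower()
    hive, sep, rest = p.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest


def classify(path):
    """Return (category, detail) for a known autostart location, else None."""
    p = normalise(path)
    for category, pattern in AUTOSTART_PATTERNS:
        m = pattern.match(p)
        if m:
            detail = m.group(1) if m.groups() else p.rsplit("\\", 1)[-1]
            return category, detail
    return None


def triage(events):
    """events: iterable of (action, path) tuples.

    Returns a list of (action, path, category, detail) for every event that
    touches an autostart location, in input order.
    """
    flagged = []
    for action, path in events:
        hit = classify(path)
        if hit:
            flagged.append((action, path) + hit)
    return flagged


# Constructed sample: the five paths from post 19, then three entries that a
# guard might also log but which are not autostart locations or are writes
# under an existing service (Tcpip) rather than a new service key.
SAMPLE_EVENTS = [
    ("create", r"HKLM\Software\Microsoft\Windows\Currentversion\Runservices"),
    ("create", r"HKLM\Software\Microsoft\Windows\Currentversion\Run"),
    ("create", r"HKLM\System\Currentcontrolset\Services\Exiqjb32"),
    ("create", r"HKLM\System\Controlset001\Services\Exiqjb32"),
    ("create", r"HKLM\Software\Microsoft\Windows\Currentversion\Explorer"
               r"\Browser helper objects\{312fa154-e1b7-4336-9833-ee6b38d58b56}"),
    ("write", r"HKCU\Software\ExampleApp\Settings\WindowPos"),             # constructed, benign
    ("write", r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters"),  # existing service
    ("write", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),  # constructed
]

if __name__ == "__main__":
    for action, path, category, detail in triage(SAMPLE_EVENTS):
        print(f"{action:6} {category:26} {detail:40} {path}")
```

Note that CurrentControlSet and ControlSet001 usually refer to the same control set, so the two Services hits in the sample are most likely one driver registration seen twice; the script reports both rather than guessing, since which ControlSetNNN is current is decided by the Select key on the machine in question.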
  22. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    you deserve the break GQ - your tests have made fascinating reading - I've learned a lot from them - cheers :)
     
    Last edited: Sep 11, 2005
  23. StevieO

    StevieO Guest

    goodquestion

    Thanks for all your Good Good work! I look forward to more posts when you get a chance.


    StevieO
     
  24. goodquestion

    goodquestion Guest

    Thanks Toploader and StevieO.

    StevieO, don't count yourself out. I have found your contributions to this thread helpful as well.

    Right now I'm testing Powered keylogger. It looks to be another bad boy similar to Elite. But a few of the scanners are detecting it. I'll post the full results when I'm done. :)
     
  25. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    goodquestion......I appreciate your responses in various threads concerning keyloggers and your testing involving them, etc. I've posted a question in the thread entitled "UnHackMe" in the "other anti-trojan software" that I'm hoping perhaps you could help answer for me.

    Thanks
     