Summary of Anti-keyloggers

Interesting that a keylogger would use a BHO. For breeching the firewall?

In any case, I don't expect even the best keylogger to avoid being detected during installs, if you have monitoring of kernel/services/drivers (or registry keys related/ file system).

After installs, I do expect them to be somewhat invisible, E.g If they are still visible in the startups, they would be pretty useless against a fairly skilled user.

 

Hi,

*Invisible, undetectable...what a great marketing!

Since a soft is designed to work under Windows, it uses Windows architecture.
Therefore, it needs Windows files (.exe, .dll, .drv, .sys etc) and functions (APIs).

Even some keyloggers with rootkits features ( http://www.image-dream.com/membre/up/Michelkareldjag/p1.jpg ) can be prevented and detected.
The user just needs to have the right security product.
With only an AV, many keyloggers will remain invisible (then an HIPS is recomended).

Keylog is an interesting keylogger but easily prevented: http://www.image-dream.com/membre/up/Michelkareldjag/stopkeylog.jpg
Translation: "this application was not be able to start because winspool.drv cannot be found.the reinstallation of this application can solve the problem."

*Some other Anti-keyloggers:

SSAkeylogger Cleaner: http://research.sunbelt-software.com/ssaclean.cfm

Kldetector: http://dewasoft.com/privacy/kldetector.htm

*Jrcates: UnHackMe monitors (not scan) binary files and almost registry in real time.
Some rootkits (and keyloggers) have the ability to hide keys from the registry and this product has the ability to detect them (specifically "service" keys).This problem is related to Native APIs.
The demo simulates only what you should do to stop/clean the rootkit (stop service and remove reg keys).
Personally, i've not seen more easy to use anti-rootkit product.

Regards

 

Thank you for that information, kareldjag. I have heard that it is incredibly simple to use, but the demo had no dialogue (volume) or written words accompanying it (it was just a screen simulation)....so it was rather uncertain as to how it arrived at the point in the demo that it did, and how much of a "Help" file or tutorial was provided with the product to explain what steps to take in case a rootkit was detected. Thanks for sharing this info and helping to clarigy this.....

 

Finally finished the tests on Powered Keylogger v 1.1. Tests were again done on a Win xp sp2 test machine. This keylogger seems very similar to our old friend Elite, and seems very difficult to remove. Even SpywareDoctor recommends you attempt to remove it in safe mode. If that doesn't work there is always reformat C.

Security Task Manager again fails to detect the keylogger when it is in stealth mode, but will detect it if out of stealth mode. Alot of good that does you.

Spycop detects PK through a manual scan.

Prevx home again warns of the install of the keylogger (including kernel driver)and will stop it.

UnHackme detects the keylogger.

RootkitRevealer also detects PK.

SpywareDoctor detects PK upon install (and will stop the install) and through a manual scan.

Advanced Anti-keylogger 3.6.1 does prevent PK from logging your keystrokes.

Anti-Keylogger 6.1 also prevents the keylogger from logging your keystrokes.

BlackLight beta detects PK.


The following programs fail to detect Powered Keylogger (which won't be much of a surprise to some) either through manual scans or upon install:

Ad-aware free

X-cleaner free

MSAS

Spybot (including TeaTimer)

Pest Patrol

Ewido free

A2 free

WinPatrol

Keylogger Hunter

 

nice one GQ - not quite in the Elite Class but a stubborn and worthy opponent - most of the heavyweight anti-keyloggers found it - i would have expected better from ewido it doesn't seem to see keyloggers very well. wonder if the paid for version performs any better?

thanks for all the work you are putting in.

 

It would be nice if you can test some of these keyloggers witht the ewido guard and a-squared guard...

Thanks

 

i noticed that some keyloggers like elite need to have admin privileges in order to install - (not so in case of powered k/l)

perhaps another reason to run a limited user account and password protect the admin account.

i did a quick test with - all seeing eye (which doesn't need admin to install) and it alerts to any attempt to install a keylogger (as well as anything else)

 

VaMPiRiC_CRoW,
I have already had both A2 Personal (not free) and Ewido on my test machine for the 30 day trial period, so the only way I could legally test the realtime protection of either is to purchase a license, and I'm not really interested in doing that at this time.

Also here's what Fish had to say about Ewido and its ability to detect keyloggers.
https://www.wilderssecurity.com/showpost.php?p=549190&postcount=11
I'm assuming that applies to its realtime protection as well. Though future versions look to be promising.

I'm not sure the Ewido realtime guard would make that much of a difference anyhow. If you can't detect it with a manual scan, why would using the realtime guard make that much of a difference? It either detects the spyware or it doesn't. From what I've heard the realtime protection in many of these scanners can be less accurate than a manual scan in most cases anyway.

I'm sure A2 Personal would be different, with its Malware-IDS, but like I said it can't be tested on that machine, and I'm not testing keyloggers on my main system. Maybe somone else would be able to test them.


Said by Toploader:
i noticed that some keyloggers like elite need to have admin privileges in order to install - (not so in case of powered k/l)

perhaps another reason to run a user account and password protect the admin account..

i did a quick test with - all seeing eye (which doesn't need admin to install) and it alerts to any attempt to install a keylogger (as well as anything else)



Some good ideas Toploader. Running as non-admin is always a good idea. I've also been checking out All-seeing eye, it does look to be an interesting app.

Like I had said eariler in this thread, and I still feel the same way, it is possible to protect yourself all for free. AntiHook would also provide a good layer of free protection.

I suppose I was just testing the AK/AS programs here to see what they could and could not do, I'm not saying that there aren't other ways. Prevention is always the preferred way to defend yourself in any case.

 

goodquestion.....have you already used the 30 day trial for TrojanHunter, or would you be able to download version 4.2 to your PC and test it for effectiveness against keyloggers (both the scanner and the guard)?

 

Yes, I think I would be able to test that one. As far as I remember I never trialed TrojanHunter on that computer. Ahhhh, yet another app to fiddle with.

 

hi VC - this thread is primarily about anti-keylogger software but feel free to broaden it into other areas of k/l prevention.

there are a number of reasons why an individual may find a keylogger on their machine

1 - jealous husband/wife who suspects their other half of cheating on them.

2 - industrial espionage - many companys use anti surveillance tools like bug sweepers and cell phone jammers - if a rival company could install a trojan employee in the company then he or she could install keyloggers on the computers and email the secrets to the rival.

3 - backdoor trojans - here of course physical access is not needed to install - it can be squirted down the telephone line - it would be nice to have a backdoor trojan keylogger to use for testing purposes - to see just how effective anti k/l software is at detecting intrusion via the internet - maybe i should write to Symantec or McCafee and ask them for one.

the main defence against backdoor trojans imo would be firstline - AV like Kaspersky or NOD32 - second line a memory protector like BOClean - third line HIPS software like Online Armour. depends how important it is to protect your computer to warrant spending bucks to secure it.

like you i want to find out just how much can be done for free.

 

here's a tiny little keylogger called erm tiny

http://home.rochester.rr.com/artcfox/TinyKL

Only 7.50 KB in size when installed.
Logs window title, application path, date and time.
Compatible with different keyboard layouts.
Does not appear in the Task List in Windows 9x.
Does not appear under Add/Remove Programs.
Advanced installer lets you rename every component that gest installed on the target computer.
Can automatically run every time your computer starts.
Tiny Key Logger is Free!

 

goodquestion,
thanks for your explanations

 

the tiny keylogger is quite well known so i would expect it to be found by most detectors - i put the setup file thru virus total - most sniffed it out without much trouble.

 

this is what it's all about detecting this little naughty and all the ones like it....

Srv.SSA-KeyLogger
Risk Severe

Date Discovered
August 09, 2005

Description
The spyware keylogger, named Srv.SSA-KeyLogger is a backdoor program that injects a process into Internet Explorer that opens various ports through which it monitors for certain values typed using your keyboard (i.e.; specific characters, numbers, etc.). When it encounters any of the values for which it is searching, it saves the keystrokes into a text file. When the file reaches a certain size, Srv.SSA-KeyLogger, sends a notification packet with the key stroke information to a Web site so the information can be easily accessed by the person(s) stealing the information. After which, it repeats the process.

Srv.SSA-KeyLogger also adds entries to user computer HOSTS files in order to prevent users from accessing antivirus and security Web sites, redirecting them to the local computer instead. Plus, it harvests data from the temporary Internet files on the user's computer. Srv.SSA-KeyLogger is a new variant of an existing Trojan family known as W32/Dumaru. The web server it reports to is located in the U.S., but the domain is registered to an offshore entity.

Key Facts

* Leaves an extremely small footprint - 26KB.
* Runs under Internet Explorer (IE), so it is generally undetectable by a software or hardware firewall.
* Steals data in the IE Protected Mode Storage area.
* Steals data from the Windows clipboard.
* Steals logins and passwords from a number of programs, including WebMoney.

The Trojan blocks access to the following web sites by adding the following entries to the hosts file:

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 us.mcafee.com/root/
127.0.0.1 www.symantec.com

The Trojan also targets the following programs:

WebMoney
Far Manager
Total Commander

 

and one more....

Horseserver.net, klikfeed.com & Backdoor.Haxdoor.D

This the analysis for the new infection that Hijacks search engines and creates popups. It also logs keystrokes and opens a backdoor to the machine. The keystrokes are sent as an email to an undetermined location.

Symptoms of a HijackThis log are:

QUOTE
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - Startup: winupdate32617713[1].exe

A file similar in name to winupdate32617713[1].exe is placed in the user's startup directory under their profile. The path is:

C:\Documents and Settings\username\Start Menu\Programs\Startup

It then launches the program. The program then does the following steps:

* connects to ftp.freebsd.org. Unknown if this is a type of a DOS or attempting to download a file.

* Downloads /1.gif which is an executable gif.

* Downloads /dllr.exe. When run this connects to /dd/dial.exe?id=1277 and downloads sbar.exe. When sbar.exe is executed it downloads tibs3.exe which is part of a dialer.

* Downloads /search.exe and saves it as a temp file. Search.exe then download and installs bin/BHO.dll. This bho is copied to c:\windows\system32\dsmanager.dll and is upx packed. DsManageris a search hijacker that when you search with www.google.com, www.yahoo.com, search.msn.com you instead get the results back from 61.131.54.618.cc on the first page. This includes their own sponsored links. If you go to a next page it will show the correct results.

Clicking on links in this hijacked search page also opens popups from klikfeed.com

* Downloads /dialers/126099.exe and saves it as a temp file. This installs an app into c:\program files\WebSiteViewer which tells you how to use the adult dialer. It also adds linkes named Youn Teen Sex.lnk to your desktop and start menu. The links point to "C:\Program Files\WebSiteViewer\126099.exe" /ac:126099 /sk:tte /lc: /ul

* downloads /private/X/537.exe which appears to be dialer related.

* Starts popups to /1.html which attempts to install windupdates.

* Adds itself to the Add/Remove programs as MDS Search Booster
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster

* Installs a keylogger which is a variant of Backdoor.Haxdoor.D. This keylogger will log certain keystrokes such as visiting websites, entering forms, writing in notepad or other documents, writing email, etc. The keylogger is installed as a device service on your machine.

 

I made a mistake. Actually I never tested A2 Personal on that computer, only A2 free. I did a check, and there was no trace of A2 Personal ever being installed on that machine. It must have been another computer I was testing it on, which I no longer have now. I've gone through a couple test PC's since last year. But I can't install Ewido again, to test its mem guard, I know that for sure.

So I did test the A2 Personal 1.6 Guard against three keyloggers (Elite, Powered & Martin's Undetectable Keylogger) and here's the results on Win xp sp2.

A2 Guard does block the installation of the Elite keylogger. A2 Guard pops up and says:
File Name: C:\Windows\system32\windump.exe
Diagnosis: Found a possible process Patcher or code injector.

What does this mean?
While executing the program A2 detected a possible malicious behavior. Patching process or injecting code is a technique many backdoors and rootkits use to hide from anti-malware software but is sometimes used by anti-malware software itself. If you don't know that program its recommended to terminate it and send it in for firther analysis.

Also A2 Guard did block the install of Powered Keylogger. Saying:
File Name: C:\Documents and Settings\computer user 1\Local Settings\Temp\is-4BLJ0.tmp
Diagonsis: Program tries to install a service or device driver

What does this mean?
Installing a driver or system service in general is nothing suspicious but it can impact your system security cause it allows rootkits to become active. If you know or install the application above its recommended to allow the program. If you are unsure terminate it and send it in for analysis.


But A2 Guard failed to detect Martin's Undetectable keylogger. It seems not much does yet detect this keylogger. But overall I really like A2 Guard. I think it does a good job helping to explain what the warning is all about better than some of the other IDS type programs available. A2 Guard get's a thumbs up from me.

I also tried TrojanHunter 4.2 against the same three keyloggers (Elite, Powered & MUK). TH 4.2 failed to detect all three either through its realtime protection or a manual scan. But then TH is mainly for trojan detection anyway and not for the detection of keyloggers.



Nice work by the way Toploader.

 

Sent this test to the a-squared team

And I doubt that the ewido guard detects these keyloogers because is more weak than the ewido scan on-demand...

 

Yes, that's what I've heard. But it would still would have been nice to be able to test it. Maybe on my next test computer.

 

As far as an anti-spyware/trojan/keylogger product that specializes in keylogger detection and offers a free trial period, which software would anyone suggest to try? Spycop? Any others?

 

No, the guard is NOT weaker, it uses the same engine but without the archive scanning... It also does a memory scan like BOClean...

 

Thanks for the correction...

 

If you don't mind my asking, what DOES detect Martin's Undetectable keylogger ? googling or searching this forum didn't turn up much

also, i'd be interested as well to know what the currently recommended anti keylogger software would be (joining JRCATES's question), if such a recommendation could be given that is

cheers

 

Freakazoid

I didn't try PG on it just KIS's PG but in my post I mentioned BoClean did detect it. Fish claim A Squared has a mem scanner also but he or anyone else did not mention if they tried the paid on Martins.
From what I understand ALL keyloggers use windows hooks unless they used high level code.
We also know alot of games, mouse drivers ect use hooks which leave alot of false possitives for scanners. No I am not one of those that freak out on every little false possitive. I would rather a good generic protection do more then less and if it creates some false possitives, no problem.

But Alais BoClean has no trial.

controler

 

thanks...