Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

  2. controler

    controler Guest

    Oopssss forgot to mention, Give IceSword 1.12 a try also if you think you have some nasty. Look at the SSDT's

    controler
     
  3. Fraekazoid

    Fraekazoid Guest

    Thanks, ill check them out
     
  4. goodquestion

    goodquestion Guest

    As Controler stated BoClean will detect it. I also discovered that Security Task Manager detects it. Sometimes it is helpful to read through the entire thread first, because there you may find the answers you seek. ;)

    Maybe I'm wrong, but it seems to me what JRCATES was asking about was a all-in-one anti-malware detector for spyware, trojans and keyloggers, which is beyond the scope of this thread. If you look through the tests done here, perhaps you'll find a anti-keylogger you like. Good luck. :)
     
  5. passingthru

    passingthru Guest

    The thing is what exactly is Boclean detecting? I thought it was harmless, merely a test. I read that it was picked up because someone submitted a copy, does that mean Boclean will catch all keyloggers using that technique? Or is it merely capable of detecting this specific sample? If the latter, it's not really useful.

    As for preventing keyloggers, I'm not really worried about someone dropping it remotely , other safeguards will kick in, before even the anti keylogger specific precautions get a swing at it.

    Of course, if someone has physical access to your machine to manually install your keylogger, all bets are off.
     
  6. goodquestion

    goodquestion Guest


    Fraekazoid was asking about this particular keylogger, not a modified version, that may or may not even have been developed as of now.

    I'm not sure if BoClean will detect all keyloggers using a similar technique to MUK. I haven't tested BoClean, or know enough about how it detects malware, to be sure. Apparently someone did submit the program to BoClean for analysis and to be added to its defs though.

    But I think you MAY have a better chance to detect a keylogger like MUK, or one similar in design but perhaps modified to be hidden, with a program like STM. Which uses a "generic analysis" approach to find malware, and doesn't rely on sigs of any kind.

    Of course there no guarantees when we're dealing with techniques that could be used by malware, and most of the anti-malware vendors seem to be ignoring or are unaware of at this time.
     
  7. Velocity

    Velocity Registered Member

    Joined:
    Aug 2, 2003
    Posts:
    10
    Hey Guys - some good info in this thread. I know this is focused on anti-keyloggers, but I'd be interested in how a spy program that doesn't log keystrokes is detected by spy scanners. Here is a link to an older but simple one called Screen Recorder which stealthly records screenshots - just as damaging as a keylogger IMHO:

    Direct download link Removed

    No direct download links please. A url is preferred.
     
    Last edited by a moderator: Sep 17, 2005
  8. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    No, I was actually asking if there were any anti-spyware programs that "specialize" or do a particularly effective job at detecting and removing keyloggers and offers a free trial period (i.e. - SpyCop and others). I didn't ask about specific "anti-keylogger" programs because I assume that there are probably only a few, and neither would "scan" in a traditional sense or offer a free "trial" period.
     
    Last edited: Sep 17, 2005
  9. controler

    controler Guest

    passingthru


    From what I know about BoClean, if the nasty is a new code, it's generics may catch it but most nasties are just another form of old stuff, repacked ect. In these cases, Boclean will still detect it.

    jrcates

    Anti-Keylogger 7.0 will be interesting the way it sounds. Untill it is released, You can still always try their current version on trial.

    Found here http://anti-keyloggers.com/

    You will also find very good link at the bottom of the page to learn all you ever wanted to know about keyloggers. Happy reading :D
    Under Library

    controler
     
  10. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks controler....I checked it out, but it seems to be more of a tool to "prevent" keyloggers (from either installing or activating) and doesn't "scan" for them. I am curious as to an effective scanner that would detect and remove keyloggers which are already present on a system. I'm using Spyware Doctor 3.2, A-Squared (free), TrojanHunter 4.2 and Ad-Aware SE (free) for scanners, but Spyware Doctor is to be the only one tested that seems to be receiving good testing reviews for detection and removal. That's why I was curious if SpyCop or any other scanners offer a free trial period.....
     
  11. controler

    controler Guest

    JRCATES

    In the early days Anti-Keylogger did have a scanner but since they are becomming more obsolete, they did away with it. Don't you think a program that is proactive without sigs is better then one that may or may not have the sig for a certian keylogger ?

    controler
     
  12. goodquestion

    goodquestion Guest

    I realize Kevin from BoClean has told you that nearly all malware is just repackaged forms of older things, but I have to disagree. While it is true that certain things will remain the same as far as malware goes, such as new drivers being installed and new start up entries added and what not, but still there are undetectable forms of malware right now!

    So if all the same old techniques are used then why is it possible for the so-called holy father to come out with these rootkits that cannot be detected with ANY of the current anti-malware programs? So Kevin is partly right, but to be completely honest he is not 100% correct that all the same old techniques are used.

    It is very possible to create a keylogger that would be completely undetectable to all available anti-malware scanners. The only reason BoClean is detecting MUK right now is because someone submitted the program to them so they could add the sigs for it. But I'm pretty sure BoClean did not detect it before the program was sent in.

    So I wonder if BoClean could then detect a modified version of MUK that was made to be much stealthier. The way things look now, I don't think it would.... unless it was added to the start up list, new drivers were added, altered the reg in some way etc.... But then again I'm not even sure if BoClean detects all these changes, so it still may not detect it.


    JRCATES,
    I don't like to make recommendations to others on which programs they should use. I would really rather you decide for yourself what you want to use, after you try them out to see what you like best. That being said I know A2 Personal, Ewido, UnHackme, STM, & SpywareDoctor all have free trials. Some of the other programs mentioned here like WinPatrol and Snoopfree do have free versions, if that's what your looking for.

    When it comes to Anti-keyloggers for my own system....I'll just say, I use a few. ;)

    I do think SpywareDoctor does a good job of detecting quite a few keyloggers, and since you already have it that will help some.

    I also have noticed that the combination of STM and UnHackme together seem to detect just about every keylogger around and both are very fast (only take seconds), no wating around for long drawn out manual scans to check your system for keyloggers. Both also detect other forms of malware, besides just keyloggers. But again the decision is entirely yours what you want to use, don't just take my or anyone else's word for it on what is best for you. Best of luck. :)
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In the case of HackerDefender, it defeats rootkit detectors by not hiding from them. To achieve this though, it needs to be able to recognise which programs are rootkit detectors and it is quite likely doing this via signatures (which would be highly ironic, a malware program adopting techniques from anti-virus scanners).
    This comment applies for any security software that works by signatures. Software that works by other means (detecting registry entries or hooks) would fare better, requiring rootkit-level techniques to defeat (assuming their hook inspection was comprehensive).
    Being a memory scanner, BOClean should handle malware encryption/compression quite well though hex-editing would be another matter. As for "stealthier" keyloggers, this really would come down to the evolution of rootkit techniques - it is likely that they will soon reach a point where detectors have to take the bootdisk approach.
     
  14. controler

    controler Guest

    Wasn't Backorffice one of the first great rootkits?
    I think Kevin has been aware of rootkits long before they became a popular
    buzz word on security forums. I do however think we need to keep the pressure on rootkits.

    If you look at my posts, I do use a varity of programs. I use whatever I feel
    like using on any givin week. I have also done my share of rootkit reading.
    And as I mentioned in some of my testing on some of those keyloggers,
    Even though KIS scan didn't pick anything up, but it's PG did.

    Just like not many people posting yet on IceSword here. None showing any experience testing nasties. I have posted a few. Would like to see more however.

    At least I post as a registered poster and am proud to :D

    I really do believe in the proactive stance on securing your PC.

    Yes, It's all good.

    controler
     
  15. controler

    controler Guest

    One thing I will say about IceSword. It has a powerful process terminator.
    It will shut down PG. Or you can force the unloading of mod's.

    controler
     
  16. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I decided to look at IceSword after reading some of your posts.
    It was a pain getting a good connection(on dialup)for the download,but it was worth the trouble!
    What kind of "nasties" are you looking for tests on?
     
  17. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    OK anyone who fancies some keylogger detecting try PC Acitivity Monitor Professional....

    PC Acme™ software family represents a new generation of monitoring products which work on a deep system kernel level as never before. This means protection from detection and removal by special tools, invisibility for firewalls, complete transparency for the user and the operating system.

    http://www.pcacme.com/download.html
     
  18. StevieO

    StevieO Guest

    Hi toploader,

    PC Acme's website looks very similar to the http://www.anti-keyloggers.com website ?

    If you scroll down to the bottom of the page you will see the same type of info on both.

    It could be a clone company, or maybe they are trying to widen their scope !

    Interesting to say the least.


    StevieO
     
  19. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi Stevio - yes you are right - good detective work there!

    a whois on the domain names reveals they are both registered to Raytown Corp (Camden DE 19934)

    it's a great way to sell anti-keyloggers - Mr X wants to spy on Mr Y so goes to the PC Activity Mon website and buys it. Meanwhile MR Y thinking that Mr X is spying on him goes to Anti-Keylogger Website and buys it. Result 2 sales for Raytown.

    the question is does Anti-Keylogger detect PC Activity Monitor Pro? :D
     
    Last edited: Sep 18, 2005
  20. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,107
    Location:
    South Texas, USA
    Besides the free SnoopFree Privacy Shield, what other one anti keylogger program would you use? No one has tested Ewido Active Scanner for keyloggers yet right?

    dja2k
     
  21. Pollmaster

    Pollmaster Guest

    I don't think is correct. Not with the private versions definitely.

    It's the name of the game these days. Good guys and bad guys use the same technique to hide from each other, for termination of their rivals,protection etc.

    I read that any rootkit that can detected without using the bootdisk approach is just a flawed rootkit. :)
     
  22. controler

    controler Guest

    SteveO

    Raytown has been making PC spying programs for years.
    I found Anti-Keylogger by finding the PC monitoring program first.
    I used to complain they were playing both sides of the fence. :D

    They used to post both programs on the same page and so I scratched me head and thought, hum, if they understand keyloggers this much, they should be able to make one of the best antikeyloggers.

    I am sure I still have those old copies laying around from back when they scanned. Raytown then decided to take away as much user interventions as they could. leaving basic things like exclusions.

    I don't even know if my old posts on Anti-Keylogger still exist here LOL

    I tried Privacy Keyboard and I didn't like it as much. That was just my opinion.
    THat was back when I was testing commercial keyloggers and always thought, wow nice code. It would be easy enough to use code like that
    in an unpublic way.

    I am still at question as to what really a rootkit is. If a code hides registry entries and windows files and has a usermode or kernel mode drive alone, is that rootkit. It was common practice to hide everything as much as possiable years ago. Now the rootkit authors think hum, in order to hide from detection we need to unhide but only for a while, NOT fulltime. and me laughing here a bit but leaving booby traps in peices of memory? to do such things as delete the old memory code and move it on to a new spot. Is that morphing code in mem? I don't know.

    controler
     
  23. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,205
    Location:
    USA
    Thanks, gq. Yeah, I have some of the programs that you mentioned (Spyware Doctor 3.2, UnHackMe 2.5, WinPatrol 9.7 PLUS, A-Squared 1.6 free) and am waiting for ewido 4.0 to be released to try. Online Armor, while not tested, has features specific for and is designed to recognize, detect and prevent keyloggers from activating as well....so I feel pretty good about my security set-up in that aspect. I was primarily asking about scanners, just to see if any program excelled at detecting dormant keyloggers already present on a system through scanning techniques.

    Thanks again, though, for all of your testing and for posting the results ;)

    .....much appreciated :D
     
    Last edited: Sep 18, 2005
  24. goodquestion

    goodquestion Guest




    Sadly the trial of PC Activity Monitor Pro 7.4 is only a demo, so any results we get testing it may not be as accurate as with the full product. PCAM was even showing in Windows Task Manager, so I wouldn't think it would be too hard to detect it or stop it. But I did some quick tests on it anyway, on the usual xp home sp2, and of course the latest possible fully updated versions of all AS/AK were used in the tests.

    The following programs detected PCAM 7.4 upon install or through a manual scan.

    Prevx home detects PCAM on install. A few of the detections were Fbclient.dll, Mscvp70.dll, fbserver.exe.

    WinPatrol warns of a new service being added, fbserver.exe.

    Spycop detects PC Activity Monitor through a manual scan.

    Security Task Manager detects PCAM but only rates it at 23%.

    SpywareDoctor detects PCAM (about 370 detections) through a manual scan.

    UnHackme, RootkitRevealer, & Blacklight beta all detected Startdrv.log & Startdrv.sys.


    The following failed to detect PCAM through manual scans.

    Ad-aware

    MSAS

    Spybot

    Ewido (free)

    A2 (free)

    Pest Patrol

    In the future though, I don't think I'll be testing anymore demos, because the test results are somewhat inaccurate compared to what we would get with the full product.

    A fully functional trial version is far better than a demo, and is really the only version(s) that can be reliably tested, outside of purchasing the keylogger.



    JRCATES, I'm glad you found the info on keyloggers here helpful. :)
     
  25. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the test GQ - didn't realise it was a demo - thought it was a trial.

    perhaps Wilders would be willing to purchase a license for testing purposes? :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.