Summary of Anti-keyloggers

Discussion in 'other anti-malware software' started by toploader, Aug 24, 2005.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest


    Another way to sometimes get a LIC is to find a bug and submit it after they give you a LIC :D

    BTW This is a much prettier site of Raytown. I like the female robot.

    http://www.keyloggers.com/

    controler
     
    Last edited by a moderator: Sep 19, 2005
  2. controler

    controler Guest

    "Today our products and custom solutions may be found in more than 80 countries all over the world including a large number of Fortune 500 companies, law enforcement, government and military agencies."

    Not to pick on any one company or even say it would be a wrong thing to do but when I see this kind of about info, I wonder how many private builds are out there and that they don't somehow fall in the wrong hands. Any version of software that gets a multiyear contract and maybe even an extended service contract to keep it undetectable. It would be worth the monies I am sure.

    controler
     
  3. controler

    controler Guest

  4. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
  5. goodquestion

    goodquestion Guest

    Re: Introduction to keyloggers


    Nice find Toploader. That article really explains things well, but one thing I did notice they left out is that virtual keyboards, like the free Windows on-screen keyboard, won't stop all keyloggers from logging your keystrokes, even when hover mode is used. So you can't always rely on a virtual keyboard. They work well against hardware keyloggers though. :)
     
  6. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi GQ, seems to me that one way to defeat all keyloggers would be voice recognition - something that has never really taken off.
     
  7. goodquestion

    goodquestion Guest

    Thanks for posting the link to those keyloggers Controler, but I don't think I'll be testing any of them. I am willing to test single keyloggers, that use unusual techniques (other than hook based), if others post about them here and ask to have them tested, but I'm not going to just test a bunch of common keyloggers off some website.

    Besides we should all have a pretty good idea by now.....which of the more common keyloggers will be detected by which AK's at this point.....right? ;)



    Toploader, sounds like voice recognition is something worth looking into. I wonder though if it can distinguish the difference between your actual voice and a good quality recording of it, that could possibly have been recorded with a hidden audio bugging device of some kind.
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i think the voice recognition would also have to recognise a user before going to the pub and after (6 pints later) :D
     
  9. goodquestion

    goodquestion Guest


    So this is something you have a lot of experience with? ;) :D
     
  10. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    just thinking of all possible scenarios GQ ;)
     
  11. goodquestion

    goodquestion Guest

    For those that may be interested, I recently decided to do a few tests with Online Armor 1.1 against 3 keyloggers (Elite, Powered & MUK) and here are the results.

    OA 1.1 blocks the install of Elite and Powered keyloggers, and will stop MUK from starting, but I didn't test OA against MUK before it was posted and talked about in this thread.

    Though OA does not prevent the keyloggers from logging your keystrokes if they are allowed to install. That includes all three (Elite, Powered and MUK). So if someone was able to install one of these keyloggers on your computer, OA would not stop them from logging your keystrokes.

    OA seems very similar to the way SpywareDoctor stops keyloggers from installing. Once the keylogger is installed, neither program does anything to stop them or warn you that you're being keylogged.

    I also still like the warnings you get from A2 Personal's guard over the warnings I got from OA. A2's warnings seem to explain things more to my liking.

    Here's a warning message from OA when I was installing Elite:



    An unknown program is trying to run

    The program ek_setup2.5.exe, located in C:\documents and settings\computer user 1\desktop is trying to start. Online Armor does not recognize the program. Only open it if you are sure you know what it is. While this information can be forged, it may help you to decide whether to trust this program.

    Product name: (blank)
    Version: 2.5.0.0
    Company: Wide Step Security software



    All the warnings are very similar sounding to this. While there is some information that a new program is attempting to install, it's not telling you it looks like it's some kind of malware or is using techniques similar to some malware, as A2 Personal guard did. You get a very generic warning from OA. But overall OA is not a bad program imo, and does successfully stop the install of all three keyloggers. :)
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks GQ - i was wondering what OA would make of them.

    the fact that keyloggers can do their stuff without further hindrance once installed makes the case for layered protection - i think it's good to have a manual scanner like spycop up one's sleeve just to double check all is ok.

    also having the means to lock a computer if it's unattended (e.g. in an office environment) would stop someone from being able to manually install a logger while you were away from it.
     
    Last edited: Sep 25, 2005
  13. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi there,

    We'll be doing some work on the error messages that get mangled when there is no version information.

    There is a separate keylogger warning inside OA if it is using a technique that OA picks up on - but in these cases and for the current release of OA, that is not the case. (Normally, it would give a warning along the lines of "A program capable of recording your keystrokes has started" - I think the DCS example keyboard hooker will trigger this message.)

    The undetectable keylogger is interesting; Someone [on my team] is going to take a look at how it works soon enough, but right now we're coming up to the end of a pretty large reworking of OA so everyone is busy on that, along with multilanguage issues and a few other interesting bits and pieces.

    FWIW - Normally if there is a test program listed, I don't add them to OA's list as "not trusted" as this would present an unfair test. The only time I would update OA with something like that is if it were malicious, or we'd figured a generic way to block/detect it.


    Cheers

    Mike
     
  14. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    there are two scenarios for software keyloggers

    Installed on your PC manually by someone who has gained physical access.
    Here HIPS systems would be of little use because on installation the installer can reply to the HIPS that it's a trusted application when an alert comes up. By the time you returned to your PC you would be none the wiser. Locking your PC so no one else can gain access while unattended would be the logical solution to this one. Advanced Anti Keylogger should stop the logger from recording.

    Installed remotely probably by a backdoor trojan.
    This is a more likely scenario - here i would expect HIPS and a good AV to pick this up on download and/or installation. (i include anti execs like BOClean and UnhackMe and realtime anti spy like Counter Spy and Spyware Doctor here)

    For those without HIPS or a good AV then a good keylogger scanner like Spycop that can detect stealth mode kernel loggers is vital.

    to stop keyloggers undetected by first line defences from recording your key strokes - Advanced Anti Keylogger 3.6.1 would seem to be the solution.

    products like AVG, MSAS, Ad-Aware, Spybot and Ewido currently do not offer adequate keylogger detection.
     
    Last edited: Sep 25, 2005
  15. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Keylogger News from around the world

    Why you need protection against hard and soft keyloggers...

    In 2004, Nguyen Van Phi Hung, a computer engineering student at the National University of Singapore, was sentenced to 20 months in prison for using a Trojan horse program to steal passwords and user IDs from other students. He ran a program called Perfect Keylogger on a web page where he posted an online game. Hung then sent a hyperlink to the game to his fellow students so whenever one of them played, Perfect Keylogger would be installed on their computer and Hung could capture their information. He used a fellow student's online bank account to purchase $947 worth of prepaid phone cards and a $138 magazine subscription.
    **********************************************************

    A sixteen-year-old high school student in Fort Bend, Texas, has been arrested for stealing the answers to an upcoming exam. He did it by installing a key logger (a device which records which keys are pressed on a computer keyboard when somebody types) on the teacher’s computer. The boy put the device, the size of a pen cap, on the back of his teacher’s computer when the teacher was not looking, and it remained there, capturing every keystroke, for four days, until the boy was questioned for trying to sell exam answers, and he confessed.
    **********************************************************

    Keylogging software was discovered in 2003 at more than 14 Kinko locations in New York. The perpetrator, Juju Jiang, pleaded guilty to installing Invisible KeyLogger Stealth software and using it to open bank accounts with the names of some of the 450 users whose personal information he collected. Also in 2003, Valve Software founder Gabe Newell found the source code to his company's Half-Life 2 game stolen after someone planted a keylogger on his computer by taking advantage of a Microsoft Outlook flaw.
    ***********************************************************
     
  16. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    and a few more....

    Sunbelt Software Inc. says it has identified the keylogging spyware that is feeding sensitive personal information to the "massive identity-theft ring" identified by company researchers last week. According to the Florida-based security software company, the keylogger is named Srv.SSA-KeyLogger. It's a variant of a family of Trojans sometimes known as W32/Dumaru. Trojan programs by definition do not spread. Users typically download them onto their PCs without realizing it, or they acquire them through other malware.

    According to Phil Owens, product manager at Sunbelt Software, the keylogger is known to be present in adware downloads offered at certain porn and hacking sites. He says that users of unpatched Windows systems prior to Windows XP SP2 can have their PCs infected simply by visiting one of these sites. In other instances, a confirmation dialogue box may be the only warning that a dangerous download is about to take place. This particular malware, the company warns, steals data from users' Internet sessions, including logins and passwords from online banking sessions and E-commerce sites, and from Internet Explorer's Protected Storage Area, which can contain personal information for use with the browser's Web form AutoComplete function. Specifically, it captures browser window titles and keystrokes when it detects words associated with financial interactions -- including "bank," "casino," "eBay," "login," and "PayPal," to name a few.

    Because it runs under Internet Explorer, company president Alex Eckelberry notes in his blog, the keylogger "is generally undetectable by a software or hardware firewall." It also turns off the Windows firewall. What's more, the keylogger blocks access to the Web sites of many anti-virus security companies by altering the hosts file on infected machines. Sunbelt Software, ironically, isn't among the companies listed. Once the program has captured enough data, it sends the information in a text file to a remote server where the information is presumably harvested by criminals. This server, Sunbelt claims, is located in the U.S. but registered to an offshore entity. As of Thursday morning PST, the server was still active.
    **********************************************************

    British authorities stymied a massive bank heist that reportedly was dependent on a keylogger, the same kind of spyware that has jumped three-fold in the last year and puts consumers at risk from hackers and phishers. According to reports in the British media from the BBC and the Financial Times, among others, the scheme was set to steal 220 million pounds ($423 million) from the London offices of the Japanese bank Sumitomo Mitsui. The National Hi-Tech Crime Unit (NHTCU), the country's cyber-cops, began investigating last October after the bank discovered that hackers had infiltrated its network and were using a keylogger to capture keystrokes. Police arrested an Israeli man, identified as Yeron Bolondi, 32, in Israel after an attempt was made to transfer 13.9 million pounds ($26.8 million) into an account there. All told, the gang was planning to transfer the $423 million to 10 different bank accounts, said police. The NHTCU would not confirm whether the keylogger was planted by an inside accomplice, or inserted by hackers working outside the bank's network.

    "From what we know from our SpyAudit data, there's a good chance this wasn't even a planned attack," said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based anti-spyware vendor Webroot. According to Webroot's SpyAudit (a free spyware auditing tool it makes available on its own site) 15 percent of enterprise PCs tested have a keylogger already installed. "They could've gotten a keylogger onto the bank's network by tricking an employee (in a phishing-style scam) or walking into the bank and sitting at an employee's terminal," said Stiennon. "But why Sumitomo? Why not a bigger bank, like Barclays? It may be because they broke into the network another way and only then noticed that a machine was already infected with a keylogger. "It reminds me of how Microsoft was hacked back in 2004, when a Microsoft developer's home computer led the hackers into Microsoft. The same thing may have happened here, where the thieves recognized that they'd hit the mother lode by stumbling across the keylogger-infected system."

    Keylogger infections have exploded in the last year. British security firm Sophos said that the number of keyloggers it's spotting daily has jumped three-fold in the past 12 months. "It all comes back to this ongoing trend of more and more malicious code being developed with keyloggers," said Gregg Mastora, a senior security analyst with Sophos. Criminals have pushed especially hard the last three to four months. "Clearly, [they've] upped their efforts online," he added. "A keystroke logger is just like a thief looking over your shoulder as you type in your PIN at the ATM. Except in this case, you never leave the 'security' of your own home, and neither does the thief."
     
    Last edited: Sep 25, 2005
  17. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    So, what are your recommendations to protect us against keyloggers?

    I only use Outpost Pro, NOD32 and WinPatrol PLUS for my active protection and never had problems...
    For demand, I have ewido plus, UnHackMe Free and CounterSpy...

    I'm waiting for the next versions of AntiHook and ProcessGuard...
     
    Last edited: Sep 25, 2005
  18. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    i think it's best i don't give recommendations VC - i can only go on what i've read here of GQ's tests like you.

    my main concerns are to stop keylogger backdoor trojans.

    from what i've read so far don't use IE for one thing.

    Winpatrol should protect you from autostarts being added to the registry and also checks the HOSTS file for changes. i've only got the free version so i don't know how good R.I.D is. From what i remember of GQ's tests Winpatrol (free) didn't detect much.

    i've had no experience of Nod so don't know how good its keylogger detection capabilities are.

    Outpost should block the keylogger from transmitting out - but there are trojans that can bypass firewalls.

    UnHackMe performed pretty well i believe.

    A HIPS system like PG or OA should stop unknown processes from starting but if you have told them you trust the application not realising there is a trojan hidden inside your trusted program then Advanced Anti Keylogger should stop keystrokes being recorded.
     
  19. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
  20. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    thanks for the link VC - would be nice to check how WP-Plus performs against the loggers we have tested here - if there's anyone out there with a copy who fancies a go - please let us know.
     
  21. Mikkey

    Mikkey Guest

    Having the following on your system should keep you pretty safe from Keyloggers.
    Security Task Manager
    A-Squared personal with Guard enabled
    Spycop

    I'd be amazed if there is a keylogger out there that can bypass those three.

    M.
     
  22. goodquestion

    goodquestion Guest


    Interesting, so it sounds like the current release of OA will only detect hook based keyloggers, with its internal warnings....for the most part, and not kernel based. But if I was going to do more tests of OA, against hook based keyloggers, I would use real keyloggers not a simulated test program. But I suppose it might be fun to try the DCS keyboard hooker some time.

    As far as MUK goes, what if someone modified the current version of MUK so it was hidden? I don't think it would be that hard to do. So, though it is a test program right now, it could easily be a hidden keylogger, with a little modification.
     
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Exactly right. We're working on the detection of Kernel mode keyloggers as we speak, amongst other things.

    I have tried OA against a number of keyloggers - one in particular was interesting... sat there in the background, only grabbing a hook when you went to certain online banking sites. Nasty stuff.

    If someone modified MUK (we know the method used now, so that will be in the next major release of OA), it would depend upon how it was hidden.

    At the current moment, if it was hidden inside the Kernel then the current release of OA may not get it (assuming it was installed before OA) - but we're lifting our game on the detection of Kernel mode stuff in future releases.

    I don't pretend for a moment that OA is perfect at catching everything - but it's going to get lots of work over the coming months to get it as close as we can to that state.


    Mike
     
  24. goodquestion

    goodquestion Guest

    Thanks for your input here Mike. It sounds like OA is shaping up to be one decent program. Though if you want my humble advice, I would avoid turning it into one big suite that tries to do it all, because if some clever hacker comes along and figures out a way to disable OA, you could end up with little or no defenses.

    I know it's probably been said a million times, and I don't want to sound redundant to anyone who may be reading this, but that's why I like to layer my defenses by using multiple security programs from different companies. Many programs together, and yes some that overlap somewhat, for your defenses against malware provide a virtual fortress, and will give you that extra edge that may just save your bacon someday.

    Same goes for keylogger defense. Multiple anti-keyloggers together provide the strongest defense against keyloggers. Though not all AK's are created equal, and they all won't find all of the same keyloggers. It's just plain smart to have more than one AK imo.

    Of course you could just rely on HIPS programs like AntiHook (free), OnlineArmor, ProcessGuard, Prevx Home (free) or A2 Personal guard to prevent keyloggers to begin with, if you think you can handle these programs. But many of these HIPS programs just don't explain their warnings clearly enough imo, especially for newbies. I still like to have AK's around because these HIPS programs are not completely foolproof.
     
  25. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Good point. With OA we're trying to make a simple package, multiple chances to stop the bad guys - and make it as easy as possible.

    We're working on updates, 1.2 and other nice interesting things around it to try and make it easy to understand, simple and unobtrusive to use - and thorough protection.


    Mike
     