This could be a problem!

Discussion in 'Trojan Defence Suite' started by lizardqueen, Jun 13, 2005.

Thread Status:
Not open for further replies.
  1. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Hi, I thought I was pretty on top of the malware, but this has me stumped.
    I recently installed a key logger/monitor for a concerned parent and decided to install it on my own computer to see if my anti-malware software would find it. The name of the monitoring software is: "007 spy software" and it's made by www.e-spy-software.com.
    I used Spybot and a quick scan with TDS-3 and neither one found it. I also have Winpatrol running and it did not warn me, but Winpatrol did show a new startup item listed called winservice32. This is pretty scary because if this was not my computer which I know extremely well, I probably would not have caught this entry. This particular spyware takes screen shots, and logs keystrokes. If these tools can not find it what chance the does the average home user have to discover it?
    Does anyone have any recommendations for definitively finding this type of malware? This same company also offers a version that you can attach to a word document for covert installation. I would really like a reliable way to find and unmask these things. I posted this in another forum (not wilderssecurity), and got the brainless response that anti-malware tools are not meant to detect and remove legitimate programs that you pay for and install yourself. My point is obviously that such a tool as this could be installed without your consent and a reliable way to detect and remove it is necessary.
    Any help would be appreciated.

    Laura
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi lizardqueen, the link you provided is for a commercial keylogger and as such is normally classed as bona fide. Although you and I may not like it, this type of software is not classed as malware. TDS3 does identify some of them.
    For the AV/AT/AS companies it is a hard call: if they procure such software then they can detect it and give a description, or possibly ask what action should be taken, but the cost of this could be very high.

    There are specific anti keylogger programs that will probably detect commercial keyloggers.

    Prevention of keylogger install can be achieved using programs such as ProcessGuard.

    HTH Pilli
     
  3. FanJ

    FanJ Guest

    Hi,

    In addition to what Pilli already posted:

    When I look at the Primary List of TDS-3, I see mentioned
    Monitor.007SpySoft.306
    So I would guess that TDS-3 could catch it.
    You wrote that you did a quick scan with TDS-3.
    I'm wondering what would happen if you would do a full system scan with TDS-3.
    You can submit the files to Gavin : submit(at)diamondcs.com.au


    BTW:
    Symantec site:
    http://securityresponse.symantec.com/avcenter/venc/data/spyware.007spy.html
     
    Last edited by a moderator: Jun 13, 2005
  4. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I was infected by a similar program about a year ago, called 'Realtime Spy' http://www.realtime-spy.com/ . I only noticed something was up when I noticed SVCHOST was connecting to an IP address I did not recognise. After a bit of detective work, I found the keylogs that it had uploaded to the server; it had grabbed my credit card details, address, and various passwords. Needless to say I was horrified. I cancelled the cards and changed all passwords, and then sent a strongly worded email to the CEO of the company. He simply said it was not their problem and if I wanted to know anything else then I would have to get a lawyer to subpoena them!

    Since then I have tightened up my firewall rules, installed PG and TDS3 and changed from Sophos AV to NOD32.

    These 'legit' programs are as much of a threat as any trojan, and should be treated as such.

    Tom
     
  5. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thanks for the response. I'm glad that some see this could be a problem. Just because a program is sold legitimately doesn't mean it will be used so, or that no one will reverse engineer it to suit their purpose. I believe that IT personnel should have the tools to discover all types of potentially dangerous software. That being said, as frogfoot said, my firewall did pick up on the svchost accessing the net. Winpatrol, which I believe is similar to ProcessGuard, did not alert me to a new startup process/service. I will give ProcessGuard a look though. The full system scan of TDS-3 did not show any alarms, but because I am a relative novice with TDS-3 it's possible I missed something more subtle. As FanJ suggested, I will submit the scans. Again, I am not a victim of this software, but I have a curious mind and need to know how things work. I would like to understand how this particular program and others like them work.
    I used RootkitRevealer and it found the folder where the logs and screen shots from the keylogger were stored, which is helpful if you suspect a keylogger is present. But if they were uploaded by FTP at regular intervals the folder size could be kept small.

    Thanks again
    Laura
     
  6. FanJ

    FanJ Guest

    Hi Laura,

    Yes, please submit the files that this program ( :rolleyes: ) has put on your system !
    Thanks !!! :D

    And if you're on W2000 or XP, please have a look at ProcessGuard !
    Although I myself cannot run it on my old W98SE box, it is most definitely a program to look at ;)
    It's one of its kind (or how do you say that in good English...).

    Cheers, Jan.
     
  7. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    I'm sorry if this is obvious, but which files would you like me to submit?
    I thought you meant the log found in the TDS-3/logs directory.
    Is this correct?
    Laura
     
  8. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    You need a keylogger detector like SpyCop to be reasonably sure of detecting these things.
     
  9. FanJ

    FanJ Guest

    Hi Laura,

    If I understood you right, then TDS-3 did not detect it on your system.
    Do I understand that right?
    If TDS-3 indeed did not detect it on your system, then I would think that there is hardly any use of submitting the TDS-3 log.


    You installed that keylogger on your system.
    So, submit the installation file for that keylogger to Gavin so he can have a look at it.
    But maybe the installation file is too big to submit; I don't know.

    I have to admit that I still don't understand why TDS-3 didn't detect it on your system, having seen that one in the Primary List of TDS-3.
    But maybe I'm making a mistake here.

    I will ask Gavin if he would have a look at this thread.


    Regards, Jan.
     
    Last edited by a moderator: Jun 15, 2005
  10. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    439
    You should run snoopfree (also free software), which will alert you to any program that tries to hook the keyboard or read any open windows without permission.
     
  11. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thanks for the help. Because this program is stealth, it's not easy to find all the files. I found the uninstall.dat file and took a look. This might be what you need. It looks a bit like this (this is only the first few lines):

    Inno Setup Uninstall Log (b) 007 Spy Software
    007 Spy Software  " m 
    COMPUTERNAME Owner
    Katz;C:\Program Files\Common Files\Microsoft Shared\DAO\System32
    C:\WINDOWS\ssmon.pasÿ 
    !C:\WINDOWS\system32\ssWebSite.urlÿ   
    C:\WINDOWS\system32\ssfaq.urlÿ  
    C:\WINDOWS\system32\ssmon.lnkÿ

    If this looks like what you need, I'll submit it. Also this program can be downloaded from http://www.majorgeeks.com/download3939.html
    -if that helps.
    I'll give spycop a look and I am also playing with processguard.
    I just want to know that if I get a call from someone who suspects they are being monitored illicitly, I can identify and remove such a product. The scary thing is that there are no symptoms of malware to alert me. It's just disconcerting, while thinking you are smarter than the average bear and therefore less vulnerable, that a simple, easy-to-obtain program such as this could do so much damage if misused.
    Laura
     
    Last edited by a moderator: Jun 16, 2005
  12. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Thanks for the link, will grab this now and add detection
     
  13. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thanks Everyone. Beyond just finding it, I would like to better understand how a program such as this functions. Does this function as a root kit?
     
  14. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Thanks Rollers! snoopfree nailed the keylogger instantly. I can now relax a little. This is interesting how these things work.
    Laura
     
  15. Kuno

    Kuno Registered Member

    Joined:
    May 10, 2005
    Posts:
    9
    Best defense with this is a firewall. If it logs the info, it will try to send it out. Then it is caught. Other than that, Ad-Aware and Pest Patrol seem to do well with them. At least I think I remember Ad-Aware doing well, but I know Pest Patrol goes after them... as well as everything else including the kitchen sink if you want it to.
     
  16. lizardqueen

    lizardqueen Registered Member

    Joined:
    Jul 18, 2004
    Posts:
    8
    Kuno,
    The firewall did not block this application because svchost had permission to access the internet. Simply blocking svchost would not be a solution unless you were sure which process was using it to access the internet.
    Laura
     
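    One defender-side way to do what Laura describes, working out which service inside an already-permitted svchost.exe is the one talking out, written here as an added example and not taken from any post or tool in this thread: it parses constructed samples of "netstat -ano" and "tasklist /svc" output, joins them on PID, and flags svchost connections whose hosted services are not on a known list. The addresses, PIDs and the assumption that winservice32 is hosted by svchost are all made-up sample values.

```python
import re
# Constructed "netstat -ano" output; the addresses are made up, not from the thread.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED     1120
  TCP    192.168.1.10:1046      203.0.113.7:21         ESTABLISHED     1204
  TCP    192.168.1.10:1047      198.51.100.9:443       ESTABLISHED     2396
"""
# Constructed "tasklist /svc" output; winservice32 (the startup name Winpatrol showed) is assumed hosted by svchost.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1120 RpcSs
svchost.exe                   1204 Dnscache, winservice32
firefox.exe                   2396 N/A
"""
# Services one expects inside svchost; anything else is a lead to check, not a verdict.
KNOWN_SERVICES = {"rpcss", "dnscache", "lanmanworkstation", "eventlog", "dhcp", "wuauserv"}

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) per socket line (state is '' for UDP)."""
    conns = []
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$", line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append((proto, local, remote, state or "", int(pid)))
    return conns

def parse_tasklist(text):
    """Map PID -> (image name, [hosted service names]); header lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+\.exe)\s+(\d+)\s+(.*)$", line)
        if m:
            image, pid, svcs = m.groups()
            names = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
            procs[int(pid)] = (image, names)
    return procs

def suspicious_svchost_connections(netstat_text, tasklist_text, known=KNOWN_SERVICES):
    """Each established svchost connection whose hosted services include an unknown name."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        image, svcs = procs.get(pid, ("<unknown>", []))
        if state != "ESTABLISHED" or image.lower() != "svchost.exe":
            continue  # listening sockets have no peer; other images are not svchost-hosted
        unknown = [s for s in svcs if s.lower() not in known]
        if unknown:
            findings.append({"pid": pid, "remote": remote, "unknown_services": unknown})
    return findings
```

    On the sample data this returns the single svchost.exe connection (PID 1204 to 203.0.113.7:21) with winservice32 as the unrecognised hosted service, which is the lead to investigate rather than blocking svchost outright.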
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Port Explorer can tell you in a blink of the eye and you can manage such connections, sniff and block and kill such processes, etc.
     