This Keylogger Defeats Zemana And Comodo D+

Discussion in 'other anti-malware software' started by markedmanner, Feb 2, 2011.

Thread Status:
Not open for further replies.
  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,474
    Location:
    Paris
    Once again, in Zemana open up Settings and click Expert Mode in General Settings and again in Expert Settings.
     
  2. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Hey Guys,

    I wrote 16k in 2007. And until this post on Wilders, no one has ever heard of it. It's a simple program. The source code is available on the website for download and has been for more than a year. It's a proof of concept on how to write a passive keystroke logger. All of this is explained on the website. If you don't know what a passive keystroke logger is, then read the source code.

    I'm sure there are other passive keystroke loggers available (written by bad guys) that go right around AV products and intend to do harm, but 16k is not one of them.

    Edit:

    Here's the source code: http://16s.us/16k/16k.cpp
    Here's who it is written by (me) : http://16s.us/address/
     
    Last edited: Feb 3, 2011
  3. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I think you hit the nail on the head. I am using safe mode not paranoid for CIS. As far as Zemana goes Im not sure why someone else had it catch it. I had Zemana installed with all features enabled. idk I will look into it.
     
  4. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I will try this later today to see if I get a different result.
     
  5. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Needless to say DefenseWall alerts to it and Zemana alerts to it if in 'Expert' mode. Prevx never batted an eyelid.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,416
    Location:
    Outer space
    I have everything on expert mode, which asks for confirmation on every signed applications except signed MS applications, but even with them on ask, it still doesn't ask.

    As I said, I have everything on Expert mode. Besides if you set it to expert in one tab, it is also automatically on expert settings in the other tab.
     
  7. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    The keylogger defeated Sandboxie as well. I opened up the keylogger in a very restricted environment but can still capture my keystrokes in an other sandbox where I keep my browser... however, it's not as if the keylogger can send the sensitive data to anyone as Sandboxie won't allow it any access to the Internet.
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    This is a legit software as that website is the home page of the producer.
    Comodo has digital signature for it, so it's not malicious.
     
  9. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    Could you give more of an explanation? What do you mean by "I opened up the keylogger in a very restricted environment"? What restricted environment?
     
  10. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Comodo doesn't need to be on paranoid to block it. Execution control has to be set limited or higher. Sandbox settings should have automatically trust trusted installes and automatically run installers/updaters out of the sandbox, unchecked.
     
  11. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    This +1
    For better protection on Comodo :)
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
    Not a bypass. SBIE doesn,t block simple keyloggig infact. Not a feature of it i mean. It can however stop the data leak by keylogger according to its configuration.
     
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,049
    Location:
    USA
    Yes, but you might still want to be aware of and choose to block a legit keylogger. Zemana AL has an option to:

    "ignore certificates and ask for confirmation for all keyloggers (so called Employee Monitoring)"
     
  14. osmandemi

    osmandemi Registered Member

    Joined:
    May 5, 2010
    Posts:
    61
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Comodo D+ does have an option to disable auto trusting, it's just their lazy users asking them to white list every single damn thing on earth.

    The first thing i do when installing Comodo is ALWAYS disable auto trusting and deleting the whole vendor list. PERIOD! :D :thumb:
     
  16. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

    The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.


    If nobody in the Norton community used this file then it will give a yellow warning with the following message: You are the first user....

    But you can run the file if you want to run it.

    If WS.Reputation.1 kicks in then Norton analyzes as a threat and removes it from the system.
     
  17. TheIgster

    TheIgster Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    719
    Location:
    Canada
    Not sure about the trusted installers one. What's wrong with trusting their whitelist? Personally I think it makes our lives easier.

    Now the other one, running installers outside the sandbox automatically, I agree with, I think. Why on earth would they have this checked by default? I suppose it allows for easier installations and installations that work, but it also allows nasties to get in much more easily. I am on the fence about this setting.
     
  18. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Nothing wrong if they allowed us to disable it :rolleyes: (With that i mean create my own trusted installer list) :D
     
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    To clarify - SafeOnline does protect against this threat as long as you are typing on a secured website (which is what it intends to protect). The file uses a very simplistic keylogging technique which is blocked by SafeOnline and every other antikeylogger that I'm aware of. We haven't bothered marking it as malicious via signatures as SafeOnline will protect all entered data.
     
  20. Rampastein

    Rampastein Registered Member

    Joined:
    Oct 16, 2009
    Posts:
    290
    KIS also blocks it, if you disable trusting apps with a digital signature on PDM.
     
  21. TheIgster

    TheIgster Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    719
    Location:
    Canada
    I didn't say there was anything wrong with it, I was just curious why people would, that's all.

    I've also seen you use that rolling eyes quite a bit...you do know in what context to use that emoticon right?
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Just for the records... browser security in ZA Extreme jam the keylogger (on defaults).
    The keylogger log keys but the wrong ones... :)
     
  23. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Thats the coldest one:D
     
  24. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Hahaha, i just love using emoticons (I'm kiddy)

    Because, it's trusting things i don't want to, even if it was legit.
    Ex. Let's say your cousin installs a keylogger in your PC made by company Noob, then D+ auto trusts that file because it was signed by company Noob.
    Wait what . . . it's allowing my cousing to keylog me?

    Anyways, why would you trust 99% of those companies if you don't even know them!
    I have read like 1/5 of that list, and i can swear i don't know like 90% of it! (And that's a conservative number)

    It's like trusting your PC to unknown dudes . . . :cautious:
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I do hate the fact there's no easy way to remove all those trusted software vendors from COMODO's trusted vendors list, except removing one by one o_O They are so many! The last time I tried COMODO in a virtual machine (like 2 months ago), there was no way to remove them, other than that.

    Has it changed o_O
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.