This Keylogger Defeats Zemana And Comodo D+

Discussion in 'other anti-malware software' started by markedmanner, Feb 2, 2011.

Thread Status:
Not open for further replies.
  1. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Private firewall blocked this one :D The HIPS module it got is the killer:D
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Nope, it's still very hard to remove.
    Theres a way to remove from the Comodo files (I don't remember how)
    Anyways, i remove them manually always, and the last time i did (2 weeks ago) it had around 10300 around entries (Not the most accurate but it was over 10k 100% sure), COME ON 10K entries?!? :cautious: :thumbd:
     
  3. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    unfortunately, maintainability of TVL in comodo is poor. Hope they would improve in the upcoming version..

    Thanks,
    Harsha
     
  4. TheIgster

    TheIgster Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    719
    Location:
    Canada
    Well, fair enough, it is easy enough to just turn that option off anyway, but do we know for sure it's that easy to add something to the trusted vendors list? Just because one person says "Yeah, allow that"?
     
  5. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    AppGuard nailed it. Lol
     
  6. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Kees,
    The only reason I check off the first one is I don't trust their trusted vendors list. There have been instances that the "trusted vendor" was scamware or other things such things.

    The second option is exactly why I don't have it checked.
     
  7. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196
    Great :thumb:
     
  8. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    I thought some in the thread my appreciate a brief explanation of how passive key logging works. It's a very basic concept used by many applications. Here's a simple example that many can relate to:

    When you press the P key while playing a video game on your PC, the game pauses. How does the game know to pause? The game is monitoring the state of the P key. Like all keys, the P key has two states (up or down). Now take that concept and begin monitoring the state of all the keys on the keyboard. Loop over and over again very quickly noting state changes. When you do that, you have a passive key stroke logger.

    Pros:

    * Runs as a restricted user. No need for admin rights.
    * More difficult (but not impossible) to detect in general.
    * Simple to write (no kernel hooks, etc.)

    16k was written to demonstrate this concept for educational purposes only. It's not malicious nor harmful. There's no need to distrust my authenticode certs or blacklist my apps. I'm on your side here.
     
  9. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Thanks for writing this little app and pointing this out. I had always been curious about this. Because when I type in Open Office, Word etc.. Zemana and other HIPS never notified me of the program reading my keystrokes. Clearly its a trusted program but I always asked my self what if a keylogger operated in the same way? I would not be even notified of it logging what I type and that is what you have done here. Although CIS and Zemana will both detect it but you have to adjust settings and they will not detect it with the default settings.

    I would also like to see a test against keyscrambler. Has anyone tried this?
     
  10. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Languy99 had a great example of the FAIL of Comodo software blacklist in one of his videos. A piece of malware was installed because of a vendor on the whitelist. See video here: -http://www.tubechop.com/watch/128284-
     
    Last edited by a moderator: Feb 3, 2011
  11. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    5,496
    Location:
    New York City
    Website currently blocked by ClearCloud DNS.
     
  12. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,794
    Spot on:thumb: This works even in Clean PC Mode. I've just checked it..

    Anyway, for those of you worried/concerned over the Trusted Vendors List in Comodo, here's how to clear it:

    1. Go to the CIS install directory and open the 'database' folder:
    C:\Program Files\COMODO\COMODO Internet Security\database

    2. Now, delete the file named "vendor.n". Alternatively, create a fake file with the same name (you can use Notepad) and replace it.

    Repeat this whenever the program is updated.
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Here's how i've arranged my settings, which successfully blocked this ;)

    sett.gif

    s2.gif
     
  14. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Nice tip I also tried the settings recommended and indeed comodo does not have to be in paranoid mode to block this. I think the trusted vendor list and trusting digitally signed installers can mean malware gets installed possibly. This is proof of that.
     
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    This is why, they cause are the LAZY MEMBERS!!
    Okay, i'm fine you do a whitelist but PLEASE, you don't need to add every single thing from the whole internet!

    Specially that the list contains so many random companies IMO. :cautious: :thumbd:
     
  16. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Sadly, you're right. The moron circus has officially started. Go around the clowns: http://74.207.233.100/16k

    Someone should ask them why they waited until now to block it. 16k has been up for years.

    Edit: Our hosting provider is receiving abuse complaints too. Reminds me of the movie "Dumb and Dumber".
     
    Last edited: Feb 3, 2011
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, ClearCloud DNS service for sure isn't that old. You/someone else who visits your website can always submit your domain to be removed, via ClearCloud block page.

    By the way, Paretologic also labels your domain as malicious, according to VirusTotal. Just so that you are aware.
     
  18. 16s

    16s Registered Member

    Joined:
    Jan 7, 2011
    Posts:
    32
    Yes. There are lot's of clowns in this circus. It ought to be a good one.
     
  19. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    567
    Does it block with default settings?
     
  20. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    oh yes didnt do any setting..or any fancy things..it just nails everythings that stinks..:D :thumb:
     
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    So this thread is BUSTED! :D
     
  22. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    You better believe it my good friend:)
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,416
    Location:
    Outer space
    I don't know what was wrong before, but Zemana does block it now.
     
  24. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Software conflict probably? :)
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,416
    Location:
    Outer space
    I thought so too, but can't pinpoint it. Had Trendmicro browser guard installed(seems unlikely product to conflict) when I booted my VM again I was uninstalling BG while I was editing Zemana settings, I tried the keylogger again and Zemana blocked it. However after installing BG again Zemana still blocks it and the settings of Zemana are the default expert settings which I had before as well when Zemana failed.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.