Discussion in 'privacy technology' started by luv2bsecure, Feb 9, 2002.
Glad to hear so
Looking forward to a full test myself!
I tossed those two posts I found into the mix only because I had finally gotten around to visiting the GRC forums for the first time in three days and they kind of leaped out at me.
I, too, found the second one interesting, in that it was good to know that: "SpyCop does not go by filename, therefore autorenaming does not affect its scanning capabilities." Apparently, auto-renaming is one of the ways KL programs avoid detection and SC takes that into account.
Sidenote to John - I'm all for programs that do the job quicker and easier, as long as I'm getting equal (at least) protection.
The first post I linked to stated: "But it will not detect keystroke programs that are not in the public." (That was in reference to WWM). I took that to mean that the more sophisticated (pay) KL programs wouldn't be detected. Note: Have no idea whether the individual quoted knows what he's talking about or not - just thought it was an interesting comment. Haven't had a chance to get back there and follow the thread yet.
Also, I recently had contact with someone who's had problems getting SC to work (he didn't try the trial version first, and there seems to be a system conflict preventing the program from working - that could be why they have the trial version set up like they do). I'll keep us posted on that situation and SC's response to it, too.
Anyway, I gave him the links for HookProtect, Anti-Keylogger and WWM to give him something else to work with while he gets the other sorted out (I'll let you know about that, too, if I hear back from him).
Anyway, that's where I'm at with this - let's just find the best anti-keylogger program! Pete
Amen to that - and preferably one which won't let MyJerk Lantern walk all over it.
Check out - I'll tell you what - after reading up on all the capabilities of a program like WinWhatWhere (http://www.winwhatwhere.com/w3i4/index.htm), it's enough to give you the creeping horrors! Pete
Here's an idea. To my great disappointment, my last one (Vegetarian) seemed to go down like a lead balloon, but nil desperandum.
It would seem that anti-keylogging technology is in its infancy, and to date, the keylogger-writers appear to have all the advantages. I'm not suggesting we can obviate signature files or hook detectors, but they've proven to be limited.
I tip my hat to DiamondCS for the basis of this suggestion: a sacrificial goat, like their .COM and .EXE programs which are created to see if they become infected.
In this instance, I propose an application which accepts or simulates keystrokes while (at least apparently) being connected to the Net. Scenario: my antiKL app inputs 30 chars, malware sends 30. My antiKL inputs 50, malware sends 50. A few more tests like this and we know we've got a keylogger. Suppose the malware encrypts, but that will likely involve a fixed proportional output buffer size increase relative to the input. To put it more simply, if it costs two bytes to encrypt one byte, then we will see a string of ten characters input sent as twenty bytes of output. A few tests like this, and for sure we'll know if we've got a keylogger installed.
Thoughts? Praise? Brickbats? Donations? Developers, even?
Short update: I had my facts wrong as re: the individual who was having problems with SC - he was using the trial version, not the full program. I should be hearing from him again - keep you informed. Pete
What if the keylogger logs the strokes to a file and sends the file out only once in a while? What if the keylogger waits for other traffic so it can try to blend in? What if the keylogger uses raw sockets so that it becomes difficult to detect that packets are being sent at all?
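The "sacrificial keystrokes" probe proposed a few posts up, and the batching and blending objections raised just above, can both be tried out in a small simulation. The following is an added example written for this thread, not code from any of the products discussed: the three logger models are toy stand-ins constructed for the simulation, the probe sizes (30, 50, 70, 90 characters) and the 5% tolerance are assumptions, and the outbound byte counts are whatever the toy model returns rather than anything captured from a real network.

```python
# Constructed simulation of the "sacrificial keystrokes" probe: inject a known
# number of characters, count outbound bytes, and look for a fixed proportion.
# All loggers here are toy models written for this example, not real malware.
from typing import Callable, List, Sequence, Tuple

Trial = Tuple[int, int]  # (characters injected, outbound bytes observed)


def immediate_logger(bytes_per_char: int = 1) -> Callable[[int], int]:
    """Toy logger that ships each batch of keystrokes at once, with a fixed
    per-character overhead (e.g. 2 bytes per char for a naive cipher)."""
    def send(keystrokes: int) -> int:
        return keystrokes * bytes_per_char
    return send


def batching_logger(threshold: int = 200) -> Callable[[int], int]:
    """Toy logger that buffers keystrokes and only sends once the buffer
    reaches a threshold (the 'only once in a while' objection)."""
    buffered = 0

    def send(keystrokes: int) -> int:
        nonlocal buffered
        buffered += keystrokes
        if buffered >= threshold:
            out, buffered = buffered, 0
            return out
        return 0
    return send


def blending_logger(cover_bytes: int = 500) -> Callable[[int], int]:
    """Toy logger that rides along with unrelated traffic, so the observer
    sees keystroke bytes mixed into a large, unrelated outbound volume."""
    def send(keystrokes: int) -> int:
        return keystrokes + cover_bytes
    return send


def run_probe(logger: Callable[[int], int],
              sizes: Sequence[int] = (30, 50, 70, 90)) -> List[Trial]:
    """Inject each probe size in turn and record (chars, outbound bytes)."""
    return [(n, logger(n)) for n in sizes]


def keylogger_suspected(trials: Sequence[Trial], tolerance: float = 0.05) -> bool:
    """Flag when outbound bytes are a constant positive multiple of the
    injected characters across every trial (the proportional-output test)."""
    ratios = [out / chars for chars, out in trials if chars > 0]
    if not ratios or min(ratios) <= 0:
        return False
    spread = (max(ratios) - min(ratios)) / max(ratios)
    return spread <= tolerance


def main() -> None:
    for name, logger in (("immediate x2", immediate_logger(2)),
                         ("batching", batching_logger()),
                         ("blending", blending_logger())):
        trials = run_probe(logger)
        print(f"{name:13s} {trials} -> suspected={keylogger_suspected(trials)}")


if __name__ == "__main__":
    main()
```

Run stand-alone, the immediate logger with 2 bytes per character is caught (every trial sends exactly twice the input), while the batching model sends nothing for the first three probes and the blending model swamps the signal with cover traffic, so neither shows the constant ratio the test looks for. That is exactly the weakness pointed out above: the probe only works against a logger that transmits promptly and in isolation, and a longer-running baseline of normal traffic would be needed before the ratio test meant anything against the other two.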
Nice remarks, UNICRON.
In the meanwhile, we have been asked to test and review just another anti-keylogging software: "anti-keylogger" by the vendors. One more on the "to do list".
Anyone interested, have a look here:
Or, to put it another way, we need to have s/w which clearly associates programs with traffic. How wonderful that would be.