Why Is Zemana Antilogger Free Dialing Out While I'm Browsing?

Discussion in 'other anti-malware software' started by itman, Jan 15, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    WIN 7 SP1, IE10

    First, I had a license for the Pro version a few years back and thought I would give the latest free version a try.

    Installed it yesterday. Later, I noticed an outbound connection from Zemana while I was surfing. Thought that a bit odd since I know of no reason why this software needs to connect outbound unless for an update which it does at boot time I believe? More so when I am surfing nonetheless.

Today I thought I would check this out again. Sure enough, I had another outbound connection while I was surfing. It is connecting to IP, 137.117.17.70, domain name, waws-prod-bay-003.cloudapp.net. Cloudapp.net is associated with MarkMonitor which is almost always tracking activity.

Anyone else notice this activity and have an explanation for it?
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes, I'm afraid that certain security tools are kind of shady. It's trying to protect you from loggers, but at the same time is possibly spying on you, how ironic.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    That old American truism always comes to mind to me; "There ain't no such thing as a free lunch."
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    359
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Only features available on the free version are anti-keylogger and SSL protection. Now supposedly, SSL protection includes checking for fraudulent CA root certificate activity. As far as I am aware, CA root updates are few and far between.

    The activity I am observing occurs whenever I connect to a major commercial web site like HomeDepot, Lowes, etc.. Again, sure looks like a dial home on web activity to me.

    BTW - the IP most used is 168.62.20.37. Presently, I am blocking all IPs to cloudapp.net from Antilogger.exe. Also cloudapp.net is a Microsoft server farm.
     
    Last edited: Jan 15, 2015
  6. FOXP2

    FOXP2 Guest

    Too late. By the time you noticed it, they got everything you got. Power down now and get a new computer and change to another ISP. Hurry!! :D
     
    Last edited by a moderator: Jan 19, 2015
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
There's no need for this, I also hate apps that want to phone home. But it seems to be the standard nowadays, I even see Windows 8 doing this for unclear reasons, it's really a shame.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I looked again at the data in TCPView when antilogger.exe dials out and no data is being sent or received. Why it is connecting is beyond me. At this point I suspect it might have something to do with the CA root certificate checking Zemana claims it performs. So for the time being, I will allow its outbound activity and monitor it.

As other people in Wilders have pointed out, Zemana is less than cooperative in explaining the internal workings of the Antilogger product.

    I also noticed a glitch with Thunderbird. Sometimes when Thunderbird opens, the Zemana toolbar icon turns off indicating Thunderbird is not protected. Other times, the icon is green after startup. Finally a few times after Thunderbird startup, the icon turns green after a while.

    I also don't like that Antilogger is using Wininit to do its .dll injection at system start up time. Don't know how they do it in WIN 8, since Wininit injection ability is turned off by default. Last time I saw Wininit .dll injection on my PC, it was from the nastiest malware I have ever encountered. The bugger malware also changed tons of access permissions on my WIN 7 build. I am wondering now if Zemana has done likewise. Most established software like Emsisoft Anti-malware for example does not use Wininit to do its .dll injection. Also Antilogger has injected its .dll into EMET 5.1; again something to wonder about.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
Looks like I spoke too soon. Caught Antilogger in a long and persistent connection uploading and downloading data. That was it for me. I uninstalled it and rebooted.

    After uninstalling, I verified that wininit was no longer injecting any .dll. Guess what? It still was but the .dll did not show up in the event log entry. This is exactly what happened to me previously as I described above. My theory is Zemana is injecting a hidden .dll to do its spyware activities. So I did a system restore from the point prior to the Antilogger install and system is back to normal. My name for this product now is Zemana CrapLogger.
     
  10. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    359
    Interesting. I'm curious as to what other people might think of this. So, with your permission, I would like to link this thread to another forum if you allow it.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    This sounds quite bad, thanks for the research.
     
  12. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    The dlls being injected are easily found in a KeyCryptSDK folder and are by no means 'hidden'. While I agree that they should use a better approach as AppInit is no longer recommended for use by Microsoft, even Windows 8 has it and only disables the use of this mechanism if you use secure boot. If you have UEFI and Secure Boot enabled then I am unsure how they handle this and your assertions may have some merit but my understanding was that secure boot only applies to the pre-os environment. I don't have a spare physical machine that supports it to run tests on and my VM does not include the security package required to enable for testing either so I'm afraid I won't be much help there.

    Setting
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    "RequireSignedAppInit_DLLs"=dword:00000001
    will at least prevent 'unsigned' malware from using it.

    You can also find the AppInit_DLLs entry here and see the dll that zemana, or other software, is injecting.

    If you choose you can also disable it yourself by setting LoadAppInit_DLLs to 0 but be careful as its possible something else you are using will no longer function correctly.

    As for the internet activity it is a common issue with a lot of software these days. However, it can easily be controlled or prevented through firewall rules. I don't like software that does this kind of thing but it can be rather difficult to find proper alternatives that actually respect your privacy without requiring strict controls especially when it comes to 'free' Keystroke encryption on a 64 bit system. If you're truly worried about what it is sending and receiving try looking through the packets or block it from the internet completely and simply check for updates manually.
     
    Last edited: Jan 16, 2015
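The checks syrinx describes above (read the AppInit_DLLs values, see which DLLs they point at, set RequireSignedAppInit_DLLs, and block the program at the firewall) can be scripted. The following is an added example written for this thread, not code from Zemana or from any poster. It assumes PowerShell 3.0 or later run from an elevated prompt; the AntiLogger.exe path in the usage lines is an assumed install location; the New-NetFirewallRule cmdlet only exists on Windows 8 / Server 2012 and later (on Windows 7 the equivalent is netsh advfirewall firewall add rule).

```powershell
# Added example: audit and harden the AppInit_DLLs loader, then block a program's outbound traffic.
# Both the native key and the Wow6432Node key are checked, because 32-bit processes on x64 read the latter.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitState {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # Absent values behave like the defaults: LoadAppInit_DLLs = 1, RequireSignedAppInit_DLLs = 0
        $load   = if ($null -ne $p.LoadAppInit_DLLs)       { [int]$p.LoadAppInit_DLLs }       else { 1 }
        $signed = if ($null -ne $p.RequireSignedAppInit_DLLs) { [int]$p.RequireSignedAppInit_DLLs } else { 0 }
        $dlls = @()
        if ($p.AppInit_DLLs) {
            # The value is a space- or comma-separated list of DLL paths
            $dlls = @($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }
        if (-not $dlls) {
            New-Object PSObject -Property @{ Key=$key; LoadAppInit=$load; RequireSigned=$signed; Dll='(none)'; Exists=$false; SignatureState='n/a'; Signer='' }
            continue
        }
        foreach ($dll in $dlls) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            $sig  = if (Test-Path $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            New-Object PSObject -Property @{
                Key            = $key
                LoadAppInit    = $load
                RequireSigned  = $signed
                Dll            = $path
                Exists         = [bool](Test-Path $path)
                SignatureState = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
                Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

function Set-AppInitHardening {
    param([switch]$DisableLoading)   # -DisableLoading also sets LoadAppInit_DLLs = 0 (nothing is injected at all)
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        # On Windows 7 this value does not exist by default; Set-ItemProperty creates it
        Set-ItemProperty -Path $key -Name RequireSignedAppInit_DLLs -Value 1 -Type DWord
        if ($DisableLoading) {
            Set-ItemProperty -Path $key -Name LoadAppInit_DLLs -Value 0 -Type DWord
        }
    }
}

function Block-OutboundForProgram {
    param(
        [Parameter(Mandatory=$true)][string]$ProgramPath,
        [string]$RuleName = "Block outbound: $(Split-Path $ProgramPath -Leaf)"
    )
    # Idempotent: do not create a second rule with the same name on repeated runs
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Program $ProgramPath `
        -Action Block -Profile Any | Out-Null
}

# Usage (assumed install path for the program being blocked):
Get-AppInitState | Format-Table Key, LoadAppInit, RequireSigned, Dll, Exists, SignatureState, Signer -AutoSize
Set-AppInitHardening                       # add -DisableLoading to stop all AppInit injection
Block-OutboundForProgram -ProgramPath "$env:ProgramFiles\Zemana AntiLogger\AntiLogger.exe"
```

Run Get-AppInitState first and keep the output: a later run that shows a DLL you do not recognise, an unsigned one, or a path that no longer exists is the thing worth investigating. Note the caveat syrinx gives: LoadAppInit_DLLs = 0 also breaks any legitimate product that relies on the mechanism.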
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I originally had LoadAppInit_DLLs set to 0 after a malware incident I mentioned previously. The Zemana Antilogger installer overrode it and changed it to a value of 1. And yes, AppInit is one of the oldest malware infection techniques used.

    I never have found to date any commercially available software let alone security software that uses Wininit to perform .dll injection.

I forgot I had previously enabled CAPI2 event logging. I checked that log this morning and have not had a CA root certificate update since 1/14/2015. So the Antilogger dial outs were not related to that activity.

    I am also a bit upset that EMET allowed itself to be injected with the Zemana .dll. So much for its self protections.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
I've posted about this several times before, but @ the times nobody seemed to care? From memory, Zemana said it was just normal, or words to that effect. Which didn't explain what it was Actually doing! I block ALL Z's outbounds with my FW.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
Actually, this is something that I also don't understand. I'm starting to think that perhaps it's not possible to protect your own process against dll injection. That would be a bit weird, but apparently MBAE and HMPA can also inject code into security apps like Webroot.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    One of the permission categories on this key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, is TrustedInstaller. So as long as the app is in that category, it can update LoadAppInit_DLLs and AppInit_DLLs values.

What I did notice was that Emsisoft's Anti-Malware A2Guard and A2Service were not injected i.e. they blocked the loading of the .dll. I would expect the same from EMET. I did also notice previously when I was using Norton IS, it allowed its Sonar program to be injected with Zemana's .dll.

    Appears to me that perhaps the anti-exploits are actually doing the exploiting .......:cautious:
     
  17. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
That should all depend on details of injection. If a program's dev knows or expects his program will be injected by another program, defending against this is relatively easy (at least against the most common techniques such as LoadLibrary or SetWindowsHookEx). But because denying all injection will surely cause many problems, I'm not sure when injection was unexpected how they can protect their process except for privilege.
     
  18. Emre TINAZTEPE

    Emre TINAZTEPE Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    84
    Hello Everyone,

    I'm Emre, Lead Software Architect @ Zemana :)

    Ouch. That was my first reaction when I read Itman's post against our product. I will try to address each of Itman’s concerns.

    We have strict ethical principles here at Zemana about collecting sensitive user information and to do so would be against our morals and company policies. Our main revenue stream is selling our product, and in our 8-year history, we have never tried to make money from advertising or bundling toolbars. We do collect anonymized statistics, just like any other software product. (You can find them in our Privacy Policy page)

We also have a very clear distribution policy which prohibits bundling our installer, but not every download site respects it and some bundle annoying stuff on top of our installer. In this case you can verify our digital signature before installing our products from third-party download portals.

    Every setup we release to the public is digitally signed with a time-stamp so anyone can use a basic sniffer to verify what kind of data we are collecting in any of our versions.

Our cloud infrastructure is hosted on Microsoft Azure's network (you can read our success story on Microsoft Turkey Blog); the mentioned "cloudapp.net" domain is their cloud service address. AntiLogger Free connects to our cloud every thirty minutes to check for product updates or a new ROOT CA. This can be turned off easily from settings (although we don’t recommend it because we are monitoring major Internet security products inspecting https data with self-signed root CAs).

    I do not know of any dll-injection methods (from kernel APCs to user-mode third party libraries) that aren’t abused by malware like AppInit_DLLs. In our research, AppInit_DLLs was the most stable method, and it works with UEFI Secure Boot if the DLL is properly signed. MS is trying to retire it for other reasons (we can discuss this in another topic).

    And for those of you, who are much more technical, feel free to ask me directly with questions or concerns.

Also, tomorrow we will be releasing a brand new version of Zemana AntiMalware which will be using 10 AntiVirus Engines running in the cloud (Powered by OPSWAT MetaScan Engine) and I will be checking this forum frequently from now on. As always, we appreciate all WildersSecurity members' feedback and we will do our best to improve the new AntiMalware with your feedback.

    Thanks.
     
    Last edited: Jan 20, 2015
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Welcome, Emre!
    I am using ZAL Free and have no complaints so far...
     
    Last edited: Jan 19, 2015
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    About AppInit_DLLs

    The AppInit_DLLs infrastructure provides an easy way to hook system APIs by allowing custom DLLs to be loaded into the address space of every interactive application. Applications and malicious software both use AppInit DLLs for the same basic reason, which is to hook APIs; after the custom DLL is loaded, it can hook a well-known system API and implement alternate functionality. Only a small set of modern legitimate applications use this mechanism to load DLLs, while a large set of malware use this mechanism to compromise systems. Even legitimate AppInit_DLLs can unintentionally cause system deadlocks and performance problems, therefore usage of AppInit_DLLs is not recommended.

    http://msdn.microsoft.com/en-us/library/windows/desktop/dn280412(v=vs.85).aspx
     
  21. Emre TINAZTEPE

    Emre TINAZTEPE Registered Member

    Joined:
    Dec 28, 2014
    Posts:
    84
    I agree, it is frequently used by malware but in the end it is "as the name suggests" injection and regardless of the method used, aim is hooking some APIs to divert execution into your own routines. Using this method won't make malware's job harder or easier since it is just two registry keys which can be abused by malware so easily. The reason we use AppInit_DLLs is, it is currently one of the most guaranteed techniques when used carefully and properly.

As a side note, the reason Microsoft is trying to avoid this feature is, it caused too many issues with deadlocks due to inappropriate implementation by malware which caused too much support cost.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Can you give a bit more info about how Zemana's Anti-SSL Logger works? Does it inject code into the browser to look for changes being made to browser memory? How does it compare to G Data BankGuard and HitmanPro.Alert? Another question: why not make the "SSL-Logger Test Program" available? I suppose the only thing that it does is modifying browser memory (IAT/inline hook), so I don't see why it can't be released.

    http://www.zemana.com/LeakTest/ssllogger-test.aspx
    http://www.surfright.nl/nl/alert
    https://www.gdata-software.com/newsroom/news/article/2720-g-data-bankguard-makes-online.html

    So you are not using SurfRight anymore, any reason for this?
     
  23. FOXP2

    FOXP2 Guest

    Well, excuse me. But noticing an app is connecting out doesn’t mean spying. And is there any disputing by the time the outbounds are noticed, it’s... Too Late! BTW, I meant to add a :D to my post. I brain locked; it’s there now.

    It’s about time! :thumb: Hi Emri. I’ve been for years telling Armagan some one at Zemana needs to get active here. I started the Zemana AntiLogger PRO Thread and Zemana Free now with SSL Protection threads here in the attempt to localize each. (Mods may disagree, but I think the threads should be separate.) I hope you might scroll through those two every now and then for anything you’d like to address. While I've used PRO on a few systems (currently on two) over the past five or six years, I don't use AntiMalware. But in light of a new version, I might start a thread for it, too. Unless you beat me to it...

    So, maybe move this over to the PRO thread? Doesn't make much sense to continue here.

    And MODS: IMHO close this thread??

    Cheers.
     
    Last edited by a moderator: Jan 19, 2015
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    I knew it was meant to be funny, but it's IMO not necessary to be sarcastic about someone who's annoyed by some app dialing out.

    Zemana Free also offers this feature. And it's cool with me if Emre TINAZTEPE wants to respond in some other thread.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    There are more effective and as Microsoft pointed out, less "troublesome" methods of performing .dll injection. Listed below are a few:

    1. Window hooks (SetWindowsHookEX)
    2. CreateRemoteThread
3. ZwCreateThread or NtCreateThreadEx - global method (works well on all versions of Windows)
    4. Via APC (Asynchronous procedure calls)

    The only other commercial software I have encountered in recent history that used AppInit_Dlls was an earlier version of Avast Antivirus. Uninstalling that software caused major problems in the AppInit_Dlls area on my PC. Also as a matter of information, the Zemana AntiLogger uninstaller caused an issue in that it did not set the LoadAppInit_DLLs value back to its previous value of "0" that I had set it to. It left that value either a blank or set it back to its default value of "1." There is also the issue of Antilogger overriding the do not load value I had previously set LoadAppInit_Dlls to rather than terminating its installation.

    But the primary issue of having legit software use the AppInit_Dlls feature for .dll injection is it gives malware an opportunity to add a malicious .dll there and go undetected. It's a given, the average user does not know about Autoruns, the Tools area of CCleaner, etc., or is running software like WinPatrol or the like that inform/alert for AppInit_DLLs loading. He might be sophisticated enough to know to occasionally view his Event Log area. He sees an entry in his warning log about Wininit loading .dlls into every process. It scares the hell out of him. He checks it out and gets advice that is just Zemana Antilogger loading its stuff and that's OK. Later, along comes Mr. Hacker who drops his bad guy .dll into the AppInit_DLLs area. The user once verifying the original Wininit warning message, never looks at it again. And even if he did since only short DOS names are shown, he wouldn't know what was loading anyway. Also remember that in Win 7, the RequireSignedAppInit_DLLs value doesn't exist in the registry, it has to be manually added.
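The scenario itman lays out above (a user accepts the Wininit warning once, then never notices when a second DLL is added, and could not read the 8.3 short names anyway) is a change-detection problem rather than a one-time audit. The following is an added example for this thread, not code from Zemana or any poster: it expands short names through the Win32 GetLongPathName API, keeps a baseline file of the AppInit DLLs already accepted, and reports anything added or removed since. Assumptions: PowerShell 3.0 or later, elevated; the baseline file location is arbitrary; the Wininit warning is looked up as event ID 11 in the System log from memory, so confirm the ID against your own Event Viewer before building an alert on it.

```powershell
# Added example: detect changes to the AppInit_DLLs list instead of re-reading the same Wininit warning.
$BaselinePath = Join-Path $env:ProgramData 'appinit-baseline.txt'   # assumed location

# GetLongPathName turns C:\PROGRA~1\... into its long form so the entry is readable
Add-Type -Namespace Win32 -Name LongPath -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetLongPathName(string shortPath, System.Text.StringBuilder longPath, uint bufferLength);
'@

function Expand-ShortPath([string]$Path) {
    $sb = New-Object System.Text.StringBuilder 1024
    $n  = [Win32.LongPath]::GetLongPathName($Path, $sb, [uint32]$sb.Capacity)
    # 0 means the file does not exist (or another error): keep the raw value so it is still reported
    if ($n -gt 0 -and $n -le $sb.Capacity) { $sb.ToString() } else { $Path }
}

function Get-AppInitDlls {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AppInit_DLLs
        if ($v) {
            $v -split '[ ,]+' | Where-Object { $_ } | ForEach-Object {
                Expand-ShortPath ([Environment]::ExpandEnvironmentVariables($_))
            }
        }
    }
}

function Get-WininitAppInitWarnings([int]$Days = 7) {
    # Assumed: Wininit logs event 11 in the System log when AppInit DLLs are configured
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 11; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Wininit' } |
        Select-Object TimeCreated, ProviderName, Id, Message
}

function Compare-AppInitBaseline {
    param([switch]$UpdateBaseline)   # accept the current list as the new known-good set
    $current  = @(Get-AppInitDlls | Sort-Object -Unique)
    $baseline = if (Test-Path $BaselinePath) { @(Get-Content $BaselinePath) } else { @() }

    $added   = @($current  | Where-Object { $baseline -notcontains $_ })
    $removed = @($baseline | Where-Object { $current  -notcontains $_ })

    foreach ($dll in $added) {
        $status = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        Write-Warning "NEW AppInit DLL: $dll [signature: $status]"
    }
    foreach ($dll in $removed) { Write-Warning "REMOVED AppInit DLL: $dll" }

    # First run records the baseline; later runs only rewrite it when asked to
    if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
        $current | Set-Content -Path $BaselinePath
    }
    New-Object PSObject -Property @{ Current = $current; Added = $added; Removed = $removed }
}

# Usage: run once to record the baseline, then on a schedule or whenever the Wininit warning appears
Compare-AppInitBaseline | Format-List
Get-WininitAppInitWarnings | Format-Table -AutoSize
```

The point of the baseline file is that the Wininit warning itself carries no new information after the first time it is accepted; what matters is whether the set of DLLs behind it changed, which is exactly what a second, unexpected entry would alter.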
     