Xenotix Keylogger Test

Discussion in 'other security issues & news' started by CloneRanger, Feb 1, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    First off, thanks to subhrobhandari for posting about this :thumb: https://www.wilderssecurity.com/showthread.php?t=340672
I'd not heard of it before. As PrevxHelp said they didn't detect it, I thought it would be worth seeing what, if anything, might do so!

    I entered into ShadowDefender mode & installed xenotix_keylogger-3.0-fx.xpi into FF v3.6.14. Set 123 as my password.

    No problems installing it etc, then came here & inputted cloneranger & test123 as a fake PW

    x.png

    To view the logs: ALT+SHIFT+\

    x2.png

It opens up another instance of FF & sure enough they are both visible & correct :eek:

    WSA didn't blink, as expected due to PH's earlier comments, & neither did Zemana ! I think this is quite a concern, as both these products are "supposedly" there to prevent keylogging.

    Could others test this on other AntiKL software, such as SpyShelter/OnlineArmor etc etc & post what they discover.
     
  2. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,416
This shows you how useless AV software is. I'd try it on Online Armor but I uninstalled it :cautious: Sorry, not much help.
     
  3. xboz

    xboz Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    3
    Location:
    India
  4. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
Comodo fails with keyloggers too, which past videos etc. will demonstrate.
The Firefox add-on looks interesting though.
     
  5. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
Just tested this with ESET, Avira, Avast, Norton NIS, Kaspersky, WSA, Outpost IS, and BitDefender, as those were the local images I had on hand. None detected this at all, not a peep from any of them. And as you said, it was accurate in its output. Wow, this is def a major issue IMO.... I have a lic to just about every AV out there and will test the rest this weekend to see if any will flag it, but the major players mentioned above don't at this time. Something like this could easily be masked as another "add on" and installed by a user thinking it's something else, and I'm sure someone could figure out how to remotely access the info from it. I'm going to run some more tests and see if I can write something to somehow read the output remotely...
     
    Last edited: Feb 2, 2013
  6. chabbo

    chabbo Registered Member

    Joined:
    Jun 28, 2009
    Posts:
    350
  7. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
Tested also with AVG, as well as Vipre and Sophos. Still no detections from it.

Has anyone removed this and seen anything left from it? Does it remove cleanly? I'll test this later to see. I'm wondering if / what it alters in Firefox and/or leaves anything on the drive from it....
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ xboz

    Hi & welcome. You were quick to hear about this thread :D

Very interesting add-ons you've made! I realise from looking at your www's that it appears you only coded these, & the other stuff, to show what could be achieved, & not for malicious etc. purposes. Well, congratulations on accomplishing your objective, as more of us now know something we didn't know before. A Keylogger can be made that bypasses ALL known detection, so far anyway. POC's such as these should be encouraged, as they force vendors to tighten up their products = :thumb:

    I was pleased to see your comment about the following.

    I intend to try it out soon, & will post back with my results. I hope others will too :)

I noticed that the Options box was greyed out after installing your KL; why is that, & what are they? Also, how do we delete the logs, as I couldn't see a way to do that? Maybe it's in the greyed out Options? But as I can't access them, how to delete them?

    TIA

    @ zfactor

    Hi & thanks for your continuing tests :thumb:

    There is also xenotix_remote_keylogger.xpi available which can upload the captures to an FTP www !

As I was in SD mode, nothing remained after rebooting, so I can't say if it leaves data etc.

    @ chabbo

    The Opswat screenie is showing Installed KL's with an .EXE and/or .SYS etc, not Browser KL's such as this.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    Online Armor may block it. I wish I had not just uninstalled it.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
I installed the add-on on FF 18.0.1, and it would not log my password. After it installed a little box appeared, and I typed in a password. I hit shift, alt, \, and another box appeared that showed a bunch of question marks [backspace] [backspace] [backspace] [backspace], but no password. I wish I had Online Armor installed right now to see if Online Armor will flag the add-on when it is trying to install. I just uninstalled it. Default settings of VoodooShield 1.6 allowed the add-on to install. I have not tried tweaking its settings. I do believe VoodooShield 1.4 might stop the add-on from installing with default settings, from my experience of it blocking so many things within the browser in the past. The latest version of AppGuard also allowed the add-on to install in lock down mode. It did block FF from reading the memory. I still had no success logging anything.
     
  11. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
Interesting, sadly I can't test it. No longer have any VM software installed. :rolleyes:
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Keylogger Beater Test

    Installed it & also Xenotix Keylogger again. These are KB's Options,

    kb1.png

    I then went to https://www.startpage.com & typed in Keylog Me

    sp.png

You just hover your mouse over the character you require for about a second, & it appears where you initially left-clicked on the page. Here's what XK displayed,

    sp1.png

I next tried KB's Keyboard only option instead & typed various things into my browser's address bar. XB showed the following garbage in the address bar as I typed,

    J$]e(m"']edGD@v

    XK only showed,

    garb.png

So Keylogger Beater definitely works as a GREAT AntiKeylogger ;) in my tests anyway! See if it works for you, & post your results etc :thumb:
     
  13. xboz

    xboz Registered Member

    Joined:
    Feb 2, 2013
    Posts:
    3
    Location:
    India
    @CloneRanger

Hi, I didn't get what you meant by "Greyed out". To delete the logs, just delete the file log.html in the directory "C:\Users\<your username>\AppData\Roaming\Mozilla\Firefox\Profiles\<your profile folder>\Datax".
And somebody here posted that it's not working in FF 18. But it's working :D
    http://s9.postimage.org/56kr4c4yl/upload.png

    And still more is waiting there to come out.
I will be talking at AppSec AsiaPac 2013, South Korea on "Abusing, Exploiting and Pwning with Firefox Add-ons."
    https://www.owasp.org/index.php/AppSecAsiaPac2013#Talk_Abstracts

I would like to inform you that there are 5 more Fully Undetectable POC add-ons in the list to be published, including
    Xenotix Remote Keylogger
    Xenotix DDoSer
    Xenotix Session Stealer
    Xenotix Linux Password Stealer
    Xenotix Reverse Connect

    Xenotix Remote Keylogger is also available for download.
    Have a check at: http://keralacyberforce.in/xenotix-remote-keylogger-the-mozilla-firefox-keylogger/

    ><302
    Information Security Enthusiast,
    http://keralacyberforce.in | http://defconkerala.org | http://ajinabraham.com
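
The post above gives the one on-disk artifact the add-on leaves behind: a Datax\log.html file inside the Firefox profile folder. The following triage script is an added example (not part of the thread or of the Xenotix project): it walks every Firefox profile under a home directory and reports any profile that carries that artifact, which is a quick way for a defender to confirm whether a machine has the logger installed or whether removal was clean. The Linux and macOS profile locations are assumptions added for completeness; the sample directory tree it scans is constructed in a temp folder so the script runs offline.

```python
import tempfile
from pathlib import Path
from typing import List

# Artifact named in the thread: <profile>\Datax\log.html inside the Firefox profile.
ARTIFACT_DIR = "Datax"
ARTIFACT_FILE = "log.html"


def firefox_profile_roots(home: Path) -> List[Path]:
    """Return the Firefox 'Profiles' parent directories that exist under home."""
    candidates = [
        home / "AppData" / "Roaming" / "Mozilla" / "Firefox" / "Profiles",  # Windows (from the thread)
        home / ".mozilla" / "firefox",                                      # Linux (assumption)
        home / "Library" / "Application Support" / "Firefox" / "Profiles",  # macOS (assumption)
    ]
    return [c for c in candidates if c.is_dir()]


def find_keylog_artifacts(home: Path) -> List[Path]:
    """List every profile/Datax/log.html found under the given home directory."""
    hits = []
    for root in firefox_profile_roots(home):
        for profile in root.iterdir():
            if not profile.is_dir():
                continue
            log = profile / ARTIFACT_DIR / ARTIFACT_FILE
            if log.is_file():
                hits.append(log)
    return sorted(hits)


def build_sample_home(infected: bool = True) -> Path:
    """Constructed sample tree (not a real system): one clean profile and,
    if infected=True, a second profile carrying the Datax/log.html artifact."""
    home = Path(tempfile.mkdtemp())
    profiles = home / "AppData" / "Roaming" / "Mozilla" / "Firefox" / "Profiles"
    (profiles / "abcd1234.default").mkdir(parents=True)
    if infected:
        bad = profiles / "wxyz5678.test"
        (bad / ARTIFACT_DIR).mkdir(parents=True)
        (bad / ARTIFACT_DIR / ARTIFACT_FILE).write_text("<html>constructed sample log</html>")
    return home


if __name__ == "__main__":
    # Point this at a real home directory (e.g. Path.home()) to triage a machine.
    for hit in find_keylog_artifacts(build_sample_home()):
        print("possible Xenotix keylogger log:", hit)
```

Run it against `Path.home()` instead of the constructed tree to check a real profile; an empty result after uninstalling the add-on is what "removes cleanly" should look like for this artifact.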
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Like this for eg.

    opt.png

    OK, thanks ;)

All the best with your AppSec talk & demos etc :thumb:
     