Zemana Antilogger works HOW exactly?

Discussion in 'other anti-malware software' started by Gullible Jones, Jun 30, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    From their homepage:

    http://www.zemana.com/product/antilogger-free/overview/

    This seems half-baked at best.

    For those who are wondering what I mean, it's pretty simple: if you scramble keystrokes as they're entered, they have to be unscrambled and converted to correct keycodes somewhere, or applications will not be able to understand what you're typing. What is encoded must be decoded to be useful.

    Also, any key(s) or algorithms used to encrypt data must be stored in main memory somewhere.

    Also, if they implement any access control to try and enforce this stuff, they don't say it...

    Point is: encryption is not magic. If a bad application has the same privileges as a good one, it will be able to read the same data. If a program is compromised successfully, any keystrokes entered into its window can be recorded. If an attacker has unfettered access to all your user's processes, any keystrokes can be logged, period.

    Nonetheless, I will do some testing of this program later today. It will be interesting to see if it holds up...
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Good thread. I´ve been trying to figure this thing out myself. :D

    But from what I understand, tools like Zemana and Trusteer are trying to block malicious browser hooks, that means that even if code is injected into the browser, it still can´t modify (or hook) browser memory, and as a result isn´t able to sniff/steal data. :)

    EDIT: I´m talking about the Pro version which is able to stop SSL loggers. The free version is trying to stop "normal" key-loggers who are using global/window hooks.
     
    Last edited: Jun 30, 2014
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Hmm interesting. So they might just be blocking DLL injection, etc., and it got mistranslated by the marketing team or something.

    I'll still give it a try though...
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    It will be interesting what you find.

    Currently running the pro 1 year license mentioned on here and hips has only popped up twice for portable firefox and tinyresmeter097
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    No, you´re misunderstanding, there´s a difference between the free and pro version. :)

    The free version works just like KeyScrambler, it´s a nice protection against "normal" keyloggers. These kinda keyloggers normally use global hooks but are sometimes also kernel based. The pro version protects against advanced banking trojans who make use of inline and IAT hooks.

    https://www.qfxsoftware.com/ks-windows/features.htm
    http://www.zemana.com/product/antilogger-free/overview/
    http://mnin.blogspot.nl/2009/05/volatility-plug-in-for-iateatinline.html
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Rasheed187, it's the free version I'm skeptical of, due to the seemingly magical claims about how it works.

    Re the pro version, that's a HIPS, plain and simple. And by what I'm seeing probably a decent one. It appears to implement some form of DEP hardening, which I have not seen in older HIPS software.
     
    Last edited: Jun 30, 2014
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Well, 100% protection is not possible anyway, so I do believe it´s useful to encrypt keystrokes. And the cool thing is that both the free and pro version try to protect already infected machines, something that old HIPS couln´t do. So even if you allow memory modification, it might still be able to stop malware from stealing data. And where did you read about "DEP hardening"? AFAIK it doesn´t try to stop exploits at all. :)
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Okay, wow. The free version appears to work exactly how they say it does, and also exactly how I expected it might. Color me disappointed.

    It will probably protect from global hook and messing with the Windows shell, though I must say that this way of doing so is really roundabout. I don't see how it could protect from man-in-the-browser though, and it definitely wouldn't work against a malicious driver (but y'all already knew that).

    Honestly I wouldn't trust the free version very far though. If you have malware creating global hooks, I would think your user account is probably compromised, and you have much bigger problems.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes you need the pro version for protection against man-in-the-browser malware. And don´t forget, with HIPS you can block driver and global hook loading, it´s the logical thing to do if you don´t trust some app. Did you already test the free version against kernel mode key-loggers? :)
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Only if the malware in question is of the most simplistic kind. Against e.g. TDSS, forget it.

    That's actually what I really take issue with...

    Once a user account is on a privilege-based OS is compromised, it is not trustworthy, period. Anything running with that set of privileges can be considered accessible to the attacker.

    Furthermore, local privilege escalation is common across all platforms. Once an attacker has run a malicious binary, you can pretty much assume your OS is rooted.

    So if Zemana is making claims about blocking keylogging by active malware, I would say they're marketing their product in an irresponsible fashion.

    Not really. If you access the memory space of e.g. Firefox and see what data it is reading, you can probably log keystrokes within Firefox's window. Zemana might (probably does) have tricks to make that harder, but in the end it is IMO obfuscation, not security. "Security" would be preventing the compromise to begin with.
     
  11. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    You're posting to fast for me to keep up :)

    If you don't trust some app the logical thing to do is to not run it. :)
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    How did you test it ? There's only one way to test it properly, & that's with the appropriate malware. Let us know whe you have.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes of course, Zemana and SpyShelter have already been tested against standard key-loggers and screen-grabbers, and they couldn´t even stop all of them.

    Well, that´s what I mean with 100% protection is not possible. They are able to defeat some malware, but not all.

    I´m not so sure if that´s true. Zemana has also been tested against man-in-the-browser malware, and most of the time it could stop them. Like I said before, just like Trusteer, it´s trying to block (or "unhook") browser memory modification. About your second comment, you need anti-exploit and AV for preventing the compromise. HIPS (behavior blockers) don´t know if apps are malicious or not. That´s up to you. :)
     
    Last edited: Jun 30, 2014
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @CloneRanger: I didn't "test" it. There are other (safer) ways of doing so than live malware (e.g. Metasploit and other such frameworks) but I don't have my desktop set up for that right now.

    (Personally I do not mess with live malware. Too much of a risk right now.)

    I will explain my procedure if you want. I'm not sure if the mods will be happy with it though. :(
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    That´s true, but I´m talking about "not fully" trusted apps. Sometimes you may think that some app is safe, but if it triggers some high risk HIPS alert, then something may be wrong. That´s why I always run them "sandboxed" with Sandboxie. :)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Gullible Jones

    About your PM (DEP hardening), I really don´t think that Zemana is capable of blocking exploits. ;)

    On Win 32 bit, all HIPS hook those functions.
     
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Rasheed187: I've yet to see other HIPS hooking those syscalls, but then last time I seriously looked at one was a few years ago. PrivateFirewall didn't last I checked, and I don't think Outpost 6.51 did either. Things have changed though (oh boy how they've changed...).

    I may test it vs. Metasploit at some point... Maybe. Have other stuff going on at the moment.

    Edit: they do actually indicate memory management protection in one panel in the Pro version. In any case it looks (based on some Googling) like the hooks in question could be used to reinforce DEP, at least theoretically. But IANAWG. ("I Am Not A Windows Geek.")
     
    Last edited: Jul 1, 2014
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Sure go ahead.What coud be so contentious ?
     
  19. FOXP2

    FOXP2 Guest

    I was hoping we'd know how Zemana AntiLogger (um, Free) works, exactly, by now. ;)

    Free (and PRO, currently v1.9.3.525, installed on Win8x64 systems) uses their Keystrokes Encryption SDK.
    http://zemana.com/product/antilogger/modules/keycrypt.aspx

    A HIPS but not just a HIPS. Not plain. Not simple. But yes, decent. Very decent.
    http://zemana.com/product/antilogger/overview/

    DO IT!
     
    Last edited by a moderator: Jul 7, 2014
  20. controler

    controler Guest

  21. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @FOXP2: I used GMER to look at what system calls were being hooked, what DLLs were being injected into things, etc.

    The pro version hooks common system calls, and some uncommon ones (or at least, uncommon last time I looked at HIPS software this way).

    The free version OTOH loads a driver, and then injects stuff into some DLLs which in turn are typically loaded by Windows programs. So presumably the driver encrypts keyboard input and the userspace code decrypts.

    I was iffy about posting this because it might, maybe, qualify as reverse engineering by their EULA.

    Edit: anyway re the free version, point is that's obfuscation. I would bet on it against many userspace keyloggers; but not against anything sieving through program memory, or anything south of ring 3.

    (There may be other tricks involved in the free one, but figuring such things out would really be reverse engineering.)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ Gullible Jones

    Can you perhaps check if the Pro version injects code into the browser? I want to know how the anti-SSL logger works, that´s why I´m asking. I always read bad stuff about Trusteer Rapport, but I never read that Zemana causes problems, so I wonder if they have implemented it in a different way. :)
     
    Last edited: Jul 8, 2014
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @Rasheed187, I didn't see Pro messing with DLLs; but being a HIPS it would probably block attempts to inject some strange DLL into the browser. Not sure about blocking shell code. I would have to run some tests with Metasploit vs. man-in-the-browser stuff (and right now I just don't have the time or inclination).
     
  24. FOXP2

    FOXP2 Guest

    Thanks for your post, Gullible Jones. I've used Pro on several systems since 2008 and I can not be convinced anything else out there has a feature set of equal competence. Editorial content and popular acclaim over the years tend to back that up.

    Truth is, I don't really want to know how ZAL works as much as I like your findings. I apologize for what is a somewhat facetious tone to my post #19 above.

    [soapbox]I couldn't help myself, though, when at Wilders the forum posts consist largely of sentence fragment studies and reading comprehension trials by native-English members, whining about tray icon colors and UIs, who is paying what service to suppress and/or enhance threat test results and post count boosting blather, your posts are actual cohesive threads examining... technology. :eek: A while back (and my all time favorite), in response to criticism of a 100% backend break down, one of the incredibly massive posers here dismissed that failure of his sweetheart AV by responding that "it just works," period. I don't know if you've been around long enough to remember how it was on Computer/Castle Cops; I sure miss those days...[/soapbox]

    Cheers.
     
  25. FOXP2

    FOXP2 Guest

Loading...