Need Help With Keylogger Detection


Veazer

Looking at the CNET forum, it appears the Spybot S&D detection rules update 2007-10-10 should do what you are after.

2007-10-10

Adware
  • Infomeca
  • Winzix

Keylogger
  • RevealerKeylogger

Malware
  • AntiVirGear
  • Nous-Tech.UCleaner
  • Swizzor
  • UtileProtection
  • Win32.Renos

PUPS
  • Yazzle

Trojan
  • DivoCodec
  • Fraud.ProtectionBar
  • Hookdump
  • Hupigon
  • Virtumonde
  • Win32.Agent.afgm
  • Win32.Agent.aqf
  • Win32.Agent.cnp
  • Win32.EST.avg
  • Win32.Small.azl
  • Win32.StartPage.arf
  • Win32.VB.ke
  • Win32.Virtualizer
  • Zlob.Downloader.oid
  • Zlob.Downloader.omd
  • Zlob.VideoActiveXAccess

Total: 453951 fingerprints in 88831 rules for 3337 products.


Looks like it doesn't really use virus methods to stealth itself, thus antivirus doesn't think it's a virus and doesn't bother with it; the only way in this case is to check what is loaded in memory via msconfig...

There are plenty of non-viral keyloggers that are detected by NOD32 and other apps. I don't know why this one isn't included.

The main problem is that the anti-keylogging apps can't see it either. I don't think it is using keyboard hooks.

A little more background... The software is intended to 'secure' a net cafe computer as much as possible so that the user can safely work on sensitive information. The security suite is going to be used by people who are not too technically savvy, so I can't really have them looking around msconfig. They wouldn't know what to look for, and msconfig doesn't include all the startup locations anyway.

The process is rkfree.exe (in the free version :o ), so my startup scripts kill any processes with this name. Unfortunately lots of keyloggers let you randomize or change the process name during installation, so that won't work if the pro version of Revealer has that feature.

EDIT:

@farma, thanks for that. You posted while I was still typing. I'll see if I can convert Spybot to a portable app... :D
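Since killing a process by name fails as soon as the keylogger is renamed, the check below triages running processes by the SHA-256 of their image and by where the image lives instead. This is an added example for this thread, not Veazer's startup script or any vendor's tool; the blocklist hash is a constructed placeholder, and the "trusted roots" heuristic is only a way to surface leads, not a security boundary.

```powershell
# Added example (not code from the thread): triage running processes by image hash
# and image location rather than by process name, since a renamed keylogger defeats
# a name-based kill list. $KnownBadHashes holds a constructed placeholder hash only.

$KnownBadHashes = @(
    '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder, not a real signature
)
# Images under these roots are treated as "expected"; malware can still live there,
# so this only decides what gets flagged for a human, not what gets trusted.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ }

function Get-FileSha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-SuspiciousProcesses {
    # Win32_Process exposes ExecutablePath even on hosts where Get-Process does not.
    Get-WmiObject Win32_Process | ForEach-Object {
        $proc = $_
        $path = $proc.ExecutablePath
        if (-not $path) {
            # No path normally means access denied from a non-admin account (or a
            # kernel/system process). Report it; never kill blind.
            New-Object PSObject -Property @{
                Pid = $proc.ProcessId; Name = $proc.Name; Path = '<unreadable>'
                Sha256 = ''; Reason = 'image path not readable from this account'
            }
            return
        }
        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
        }
        $hash = ''
        try { $hash = Get-FileSha256 $path } catch { }

        $reason = $null
        if ($KnownBadHashes -contains $hash)  { $reason = 'hash on blocklist' }
        elseif (-not $inTrustedRoot)          { $reason = 'image outside Windows/Program Files' }

        if ($reason) {
            New-Object PSObject -Property @{
                Pid = $proc.ProcessId; Name = $proc.Name; Path = $path
                Sha256 = $hash; Reason = $reason
            }
        }
    }
}

$findings = @(Get-SuspiciousProcesses)
$findings | Format-Table Pid, Name, Reason, Path -AutoSize

# Only exact blocklist matches are terminated; everything else is a lead for review,
# which matters on a cafe PC where killing the wrong process upsets the owner's software.
foreach ($f in $findings) {
    if ($f.Reason -eq 'hash on blocklist') {
        Stop-Process -Id $f.Pid -Force -ErrorAction SilentlyContinue
    }
}
```

Two caveats a practitioner should keep in mind: without administrator rights the image path of other users' processes is often unreadable, so the "unreadable" rows are exactly the ones that cannot be cleared by this script; and a hash list only catches builds you already know, so the location heuristic is what gives the user something to look at when the keylogger is an unknown build.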

Oh I see. Well, if the security suite is intended for non-computer-savvy people, I fully understand why... :o. For securing an internet café I would go this route though:

Build up a nice W2K3 domain with Active Directory management, allow only a subset of applications to be run, and only from a few places, not USB keys, CD-ROM or whatever external peripheral is plugged in. And you've got pretty locked-down workstations free of whatever you want. Don't allow any backdoor though, if you don't want some clever chap to find workarounds.

Then just do some routine checks with antivirus and anti-spyware tools and you should not have too many problems; with WSUS running on the server you will have fairly maintenance-free computers to deal with... :D


Not a removal tool but a preventive one: if you use Firefox or IE, the KeyScrambler add-on claims to make keylogging impossible.

"KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable," reads KeyScrambler's product description.

QFX Software delivers two variants of the anti-keylogging software, a Personal free edition and a Professional version for $24.99. "KeyScrambler Professional gives you complete input protection. Anything you enter in the Web browser is protected against keyloggers: your login data, your important personal information such as social security number, credit card numbers, search terms and email messages you type," revealed QFX Software.


Thanks for the replies guys, much appreciated.

@Kyosuken -

Sorry, my reply was poorly worded. When I said 'secure a cafe PC' I meant making sure any net cafe computer they use is safe [to a reasonable degree]. These USB drives are to be used in a place where few people have their own PC and net cafes cannot be trusted.

My current setup works like this:

After inserting their drive, the user starts a script which:

  • Scans current apps in memory for keyloggers, viruses and malware (ClamWin + Spybot (Thanks Farma!) )
  • Starts a memory resident app for detecting hook-based keyloggers, screen capture apps and clipboard 'thieves' (Anti-Keylogger Elite)

When the user is reasonably sure that the system is not recording their activity, then they can mount their TrueCrypt volume containing all their data and applications. Only the anti-malware apps and TrueCrypt are on the host volume.

I have pre-set-up apps for them on the TrueCrypt volume, like Thunderbird + Enigmail for encrypted email and Pidgin (Gaim) + OTR for encrypted IM. They just need to enter their user details. Because Gmail currently offers encryption for every access method (http/smtp/pop/imap), I encourage them to use Gmail accounts. I have also included PeaZipPortable so they can send encrypted archives as attachments using non-secure email.

I know there is no perfect system that will detect everything, but I need to create something better than what they have now.

@Steve2UK

I intended to include KeyScrambler, but unfortunately it is not portable at this time. Also, it doesn't protect them from keyloggers outside of browsing. My main concern is making sure that their TrueCrypt password is not compromised.

Thanks to everyone who has offered tips and advice, I appreciate your assistance with this project.

Regards,

Veazer


Oh, well I think you are very "conscious" of what you're trying to do and I see clearly where you want to get :D; this would come in handy for any non-tech-savvy people.

I will give more of my thoughts on the subject; there are some points you "may" need to take into account :D...

Some applications (like Spy S&D, or Spybot) may be easy for you to use but not for the average person, because these are power tools meant for power users even if they are advertised as "easy to use"; it's not really the case: different GUIs across these tools and detection systems that are not always that "clear". Of course some people will get to use them, but I can assure you a lot of them may be stuck not knowing what to do.

I don't know what kind of scripting you will be using; I guess WSH/VBS/JS scripts, and these could be stopped from running at all if these café computers have an antivirus running... and thus your customer will be unable to know what to do...

The same applies for protected systems like the ones in my internet café: any script/batch/exe/com/msi/pif or whatever can't be run from removable devices, though I agree this example is not the most widespread.

Most internet café software has a "monitoring" service that can take screenshots of what users are doing (a sort of VNC-like system); its purpose is of course to check for any "misbehaviour" on the part of the customer, not to spy on them (but well, you never know, isn't it?...), and thus the advanced tools may (or may not) have unpredictable effects on the café software, like shutting it down through process killing, or making it unstable. <= Note this is what may happen "if"; it seems though that you only need to check that the computer is cleaned of well-"known" malware.

Lastly, say everything went smoothly and the TrueCrypt software "mounts" the encrypted drives. I know two kinds of software of this sort: one that just encrypts the data itself (and thus the data is "visible" to the user, but unless you've got the key it's impossible to access the content). The second one hides and encrypts a partition on your USB key, then "mounts" the partition in Explorer so the content is accessible to your whole system after the right key is entered.

While key "stealing" might be very important in the first case, in the second one the internet café owner can access the USB drive remotely when the encrypted partition is "mounted", because the software gave clearance to do so... These protections are great for stolen devices, but in a networked environment you will likely get access to the files! Note that this is a possible loophole in the security of such software, but if it (the software) is well designed it may have a blocking mechanism for remote access. You may dig into this and see if I am right or not; in matters of security, being paranoid is what saves one from any trouble :o !

Keep up the good work ! :D


Sorry for the long delay, I had to take a trip out of town.

> Oh, well I think you are very "conscious" of what you're trying to do and I see clearly where you want to get; this would come in handy for any non-tech-savvy people.

> I will give more of my thoughts on the subject; there are some points you "may" need to take into account...

Thanks, I appreciate any feedback I can get. While doing this project I have found myself repeatedly over-focusing on one aspect while overlooking some obvious flaws in my thinking. It's nice for me to hear other viewpoints on the subject.

> Some applications (like Spy S&D, or Spybot) may be easy for you to use but not for the average person, because these are power tools meant for power users even if they are advertised as "easy to use"; it's not really the case: different GUIs across these tools and detection systems that are not always that "clear". Of course some people will get to use them, but I can assure you a lot of them may be stuck not knowing what to do.

I totally agree. I'm doing my best to find apps that are easy to use. Likewise, I'm striving to automate as much as possible with command line switches and whatnot. Any time I can reduce a process to a few clicks for them is a success. I would rather be doing the work for them than teaching them what to do. There will be some training for users, but I still want the whole process to be as simple as possible.

> I don't know what kind of scripting you will be using; I guess WSH/VBS/JS scripts, and these could be stopped from running at all if these café computers have an antivirus running... and thus your customer will be unable to know what to do...

> The same applies for protected systems like the ones in my internet café: any script/batch/exe/com/msi/pif or whatever can't be run from removable devices, though I agree this example is not the most widespread.

My scripts at this point are extremely simple .cmd files for moving files and adding registry entries as needed, as well as shutdown scripts that reverse the changes. I still need to test them without admin rights however... On a side note, I could probably get around the scripts-on-removable-drive limitation you mentioned because TrueCrypt can mount drives as local disks instead of removable media.

> Most internet café software has a "monitoring" service that can take screenshots of what users are doing (a sort of VNC-like system); its purpose is of course to check for any "misbehaviour" on the part of the customer, not to spy on them (but well, you never know, isn't it?...), and thus the advanced tools may (or may not) have unpredictable effects on the café software, like shutting it down through process killing, or making it unstable. <= Note this is what may happen "if"; it seems though that you only need to check that the computer is cleaned of well-"known" malware.

More good points. The AKE utility I use fully blocks VNC, but that might cause the café owner to come around and check up on the user. Also, it requires administrator rights, and any café that is reasonably well set up won't allow that. I agree that there is a potential for my software to mess up innocuous software intended for other legitimate purposes like timing internet sessions, etc. The best way to avoid that would be to use the drive in as many cafes as possible and whitelist every application like that.

> Lastly, say everything went smoothly and the TrueCrypt software "mounts" the encrypted drives. I know two kinds of software of this sort: one that just encrypts the data itself (and thus the data is "visible" to the user, but unless you've got the key it's impossible to access the content). The second one hides and encrypts a partition on your USB key, then "mounts" the partition in Explorer so the content is accessible to your whole system after the right key is entered.

> While key "stealing" might be very important in the first case, in the second one the internet café owner can access the USB drive remotely when the encrypted partition is "mounted", because the software gave clearance to do so... These protections are great for stolen devices, but in a networked environment you will likely get access to the files! Note that this is a possible loophole in the security of such software, but if it (the software) is well designed it may have a blocking mechanism for remote access. You may dig into this and see if I am right or not; in matters of security, being paranoid is what saves one from any trouble!

TrueCrypt uses the second approach by mounting it to a drive letter. By default, removable drives are not assigned default shares in my experience, but as a precaution my script immediately disables the default share of the removable drive if it exists. Any file sharing dependent on that should fail. Unfortunately removing shares requires admin access as well.

If the C: drive of the host PC is NTFS I could also just remap the drive letter to a folder on C:, like C:\Windows\Temp\Thumbdrive. It's not rock-solid security, but it's much harder to find than an extra drive in Explorer, and very few people would expect to find the contents of the flash drive there.

Even if there is no access across the network, I'm fearful that a local script could be configured to suck up the contents of any attached drive. Because of this, I've considered using encrypted archives to store documents instead of folders, but it is certainly far less convenient and it still isn't 100% effective. Once the archive is opened, the contents are likely stored unencrypted in some temp folder.

Another option is TCExplorer, which opens TrueCrypt volumes but doesn't mount them anywhere; you only open the file(s) you need and the rest remain encrypted. It can also be configured to run Eraser immediately afterwards to remove traces of the file in the temp folder. Pretty smart.

Yet another option is using Google Documents. This would mean that the documents are never stored locally and can't be recovered using un-erase programs, etc. The main problems with this are that it requires a connection to do any work or access the documents, and internet access is often not reliably available for these users. Also, compromised Gmail/Google accounts are a problem to deal with. Even if you see that someone is in your account and change your password, they still have access! I thought it would immediately cause them to log out, but when I tested it they had access so long as they stayed logged in. I hope Google addresses this in the future; I see it as a security flaw.

> Keep up the good work!

Thanks! I appreciate your thoughts on this.

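The share check Veazer describes (disable any share that exposes the mounted TrueCrypt drive, knowing that share removal needs admin rights) can be made explicit rather than assumed. The script below is an added example for this thread, not Veazer's .cmd script or anything from TrueCrypt: it enumerates SMB shares through WMI, deletes the ones whose path sits on the mounted drive when the account is an administrator, and otherwise lists them so the user knows the volume is reachable over the network. The drive letter `T:` is an assumption; TrueCrypt assigns whatever letter the user picked.

```powershell
# Added example (not code from the thread): after TrueCrypt mounts the volume as
# $Drive, find any SMB share rooted on that letter and remove it if we are allowed
# to. $Drive is an assumed value; substitute the letter TrueCrypt actually used.

$Drive = 'T:'

function Test-IsAdministrator {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SharesOnDrive {
    param([string]$DriveLetter)
    # Win32_Share lists every SMB share, including hidden ones such as T$.
    # IPC$ has an empty Path, hence the null guard.
    Get-WmiObject Win32_Share | Where-Object {
        $_.Path -and $_.Path.StartsWith($DriveLetter, [StringComparison]::OrdinalIgnoreCase)
    }
}

function Remove-SharesOnDrive {
    param([string]$DriveLetter)
    $shares = @(Get-SharesOnDrive $DriveLetter)
    if ($shares.Count -eq 0) {
        Write-Host "No network shares expose $DriveLetter"
        return
    }
    if (-not (Test-IsAdministrator)) {
        # This is the case Veazer expects on a well-run cafe PC: we can see the
        # exposure but cannot fix it, so make it visible instead of failing silently.
        Write-Warning "Shares exist on $DriveLetter but removing them needs administrator rights:"
        $shares | Format-Table Name, Path -AutoSize
        return
    }
    foreach ($s in $shares) {
        # Win32_Share.Delete() reports success as ReturnValue 0.
        $result = $s.Delete()
        if ($result.ReturnValue -eq 0) {
            Write-Host "Removed share $($s.Name) -> $($s.Path)"
        } else {
            Write-Warning "Failed to remove share $($s.Name) (code $($result.ReturnValue))"
        }
    }
}

Remove-SharesOnDrive $Drive

# The Server service (LanmanServer) is what answers SMB requests at all; if it is
# stopped, the mounted drive is unreachable over the network regardless of shares.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if ($srv) { Write-Host "Server service state: $($srv.Status)" }
```

Note that this only closes the network path Kyosuken raised. A local agent running on the cafe PC with the user's own rights can still read the mounted drive letter, which is why the unmounted-access approach (TCExplorer) discussed above is the stronger option for the local threat.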

That TCExplorer is the way to go, I think; much more security, and if it works "à la" the Windows encryption feature (the temp file is in the same place as the encrypted one) it's even better, so you don't have any trace anywhere on the system... well, you could find some in the swap file, but most likely that's a little too far-fetched.

I don't know about other places, but in Phuket very, very "few" internet cafés have advanced management for computers; usually they don't even set up a server to filter the connections, it's more or less direct access through the router. Moreover, the people working in these cafés are students, on the "girl" side most of the time, who have very, very little knowledge of what is going on; the very few that have real network infrastructure usually have their computers cleaned as well... because any bad publicity... is bad publicity over there. I mean by that that the chances of the owner of the shop doing wrong are quite small, but well, as for credit card fraud... you never know, though depending on the content it's very unlikely they could find something worth exploiting... (this is debatable).

But nonetheless the idea is worth digging into because it has many more applications than internet café sanity!
