Author Topic: Keylogger defeater  (Read 6328 times)
Luketan
Computer Security Testing Group
Comodo Loves me
*****
Offline Offline

Posts: 194


« Reply #15 on: May 08, 2008, 10:12:57 AM »

The point about the inherent shortcomings of a prevention strategy had some validity though. The weakest point of such a method will always be the user that insists on running or installing 'abc.exe' or '123 codec' in order to run a game or video for example, despite warnings about unknown processes flashing up.

Examples are not always as clear-cut as this. How about a security program someone tells you is the newest, hottest anti-rootkit? You see warnings about drivers installing and all that, but that's usual for this kind of program, right?

How about a trusted software site being hacked and replaced with a trojanised copy (happened more than once before), or a case where something malicious accidentally slipped into the code of a trusted updated program?

Also there is nothing inherently dangerous in an "unknown process". What is REALLY keying you off that something is wrong is not the "unknown" factor, but rather you are not expecting the process to run.

If you just double clicked an exe, there is nothing inherently dangerous about this "unknown process", after all you wanted it to run, so it runs.....


Logged
andyman35
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 623


« Reply #16 on: May 08, 2008, 06:27:22 PM »

Categorically.

"To find out if something is truly fool-proof, first add a fool."  Wink


Quite so, I like that one  Laugh
Logged
Thunderbear
Comodo Loves me
****
Offline Offline

Posts: 180


The bears revenge = Thunder n Lightnin'


« Reply #17 on: May 08, 2008, 06:29:18 PM »

Do it fool-proof? We don't construct things for fools  Grin

Sry, I couldn't resist.
Logged

Don't be afraid, I'm very nice. Sometimes.
CFP 3.0.25, CMF 2.0.4, CBO 4.27, Avast 4.8.1229 (waiting for CAVS3), nLited XP3 Pro 32bit hidden behind a router.
Luketan
Computer Security Testing Group
Comodo Loves me
*****
Offline Offline

Posts: 194


« Reply #18 on: May 11, 2008, 01:05:16 AM »

Do it fool-proof? We don't construct things for fools  Grin

Sry, I couldn't resist.

The problem with fools is that they are so 100% adamantly sure that they aren't fools...
Logged
Thunderbear
Comodo Loves me
****
Offline Offline

Posts: 180


The bears revenge = Thunder n Lightnin'


« Reply #19 on: May 11, 2008, 02:40:26 AM »

Yes, indeed Laugh
Logged

Don't be afraid, I'm very nice. Sometimes.
CFP 3.0.25, CMF 2.0.4, CBO 4.27, Avast 4.8.1229 (waiting for CAVS3), nLited XP3 Pro 32bit hidden behind a router.
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3792


Sometimes words are meaningless indeed...


« Reply #20 on: May 11, 2008, 03:29:17 AM »

Quote from: Euripides
Talk sense to a fool and he calls you foolish.

« Last Edit: May 11, 2008, 03:47:23 AM by gibran » Logged

Luketan
Computer Security Testing Group
Comodo Loves me
*****
Offline Offline

Posts: 194


« Reply #21 on: May 11, 2008, 07:01:44 AM »

Yes, indeed Laugh

Well, the nice thing of not being a "moderator" or "hero" is that one doesn't have to pretend that he knows everything or is always right....

It's smart to be a bit unsure, which explains why I'm unsure if I will definitely be up to using complex HIPS like D+ correctly.... Compare it to the attitudes of the people in this thread, who love to thumb their noses down at people who they consider "fools" because they express doubt...






Logged
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 5469


... and I say to myself, "What a wonderful world"


« Reply #22 on: May 11, 2008, 07:21:42 AM »

[at] luketan,

I think you may have misunderstood me. When I said

Quote
"To find out if something is truly fool-proof, first add a fool."

I was not implying that anyone was a fool, merely that no matter how well designed a product is (software, car, coffee grinder or whatever), there are always the unforeseen circumstances that will arise when that product is used in an uncontrolled environment.

A lot of things work perfectly in the lab, but fail when used in the real world. This real world failure may be due to a design flaw not detected or predicted in the lab. Alternatively it could be caused by an unexpected mode of operation. Neither of these makes the user a fool.

OK?

edit : minor typo
« Last Edit: May 11, 2008, 07:23:21 AM by panic » Logged

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
gibran
Forum Member
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 3792


Sometimes words are meaningless indeed...


« Reply #23 on: May 11, 2008, 08:31:12 AM »

As for me I simply reworded Luketan's sentence:

The problem with fools is that they are so 100% adamantly sure that they aren't fools...

which shares the same meaning as
Quote from: Euripides
Talk sense to a fool and he calls you foolish.

Anyway all forum members should know by now that Luketan usually is much more willing to point out something to blame than engage in an honest and profitable discussion.

That's why anyone can often read something like this in his posts:
Well, the nice thing of not being a "moderator" or "hero" is that one doesn't have to pretend that he knows everything or is always right....

As for what panic posted I guess Luketan should be able to agree if he wrote:

Well honestly i think most security software are quite useless if you know what you are doing.

Anyway if we really have to continue further this OT I guess it would be useful to split this thread in two-three new ones.
« Last Edit: May 11, 2008, 09:03:59 AM by gibran » Logged

tetsuo55
Comodo Family Member
***
Offline Offline

Posts: 88

Tweaking windows for Security,Stability and Speed


« Reply #24 on: August 14, 2008, 09:24:00 AM »

I too think that Comodo should have dedicated anti-keylogging, I think as part of the firewall.

It should have a list of known keyloggers, and detect any and all activity (on all levels) that looks like keylogging/screenshots.

There is a method of keylogging that can easily bypass every protection on the market that I currently know of.

Script uses unknown exploit in browser, exploit allows script to run keylogger as part of the browser. Keylogging data is sent together with www data to keylogger creator. There is currently no way to block this behaviour other than parsing out the bad script before it reaches the browser.

Because all this happens in memory without any hooks, all the correct privileges and no files being modified, this easily slips past HIPS like Defense+.

NB: I don't have any actual samples of this kind of attack
Logged
andyman35
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 623


« Reply #25 on: August 14, 2008, 10:19:14 AM »

I too think that Comodo should have dedicated anti-keylogging, I think as part of the firewall.

It should have a list of known keyloggers, and detect any and all activity (on all levels) that looks like keylogging/screenshots.

There is a method of keylogging that can easily bypass every protection on the market that I currently know of.

Script uses unknown exploit in browser, exploit allows script to run keylogger as part of the browser. Keylogging data is sent together with www data to keylogger creator. There is currently no way to block this behaviour other than parsing out the bad script before it reaches the browser.

Because all this happens in memory without any hooks, all the correct privileges and no files being modified, this easily slips past HIPS like Defense+.

NB: I don't have any actual samples of this kind of attack

Do you have any links to information about this malware? You say it defeats all known methods to block the behaviour, however the use of something like Keyscrambler, which encrypts the keystrokes before they reach the browser, would mean that all it'd 'log' would be scrambled data. It seems to me that something similar should be added to CFP, rather than attempting to detect loggers after the fact.
« Last Edit: August 14, 2008, 10:23:25 AM by andyman35 » Logged
tetsuo55
Comodo Family Member
***
Offline Offline

Posts: 88

Tweaking windows for Security,Stability and Speed


« Reply #26 on: August 14, 2008, 10:26:05 AM »

Do you have any links to information about this malware? You say it defeats all known methods to block the behaviour, however the use of something like Keyscrambler, which encrypts the keystrokes before they reach the browser, would mean that all it'd 'log' would be random data. It seems to me that something similar should be added to CFP, rather than attempting to detect loggers after the fact.

Sorry, I don't have any links, it's information I gathered from several forums, especially wilderssecurity.
I'm not even sure if a proof-of-concept actually exists for it.

Keyscrambler works on a certain level, many tests/forum posts have revealed that Keyscrambler can be bypassed to get the real keys. There is a working proof of concept, it's called "how to impress girls vista" or something, google it.

The exploit loads a malware into RAM, regardless of user rights the malware will have admin rights, admin rights ARE needed to defeat Keyscrambler (I doubt a limited running malware can defeat Keyscrambler)
Logged
andyman35
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 623


« Reply #27 on: August 14, 2008, 10:30:02 AM »

Another great way to defeat keyloggers is to use Neo's Safekeys when entering sensitive data. It's portable too, ideal for using in internet cafes  Wink

http://www.aplin.com.au/?page_id=246
Logged
tetsuo55
Comodo Family Member
***
Offline Offline

Posts: 88

Tweaking windows for Security,Stability and Speed


« Reply #28 on: August 14, 2008, 12:20:43 PM »

Another great way to defeat keyloggers is to use Neo's Safekeys when entering sensitive data. It's portable too, ideal for using in internet cafes  Wink

http://www.aplin.com.au/?page_id=246
that won't be able to defeat hardware loggers
Logged
andyman35
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 623


« Reply #29 on: August 14, 2008, 02:02:51 PM »

that won't be able to defeat hardware loggers

Since you're not using the physical keyboard to enter the data there'd be nothing for the logger to log so it'll certainly make those redundant. Anyway hardware loggers are a different issue, since we're concerned in this case with preventing generic malware rather than specifically targeted attacks. I have to say though that there are a lot of 'proof of concept' threats brought to the attention at various black hat conferences, etc. The majority tend to be impractical in a real world situation, where there are so many more variables. Having said that it's always a good idea to take notice of these things...just in case   Wink
« Last Edit: August 14, 2008, 02:07:40 PM by andyman35 » Logged