
Spyware, Key loggers and other such programs....

Discussion in 'Tech Talk' started by OXCOPS, Jul 26, 2006.

  1. OXCOPS

    OXCOPS

    Joined:
    Dec 31, 2000
    Messages:
    13,045
    Likes Received:
    1
    Location:
    AZ
    I was having a conversation with a friend the other day. The topic of these programs came up.

    We both started wondering if it was possible for someone (whether remotely or not) to secretly install such programs on a certain machine. As we all know, it is VERY easy to do.

    Now, the main question came up of how to detect them. With most 'info-gathering' type programs, the object is to remain secret. So, how can one detect them on their computer? I am fairly confident that some will be missed, even when running a standard Spybot or Adaware type check.

    So, is there a way to go into a specific file listing on your computer and see them? Opening the "Add/Remove Programs" list? Processes list under the Task Manager? If so, what would they be called? I would think that whoever designed a program, say a key logger, would be wise enough to mask the title as something harmless.

    What say the experts (and the rest of ya :supergrin:)?
     
  2. Kalmah

    Kalmah Supreme Member

    Joined:
    Feb 22, 2006
    Messages:
    2,078
    Likes Received:
    855
    Location:
    Colorado
    My fiancee's ex-husband put a keylogger program on her home computer. He was able to get all her passwords for everything. He regularly read her email and would delete emails he didn't want her to see - he paid special attention to those between her and her lawyer.

    It was just a fluke that she discovered he'd done this, otherwise it might still be going on. She doesn't know how to get it off, so she can't use her home computer for anything she doesn't want him to see. But at least he doesn't have access to her accounts anymore.

    If anyone knows how to delete these programs, I'm all ears.
     

  3. nothing

    nothing Advertisement

    Joined:
    Feb 24, 2002
    Messages:
    815
    Likes Received:
    0
    Location:
    Brandon, MS
    Can't go wrong with FDISK and then reinstall everything.
     
  4. Soybomb

    Soybomb Optimistic Fool

    Joined:
    Aug 25, 2005
    Messages:
    95
    Likes Received:
    0
    Location:
    Low
    Most antivirus software will detect these programs as they start. The problem is if the software actually installs, I would never trust the computer again without formatting. While one key stroke logger may show up as a running process in task manager, a really good keystroke logger would change the task manager program to not show the process, it would change explorer to not display the files. In short they would modify the operating system and make it lie to cover their own existence. The keystroke logger would run but you'd never know it. This is why with servers if you ever have a machine get hacked you must never try to repair it, only format and reinstall. I personally feel the same way about desktops and malicious spying software.
     
  5. HerrGlock

    HerrGlock Scouts Out CLM

    Joined:
    Dec 28, 2000
    Messages:
    23,796
    Likes Received:
    214
    No. None of the above. The best you can do is to reformat and reinstall, using ONLY known good install disks, never go online and never let anyone use your computer.

    Other than that, get a handful of good scanners for such things, keep them up to date and keep them on a thumb drive and write protect your thumbdrive. Run the lot of them (three or four at least) about once a week.

    Then again, if it's a hardware keystroke logger, nothing will show it.

    Sorry, this is not something that can be really sugar coated.

    Use a number of them and you'll catch over 99% of what's out there, though.
     
  6. HerrGlock

    HerrGlock Scouts Out CLM

    Joined:
    Dec 28, 2000
    Messages:
    23,796
    Likes Received:
    214
    (to the tune of Camptown Races)

    Fdisk, format, reinstall
    win-dows, win-dows
    ...
    :clown:
     
  7. vote Republican

    vote Republican White and nerdy Moderator

    Joined:
    Aug 23, 2002
    Messages:
    11,212
    Likes Received:
    2,219
    Location:
    OAF Mecca, MD
    http://news.zdnet.com/2100-1009_22-6095762.html

    Rootkits get better at hiding
    By Joris Evers, CNET News.com
    Published on ZDNet News: July 18, 2006, 6:35 PM PT

    A new Trojan horse is so good at hiding itself that some security researchers claim a new chapter has begun in their battle against malicious-code authors.

    The new pest, dubbed "Rustock" by Symantec and "Mailbot.AZ" by F-Secure, uses "rootkit" techniques crafted to avoid the detection technology used by security software, Symantec and F-Secure said in recent analyses.

    "It can be considered the first born of the next generation of rootkits," Elia Florio, a security response engineer at Symantec, wrote in a blog late last month. "Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used."

    Rootkits are considered an emerging threat. They are used to make system changes to hide software, which may be malicious. In the case of Rustock or Mailbot.AZ, rootkit technology was used to hide a Trojan horse that opens a backdoor on an infected system, putting it at the beck and call of an attacker, according to Symantec.

    In their continuing race with security software makers, the creators of this latest rootkit appear to have looked closely at the inner workings of detection tools before crafting their malicious code, said Craig Schmugar, virus research manager at McAfee, which calls the pest "PWS-JM."

    "Security companies are trying to stay one step ahead of the bad guys, but the bad guys already have the technology that is available from the security vendors," he said. "A number of techniques have been combined to really strengthen and harden this particular threat. They have done a pretty good job at closing all the doors."

    The mixture of cloaking methods makes Rustock "totally invisible on a compromised computer when installed," including on a PC running an early release of Windows Vista, Symantec's Florio wrote. "We consider it to be an advanced example of stealth by design malicious code."

    To avoid detection, Rustock runs no system processes, but runs its code inside a driver and kernel threads, Florio wrote. It also uses alternate data streams instead of hidden files and avoids using application programming interfaces (APIs). Today's detection tools look for system processes, hidden files and hooks into APIs, according to Florio's post.

    Additionally, Rustock defeats rootkit detectors' checks for the integrity of some kernel structures and the detectors' efforts to detect hidden drivers, Florio wrote. Furthermore, the SYS driver the rootkit uses is polymorphic and changes its code from sample to sample, according to the blog posting.

    Still, chances of people being attacked by this rootkit and its malicious Trojan horse payload are slim, experts said. "People are blogging about it not because it is highly prevalent, but because of the challenges it poses to existing rootkit detection tools," Schmugar said. Symantec and F-Secure also both state the threat is not widespread.

    F-Secure updated its BlackLight rootkit detection tool that can detect current versions of the pest, the company said in a blog. Symantec and McAfee are still working on tools to detect and remove rootkits from computers.
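    The article says Rustock parks its code in alternate data streams rather than hidden files, which is exactly why an ADS sweep belongs in a defender's checklist. The script below is an added example written for this thread, not code from the article, Symantec or F-Secure: it walks a directory tree and lists every stream that is not the default data stream or the Zone.Identifier marker that browsers attach to downloads. It assumes PowerShell 3.0 or later on an NTFS volume; the starting directory is a placeholder. Bear in mind the article's own point: a kernel-mode rootkit that filters file-system queries can hide streams from this kind of user-mode enumeration, so a clean result from an infected machine proves nothing, while a stray stream on a machine you thought clean is worth a close look.

```powershell
# Added example (not from the article or the thread): list alternate data streams
# (ADS) on files under a directory, skipping the default ::$DATA stream and the
# common, benign Zone.Identifier stream that browsers add to downloaded files.
# Assumptions: PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume; $Root below
# is a placeholder starting directory, not a path taken from the thread.
function Get-AlternateDataStreams {
    param([string]$Root = 'C:\Windows\System32')   # placeholder starting directory

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One AlternateStreamData object per stream on the file
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Usage: largest non-default streams first; anything holding executable-sized data
# on a system directory deserves a second look.
Get-AlternateDataStreams -Root 'C:\Windows\System32' |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

    A stream named Zone.Identifier on a file in your Downloads folder is normal; a multi-kilobyte stream with an odd name on a file under the Windows directory is not, and the file it hangs off is the place to start.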
     
  8. Random

    Random AtticRat

    Joined:
    May 27, 2001
    Messages:
    3,710
    Likes Received:
    1,768
    Location:
    New Orleans
    Here's a lazier alternative. Not 100%, but if you don't want to do the complete reinstall try these.

    Download HijackThis and untick unnecessary startup items. If you don't know what you can untick type it into dogpile. Guaranteed if it's bothering you someone else has been there before.
    Run Spybot in advanced mode and click on tools/system startup. Untick the non-essentials there too.
    You've got one more spot in the control panels Administrative Tools section under SERVICES where you can stop and disable stuff.

    Check those three places and even if there is a logger it won't start. Now if you wanna be a jerk like me you can try to trace the log folder's location. That would have some nifty info in it. If he is sending it remotely he has to specify an email address for it to be sent to. Most recreational snoops don't make an "anonymous" address simply to check on an ex. Find that and you may just find his address and his password.
     
  9. Soybomb

    Soybomb Optimistic Fool

    Joined:
    Aug 25, 2005
    Messages:
    95
    Likes Received:
    0
    Location:
    Low
    And how do you ensure the services tool isn't lying to you about all the services running on the machine? If you've just got some spyware you might be able to assume they didn't put a lot of work into hiding it from you. If you've gotten a keystroke logger somehow from someone who plans on snooping on you it's probably written by someone who is going to take the steps necessary to really make it hidden. Such is the protective IT guy take on it at least.
     
  10. RWBlue

    RWBlue Mr. CISSP, CISA CLM

    Joined:
    Jan 24, 2004
    Messages:
    23,660
    Likes Received:
    890
    I have used many methods to keylog systems. It all depends on what I have, where they are, where I am, how secure does it need to be.

    I mean it can be as easy as attaching a device in between the keyboard and the computer or as complicated as adding special functionality to an already well known program or installing a new separate program. It is a matter of knowing the right tool for the job.

    As far as I know I never was busted. No one ever uninstalled the key logger.

    There are times when I wish I could go back and be an IT security guy. It was fun. They were doing dumb things and I had the pleasure of nailing them.
     
  11. Random

    Random AtticRat

    Joined:
    May 27, 2001
    Messages:
    3,710
    Likes Received:
    1,768
    Location:
    New Orleans

    You're never SURE of anything. How do you ENSURE the Windows installation disk doesn't have spyware on it? You don't. You take a multi-pronged approach and lessen the probability that it slipped by you. I've played with some keyloggers. I can tell you with no small amount of confidence that in Kalmah's scenario, unless her ex was an IT guy or had good help, there's a good chance it can be found. An HKLM/Run or a Winlogon Notify .dll will probably show in HijackThis, Spybot's list of startups, or both. Common sense and cross-referencing this with what you should have on your computer is an excellent approach and at least offers peace of mind no one else seems to want to address.
    What if there is no keylogger? There are other ways to get computer info. Maybe she just has really weak passwords. No one said she was tech savvy. Reinstalling is fine and dandy, but if she doesn't change the password afterward or her "I forgot my password" hint is her mother's name her ex-lover "MIGHT" know that.

    Back to the original question though.
    Yes, they are relatively easy to install and/or send to someone.
    Yes, most that I've come across or used are easy to detect. With almost all keyloggers as of late, the snoop has the ability to rename the exe or dll file, so you have to look for something that doesn't belong. Common sense prevails in this area. If you have an ATI process going and you're an Nvidia man, trace it back.
    Those processes that I mentioned earlier I stand by.
    Reformatting in the original poster's scenario makes no sense.
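    Random's earlier post names three places to check (HijackThis startup items, Spybot's startup list, and the Services console) and the post above adds the specific HKLM\Run and Winlogon Notify locations, with the advice to cross-reference what you find against what belongs on the machine. The PowerShell script below is an added example for this thread, not something any of the posters wrote or any of the named tools ship: it pulls those autostart locations into one list, compares that list with a baseline snapshot saved earlier from a machine you believed clean, and separately flags entries whose executable runs from a location where installed products rarely live. It assumes PowerShell 3.0 or later in an elevated prompt on Windows; the baseline file path is a placeholder you choose. As Soybomb notes above, a kernel-level rootkit can make these same queries lie, so an unchanged list is evidence, not proof.

```powershell
# Added example (not from the thread): enumerate the autostart locations the posts
# point at (Run keys, Winlogon Notify packages, auto-start services), then compare
# the result with a baseline snapshot taken earlier on a known-good machine.
# Assumptions: PowerShell 3.0+ on Windows, run as an administrator; $baselinePath is a
# placeholder and not a path taken from the thread.

function Get-AutostartEntries {
    $entries = @()

    # 1. Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties PowerShell adds to every key
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # 2. Winlogon Notify packages: DLLs winlogon.exe loads at logon
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notifyKey) {
        foreach ($sub in Get-ChildItem -Path $notifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            $entries += [pscustomobject]@{ Source = $notifyKey; Name = $sub.PSChildName; Command = [string]$dll }
        }
    }

    # 3. Services that start automatically, with the image path each one runs
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }
    return $entries
}

# Flag commands whose executable lives where an installed product would not normally put it:
# temp folders, the public profile, the recycle bin, or loose in a drive root.
function Test-SuspiciousPath {
    param([string]$Command)
    return ($Command -match '\\(Temp|AppData\\Local\\Temp|Users\\Public|Recycler|\$Recycle\.Bin)\\' -or
            $Command -match '^"?[A-Za-z]:\\[^\\]+\.(exe|dll)"?')
}

$current = Get-AutostartEntries
$baselinePath = 'C:\baseline\autostart-baseline.json'   # placeholder path

if (Test-Path $baselinePath) {
    # Later run: anything not in the snapshot is new since the machine was believed clean
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($b in $baseline) { $known["$($b.Source)|$($b.Name)|$($b.Command)"] = $true }
    $new = $current | Where-Object { -not $known.ContainsKey("$($_.Source)|$($_.Name)|$($_.Command)") }
    Write-Host "Entries not in baseline:"
    $new | Format-Table -AutoSize
} else {
    # First run on a known-good machine: save the snapshot for later comparison
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath"
}

Write-Host "Entries launched from unusual locations:"
$current | Where-Object { Test-SuspiciousPath $_.Command } | Format-Table -AutoSize
```

    Run it once while the machine is in a state you trust to write the baseline, then again whenever something feels off; a new Run value or Notify DLL pointing at a freshly renamed file is the "ATI process on an Nvidia box" the post above describes, and the path it points at is what to trace back.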