
Anti-Spyware Software and the Keylogger Conundrum

Today we posted a story about the threat from keystroke logging programs and the increasingly sophisticated methods criminals are using to sort through the mountains of stolen password and financial information these eavesdropping devices are phoning home.

I contacted dozens of people around the country whose data turned up in some of these vast stores of keylogged data. Many of the victims I attempted to reach had computers that had been seeded with a keystroke logging program or "keylogger" known as Winlrda.exe, a nasty piece of malware written by "Smash & SARS," the deceptive duo behind the RatSystems.org Web site.

As usual, very few people returned my phone calls and e-mails. I can't say I blame them exactly; I'm not sure I'd call back someone claiming to be a reporter whose voice mail message said hackers had just made off with my most cherished financial and personal data. I did manage to reach maybe a half-dozen keylogger victims directly, and each of them by the end of the conversation said they were thankful for the call.

In the course of interviewing the victims, a couple of things became clear. First, many regular computer users do not understand the difference between an anti-spyware program and anti-virus software. Second, on some levels it doesn't really matter whether they grasp the distinction or not -- anti-spyware programs currently don't do a terribly good job at detecting the presence of keystroke logging programs.

One woman I spoke with from Alabama whose information was transmitted by a keylogger to the attackers' Web site said she was surprised by the news because she had Ad-Aware and a couple of other anti-spyware programs on her computer. I told her that anti-spyware programs were a good first step, but was she also using anti-virus? She asked me to explain the difference.

As it turned out, she wasn't using anti-virus software. But it's not hard to understand why she was confused. After all, how much more spyware-ey can you get than a piece of software designed to read your every keystroke? Why shouldn't anti-spyware software detect keyloggers?

I put calls in to Ed Skoudis and Tom Liston, both from Washington-based security consultancy Intelguardians and each an incident handler for the SANS Internet Storm Center, which monitors hacking trends. These two guys have spent the past several months testing the differences between the responses that anti-spyware programs and anti-virus programs have to malicious software, and so far they've found some rather interesting results.

"The biggest difference ... is that the whole anti-spyware thing is based on a philosophical 'line in the sand' while anti-virus is generally cut-and-dried," Liston said. "Anti-spyware vendors tend to have to come up with a set of criteria for the things that they're going to call spyware. And sometimes it gets them into trouble."

While there are special-purpose keylogger-detection programs -- such as Spycop and SnoopFree -- Liston said detecting keyloggers is not something that anti-spyware software generally does very well.

Skoudis says most anti-virus software can be thought of as file-detectors. "If you have this evil file on your system, anti-virus will stop it from being written to the hard drive or running in memory. You'd think that anti-spyware would be more than just a glorified file-detector, but what we've found is that most anti-spyware tools have very limited behavior-based detection."

Skoudis and Liston have written a suite of tools they plan to release in May that users can fiddle with to test the robustness of the security software on their PCs. Among the tools they wrote was a simple keystroke logger program, which none of the anti-spyware programs detected as malicious.
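To make Skoudis' "file-detector" versus behavior-based distinction concrete, here is an added illustration in Python; it is not code from the article or from the Intelguardians tool suite. It assumes that the API names a program imports can be read out of the file: a real scanner parses the PE import table, while here they are simply embedded as NUL-separated strings in constructed sample bytes, and the hash blocklist and API rule sets are also constructed for the demo.

```python
import hashlib

# Constructed sample "binaries". A real scanner would read imported API names
# from the PE import directory; here (an assumption for the demo) they are
# embedded as NUL-separated ASCII strings so the example runs anywhere.
SAMPLE_KEYLOGGER = (
    b"MZ\x90\x00...stub..."
    b"\x00USER32.dll\x00SetWindowsHookExA\x00GetAsyncKeyState"
    b"\x00WS2_32.dll\x00connect\x00send"
    b"\x00KERNEL32.dll\x00WriteFile\x00"
)
# The same program "repacked": one byte of padding changed, behaviour unchanged.
SAMPLE_REPACKED = SAMPLE_KEYLOGGER.replace(b"stub", b"stuc")
# A benign hotkey utility: installs a keyboard hook but never sends data out.
SAMPLE_HOTKEY_TOOL = (
    b"MZ\x90\x00...stub..."
    b"\x00USER32.dll\x00SetWindowsHookExA\x00RegisterHotKey"
    b"\x00KERNEL32.dll\x00WriteFile\x00"
)

# The "file detector" model: a blocklist of exact hashes, seeded with one sample.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_KEYLOGGER).hexdigest()}

# Behaviour rule: keystroke capture combined with a way to phone home.
KEYBOARD_APIS = {b"SetWindowsHookExA", b"SetWindowsHookExW", b"GetAsyncKeyState"}
EXFIL_APIS = {b"connect", b"send", b"InternetOpenUrlA", b"HttpSendRequestA"}

def signature_detect(data):
    """File-detector: flags only a byte-for-byte known sample."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES

def imported_names(data):
    """Return the set of NUL-separated names in the constructed import region."""
    return set(data.split(b"\x00"))

def behaviour_detect(data):
    """Behaviour-based: a keyboard capture API plus an exfiltration API."""
    names = imported_names(data)
    return bool(names & KEYBOARD_APIS) and bool(names & EXFIL_APIS)

def scan(data):
    """Run both detectors and report their verdicts."""
    return {"signature": signature_detect(data), "behaviour": behaviour_detect(data)}

if __name__ == "__main__":
    for label, blob in [("original keylogger", SAMPLE_KEYLOGGER),
                        ("repacked keylogger", SAMPLE_REPACKED),
                        ("hotkey utility", SAMPLE_HOTKEY_TOOL)]:
        print(label, scan(blob))
```

The repacked sample slips past the hash blocklist but not the behaviour rule, while the hotkey tool, which hooks the keyboard without any network API, is left alone by both.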

By Brian Krebs  |  March 16, 2006; 1:15 PM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips

Comments

I wonder if the new Windows Defender will be better than some at finding this malware. The first time I ran it after upgrading from the old MS product, it found one pest that had not been previously found by Ad-Aware, Spybot, Pest Patrol, and the MS beta product it replaced.

Posted by: Bartolo | March 16, 2006 1:55 PM

Maybe slightly off-topic, but has anyone (esp. Brian) used the "SnoopFree" program? Is it any good? I'd love to have some additional anti-keylogger functionality on my machines.

Posted by: S. H. | March 16, 2006 4:01 PM

I wonder if there is any reluctance on the part of anti-viral vendors to catch keyloggers since the police/FBI etc. might be using them in the course of an investigation?

Posted by: a.z. | March 16, 2006 4:12 PM

Install a two-way software firewall, like Zonealarm, to keep the keylogger from dialing out without your explicit permission. The one-way firewall offered by Windows XP only blocks incoming traffic, not outgoing.

If you have a software firewall, re-check the list of allowed programs carefully. Perhaps you've given permission, carelessly or accidentally, to a keylogger.

To prevent any contact with known distributors of keyloggers, use a customized HOSTS file and keep it up to date.
http://www.mvps.org/winhelp2002/hosts.htm

Posted by: Ken L | March 16, 2006 4:14 PM

This program uses a special protected Virtual Keyboard, which neither software nor hardware keyloggers can cope with. The program also blocks ALL software keyloggers and has an anti-screenshotting function.

See http://www.anti-keylogger.com

Posted by: Tony | March 16, 2006 4:57 PM

Security is an ongoing process. Installing security software (anti-virus, firewalls, IDS, anti-spyware) gives a false sense of security. Most of the time, this software degrades performance, is buggy, and is unable to handle new threats fast enough.

It's much better to learn a little about the OS you're running. Keep up to date on patches, and learn to use one of these free programs to monitor what runs when you start your system:

http://www.snapfiles.com/Freeware/system/fwstartup.html

I especially recommend Autoruns or Starter (or both!). Be careful about phishing scams and about the software you download and install (make sure that some trusted source has certified it to be spyware-free), and you should be clear of most security threats on the net.

Posted by: tabdelgawad | March 16, 2006 5:02 PM

I was about to purchase SpyCop, when I noticed out of the corner of my eye that siteadvisor (mentioned earlier on this blog) had gone yellow and was warning me about this site. According to siteadvisor, the regnow site that SpyCop redirects you to (http://www.siteadvisor.com/sites/regnow.com?safe) had a tendency to download adware or other unwanted programs.

Posted by: BZ | March 16, 2006 5:24 PM

Brian. You made no recommendations. The posters have. Any suggestions on which to follow?

Posted by: Helene | March 16, 2006 5:32 PM

BZ -- I'm not sure what you mean. SiteAdvisor says the Spycop site is hunky-dory green. Weird.

Posted by: Bk | March 16, 2006 5:39 PM

BZ -- I see what you mean now. When you go to the purchase page, SiteAdvisor turns yellow. It appears that flag was raised due to a single report from a SiteAdvisor beta user who had problems purchasing a copy of a DVD-ripping program that someone purchased through RegNow, which is what SpyCop and a bunch of other software makers use as their order site.

Posted by: Bk | March 16, 2006 5:46 PM

Helene,

I've not tried either of those programs yet, but I plan to do so soon. While they're not perfect, most anti-virus programs will detect the bulk of keyloggers, though they may not call them keyloggers per se. For instance, the Winlrda keylogger I mention earlier is detected by Sunbelt's anti-spyware program as Srv.SSA-KeyLogger, but some anti-virus programs flag it as a variant of the Dumaru worm.

Posted by: Bk | March 16, 2006 5:50 PM

Bk,

I thought it might be something like that, so I contacted SpyCop and asked them about it. Rather than give me the kind of information that you gave, SpyCop responded with a sarcastic and dismissive reply, so I decided to look elsewhere.

Posted by: BZ | March 17, 2006 8:58 AM

Brian,

These articles which you have recently placed here on Security Fix and in the Post are excellent, and so timely and revealing for All Computer Users! You have done a "superb job"!!! Thanks a TON!!

I refer to the WWW as the Wild Wild Web and just like in the USA's old west those folks who were unprepared ..., well they often got ... killed. Although the odds are a little better on "the web" or internet, the unprepared or lazy or just unlucky can get hurt badly.

Your series of articles puts real names of "real people" to these issues rather than just cold facts which few want to believe.

I stumbled over this website for your blog in December of last year as I followed the "WMF vulnerability"; and now your site is one of my "First Reads" of every day.

Please keep this up and THANKS A TON for all your hard and timely work.

Nathan in Maryland
Just another Security Guy

Posted by: Nathan | March 17, 2006 11:17 AM

Anti-virus, anti-spyware, anti-trojan, anti-rootkit. All smoke and mirrors. Symantec reported 10,000+ new viruses the first half of 2005. Nothing signature based is going to keep up and it gives people a false sense of security.

Run as a non-privileged user. Yeah, the computer can still get infected but not with a rootkit and it will be a lot harder to hide. (Same goes for Linux and MacOS in that regard).

Behavior based software is better than signature based. The AV companies say they do that with heuristics but I haven't seen any evidence of it working. The Windows Defender product seems a step in the right direction - prevent undetected writes to registry startup keys (not accessible to regular user account anyway!!!), prevent undetected browser helper object installs.

Regardless of what you do, the user of a general purpose, programmable computer will always be able to compromise themselves but in this day and age, they need to be able to work at it. :)

Posted by: gary | March 17, 2006 11:19 AM

I went to the "virtual keyboard" site but every link went nowhere even with ctrl held down. I immediately assumed it was a scam to install malware on my machine. It appears not.
We are in the security business and are looking at virtual keyboards, but I wonder if they actually are keystroke-logger secure. Is it just a matter of time before event loggers beat it and capture the virtual keystroke messages?
One solution is a cut-and-paste password login manager, though admittedly at some point a password must be entered by keystroke, hence our interest in virtual keyboards. Has anyone actually used them successfully? Also we are concerned about screen capture tools; if the keys in a virtual keyboard "show" a click when they are entered, then they are useless in this event.

Posted by: Todd Follansbee | March 17, 2006 12:13 PM

Thanks for sharing the info on keyloggers. I just now downloaded the SnoopFree program. When the computer rebooted, there were 3 attempts to start keyloggers and two of them were very severe. I have ClamWin, McAfee suite, ZoneAlarm and SpywareBlaster. The SnoopFree software picked it up first thing. I had no idea that my computer was infested.
I don't keep any bank accounts or personal information on my computer, so I was quite surprised. Thanks for the info.
Thanks again. You may have saved my life.

Posted by: Clifton | March 17, 2006 2:45 PM

A keylogger isn't just a keylogger. There are Rootkit based keyloggers that Snoopfree is oblivious to. A rootkit keylogger is one that is actually a fake Windows device driver.

Posted by: Dominique | March 17, 2006 3:11 PM

Would a keylogger run as a program that pops up in the toolbar for a second and then goes away, and then comes back every 10-15 minutes or so? I have something like that on my XP machine, and even if I sit, wait, and click on it when it pops up, nothing appears to be running. It does this whether I am online or not (I live in a place where there is only dial-up. Backwoods to be sure, but my blood pressure is low). It'll come up while I'm running a game even and either crash it or pause it, which is pretty annoying.

It could just be one of the zillions of extensions that HP has running or it could be my expired Symantec subscription trying to get me to sign up. Or it could be worse.

Has anyone else had this come up? I am running Norton Internet Security, firewall and antivirus (expired in Feb.). Also, SpyBot and AdAware. If anyone can recommend a great free anti-virus program, I'm all ears. Lots of people like AVG, but I had real trouble with it hanging up my machine, especially with e-mail.

Posted by: Mike | March 17, 2006 3:41 PM

You know... after reading all this and the Wash post article... I knew there was a reason I've never entered Credit card #s or my SS into any machine I've owned.

But what I read is still spooky. We really don't have enough money to start with that anyone could get... hard to get blood out of a turnip. But on principle it irritates me to no end.

I run Norton's Firewall and Anti-V/Spywr as well as Ad-Aware. Symantec's updates automatically and I manually do Ad-Aware every time I run it.

I use Netscape for the browser but have to set it to use the IE engine for some sites (business sites... for job applications etc.). Does this also mean that now the Netscape browser is also subject to IE pitfalls on security?

Given the FW and antis that I use, is there also any tool/utility out there that will let me see the packet info in real time? I have satellite internet so had to set this up as a network... kinda... even though it's really a standalone. I confess I do not know much about networks.

I am also (or at least was) the "administrator" but now it seems to tell me I don't have access to some things... Sometimes I think I'm too old school... to me this machine should NEVER do anything without MY permission... but XP made that a little difficult. I just love it when the drive gets busy doing something and I have not told it anything! I keep saying it's the "goback" or the other backup stuff XP has... or it's autoupdating.... but seems to me it needs to tell me it's doing so. Drives me wild.

But anyway... great set of responses and a great article to start with.

Posted by: Dave | March 17, 2006 6:25 PM

Update: SpyCop contacted me and apologised about being dismissive of my concerns regarding the siteadvisor warning about the regnow site. My previous negative experience with them was probably an aberration.

Posted by: BZ | March 17, 2006 9:05 PM

To find out if these .exe files exist on my computer, I usually search for them using the search tool. Does this work, or does the .exe file disappear after it installs itself?

Posted by: Louann Oravec | March 18, 2006 10:46 AM

Downloaded Snoop Free and it detected a keylogger in my Logitech keyboard program. My Zone Alarm Firewall had previously detected it and prevented it from broadcasting.
Wondering why Logitech would have this in their program.

Posted by: Bucky | March 18, 2006 6:59 PM

Snoopfree will show you all keyboard hooks on your system...some of which are benign and are used for hotkeys, like with the logitech example above. Run the spycop program alongside snoopfree and if both alert on the same file, bad news.

Posted by: Howard | March 19, 2006 5:54 PM

I can't get Internet Explorer Yahoo e-mail.

Posted by: phillip cooper | July 20, 2006 11:47 PM

© 2010 The Washington Post Company