Anti-Spyware Software and the Keylogger Conundrum
Today we posted a story about the threat from keystroke logging programs and the increasingly sophisticated methods criminals are using to sort through the mountains of stolen password and financial information these eavesdropping devices are phoning home.
I contacted dozens of people around the country whose data turned up in some of these vast stores of keylogged data. Many of the victims I attempted to reach had computers that had been seeded with a keystroke logging program or "keylogger" known as Winlrda.exe, a nasty piece of malware written by "Smash & SARS," the deceptive duo behind the RatSystems.org Web site.
As usual, very few people returned my phone calls and e-mails. I can't say I blame them exactly; I'm not sure I'd call back someone claiming to be a reporter whose voice mail message said hackers had just made off with my most cherished financial and personal data. I did manage to reach maybe a half-dozen keylogger victims directly, and each of them by the end of the conversation said they were thankful for the call.
In the course of interviewing the victims, a couple of things became clear. First, many regular computer users do not understand the difference between an anti-spyware program and anti-virus software. Second, on some levels it doesn't really matter whether they grasp the distinction or not -- anti-spyware programs currently don't do a terribly good job at detecting the presence of keystroke logging programs.
One woman I spoke with from Alabama whose information was transmitted by a keylogger to the attackers' Web site said she was surprised by the news because she had Ad-Aware and a couple of other anti-spyware programs on her computer. I told her that anti-spyware programs were a good first step, but was she also using anti-virus? She asked me to explain the difference.
As it turned out, she wasn't using anti-virus software. But it's not hard to understand why she was confused. After all, how much more spyware-ey can you get than a piece of software designed to read your every keystroke? Why shouldn't anti-spyware software detect keyloggers?
I put calls in to Ed Skoudis and Tom Liston, both from Washington-based security consultancy Intelguardians and each an incident handler for the SANS Internet Storm Center, which monitors hacking trends. These two guys have spent the past several months testing the differences between the responses that anti-spyware programs and anti-virus programs have to malicious software, and so far they've found some rather interesting results.
"The biggest difference ... is that the whole anti-spyware thing is based on a philosophical 'line in the sand' while anti-virus is generally cut-and-dried," Liston said. "Anti-spyware vendors tend to have to come up with a set of criteria for the things that they're going to call spyware. And sometimes it gets them into trouble."
While there are special-purpose keylogger-detection programs -- such as Spycop and SnoopFree -- Liston said detecting keyloggers is not something that anti-spyware software generally does very well.
Skoudis says most anti-virus software can be thought of as file-detectors. "If you have this evil file on your system, anti-virus will stop it from being written to the hard drive or running in memory. You'd think that anti-spyware would be more than just a glorified file-detector, but what we've found is that most anti-spyware tools have very limited behavior-based detection."
Skoudis and Liston have written a suite of tools they plan to release in May that users can fiddle with to test the robustness of the security software on their PCs. Among the tools they wrote was a simple keystroke logger program, which none of the anti-spyware programs detected as malicious.
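To make the "glorified file-detector" point concrete, here is an added example (mine, not code from Skoudis, Liston or any vendor) that puts a hash-based file detector next to a rule that looks at what a program does at run time. The samples, their byte contents, the API traces and the rule set are all constructed for the illustration; the Windows API names in the traces are real, but no real malware is involved. It also shows the flip side Liston describes: a behaviour rule has to draw a line somewhere, and a benign networked game that polls the keyboard can land on the wrong side of it.

```python
"""Added illustration of file-signature versus behaviour-based keylogger detection.

Everything here is constructed for the example: the 'images' are made-up byte
strings, the API traces are hand-written, and the rule set is a minimal sketch,
not any vendor's engine.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Call = Tuple[str, Tuple[str, ...]]   # (API name, arguments as strings)


@dataclass
class Sample:
    name: str
    image: bytes                                      # on-disk file contents
    trace: List[Call] = field(default_factory=list)   # calls observed at run time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- file-detector: matches what is on disk, says nothing about behaviour ---
# Constructed "known bad" build; a real engine would hold many such hashes.
KNOWN_BAD_IMAGE = b"MZ\x90\x00" + b"constructed keylogger build 1" + b"\x00" * 16
BLOCKLIST = {sha256_hex(KNOWN_BAD_IMAGE)}


def signature_verdict(sample: Sample) -> bool:
    """True when the file's hash is on the blocklist."""
    return sha256_hex(sample.image) in BLOCKLIST


# --- behaviour-detector: a keystroke logger has to (1) capture keys that were
# not typed into its own window, (2) keep them somewhere, (3) get them off the
# machine. The rule fires only when all three stages are seen in one trace.
CAPTURE = {("SetWindowsHookEx", "WH_KEYBOARD_LL"), ("SetWindowsHookEx", "WH_KEYBOARD"),
           ("GetAsyncKeyState", None), ("GetRawInputData", None)}
PERSIST = {("WriteFile", None), ("RegSetValueEx", None)}
EXFIL = {("send", None), ("WSASend", None), ("HttpSendRequest", None)}


def _hits(call: Call, rules) -> bool:
    api, args = call
    return (api, None) in rules or (len(args) > 0 and (api, args[0]) in rules)


def behaviour_verdict(sample: Sample) -> bool:
    """True when the run-time trace shows capture AND persist AND exfil."""
    seen = {"capture": False, "persist": False, "exfil": False}
    for call in sample.trace:
        if _hits(call, CAPTURE):
            seen["capture"] = True
        if _hits(call, PERSIST):
            seen["persist"] = True
        if _hits(call, EXFIL):
            seen["exfil"] = True
    return all(seen.values())


# --- constructed corpus ------------------------------------------------------
LOGGER_TRACE: List[Call] = [
    ("SetWindowsHookEx", ("WH_KEYBOARD_LL",)),
    ("WriteFile", (r"C:\Windows\Temp\k.log",)),
    ("HttpSendRequest", ("POST /in.php",)),
]
SAMPLES = [
    Sample("logger_build1", KNOWN_BAD_IMAGE, LOGGER_TRACE),
    # Same code with one byte changed by a repack: the hash changes, the behaviour does not.
    Sample("logger_repacked", KNOWN_BAD_IMAGE[:-1] + b"\x01", LOGGER_TRACE),
    # An editor reads keys delivered to its own window by the message loop and saves a file.
    Sample("text_editor", b"MZ\x90\x00constructed editor", [
        ("GetMessage", ()), ("WriteFile", (r"C:\Users\me\notes.txt",))]),
    # A networked game polls the keyboard, writes a save file and talks to a server:
    # it trips the behaviour rule, which is the "line in the sand" problem.
    Sample("online_game", b"MZ\x90\x00constructed game", [
        ("GetAsyncKeyState", ("VK_W",)), ("WriteFile", ("save.dat",)), ("send", ("srv",))]),
]


def scan(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Map sample name -> (signature verdict, behaviour verdict)."""
    return {s.name: (signature_verdict(s), behaviour_verdict(s)) for s in samples}


if __name__ == "__main__":
    for name, (sig, beh) in scan().items():
        print(f"{name:16} signature={sig!s:5} behaviour={beh}")
```

Run as written, the repacked logger is missed by the hash check and caught by the behaviour rule, while the game is flagged by the behaviour rule alone; tightening the rule (say, requiring the hook rather than polling) removes that false positive and also lets a polling keylogger through, which is the trade-off the anti-spyware vendors are making.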
March 16, 2006; 1:15 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips