PART 2: IN THE WILD WITH REAL MALWARES
1) Protection during the boot and before the shutdown
a) keylogging protection with WinlogonHijack : P1/P2
P2 ("accès refusé"="access denied"):
b) New program running at the boot:
-keylogger: with Ardamax Keylogger. The code injection is blocked, with the run key in startup :
Then despite the hook used by the keylogger, it is unable to record keystrokes, and to restart after a reboot : P 1/P2.
-new service :with the proactive module disabled, we create an automatic service for a trusted process (stealth backdoor); then we reboot the computer and note if the product detects the new service: F1/F2:
there's no indication that a new service is running and that a backdoor is listening on 666 port, and the backdoor is not known by kav (P2), neither by other AV on Virus total.
-Eeye BootRoot: F1/F2
Only detected by Sunbelt on Virus Total:
From the Readme.txt:
" What is it ?
is a bootable CD-ROM, with full FAT32, NTFS v4 (Windows NT),
NTFS v5 (Windows 2000/XP) support. Its main purpose is to plant a
backdoor or change the Administrator pas"
NB. "These boot backdoor" failed results should be moderated: since someone has a physical access to a computer, there's no security anymore....as it is the case for Vista Kernel with VBootkit "rootkit".
c) program running before the shutdown: The AppInits_Dll access by RunatExit is detected, therefore the rootkit can't be loaded : P1/ P2.
2) Keyloggers/Message hooks protection
a) We install a keylogger with the HIPS disabled ( or in DOS mode for instance) and reboot the computer to take not of the keylogging protection.
-KGBKeylogger, installed with the stealth mode activated. After the reboot, Kav detects the dll injection attempt, and once prevented, the keylogger is not hidden anymore (seen in Task Manager, see 3rd pic) :
Therefore the keylogger is unable to record keystrokes : Only the titles of opened windows is recorded. The web activity (headers) is recorded, though :
Since keyboard strokes can't be recorded by the keylogger : P1/ P2 .
-Quick Keylogger (we install it, and reboot to see if detected) : Nothing is detected by Kav here, then the keylogger is working : F1/F2.
-ChatWatch: installed in Safe mode, and configured to run at startup in stealth mode with loging for all users: F1/F2
The gui is not seen in the systray (stealth mode) and all conversations are spyied:
-with free keylogger: F1/P2
The scan result for Kaspersky and Fortinet is a false positive
This is not Over-Spy keylogger as it is displayed by the scanner engine:
The keylogging activity is not detected and all what is typed is logged.
We only have an alert that something unusual is happening when we launch the browser (hook.dll is injected).
Example of log (webmail password was recorded for instance, and are censored in this image by the DST, the Direction of Security Testing, and not this DST :)):
b) Virtual keyboard keylogging :
-With VirKeylog: P1/P2
-With a virtual keylogger demonstration tool: F1/F2
*With the virtual keyboard tool: F1/F2
*with Windows Virtual keyboard (OSK): F1/F2
See also Part 3 for online virtual keyboard keylogging.
c) with PC Audit 6.3 (leaktest): P1/P2
d) with Sreencap : F1/F2
Here's the screenshot captured by screencap:
e) with Sklog: P1/P2
Here's the changes done by Sklog:
f) Martin's the best keylogger: F1/F2
We can run the file and spy the keyboard and the mouse without any kind of alert (F1), and the file is not known from KAV malwares database (F2).
NB. Only a very few HIPS are able to detect the message hooks like OnlineArmor, one of the most effective HIPS against spy softwares.
g) with ZKeylog: P1/P2
The log is empty (we can't spy):
h) with PCFlank new Leaktest: P1/P2