Published by SSTA

C) Stealth keyloggers:

Here only detection is concerned: these commercial programs must first be installed with administrator privileges.

Some keyloggers hide their own folders (they do not appear in the Program Files folder).

The results are scored as follows:

F1: fail for the Proactive module (PDM): no "hidden object" alert for the hidden object (mostly a process);

F2: fail for the scan and the resident antivirus: nothing is reported at all;

P2: pass for the scan or the resident antivirus: it detects "something suspicious" (a module, a driver, etc.) and warns the user.

Detection of the "keylogger behaviour" itself is covered in kavtest2.

PDM: proactive module.

1) Overspy: F1/P2

Detection with IceSword, McAfee Rootkit Detective:

Kav does not detect the hidden process (F1), but because this commercial keylogger is in its riskware database, the file antivirus reports the event (P2).

2) Beyond Keylogger: F1/F2

Kav does not detect the stealth keylogger at all (neither the PDM nor the AV scan and resident).

For comparison, here is the detection with IceSword, DarkSpy, GMER, McAfee Rootkit Detective and UnHackMe:

As usual, UnHackMe plays its usual guessing game (AFX2005 or FU rootkit?): we strongly suggest that Dimitry and Greatis take a look at this rootkit test and seriously update their keylogger database (the Elite entry is out of date now).

3) Family keylogger: F1/F2

Detection with IceSword:

4) Advanced Invisible Keylogger: F1/P2

Here Kav does not detect the hidden process (F1).

5) AceSpy: F1/P2

Kav is one of the few antivirus products that has this keylogger in its database (P2).

Detection with IceSword and Gmer:

6) PC Inspector: F1/P2

Detection with McAfee Rootkit Detective:

7) ActualSpy: F1/P2

Detection (hidden process) with IceSword, RKU and SecurityTaskManager:

The (fast) scan of critical objects gives no indication of infection: the stealth keylogger's objects are seen but are reported neither as hidden nor as malicious (even though Kav has a pattern file for this keylogger):

8) Powered Keylogger: F1/P2

This is one of the most interesting examples of a stealth keylogger.

Detection of hidden objects with some detectors:


But RKU, like some other task detectors, does not display the driver as hidden (it is visible "from Windows API"):

9) Wiretap Pro: F1/P2

Like most stealth keyloggers, the hiding method here is basic and the process is even detected by Process Explorer (but not by Task Manager clones!):

Like some other rootkits (MsSync) or stealth keyloggers, the hidden process borrows the naming of system processes (here svchost.exe/scvhost.exe, a name tied to many system services and familiar to most users, so a lookalike rarely raises suspicion).
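The two checks at work in this entry (and again for Local Keylogger and Mini Keylogger below) are a cross-view diff, in which a process list taken through the Windows API is compared against a lower-level enumeration and anything present only in the low-level view is reported as hidden, and a name check for images that imitate system processes or carry a system name but run from outside System32. The following is an added example, not code from the original post or from any of the detectors named here; the process lists, names and paths are constructed, and the list of system image names and the System32 path are assumptions chosen for the illustration.

```python
"""Cross-view hidden-process detection plus lookalike-name checks.

Added example (not from the original post). Models what the rootkit detectors
in this test do: compare the Windows API (Task Manager) process view with a
lower-level enumeration, report processes that appear only in the low-level
view, and flag image names that imitate system processes (scvhost.exe vs
svchost.exe) or system names running from outside System32.
All process data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: a small set of System32-resident image names that masquerading
# processes typically imitate.
SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "smss.exe", "spoolsv.exe"}
SYSTEM_DIR = r"c:\windows\system32"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str   # image file name, e.g. "svchost.exe"
    path: str    # full path of the image on disk


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps.

    A transposition counts as one edit, so "scvhost.exe" is 1 away from
    "svchost.exe" instead of 2 under plain Levenshtein.
    """
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(image: str) -> Optional[str]:
    """Return the system image name that `image` imitates, or None.

    An exact system name is not a lookalike; it is checked by path instead.
    """
    name = image.lower()
    if name in SYSTEM_IMAGES:
        return None
    for legit in SYSTEM_IMAGES:
        if osa_distance(name, legit) <= 1:
            return legit
    return None


def hidden_processes(api_view: Iterable[Proc], low_level_view: Iterable[Proc]) -> List[Proc]:
    """Cross-view diff: processes in the low-level enumeration that the API view lacks."""
    visible = {p.pid for p in api_view}
    return [p for p in low_level_view if p.pid not in visible]


def assess(api_view: List[Proc], low_level_view: List[Proc]) -> List[str]:
    """One finding line per suspicious process, in low-level enumeration order."""
    findings = []
    hidden = {p.pid for p in hidden_processes(api_view, low_level_view)}
    for p in low_level_view:
        reasons = []
        if p.pid in hidden:
            reasons.append("hidden from Windows API")
        legit = lookalike_of(p.image)
        if legit:
            reasons.append(f"name imitates {legit}")
        if p.image.lower() in SYSTEM_IMAGES and not p.path.lower().startswith(SYSTEM_DIR):
            reasons.append("system name outside System32")
        if reasons:
            findings.append(f"pid {p.pid} {p.image} ({p.path}): " + "; ".join(reasons))
    return findings


# Constructed sample: what the Windows API (Task Manager) reports ...
API_VIEW = [
    Proc(620, "csrss.exe", r"c:\windows\system32\csrss.exe"),
    Proc(980, "svchost.exe", r"c:\windows\system32\svchost.exe"),
    Proc(1532, "explorer.exe", r"c:\windows\explorer.exe"),
]
# ... and what a lower-level walk returns: two processes the API view omits.
LOW_LEVEL_VIEW = API_VIEW + [
    Proc(1844, "scvhost.exe", r"c:\program files\wiretap\scvhost.exe"),  # masquerading and hidden
    Proc(2008, "klg.exe", r"c:\windows\klg.exe"),                        # hidden, ordinary name
]

if __name__ == "__main__":
    for line in assess(API_VIEW, LOW_LEVEL_VIEW):
        print(line)
```

The diff reports both hidden processes, and only the svchost.exe lookalike also gets a name finding; klg.exe is caught purely by the cross-view step, which is why a tool that relies on names alone, or that reads the same API the keylogger hooks, sees nothing.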

Detection by RKU, SysCheck, IceSword and McAfee RKDetective:

In this case again the Kaspersky proactive module does not detect the hidden object (F1), and a fast scan (critical areas) cannot be considered very reliable:

The hidden process is neither displayed as hidden nor detected as malicious:

Some modules are detected as OverSpy Monitor/Keylogger:

And other ones as Wiretap:

10) Elite Keylogger: F1/P2

11) Metakodix Keylogger: F1/F2

Detection with McAfee Rootkit Detective, DarkSpy, RKU, Panda, HeliosLite and System Repair Engineer:

Even with a quick scan of critical objects, Kav does not detect that a stealth keylogger is running:

An example of log:

12) Local Keylogger Pro: F1/F2

This keylogger is not known to Kav:

Local Keylogger hides from the Task Manager but not from task tools:

klg.exe is not displayed as hidden by the rootkit detectors:

If we run Security Task Manager, there is an indication that the process is hidden:

13) Mini keylogger: F1/F2

In this case again, most detectors do not display the process as hidden (it is hidden from the Task Manager).

Some scanner detectors like McAfee Rootkit Detective and F-Secure BlackLight, and even Process Monitor (but not Process Explorer), detect the hidden objects:

For Kaspersky, all is OK:

Startup registry scan:

Critical areas scan (running applications, Windows folder, etc.): all is OK:


Published in KASPERSKY 6 TEST


Target Stores Online 15/01/2010 20:28

Thank you for this great blog information! I'm finding this whole blogging world a great resource for any topic, and really inspirational.

Target Stores Online