STEALTH KEYLOGGERS TEST

Publié le par SSTA



C) Stealth keyloggers:


Here only the detection is concerned : these commercial programs needs to be installed first with administrator privileges.

Some keyloggers hide their own folders (not seen in Program Files folder).







The result are often:

F1: fail result for the Proactive module: no "hidden object" alert of the hidden object (process mostly);

P2: The scan or the antivirus resident has detected "something suspicious" (a module, a driver etc) that warns the user.

Detection of the "keylogger behaviour": see kavtest2.

PDM: proactive module.


1) Overspy: F1/P2



Detection with IceSword, McAfee Rootkit Detective:













Kav does not detect the hidden process (F1), but as this commercial keylogger is integrated in its riskware database, the file antivirus reports the event (P2).


2) Beyond Keylogger: F1/F2

Kav does not detect the stealth keylogger (PDM or AV scan and resident).

For comparison, here's the detection with IceSword, Darkspy, Gmer, McAfee Rootkit Detective and Unhackme:













As usual Unhackme likes to play its stupid game (AFX2005 or FU rootkit?): we highly suggest to Dimitry and Greatis to take a look at this rootkit test and to update seriously their keylogger database (Elite is out of date now).


3) Family keylogger: F1/F2


Detection with IceSword:




4) Advanced Invisible keylogger: F1/P2:

Here Kav does not detect the hidden process (F1).








5) AceSpy: F1/P2





Kav is one the rare antivirus which integrates this keylogger on its database (P2).

Detection with IceSword and Gmer:








6) PC Inspector: F1/P2:



Detection with McAfee Rootkit Detective:






7) ActualSpy: F1/P2:



Detection (hidden process) with IceSword, RKU and SecurityTaskManager:









The scan of critical objects (fast) gives no result of infection: the stealth keylogger's objects are seen but not reported as hidden and malicious (even if Kav has a pattern file for this keylogger):




8) Powered Keylogger: F1/P2

This is one of the most interesting example of stealth keyloggers.



Detection of hidden objects with some detectors:

















R.Revealer:









But RKU like some other Task detectors does not display the driver as hidden ("from Windows API"):





 9) Wiretap Pro: F1/P2:



Like most stealth keyloggers, the hidden method is here basic and the process is even detected by Process Explorer (but not by Task Manager clones!):



Like some other rootkits (MsSync) or stealth keyloggers, the hidden process takes advantage of terminology of system's processes (here svchost.exe/scvhost.exe related to many system services and familiar for most users).

Detection by RKU, SysCheck, IceSword and McAfee RKDetective:












In this case again Kaspersky proactive module does not detect the hidden object (F1), and a fast scan (critical sector) can't be considered as very reliable:

The hidden process is not displayed as hidden, neither detected as malicious:



Some module are detected as OverSpy Monitor/Keylogger:



And other ones as Wiretap:





10) Elite Keylogger: F1/P2











11) Metakodix Keylogger: F1/F2





Detection with McAfee Rootkit Detective, DarkSpy, RKU, Panda, HeliosLite and System Repair Engineer:






















Even with a quick scan of critical object, Kav does not detect that a stealth keylogger is running:




An example of log:





12) Local Keylogger Pro: F1/F2


This keylogguer os not known from Kav:


Local keylogger hides from the Task Manager but not from task tools:




klg.exe is not displayed as hidden by rootkit detectors:




If we run Security Task Manager, there's an indication that the process is hidden:








13) Mini keylogger: F1/F2





In this case again most detectors does not display the process as hidden (it is hidden from the task manager).



Some scanner detectors like McAfee Rootkit detective and F-Secure BlackLight  and even Process Monitor (bu not Process Explorer) detect the hidden objects:






For Kaspersky, all is OK:

Startup registry scan:




Critical sectors scan (running appalications, Windows folder etc): all is OK:









                                  

Publié dans KASPERSKY 6 TEST

Commenter cet article

Target Stores Online 15/01/2010 20:28


Thank you for this great blog information!I'm finding this whole blogging world a great resource for any topic, and really inspirational.
____________________

Target Stores Online