Re: Keystroke logger detection
Well, to check whether your system is running a phantom keylogger, first check
for the running processes..

Obviously the keystroke logger programs won't come up in the Add/Remove Programs
section because they're not part of the Windows installation; they're just running as a
process or a Windows service (be it user-privileged or Local System
privileged)... If you find the keylogger's process, just
terminating the process won't remove the keylogger from your system...
Obviously the keylogger is hooked into some Windows startup method, either
through the system registry or through the user's Startup folder...

Note: if the keylogger is running with Local System rights (in a Win NT
environment) then you may not be able to terminate its task, because Windows NT
doesn't allow users, even those with administrative rights, to control some processes
running under Local System privileges... In that case you need to use some
third-party tools, or code programs calling APIs from PSAPI.dll.

If you manage to terminate the keylogger process, then check the common startup
methods to remove the startup entries for the keylogger..
Common startup methods in the Windows registry:

HKEY_CLASSES_ROOT\exefile\shell\open\command
"Default" = "%1"%*

A malicious code can hook this key and modify it to "Default" = "%s""%1"%*
where [%s] is the full path of the malware's location on the local system..
This hooking results in execution of %s whenever any .exe file is executed on
the local system..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\*Key Created by Malware*
StubPath = "%s" [%s is the full path of the malware]
regards,
Abhisek Datta
abhisek@gamebox.net
http://www.abhisekdatta.tk

----- Original Message -----
From: "steve baker" <stephenbbaker@hotmail.com>
To: <focus-virus@securityfocus.com>
Sent: Friday, March 21, 2003 10:56 AM
Subject: Keystroke logger detection
> My client has recently requested that we verify the security on each of our
> machines - especially concerning 'phantom keylogger software'.
> and
> do not show up in the 'add/remove programs' of windows 2000/xp.
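The startup locations listed in the reply can be audited read-only from an elevated PowerShell session. This is an added example, not code from the original post; the clean `"%1" %*` default for the .exe handler, the HKCU Run key and the Authenticode check are my additions, and "NeedsReview" is only a triage flag, not proof of a keylogger.

```powershell
# Added example, not from the original post: read-only audit of the startup
# locations the reply lists (exefile handler, Run/RunServices, Active Setup),
# so a persisted keylogger can be spotted before its process is killed.

function Test-SignedCommand {
    param([string]$CommandLine)
    # Executable is the quoted path or the first token of the command line.
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # A missing binary is itself odd; treat it like an unsigned one.
    if ([string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe)) { return $false }
    return (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
}

function Get-StartupEntries {
    $entries = @()
    # 1. .exe handler: clean default is "%1" %*; a prepended path runs on every .exe launch.
    $exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $exeKey).'(default)'
    $entries += [pscustomobject]@{ Location = $exeKey; Name = '(default)'
                                   Command = $cmd; NeedsReview = ($cmd -ne '"%1" %*') }
    # 2. Run / RunServices keys (RunServices exists only on older Windows).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name
                                           Command = $p.Value; NeedsReview = -not (Test-SignedCommand $p.Value) }
        }
    }
    # 3. Active Setup: each component subkey may carry a StubPath run once per user at logon.
    $asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    foreach ($sub in (Get-ChildItem -Path $asKey -ErrorAction SilentlyContinue)) {
        $stub = (Get-ItemProperty -LiteralPath $sub.PSPath).StubPath
        if ($stub) {
            $entries += [pscustomobject]@{ Location = 'Active Setup'; Name = $sub.PSChildName
                                           Command = $stub; NeedsReview = -not (Test-SignedCommand $stub) }
        }
    }
    return $entries
}

# Anything flagged NeedsReview deserves a look: hijacked handler, unsigned or missing binary.
Get-StartupEntries | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap
```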
Received on Mon Mar 24 10:18:03 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:38 EDT