#1  Lounge VIP, Scotland

    A cautionary tale - one tool is not enough!

Last night I decided to test Microsoft Security Essentials v4 Beta against a "safe" threat. The results led me to run tests on other products and, finally, to this post.

    Let me start by adding a caveat to this report: I am not a security industry expert. I do not have the tools or time available to thoroughly test. I do have many years of field experience across a range of platforms & systems and although (among other services) I resell various Antimalware tools, this report is neither intended to endorse any one tool nor to compare the absolute performance of one against another.

    I should also say that I have checked with the mod team here before posting the results.

    Summary

    OK, now I have your attention, what got me so bothered?

To my surprise the majority of tools recommended by posters in this forum (including myself) failed to detect the threat. Those few that did detect it failed to fully contain all of its features in the first pass.

    Test Details:

    The host machine was a fully patched Vista 32bit SP2 running under VirtualBox (I do not advise trying this type of test unless you can safely hose your system - a virtual platform is a good start). The OS had a pre-existing MSE v2 (production release) installed.

    The attacking tool was the All-in-One Keylogger from Relytec. The keylogger is a commercial tool offered for business and residential customers. In residential uses it is most often used for parental control, child protection and "marriage breakup" scenarios. I installed the 7-day trial version.

The tool appears to obfuscate itself in a randomly named executable in a hidden directory and registers a randomly named service that links to a dll located in the System32 directory. The tool comes with ample help, good vendor support, plus an easy to use uninstaller. It's not malware pushed by criminals.

    Upon downloading, I installed it using the least stealthy settings so as to leave entries in the start menu and on the desktop, plus a quick launch icon in the taskbar. I had intended to progress from least stealthy toward most stealthy until the tool could not be discovered.

Where possible, for each tool used, I enabled realtime file system and spyware protection, plus used scanning on maximum settings in each case. If there was any detection during real-time use or scanning, I rebooted the virtual machine to check for start-up detection.

    After each test run, I reverted the VM to its original state, removed the pre-existing MSE v2 and installed the next test candidate.

    Test Results

I'll try to summarise the results here rather than end up with a huge amount of detail in the first post. If anyone wants more detail, let me know.

    MSE v2 : No detection in real-time or in full scan

MSE v4 Beta: No detection in real-time or full scan

    MalwareBytes AntiMalware Pro Trial: No detection in real-time or in full scan

    SuperAntiSpyware Trial: No detection in full scan - real-time not available in the trial

    AVG 2012 Free: No detection in real-time or in full scan

    Avast Free v6: No detection in real-time or in full scan

    Avira Free: No detection in real-time or deepest system scan

    Windows Defender: No detection in real-time or full scan

    Spybot S&D: Detection of the Start Menu entry and Desktop Shortcut only. No detection of registry entries, nor of active keylogging, screen capture or application tracking.

    TDSS Killer: No detection during scan.

Online Armor ++ 30-day Trial: Detection of the Start Menu item. Detection of the randomly named hidden executable, but no initial detection of the keylogging. After reboot, OA++ detected the randomly named start-up service as a keylogger and offered to block. Blocking was successful for the keylogger, but the screen capturing and application tracking and logging were still active. This may have been because of the way the tool launches.

    Autoruns: Ability to disable the randomly named start up service, which prevented the tool from launching any logging - this was different from the behaviour when OA++ offered to block the start-up service. However, it should be noted that for most people, it would have been nearly impossible to locate the obfuscated service in the autorun report and there would have been no reason to run autoruns unless suspicious activity had already been noted - in other words, I knew what I was looking for by then.

    Bundled uninstaller: Removed the tool completely.


    Conclusion

    The Keylogger used is a genuine tool which serves a valid and useful purpose. It clearly states restrictions of use in its T's and C's. However, in the wrong hands, tools such as this could be used maliciously and evade detection.

    More specifically, there are classes of Malware that can evade most commonly used tools that are recommended here - by myself included.

    Most importantly, no single tool can detect all malware. If any single tool gives a positive result, it should be carefully investigated with a range of other tools - some antimalware only found the shortcuts, not the active components.

    Finally, just to re-iterate: this is not an advert for any specific tool or product, and not to compare absolute performance, but to highlight the dangers of complacency and illustrate a class of potential malware that can go undetected by many common AV tools.

The Following 4 Users Say Thank You to Tinto Tech For This Useful Post:

    Dick-Y (2011-12-05),harrodsyd (2011-12-19),I.M.O.G. (2011-12-06),ruirib (2011-12-02)
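The Autoruns step above is the part of this test that actually located the keylogger: a randomly named service, hosted from a hidden directory, pointing at a dll in System32. As an added illustration (not code from the thread or from any of the vendors mentioned), the following PowerShell script performs that same triage by hand, so a reader can see which fields a service audit relies on. It lists every installed service and flags those whose binary lives under a hidden directory, whose ServiceDll is not validly signed, or whose name looks random. The thresholds in the name heuristic are assumptions chosen for this example; the script reports and never changes anything.

```powershell
# Added example, not from the original post: manual service triage in the spirit of Autoruns.
# Run from an elevated PowerShell prompt; output is a list of services to review by hand.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$results = foreach ($svc in Get-CimInstance Win32_Service) {
    $reasons = @()

    # 1. Resolve the service's executable path (strip surrounding quotes and any arguments).
    $path = $svc.PathName
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($path)                 { $path = ($path -split '\s+')[0] }

    # 2. Hidden directory check: walk up the directory chain and look for the Hidden attribute.
    if ($path -and (Test-Path -LiteralPath $path)) {
        $dir = Split-Path -Parent $path
        while ($dir -and (Split-Path -Parent $dir)) {
            $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
            if ($item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)) {
                $reasons += "binary under hidden directory: $dir"
                break
            }
            $dir = Split-Path -Parent $dir
        }
    }

    # 3. svchost-hosted services keep their real code in Parameters\ServiceDll; check its signature.
    $dll = $null
    $params = Join-Path $svcRoot "$($svc.Name)\Parameters"
    if (Test-Path -Path $params) {
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    }
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                $reasons += "ServiceDll signature status '$($sig.Status)': $dll"
            }
        }
    }

    # 4. Name heuristic (assumed thresholds): 8+ alphanumerics containing a digit,
    #    or 8+ characters with no vowels at all, rarely occurs in human-chosen names.
    if ($svc.Name -match '^(?=.*\d)[A-Za-z0-9]{8,}$' -or $svc.Name -match '^[^aeiouAEIOU]{8,}$') {
        $reasons += 'random-looking service name'
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            Name       = $svc.Name
            Display    = $svc.DisplayName
            StartMode  = $svc.StartMode
            State      = $svc.State
            Path       = $path
            ServiceDll = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Every hit is a lead, not a verdict: on older Windows releases many Microsoft dlls are signed through catalog files rather than an embedded signature, so Get-AuthenticodeSignature can report NotSigned for legitimate components, and some vendors do ship digit-heavy service names. The value of the script is the same as the value the post found in Autoruns: it puts the hosting path, the ServiceDll and the start mode side by side, which is what makes an odd service stand out before any scanner has a signature for it.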

#2  Administrator, Portugal

    Very interesting analysis. I will state this is no big surprise for me, because the stealth techniques some of these tools use are usually not detected by most AVs.

I am a believer in and practitioner of a multilayer defense. In addition to my AV, I use an HIPS (one that you actually tested too). The HIPS, also known as an OS firewall, can detect certain types of behavior that AVs usually do not and avoid such infections. They aren't simple network firewalls and the Windows firewall does not replace them.

We started talking about this on a different thread, yesterday, so I gave it a test too. With my HIPS running, this thing wouldn't install stealthily. Even after disabling two of the HIPS protections, I kept getting notices about software that wanted to start automatically and such. The only way to complete the install while avoiding multiple objections by my OA was to shut it down. When the install completed, and OA was restarted, OA complained about several things, from the executable to dlls. Can't be sure about the screen capture part you described, but OA gave me enough warnings about this, both during the installation and then when restarted with the keylogger running, to make me aware that a "rogue" app was in play.

    This is reassuring in a way, as my multiple layer strategy would provide info on this threat, enough to raise my attention. Regardless of the HIPS in question, I do think this shows the value of HIPS as another tool in your arsenal to fight malware. HIPS like OA, Comodo, ZoneAlarm or others (probably NIS should be included here too) provide types of protection that the Windows firewall does not and people should know that. Whether everybody should use them or not, it's their choice, but clearly they are not the same thing that you get with the regular software firewalls - even today I read someone suggesting the replacement of ZA by the Windows firewall, which I advised against, precisely for this reason - they don't provide the same types of protection.

    Thanks again for taking the time to do this and write about it.

#3  jscher2000 (Super Moderator), Silicon Valley, USA

    It would not surprise me if the makers of those antispyware products were well aware of this one and had made a decision not to ring any alarm bells. Vendors often do not classify monitoring tools as spyware if the software is designed to require users to click through a (non-deceptive) license agreement or otherwise give affirmative consent to install it. This kind of exception puts a premium on securing physical access to your computer (and of course preventing unauthorized access from the internet) so that such undetected software doesn't get installed.

#4  2 Star Lounger, Vermont

I have always been under the impression that many keyloggers would not be detected by anti-virus or spyware programs, that the good ones were far harder to detect and required specific keylogger software to detect and remove. That said, all keylogger detection software is not the same, as is anti-virus and malware software. Some are bad, some are good, some are pretty good and some are great. I am not surprised anti-virus and anti-spyware software didn't detect a keylogger.

#5  CLiNT (Super Moderator), California & Arizona

    There are legitimate keyloggers made by reputable software companies and then there are malicious ones created by criminal hackers.

Keyloggers themselves don't necessarily fall under the category of malicious software. Your employer may have one installed on your work computer right now and it would be perfectly legitimate. With the right permissions and administrative credentials, they're also perfectly uninstallable too.

The issue would be the type of malicious software installed on a system you own without your consent or knowledge. That type of malicious software is, more often than not, "bundled" into a form of trojan or rootkit with other malicious code present. This type of malicious code you could inadvertently install yourself and, by its nature, you would not typically see an installation, as it would be hidden.

    Back Orifice or SubSeven are a few that come to mind that may contain a keylogger.

#6  Lounge VIP, Scotland

    I tend to agree with all the above comments.

    The layered approach advocated by ruirib has many advantages. In particular a HIPS behavioural OS Firewall is arguably pretty much essential these days.

In line with jscher2000's comments, I did wonder while on the original line of investigation (started last night in the MSE v4 Beta thread) whether the keylogger had been white-listed by some of the AV programs that I tested. The main reason for that was the failure of Malwarebytes to identify the attack.

    However, as James S observes, not all keyloggers are built the same and not all AV software will come anywhere close to finding them.

The primary reason for posting this thread therefore was to help visitors understand that there is a class of "malware" that remains virtually undetectable by many mainstream products. When I say "malware" I do not mean this tool has criminal intent, but that keyloggers can be used to mount such an attack.

I also thought (and consulted) quite carefully about publicising the results, firstly because the tests are very limited, but more importantly because they suggest that a freely available security tool can be used to attack a target with near impunity if that target is not equipped with sufficient protection. The keylogger I used is a clean and valid tool, but that does not mean it could not be installed and used without the owner's or user's permission. In a business, this capability is often allowed under the terms and conditions of the IT security policy, but for a residential machine it is a different matter.

    Without additional layers of protection, users may feel that their systems are secure, when in fact there is a potential hole in their systems.
    Last edited by Tinto Tech; 2011-12-02 at 18:58. Reason: clarification of legitimate business use

#7  CLiNT (Super Moderator), California & Arizona

One of the biggest tip-offs to malicious software issues can be felt by a user who is well familiar with his/her system: network activity where/when there should be limited activity, slowdowns or buggy behavior that are atypical of one's normal operation. These are quite often the first discernible signs of an existing problem that AV/AM applications may report later on.

#8  RussB (5 Star Lounger), Grand Rapids, Michigan

Quote Originally Posted by CLiNT:
    One of the biggest tip-offs to malicious software issues can be felt by a user who is well familiar with his/her system: network activity where/when there should be limited activity, slowdowns or buggy behavior that are atypical of one's normal operation. These are quite often the first discernible signs of an existing problem that AV/AM applications may report later on.
    This is why the novice and/or casual user are the ones who get hit so often. They do not notice the changes and typically are naive to the threats.
    This is all great information, but how do we get the people who really need it to understand it? My guess is that most of the members here do not have problems figuring this out but know people who do.

#9  I.M.O.G. (4 Star Lounger), Rootstown, OH

    Nice testing Tinto, interesting results!
    Matt Bidinger
    Online Community Engagement
