
Thread: Widestep keylogger detection

  1. #1
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415

    Widestep keylogger detection

    Since the (spam) thread was deleted I will repost my findings:

    I haven't tried many anti-keylogger apps but Security Task manager, TaskInfo could not pick up "Elite Keylogger" (widestep) unless unhidden. I ran a scan of windows folder with NOD32 but nothing found. However, Unhackme picked it up immediately

    I thought this might be an interesting test. Yes, it's well hidden. Unless you unhide it (windump view), it's hidden - it already picked up my login password and screenshots. However, Unhackme detected it immediately on boot (Screenshot) while hidden. However this app could not delete it (I tried all options). The only way to rid it was to uninstall it. I am sure about Unhackme's find because I rebooted immediately after uninstalling and Unhackme reported nothing this time.

    *edit - another interesting bit of info was the fact that somehow internet connection was prevented by any means (FTP, browser); something prevented CPU access so that connection was impossible. Upon uninstalling the keylogger, the connection returned to normal - **edit - this is probably unrelated as the cpu problem persists (another thread)

    Someone, at another board, also ran a test. Here are his results:

    I also tested the Elite Widestep keylogger, and boy is that a tricky one to detect. Nearly every security program I tested against it, failed to detect it! Including MSAS, Ewido, A2, Pest Patrol, Spybot, Ad-aware, BlackLight, and a few others.

    The only programs that were able to find it were Unhackme (as Lynchknot posted) and Rootkit Revealer 1.32 (I haven't downloaded the latest version of RR yet).

    I would have liked to test Spycop against it but I don't have the $50 to do so. They really should have a trial version available of Spycop. But anyway at least we have some free tools available to detect this junk.
    Last edited by lynchknot; April 8th, 2005 at 04:08 AM.

  2. #2
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    I get hackerdefender100 found but only when I click demo.

    If I click check, it says nothing found.

    So do I have a rootkit or not?

    When I click demo I get this and the next screen shows the rootkit.

  3. #3
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    Demo gives you an example of what it will look like if it found something. When it found that keylogger, it kept popping up - repeatedly.

  4. #4
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    So the pic you posted is what it found or was that the demo?

  5. #5
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    That was found as "invisible software"

  6. #6
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by lynchknot
    That was found as "invisible software"
    My understanding is that rootkits cannot be removed as they replace many key system files.

    You will need to think about who you are accepting email and files from as hackerdefender is a serious trojan that makes "the beast" look tame.

    Is that on your restore disc?

    What is UnHackMe?
    UnHackMe allows you to detect and remove a new generation of Trojan programs - invisible Trojans. They are called "rootkits".

    UnHackMe is not a usual Trojan's scanner like RegRun or HijackThis.

    It's used to detect Invisible Trojans (rootkits) only!

    A rootkit is a collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer using a user action or by exploiting a known vulnerability or cracking a password. The rootkit installs a backdoor giving the hacker full control of the computer. It hides its files, registry keys, process names, and network connections from your eyes.

    Your antivirus could not detect such programs because they use compression and encryption of their files. The sample software is Hacker Defender rootkit.

    get it here,
    http://greatis.com/unhackme/

  7. #7
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    Right, but this is also detecting this keylogger as, I guess, it appears to have some resemblance to rootkit characteristics in the way it's hidden or perhaps even its method(?)
    Last edited by lynchknot; April 8th, 2005 at 08:13 AM.

  8. #8
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by lynchknot
    Right, but this is also detecting this keylogger as, I guess, it appears to have some resemblance to rootkit characteristics in the way it's hidden or perhaps even its method(?)
    I would be trying to find out who is hacking your computer and who you allowed or trusted to download and accept the file.

    Something you must be alerted to is the fact that many trojans now include reverse connection to bypass your hardware routers and firewall.

    The trojan program finds a way out of your computer without alerting you and contacts a specific ip that is pre-determined. Many hackers use no-ip for this as they can mask and re-direct the ping to any computer anywhere on the net.

    You could try to determine where the keylogger is sending the info to. Find out who is connecting to your computer and do ip traces.

    If you can get more info about the trojan program you may be able to disassemble the server dll or exe and you may be able to get the ip it is sending your desktop images to.

    If it is no-ip then they may not release that info to you, however they will investigate and if they determine it is used for trojans they will close the account and the program will send your info to a url that no longer exists and one that can no longer be used by the person who is surveilling you.
    Last edited by egghead; April 8th, 2005 at 08:23 AM.
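The "find out who is connecting to your computer" step above can be started without any special tool: on Windows, `netstat -ano` lists every connection with its owning PID. The script below is an added example for this thread, not code from UnHackMe, RootkitRevealer or any other program named here. It parses a constructed `netstat -ano` sample (the addresses are documentation ranges, not real peers) and reports, per PID, the established TCP connections whose remote end is outside the local networks, which is the short list a defender then explains process by process (mapping PID to process name with `tasklist` is assumed to happen separately).

```python
"""Triage of 'netstat -ano' output: which PIDs hold connections to
addresses outside the local network?

Added example; not code from any tool discussed in the thread.
SAMPLE_NETSTAT is constructed and uses documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass

# Ranges treated as "inside the house". Anything else is an external
# peer worth an explanation. Hand-listed on purpose: ipaddress's
# is_private also flags the documentation ranges used in the sample.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]

# Constructed sample in the layout 'netstat -ano' prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1840
  TCP    192.168.1.10:49700     203.0.113.25:21        ESTABLISHED     2200
  TCP    192.168.1.10:49701     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.10:49702     198.51.100.7:443       ESTABLISHED     2200
  TCP    [::1]:49703            [::1]:3389             ESTABLISHED     3100
  UDP    0.0.0.0:5355           *:*                                    1412
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str      # empty for UDP rows, which netstat prints without a state
    pid: int


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """'203.0.113.25:21' -> ('203.0.113.25', 21); also handles '[::1]:3389' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> list[Conn]:
    """Turn the netstat table into Conn records, skipping banner and header."""
    conns = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        if proto == "TCP" and len(fields) == 5:
            state, pid = fields[3], int(fields[4])
        elif proto == "UDP" and len(fields) == 4:
            state, pid = "", int(fields[3])
        else:
            raise ValueError(f"unexpected netstat row: {raw!r}")
        remote_ip, remote_port = split_endpoint(foreign)
        conns.append(Conn(proto, local, remote_ip, remote_port, state, pid))
    return conns


def is_local_address(ip: str) -> bool:
    """True for wildcard/unspecified addresses and for the LOCAL_NETWORKS ranges."""
    if ip in ("*", "0.0.0.0", "::"):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def external_by_pid(conns: list[Conn]) -> dict[int, list[str]]:
    """PID -> sorted 'ip:port' peers, for ESTABLISHED TCP connections leaving the local networks."""
    peers: dict[int, set[str]] = {}
    for c in conns:
        if c.state != "ESTABLISHED" or is_local_address(c.remote_ip):
            continue
        peers.setdefault(c.pid, set()).add(f"{c.remote_ip}:{c.remote_port}")
    return {pid: sorted(p) for pid, p in sorted(peers.items())}


if __name__ == "__main__":
    for pid, remote in external_by_pid(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: {', '.join(remote)}")
```

On the sample only PID 2200 survives the filter (two external peers, one of them on port 21, which matches the FTP-upload behaviour commercial keyloggers advertise); the loopback and LAN connections and the listening sockets are dropped as noise. A process that cannot be found in `tasklist` at all while it owns such a connection is the hiding the thread is talking about.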

  9. #9
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    Egghead. This is a well known and widely used commercial keylogger that people purposely install on their computers to spy on their spouse, employees, kids, etc. I installed it myself to test my security apps. http://www.widestep.com/ It is practically undetectable - but I found something that discovered it.
    Last edited by lynchknot; April 8th, 2005 at 08:50 AM.

  10. #10
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by lynchknot
    Egghead. This is a well known and widely used commercial keylogger that people purposely install on their computers to spy on their spouse or employees. I installed it myself to test my security apps. http://www.widestep.com/

    OK. I didn't read where you said that it detected it as widestep.

    I thought it found the rootkit hackerdefender on your computer and that someone slipped it into your backdoor.....

    :runs:

  11. #11
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    It did not detect it as widestep. It only detected something that appeared to be a rootkit.

  12. #12
    Precision Processor Super Moderator egghead
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,506
    Quote Originally Posted by lynchknot
    It did not detect it as widestep. It only detected something that appeared to be a rootkit.
    So what do you think of the program?

    Microsoft is working on a similar program yet they report that repairing rootkit infections is extremely difficult and that it is best to format.

  13. #13
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    I think it's great that it picked up the keylogger because, it appears, not much will.
    More important than detecting for rootkits though, would be preventing them.

  14. #14
    Triple Platinum Member Curio
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    The microsoft thing is not really that great - something like creating a list of directory entries inside windows, then you boot to a bootable cdrom and do the same and compare - so hidden files will show up as differences. I am sure it works but it isn't something you will want to be doing very often - ProcessGuard is your best defence.

    Sorry your PM doesn't point to anything Lynch thread must have been deleted. I would be dubious about installing any application that was based on a rootkit - you see the whole thing about rootkits is you don't know what they are hiding or what they are doing. There is only one thing to do if you have a rootkit on your system and that is wipe and reload it. Even if you installed it yourself how do you know it doesn't send your passwords off to a database somewhere - I said it before and I will say it again rootkits are naughty.
    I'm using Windows 7 - you got a problem with that?
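Both the UnHackMe description quoted in post #6 (a rootkit "hides its files, registry keys, process names, and network connections") and Curio's sketch of the Microsoft approach above come down to the same detection idea: take one listing of the volume from inside the running system, a view a rootkit can filter, take a second listing from trusted boot media, a view it cannot touch, and diff the two. The script below is an added example showing that cross-view comparison; it is not the code of UnHackMe, RootkitRevealer or Microsoft's tool. The snapshot format (`path|size|sha256`), the sample paths, the file `example_hidden.sys` and the digest strings are all constructed for the example.

```python
"""Cross-view comparison of two file-system snapshots of the same volume.

Added example; not the code of any tool named in the thread. The two
snapshots below are constructed: ONLINE_VIEW is what the running OS
reported, OFFLINE_VIEW is the same volume listed after booting from
trusted media. Digest strings are placeholders, not real SHA-256 values.
"""
from dataclasses import dataclass

ONLINE_VIEW = r"""
# path|size|sha256   (constructed sample; digests are placeholders)
C:\Windows\System32\kernel32.dll|987136|1111aaaa
C:\Windows\System32\drivers\etc\hosts|824|2222bbbb
C:\Windows\Temp\tmp1234.tmp|12|3333cccc
C:\Users\test\Desktop\notes.txt|40|4444dddd
"""

OFFLINE_VIEW = r"""
# same volume, listed from trusted boot media (constructed sample)
C:\Windows\System32\kernel32.dll|987136|1111aaaa
C:\Windows\System32\drivers\etc\hosts|824|5555eeee
C:\Windows\System32\drivers\example_hidden.sys|5120|6666ffff
C:\Users\test\Desktop\notes.txt|40|4444dddd
C:\Windows\Temp\tmp9999.tmp|12|7777aaaa
"""


@dataclass(frozen=True)
class Entry:
    path: str     # normalised: backslashes, lower-case (NTFS paths are case-insensitive)
    size: int
    digest: str   # hex digest of the content


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def parse_snapshot(text: str) -> dict[str, Entry]:
    """Parse 'path|size|sha256' lines into a dict keyed by normalised path."""
    entries: dict[str, Entry] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"snapshot line {lineno}: expected path|size|sha256")
        path, size, digest = parts
        key = norm(path)
        entries[key] = Entry(key, int(size), digest.strip().lower())
    return entries


def cross_view_diff(online: dict[str, Entry], offline: dict[str, Entry],
                    ignore_prefixes: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Classify the differences between the live view and the trusted view.

    hidden      - present offline, absent from the live view: the classic
                  rootkit signature; every entry needs an explanation.
    online_only - seen live but not offline: normally churn (temp files,
                  logs) between the two snapshots.
    mismatch    - same path, different size or digest: the live view may be
                  serving a doctored copy of the file.
    Paths under ignore_prefixes are dropped from hidden/online_only to cut
    churn noise; keep that list short, since a rootkit may hide there too.
    """
    def noisy(p: str) -> bool:
        return any(p.startswith(norm(pre)) for pre in ignore_prefixes)

    on, off = set(online), set(offline)
    hidden = sorted(p for p in off - on if not noisy(p))
    online_only = sorted(p for p in on - off if not noisy(p))
    mismatch = sorted(
        p for p in on & off
        if (online[p].size, online[p].digest) != (offline[p].size, offline[p].digest)
    )
    return {"hidden": hidden, "online_only": online_only, "mismatch": mismatch}


def run_example() -> dict[str, list[str]]:
    """Diff the constructed snapshots, ignoring the Windows temp directory."""
    return cross_view_diff(parse_snapshot(ONLINE_VIEW), parse_snapshot(OFFLINE_VIEW),
                           ignore_prefixes=("C:\\Windows\\Temp\\",))


if __name__ == "__main__":
    for kind, paths in run_example().items():
        print(f"{kind}: {paths or '-'}")
```

On the constructed data the driver file shows up as `hidden` (the offline listing sees it, the live OS does not), the two temp files are filtered out as churn, and `hosts` is reported as a `mismatch` because the live view returns different content than the disk actually holds. That last class is the reason a size-and-hash listing is better than a bare directory listing: a filter driver can hide a file, but it can also answer reads for a visible file with sanitised bytes.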

  15. #15
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,415
    The thread was deleted. It was spam by the developer of Elite Keylogger "are your children safe" I think the thread was entitled. This keylogger delivered via Trojan would be a scary thought. It's gone - unhackme no longer picks anything up - besides, I'm on a clean True Image now since......

    There may be a time in the near future that I might use Winrollback (I have it installed)
    Last edited by lynchknot; April 8th, 2005 at 18:08 PM.
