Security Basics mailing list archives
Re: Key Loggers
From: ~Kevin Davis³ <computerguy () cfl rr com>
Date: Tue, 28 Oct 2003 20:09:02 -0500
Why not just use FileMonitor from sysinternals?
http://www.sysinternals.com/ntw2k/source/filemon.shtml

~Kevin Davis³
What possibly could go wrong?

----- Original Message -----
From: "Al Sez" <aer () efn org>
To: "Eric Hagen" <eric () sandpile net>; "Ivan Hernandez" <ivan.hernandez () globalsis com ar>
Cc: <s7726 () yahoo com>; "Security-Basics" <security-basics () securityfocus com>
Sent: Monday, October 27, 2003 8:28 PM
Subject: Re: Key Loggers
How about a search on all files that have been updated in the last, say, five minutes?

Al

----- Original Message -----
From: "Eric Hagen" <eric () sandpile net>
To: "Ivan Hernandez" <ivan.hernandez () globalsis com ar>
Cc: <s7726 () yahoo com>; "Security-Basics" <security-basics () securityfocus com>
Sent: Sunday, October 26, 2003 11:21 AM
Subject: Re: Key Loggers

> I would first (in doubt) disconnect the machine from the network and start analysing the traffic, then search for any changing file each time you press a key! Also, writing a strange word and searching for it can be useful sometimes.
>
> Ivan Hernandez

Well, I would say that if it's not sent directly to the network, it's probably saved in an encrypted format. There aren't too many keyloggers that would save their files in plaintext. The trick is that saving the file in plaintext means that it comes up as a search result EVERY time you search for text (because you have to type the search string in order to search!!).

I've done a bit of research on this topic, but have yet to find anything solid. There are some anti-keylogger countermeasures, but they are mostly based on signature detection. There are some that monitor for running processes watching the keyboard buffer, but the word is that kernel hooks are almost impossible to detect in software. Again, I'm no expert, but this is what I've found while reading about the topic.

The only way I can think of detecting it is to both watch the network traffic AND watch the I/O traffic to the disc.

Eric Hagen

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about network analyzers. Are you sick of the three window text decodes?
Download ClearSight Network's Analyzer and see a new network analysis tool that makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%.
FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
---------------------------------------------------------------------------
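The detection procedure the thread converges on, as an added Python example that is not code from any of the posters, from Sysinternals Filemon or from the list: take a snapshot of file sizes and modification times, "type" a sentinel string, take a second snapshot, diff the two, and then check whether any changed file contains the sentinel in plaintext. It also runs Al's cruder "everything modified in the last five minutes" sweep for comparison, and exercises Eric's point that an obfuscated log does not match the text search but still shows up in the change diff. The temporary directory, the three files (one plaintext log, one XOR-obfuscated log, one untouched note) and the sentinel string are all constructed for the demo.

```python
import os
import tempfile
import time
from pathlib import Path


def snapshot(root):
    """Record (mtime_ns, size) for every regular file under root."""
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to compare
            state[path] = (st.st_mtime_ns, st.st_size)
    return state


def changed_files(before, after):
    """Paths that appeared, grew/shrank or were rewritten between two snapshots."""
    return sorted(p for p, v in after.items() if before.get(p) != v)


def recently_modified(root, minutes, now=None):
    """Al's variant: every file whose mtime falls inside the last N minutes.
    Noisier than the snapshot diff, because it also picks up files the user
    or the OS touched for unrelated reasons."""
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    return sorted(p for p, (mtime_ns, _size) in snapshot(root).items()
                  if mtime_ns / 1e9 >= cutoff)


def files_containing(paths, sentinel):
    """Ivan's 'strange word' check, restricted to the files the diff flagged so
    the search string itself cannot create the hit Eric warns about."""
    needle = sentinel.encode()
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                if needle in fh.read():
                    hits.append(path)
        except OSError:
            continue
    return sorted(hits)


def demo(sentinel="xqzv-keylog-probe-7731"):
    """Constructed run in a temp dir: simulate a plaintext logger, an obfuscated
    logger and an unrelated file, then apply the snapshot/diff/search steps."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "notes.txt").write_text("nothing to see")  # untouched later
        before = snapshot(root)
        time.sleep(0.01)  # the window in which the sentinel is "typed"
        # Simulated plaintext keylog file (constructed for the demo).
        Path(root, "plain.log").write_text(f"typed: {sentinel}\n")
        # Simulated obfuscated keylog file: XOR with a constant byte, so the
        # sentinel is not findable by text search but the write still shows.
        Path(root, "cache.bin").write_bytes(bytes(b ^ 0x5A for b in sentinel.encode()))
        after = snapshot(root)

        changed = changed_files(before, after)
        return {
            "changed": [os.path.basename(p) for p in changed],
            "plaintext_hits": [os.path.basename(p) for p in files_containing(changed, sentinel)],
            "recent": [os.path.basename(p) for p in recently_modified(root, 5)],
        }


if __name__ == "__main__":
    print(demo())
```

On a real machine the snapshot would cover the system drive with the network cable pulled, as Ivan suggests, and the diff would be read with Eric's caveat in mind: a logger that buffers in memory or only ever sends over the network writes nothing to disk, and a kernel-level hook is not visible to this kind of file-system check at all. The diff also flags normal churn (browser caches, event logs, the search tool's own files), so each hit still needs a look at which process wrote it, which is what Filemon adds.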
Current thread:
- RE: Key Loggers s7726 (Oct 24)
- Re: Key Loggers Ivan Hernandez (Oct 24)
- Re: Key Loggers Eric Hagen (Oct 27)
- Re: Key Loggers Al Sez (Oct 28)
- Re: Key Loggers ~Kevin Davis³ (Oct 29)
- Re: Key Loggers Eric Hagen (Oct 27)
- Re: Key Loggers Ivan Hernandez (Oct 24)
- <Possible follow-ups>
- RE: Key Loggers Alfred . Diggs (Oct 27)
- RE: Key Loggers Scan America (Oct 27)
- RE: Key Loggers s7726 (Oct 27)
- Re: Key Loggers Rense Buijen (Oct 27)