Prevx SafeOnline against "Advanced Keylogger"


Post by ssj100 on 24/10/2010, 05:57

Can anyone here help me confirm that SafeOnline is bypassed by "Advanced Keylogger"?

I've tested on Windows XP, SP3, 32-bit and Windows 7 Professional, 32-bit (freshly installed, run in VirtualBox with no other security software).

Here's how to reproduce the bypass:
1. Download "Advanced Keylogger" here, install it, and activate it (press Ctrl + Shift + Alt + R, and leave the window open):
http://www.eltima.com/products/keylogger/

2. Download Prevx SafeOnline here, and install it:
http://www.prevx.com/safebook.asp

3. Go to any banking web-site (or just any site which involves the entering of a username and password). I used IE 6 as the browser (but I'm going to test it with Firefox next).

4. Type in your username and password etc.

5. Open up the "Advanced Keylogger" log ("View all new logs" button) and note that SafeOnline has allowed your username and password to be logged. Therefore, it is bypassed.

Note that I tested the Zemana logger test in exactly the same environment and Prevx SafeOnline passed it. Therefore, this makes me more certain that SafeOnline is bypassed by "Advanced Keylogger".

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by noorismail on 24/10/2010, 06:30

ssj100, I have downloaded and installed the software,
it is going to take a while to write down my steps/results in a way that makes sense.


noor

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Post by ssj100 on 24/10/2010, 06:32

No need to write down your steps mate (they're described above anyway). You can just post the result: PASS or FAIL?

By the way, Firefox 3.6.11 is bypassed too for me.


Post by noorismail on 24/10/2010, 07:01

After getting both pieces of software installed, in Shadow Mode, I at first had problems getting the Key-logger GUI to open.
When it did, under key strokes, it had logged my ctl+shift+alt+R.
So far so good.

I opened an unsandboxed Firefox, disabled KeyScrambler free,
and logged into Sandboxie forum.

I reopened the Key logger GUI, and found under key strokes,
only the second set of ctl+shift+alt+R were logged.
Under websites visited, the sandboxie site was shown.

Repeated the same with ShadowDefender forum, same results.
Just to check, I opened a notepad and typed my name.
It was logged.
So I guess I can't reproduce.

I will try once more just to be sure.

noor


Post by noorismail on 24/10/2010, 07:05

By the way, did you notice a change in color of the SOL "floater" from when you
opened your home page, till you went to the page you logged into?

For me it started out green, but when I surfed to the ShadowDefender forum, it turned blue.
I hit on the floater, and hit "start" or enable, or something, and it reverted to green.


Post by ssj100 on 24/10/2010, 08:03

That's very bizarre. Apparently (according to PrevxHelp), if you have KeyScrambler installed (even if you disable it), SafeOnline will automatically switch itself off against keylogging.

Therefore, the fact that SafeOnline may be protecting you (since you couldn't reproduce the bypass) with KeyScrambler installed doesn't make any sense at all! Crazy stuff haha.

Can you test to see if anything you type in the browser is actually logged (without SafeOnline/KeyScrambler installed/enabled)?

And yes, I've always been putting protection to maximum too, if the "floater" is blue coloured - by doing this, the "floater" becomes green coloured, indicating "maximum" protection.

Anyway, I think I've wasted enough time on this haha.


Post by noorismail on 24/10/2010, 08:16

Without Prevx SafeOnline installed, and with KeyScrambler disabled,
I get Login Sandboxie.com. No password or user name.

I am wondering if this blocking could be the result of some other tweak on my system, and a more or less default install of XP, such as in a VM, is required to produce the bypass.

Do you close the GUI of the Keylogger prior to trying logging into a site?

At first I was reluctant to do so, as I had a problem getting it to open, and just cleared the existing logs, returned to the main GUI, and reopened Firefox and tried logging in another site.

I might also add that things done in Windows Explorer, WordPad, Notepad, etc., are logged with precision.

noor


Post by ssj100 on 24/10/2010, 08:20

noorismail wrote: Without Prevx SafeOnline installed, and with KeyScrambler disabled,
I get Login Sandboxie.com. No password or user name.

That's what I thought would happen. Bizarre isn't it?

noorismail wrote: Do you close the GUI of the Keylogger prior to trying logging into a site?

I've tried it both ways. As I said, I've wasted too much time on this haha. I'm never going to use Prevx anyway (unless they employ tzuk or something haha), but it's just interesting to see something which gets such "good press" (due mostly to clever marketing strategies) get bypassed so easily by old logging software.

By the way, aigle has now reproduced the bypass on Windows 7 too (albeit in VirtualBox too).


Post by noorismail on 24/10/2010, 08:39

Well, as always, it has been fun!!


Post by MrBrian on 24/10/2010, 13:30

I saw this topic and decided to test Advanced Keylogger against the secure desktop method presented at http://www.wilderssecurity.com/showthread.php?t=285096. If anyone here is interested in testing that method, I'll link to your results in that thread.


Post by ssj100 on 24/10/2010, 13:58

Sorry, I skimmed through the article and I still have no idea how to load up a "secure desktop". Maybe you can simplify things and put a nice clear step by step guide for us? Cheers.

EDIT: never mind, I figured it out. Seems interesting. I might test it out some time against some loggers. Unfortunately, real-world malicious loggers are not easy to find. In fact, I've never found one.


Post by ssj100 on 25/10/2010, 00:44

Just an update with Prevx SafeOnline. It appears there is a conflict with VirtualBox and other virtualisation software.

This proves once again that the more security software you use, the higher chance of conflicts. The scary thing is that these conflicts may be hidden and not discovered yet. Food for thought.

EDIT: also keep in mind that noorismail ran this test with Shadow Defender installed and couldn't reproduce the bypass. Therefore it's safe to say that Prevx SafeOnline is very prone to conflicts, and that it's very hard to predict if a conflict will occur. So the question at the end of the day is - would you be willing to use it with your security setup?
PrevxHelp himself admitted that "Advanced Keylogger" uses the same method to log key-strokes as Zemana's testing tool. As I described above, Prevx SafeOnline passes the Zemana test in VirtualBox, but fails against "Advanced Keylogger". I have no idea how to explain that one.
Prevx SafeOnline conflicting with virtualisation software shouldn't come as a surprise - remember, it doesn't work with Sandboxie, and according to how much they've done about it, it probably never will.


Post by ssj100 on 9/11/2010, 14:59

Another note - I'm yet to come across a keylogger that can log keys in a VirtualBox guest session (when the keylogger is run from the host machine). I've tried the Zemana and Spyshelter test tools and they are both unable to log anything.

Also, according to "truthseeker", none of the following programs are able to log inside a guest session either:

1. Spytech SpyAgent Stealth Edition 6.30.08
2. All In One Keylogger 3.1
3. KGB Spy 4.55
4. Stealth Keylogger 4.9 build 137
5. SpyBuddy 3.7.5
6. Elite Keylogger Pro 4.1
7. CyberSpy 2.7
8. Perfect Keylogger 1.68
9. Powered Keylogger 2.2.1.1981
10. XPC Spy Pro 3.25

So the question is whether these testing tools really give a fair reflection of a "real-world" "in-the-wild" keylogger? It's been written many times that Virtual Machines don't always protect you from keyloggers. I suspect that keyloggers that install themselves deeper and, e.g., load a system-level driver would be the ones that can log keys in Virtual guest sessions. Therefore another question is whether software like Prevx SafeOnline would block such keyloggers?

Also, I found this haha:
http://www.sandboxie.com/phpbb/viewtopic.php?p=49529#49529

Scoobs72, can you test Prevx SafeOnline against these Firefox add-on Key-loggers?:
https://addons.mozilla.org/en-US/firefox/addon/13713/
https://addons.mozilla.org/en-US/firefox/addon/220858/
I tested them in a VM, and SafeOnline was bypassed by both. Didn't you say you were fearful of rogue Firefox extensions? Well, it doesn't look like SafeOnline is doing anything for you here?

Finally, SafeOnline fails against this if the keylogger is installed before installing SafeOnline:
http://www.lostpassword.com/asterisk.htm
Interestingly, running a sandboxed browser with Sandboxie in default configuration blocks it.


Post by Scoobs72 on 12/11/2010, 02:52

ssj100 wrote:

Scoobs72, can you test Prevx SafeOnline against these Firefox add-on Key-loggers?:
https://addons.mozilla.org/en-US/firefox/addon/13713/
https://addons.mozilla.org/en-US/firefox/addon/220858/
I tested them in a VM, and SafeOnline was bypassed by both. Didn't you say you were fearful of rogue Firefox extensions? Well, it doesn't look like SafeOnline is doing anything for you here?


Hi SSJ, I don't think I'm going to be able to test this, because I'd have to do it in my VM and Prevx SOL is somewhat temperamental in VMs as you know. It wouldn't surprise me if SOL was bypassed by those however because they become a legitimate extension of the browser itself (no pun intended). By all accounts Prevx SOL appears to be very successful against real-world malware, particularly the Zeus variety that goes after banking details. It did very well in MRG's testing as well. However, I have myself observed considerable 'flakiness' when testing SOL's functionality against keylogger tests - usually it's perfect and blocks everything, but then occasionally it will let everything through for no apparent reason... before reverting back to blocking everything again. For this reason I cannot recommend it as a 'set and forget' on complex security setups, but I have no hesitation in running it on simple setups (e.g. just a resident AV), and do so on two other PCs in the family that I manage.


Post by ssj100 on 12/11/2010, 09:16

Good points, and also to emphasise/repeat, there's this:
Finally, SafeOnline fails against this if the keylogger is installed before installing SafeOnline:
http://www.lostpassword.com/asterisk.htm
Interestingly, running a sandboxed browser with Sandboxie in default configuration blocks it.
As noted, simply running a sandboxed web browser blocks it, while Prevx SafeOnline fails it (I think PrevxHelp confirmed this bypass too).


Post by ssj100 on 12/12/2010, 00:11

I must say, I'm quite surprised that no one has followed up or commented on this issue.

I just tested KeyScrambler 2.7.1 and it is also bypassed by "Asterisk Key":
http://www.lostpassword.com/asterisk.htm

Would appreciate it if someone can confirm this. Very interesting that both Prevx SafeOnline and KeyScrambler are both bypassed by this, and that no one across the internet (publicly at least) has mentioned it.

However, by simply using a sandboxed web browser (Sandboxie) with absolutely no configuration, the logging is blocked.

Again, if you're going to "mistakenly" install malicious software into your system, it's most likely all over red rover haha. For the home user who is already using Sandboxie, I'm not convinced that there is any empirical/anecdotal implication or scientific evidence that using software like Prevx SafeOnline or KeyScrambler will lessen your chances of getting your passwords stolen from "mistakenly" installed malicious software. In fact, the reverse may be true, as with the example of "Asterisk Key" (since people who use Sandboxie and Prevx SafeOnline use one or the other, and when they're not sandboxing their web-browser because they want to use the SafeOnline component, they will be bypassed).


Post by blues on 12/12/2010, 00:22

Interesting stuff, to be sure.

One of the reasons I abandoned SOL after a day or so, (the free edition which I downloaded months ago), was because I just couldn't stomach entrusting my browser (for banking or secure browsing) to an unsandboxed (and highly restricted) environment. It entailed a level of faith and trust in a product that was outside my comfort zone.

Now, this is not to disparage SOL or Prevx, it's merely to state that I feel safer online via the sandbox (with the real-time backups listed in my sig).

I do employ add-ons in Firefox such as NoScript, KeyScrambler etc, but I perceive them more as adjuncts to the protection that Sandboxie affords as the first line of defense.

(I would rate myself as an intermediate level user. One who is somewhat comfortable with security software but short of the level of expertise to edit the registry or program .ini files without tutelage.)


Post by ssj100 on 31/12/2011, 04:00

MrBrian wrote: I saw this topic and decided to test Advanced Keylogger against the secure desktop method presented at http://www.wilderssecurity.com/showthread.php?t=285096. If anyone here is interested in testing that method, I'll link to your results in that thread.

Finally got round to testing this. Seems to be effective against keylogging, but clipboard logging got bypassed with the first tool I tested it with:
www.spyshelter.com/download/AntiTest.exe
