Re: Key Loggers

[Eric Hagen <eric () sandpile net>]

> I would first (in doubt) disconnect the machine from the network and 
> start analysing the traffic, then search for any changing file each 
> time you press a key !
> also writing a strange word and searching for it can be useful sometimes
> ivan hernandez


Well, I would say that if it's not sent directly to the network, it's 
probably saved in an encrypted format.  There aren't too many keyloggers 
that would save their files in plaintext.  The trick is that saving the 
file in plaintext means that it comes up as a search result EVERY time 
you shearch for text (because you have to type the search string in 
order to search!!).

I've done a bit of research in this topic, but have yet to find anything 
solid.  There are some anti-keylogger countermeasures, but they are 
mostly based on signature detection.  There are some that monitor for 
running processes watching the keyboard buffer, but the word is that 
kernel hooks are almost impossible to detect in software.   Again, I'm 
no expert, but this is what I"ve found while reading about the topic.  
The only way I can think of detecting it is to both watch the network 
traffic AND watch the I/O traffic to the disc.

Eric Hagen

---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about 
network analyzers. Are you sick of the three window text decodes? Download ClearSight Network's Analyzer and see a new network analysis tool that 
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
----------------------------------------------------------------------------