BlazingTools.PerfectKeylogger

[Guest]

Three times now in the past month, WD has found some form of
BlazingTools.PerfectKeylogger. The latest is joined to this message at
the end.

My question: How do I know if this is WD being smarter (and that the
keylogger has been there for a while) or it's a recent install of
spyware. In all three of the cases, they were detected after a security
update (once/month). Coincidence?

I run McAfee On-Access scan and it never has seen these keyloggers, so
I'm wondering. Either it's because McAfee doesn't know about them (no
signature), or it's been duped into thinking they're OK.

WD doesn't say these are running processes, but I wonder if that's also
the keylogger being smart and not appearing in the list of running
processes. There's a whole web site dedicated to "support" of this
keylogger and hacking:

http://forum.keylogger.org/

Pretty scary to think that the hackers on a .org site are doing a better
job than Microsoft!

Here's the log from the latest detection of BlazingTools.PerfectKeylogger:

Category:
Monitoring Software

Description:
This program monitors user activity, such as keystrokes typed.

Advice:
Review the alert details to see why the software was detected. If you do
not like how the software operates or if you do not recognize and trust
the publisher, consider blocking or removing the software.

Resources:
file:
C:\WINDOWS\system32\inst.dat

file:
C:\WINDOWS\system32\pk.bin

file:
C:\WINDOWS\system32\rinst.exe

file:
C:\WINDOWS\system32\svchostwb.dll

View more information about this item online

 

[Guest]

Is this occuring in a corporate environment or on a home system/network?

When I was working from a corporate enterprise, using Symantec Enterpise
"protection", I experienced other workstations randomly pinging my
workstations (active malware). Needless to say I was a bit upset.

I demanded a separate IP address to resolve the issue. I figured if
management was so utterly clue-imparied to host a cocktail of malware on
their network, I was not going to fall victim to their idiocy! As a result,
this required my having to access the corporate servers through a Terminal
Server interface. Yes, it was less convenient, but at least I was safe from
the horrors that they seemed to encourage.

You may be wise to do the same, if that is your case. I would also
recommend a cheap router/firewall to isolate your sysstem form the fray.
They can be had for less than $50.

 

[Guest]

Scott D top-posted:

Is this occuring in a corporate environment or on a home system/network?

Yes, but I found the problem. It is due to McAfee 8.0.0 being broken, on
several machines, despite latest updates of signatures and engines on all.

I reinstalled it to no avail.

I installed Kaspersky 6.0 trial edition and it found 18 instances of
infected files. Somehow, McAfee is/was broken.

 

[Guest]

I am certainly glad that you identified the problem.

Please keep in mind that there is no single "cure all" in the fight against
malware. Consider too, that most threats begin by disabling your defenses.
Multiple opinions are always required to maintain an edge.

 

[Guest]

I installed Kaspersky 6.0 trial edition and it found 18 instances of
infected files. Somehow, McAfee is/was broken.

Ok - I finally found the most likely explanation from someone in the
McAfee forum. McAfee isn't broken, at least not from a technical point
of view.

Apparently, since 2004, McAfee VirusScan 8.0i only detects items on its
"Top 200" malware list. They are trying to get people to buy another
"spyware" product. So, I could say McAfee is broken from a "marketing"
point of view! I sure wasted a lot of time on this... Here's a reference:

http://www.pcworld.com/article/id,118593-page,1/article.html

Thanks to all who offered suggestions. I finally conclude that WD
detected this malware recently because of an update of its signatures,
not because of software I installed - I was getting paranoid because
I've only "uninstalled" software in the past few months.

In fact, the BlazingTools.PerfectKeylogger files were likely on my PC
since 2004. According to the article above on the McAfee policy, the
keyloggers should not have been "actively" sending stuff to hackers, and
that's why they' re not on the top 200 list.

Frankly, I think fixing a list of 200 worst is somewhat arbitrary. At
some point, there will be (or already are) 200+ sufficiently bad malware
items that you'd want your virus scanner to detect.

This is yet another reason why I think Microsoft owes it to everyone to
do a good job with security in Vista. When a user has to realize that a
company is going to split hairs over "what is bad" malware, the state of
security is really a mess. Companies are trying to get as rich as
possible because security on the OS is done wrong from the start. By the
way, 8.0i is a corporate product - I have a license through my employer
that covers my office computers.

Anyway, this policy is akin to an alarm company telling you that it is
limiting the motion detectors it sold you to only detect the thieves on
the top 10 FBI most wanted list.

 

[Guest]

Personally, I don't abide the politicization of essentail security. The
harsh reality is that various anti-threat software publishers have done just
that.

Encouraging pointless "cookie hysteria" is certainly one aspect. Selective
protection is another. These and other distractions are counterproductive,
if not downright dangerous.

I would like to think that McAfee is nowhere near as stupid NOW as they were
two years ago when the article was written. Perhaps they are.

Trust me on this. Vista is significantly more secure than any previous MS
operating system, but it still will require tweaking if you wish to optimize
your security. Part of the insideous trade-off is that most users expect
certain "conveniences" that mandate a specific level of insecurity. And that
is what criminals will continue to exploit.