Scan network for keystroke loggers?


Jeff Cochran

Have a management-type that read about keystroke logging as a hacking
tool in a business journal, and now he'd like to have the network
scanned for these and reported on a regular basis. Does anyone have a
suggestion for a simple tool to scan a range of IP addresses or
systems and report on the presence of keystroke loggers?
Alternatively, one that can be launched in a login script and record
results to a file?

Thanks,

Jeff
 
Very interesting situation. Keystroke logging, from the best of my
knowledge, is essentially an arbitrary piece of running code that has
made hooks into the Win32 API to perform the capture. I can imagine
that there are thousands of variants floating around, all probably have
different attack vectors.

A possible solution is to develop some sort of process scanner that is
launched from a domain script, that runs in the background that reports
a list of processes at an interval to a master server, which in turn
then compares the process list to known 'logger' trojans. The master
server can then notify an administrator of the possible threat. On top
of that, the client app can terminate the process immediately ..
Just an idea.

Sticky stuff.. mainly since there is no 'one way' to perform keystroke
logging.

HTH!
-Sean
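
A sketch of the master-server comparison described in the post above, as an added example that is not part of the original thread or any poster's code. The report format (host|timestamp|comma-separated image paths), the watchlist names and the baseline are constructed placeholders; it goes one step beyond the post by also flagging image names absent from an approved baseline, since matching on known names alone misses renamed or home-made binaries.

```python
# Constructed watchlist: placeholder names, not real keylogger binaries.
WATCHLIST = {"examplelogger.exe", "keycap-demo.exe"}

# Assumed set of approved image names for these workstations.
BASELINE = {"explorer.exe", "svchost.exe"}

# Constructed reports, one line per login as a login script might append them.
SAMPLE_REPORTS = """\
WS-014|2004-03-02T08:01:10|C:\\WINDOWS\\explorer.exe,C:\\WINDOWS\\system32\\svchost.exe
WS-014|2004-03-03T08:00:57|C:\\WINDOWS\\explorer.exe,C:\\Temp\\ExampleLogger.EXE
WS-022|2004-03-03T08:03:41|C:\\WINDOWS\\explorer.exe,C:\\Docs\\notes-helper.exe
this line is malformed and is skipped
"""

def image_name(path):
    """Lower-cased file name from a Windows path (names are case-insensitive)."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_reports(text):
    """Yield (host, timestamp, [paths]) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        host, ts, procs = parts
        yield host, ts, [p for p in procs.split(",") if p.strip()]

def review(text, baseline=BASELINE, watchlist=WATCHLIST):
    """Return (host, timestamp, reason, path) for every process worth a look."""
    findings = []
    for host, ts, paths in parse_reports(text):
        for path in paths:
            name = image_name(path)
            if name in watchlist:
                findings.append((host, ts, "watchlist", path))
            elif name not in baseline:
                # Not a known logger name, but nobody approved it either.
                findings.append((host, ts, "unknown", path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_REPORTS):
        print(*finding, sep="\t")
```

A hit here only says that an image with that file name was running; code injected into an approved process and hardware devices never show up in a process list.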
 
Jeff said:
Have a management-type that read about keystroke logging as a hacking
tool in a business journal, and now he'd like to have the network
scanned for these and reported on a regular basis. Does anyone have a
suggestion for a simple tool to scan a range of IP addresses or
systems and report on the presence of keystroke loggers?
Alternatively, one that can be launched in a login script and record
results to a file?

How would your management type person propose that a network tool to detect
keyloggers detect and report a hardware key logger that people insert
between the keyboard and computer?

If it deals with every "known" software based keylogger out there, how does
it detect something I made up myself last night with a copy of C# at home
and smuggled into work on a usb pen drive?

Rob
 
Sean said:
Very interesting situation. Keystroke logging, from the best of my
knowledge, is essentially an arbitrary piece of running code that has
made hooks into the Win32 API to perform the capture. I can imagine
that there are thousands of variants floating around, all probably have
different attack vectors.

A possible solution is to develop some sort of process scanner that is
launched from a domain script, that runs in the background that reports
a list of processes at an interval to a master server, which in turn
then compares the process list to known 'logger' trojans. The master
server can then notify an administrator of the possible threat. On top
of that, the client app can terminate the process immediately ..
Just an idea.

Sticky stuff.. mainly since there is no 'one way' to perform keystroke
logging.

There are a few keystroke logger scanner programs out that claim to
detect them, though I've never seen one work so I couldn't tell. I
like the idea of a process scanner, that might help on a lot of
fronts, but way too much effort to develop for just what I need. I
have yet to find a keystroke logger installed on our systems, but that
doesn't mean there *aren't* any. While my main goal is to satisfy the
request, I am developing a curiosity in it myself now.

Thanks,

Jeff
 
I don't know of a simple tool but if he is willing to spend the money Pest Patrol has
a corporate version. I have not tried the corporate version myself, but they do offer
a free trial version. --- Steve

I've been looking at Pest Patrol Corporate anyway to help combat
spyware/scumware/malware, just not yet convinced it's ready for prime
time. I kind of expect all the competitors to introduce similar
products in the next six months.

But Pest Patrol does advertise keystroke logger detection. I may have
to start installing a few to see if it detects it as a test.

Thanks,

Jeff
 