Usefullness of ANY Anti-Spyware Software??

[Adelphia]

First a simple assumption - key loggers can record and pass on all of your
keystrokes for later analysis.

If this assumption is true it exposes a hole in the majority, if not all,
anti-spyware software. That is, if you run the detection program and it
finds a keylogger it is too late. To support that, another assumption is
that the infection occurs without your knowledge at 9am. At 10 am you run
Quicken Financial. This gets the loggers attention and it records your
keystrokes. At midnight you run your favorite anti-spyware program and find
a keylogger. You happily quarantine it or remove it. However, the damage has
already been done! Your Quicken keystrokes have already been recorded and
passed on to some slime somewhere on the globe/earth.

The point is, that without real-time protection the anti-spyware scanners
offer a false sense of security by telling you that you have already been
recorded. If you follow common sense advice you should change all of your
passwords and logon IDs. First it may be too late and second it may be
uncomfortably too often.

An example of a keylogger that is easy to plant is to go to the new Google
Earth program that allows you to see parts of the earth from high resolution
photos. It installs a dll that is a keylogger. One can ASSume that Google is
totally honest and only records keystrokes that pertain to their software. I
will leave that decision of trust to you. Run your late night scan find and
quarantine it. However, Google runs something on a time basis that restores
the keylogger because the next day you once again detect it despite not
using the program. So it had another several hour period between scans to do
its dirty work, unless you want to fully trust Google!!!

So, can a real-time scan of downloaded software block such things from even
entering your PC. Probably not since it is easy to morph an apparently
benign dll into something else later when you run the supposedly now safe
program. You cannot block the outgoing file of your recorded keystrokes
since they come from the now trusted (real-time scanned) program. You could
try to determine what program planted the logger but they seem to be placed
in many locations, making sourcing them difficult. You could do a scan every
time you download something but morphing the logger later makes that
useless.Uninstalling the offender seems to be the only way to "keep
clean".Perhaps someone here can present a full-proof way to instantly detect
keyloggers and block them????

http://sunbeltblog.blogspot.com/2005/08/more-on-identity-theft-ring.html if
you do not believe this link you better be very lucky because you ain't
smart.

Dick

 

[Ron Chamberlin]

Hi Dick,

I view keyloggers as more of an AV issue than Spyware. It would be great if
both types of products identified and protected you from these critters
getting into a system in the first place eh?

Ron Chamberlin
MS-MVP

 

[AndyManchesta]

Ive found no way to stop Keyloggers before they get to
send out the info except for using a strong firewall, The
new ones are not written into AV Definitions untill they
are detected and as already pointed out thats too late
then, Its more a issue for AV and firewalls. If you have
them both set up correctly then it can make it easier to
know when information is sent out.

I had one last week which I can confirm MS Antispy
detected and removed called pd pinch but it still sent
the information out so again its abit late then as the
damage has been done. I used netstat by going to command
prompt and type netstat. This is a good way to see what
connections are open and what state the ports are in, Its
very suspicious if you have connections open when no IE
windows are open. With netstat you can type netstat ? to
get a list of commands I find netstat -an is usefull to
display open ports and list the IP Addresses of the
connections but this will not help you much if you feel a
keylogger is on board, All it will do is confirm your
information is being sent out but will give the IP
address of who's taking it so you can report them.With
the pd pinch I noticed alot of ports open when the file
was deleted as there was about 4 different files so it
still got to send what it wanted but this was a test
setup so no harm done.

Packet Sniffers are also a great way to see whats going
out from your machine but its not realistic to keep them
active all the time as there is many genuine packets sent
and received. Ive been using this method on Direct
Revenue and it shows when thier adware is on board it
sends everything about the system to them, Usernames and
computer number, how much space is free and used,What
version of windows, what Browser, All the programs you
have installed and the path to the files, Every page you
visit, Eveything you type in search engines,Every
download you do, the list goes on and on so they are
keylogging in a way but they can get away with it but it
would also help if you have a keylogger to record the
information they are taking but again its not really
going to work unless you know the keylogger is there and
if you did you wouldnt monitor what they take you would
just pull the network connection or internet connection
and remove the keylogger so its hard to know what the
solution is except for a strong firewall and if you think
the information has gone out then change all passwords
and notifiy the banks or ebay,paypal etc.. if you use
them regular online.

Andy