-5

Our company schedules Security Training courses for our personnel.

In order for us to test them, we develop code such as keyloggers which we email to our personnel to detect stupid personnel, and of course we want to know whether our antiviruses detect this code.

We send keyloggers by email to all personnel and rename them to "update or service packs".

Many of them download and run them and ... We get user name and IP through a web service.

And we have noticed that our antivirus does not detect this code as malware.

Which software should we use to detect keyloggers and other similar malware?

Rory Alsop
saber tabatabaee yazdi
  • I want to have software that detects all keyloggers in my network and reports to me; do you know how to do that? – saber tabatabaee yazdi Nov 08 '12 at 13:33
  • 2
    What you want does not exist. If your security software did not detect your program, it's because the vendor didn't create a signature for your application. There isn't a single security software that will detect EVERYTHING; what you want is not realistic. – Ramhound Nov 08 '12 at 13:44
  • 3
    My experience is that most anti-virus programs don't detect global key hooks, which are the simplest way to write a keylogger. I distribute a program that contains such a hook, and I received almost no complaints about detections in that module. – CodesInChaos Nov 08 '12 at 15:51
  • 1
    ... And the unfortunate part is, there are legitimate 'keyloggers' that get installed - custom macro-ing programs, hardware vendor software, etc. So you can't just yell about them. It's easiest to find/trap/kill them during installation attempts (via UAC) or data exfiltration (via a firewall). – Clockwork-Muse Nov 09 '12 at 00:32
  • I want to develop it, and I will develop it, by programming. If you are not a programmer, please don't say "this is impossible". It is a very simple program that digs up other keyloggers and reports to SCOM (System Center Operations Manager). – saber tabatabaee yazdi Nov 09 '12 at 14:01
  • @sabertabatabaeeyazdi just because you *can* write a program to do something, doesn't mean you *should*. Moreover, and speaking as a programmer, just because you write a program that you *think* does something, doesn't mean it *does*. – AviD Nov 19 '12 at 07:30
  • @AviD Thank you. Everything you say is correct. I say it is very bad in security that we don't have a solution to detect any keyloggers. No alerting software exists!!! This is very bad for us, that we can't detect them in the security department. – saber tabatabaee yazdi Nov 19 '12 at 08:48
  • If the inhouse security & IT department sent out "an update or service packs" - why do you expect people not to follow the advice given? They're not being stupid; they're doing what the inhouse security & IT department tells them to do. Why do you want to train them to _not_ follow your orders? – Torben Gundtofte-Bruun Jan 15 '13 at 20:01
  • @TorbenGundtofte-Bruun I guess you don't know anything about hacking and security! Because hackers phish and email them from our mail address. We apply our rules by GPO in Active Directory or 100 other ways and didn't attach any virus to mails... I can email anyone from your email and transfer a Trojan to them... do you understand? Or do you need more description? – saber tabatabaee yazdi Jan 16 '13 at 04:39
  • Oh I understand the tech, all right. It's your motives and methods that I am questioning. – Torben Gundtofte-Bruun Jan 16 '13 at 09:34
  • I'm sorry, but your question is better for parents, not for a community of hackers. – saber tabatabaee yazdi Jan 16 '13 at 10:30

6 Answers

20

No, anti-malware packages will not detect every form of keylogger. They will detect known ones by hashing, and some may detect certain keylogger-like behaviour via heuristic analysis.

However, I strongly advise you against this. First off, it's insulting to your employees. If I found out my employer was doing such a thing, I'd resign on the spot. Secondly, it's potentially illegal. I'd guess you're spying on people without their consent. You're opening yourself up to lawsuits. Finally, you're creating a security vulnerability - email isn't secure, and keyloggers are likely to contain company and personal credentials when users log into services. It's a security and privacy nightmare.

So, in my personal and professional opinion:

DON'T DO THIS!

Polynomial
  • 3
    The better way to have performed the test is to create and email a fake, but safe, 'virus' that performs an innocent task. Design the email to test specific areas your employees were trained in. You could have tested keylogger detection of your antivirus in a test environment instead of distributing it in the wild. – schroeder Nov 08 '12 at 15:26
  • @Polynomial you don't have an antecedent to 'this'. What are you advising against? Testing employees? Distributing keyloggers? Detecting keyloggers? Performing an heuristic analysis? – schroeder Nov 08 '12 at 15:29
  • 2
    @schroeder *"We develop a Code in C# like keyloggers and email to our personnel to detect stupid personnel"* - I'm advising against keylogging your employees' machines. – Polynomial Nov 08 '12 at 15:31
  • We tell them in class that we test employees and want them to not open the emails that contain those attachments. – saber tabatabaee yazdi Nov 09 '12 at 14:04
  • 1
    @Polynomial - Most U.S. companies nowadays require employees to sign "Network Policy" riders to their main employment agreement, which states among other things that their use of the company's LAN/Internet connection can be monitored to ensure compliance. So, it's not *as big* a deal legally. However, creating software that is obviously malicious (is the OP *really* writing a full keylogger just to see what their clients will or won't download?) is a *huge* no-no that can get the OP's company in trouble with everyone from their employees to their ISP to the Feds. – KeithS Nov 12 '12 at 19:31
  • 3
    @KeithS Don't assume this is a US company - in many countries, it is explicitly illegal, regardless of your "network policy". Also, even in the US, there are still restrictions on how you implement this. – AviD Nov 19 '12 at 07:31
  • 3
    Just want to add that there are hardware keyboard taps too which will not be picked up by any AV no matter how sophisticated it is. – Inverted Llama Dec 03 '12 at 11:50
8

I think that your question (Will Antivirus detect keyloggers?) has been answered.

I'd like to take a step back and examine the broader issues - because sometimes the answer to a question isn't really the answer you're seeking.

First, I must respectfully disagree with @Polynomial's opinion. I think your core notion is fantastic. It doesn't matter what security controls you deploy if your users aren't at least tacitly compliant. RSA was brought down because an administrative assistant reached into a sequestered email message and clicked on a link. You're trying to change user behavior by providing a clear feedback cycle; this is a technique which has been proven to be effective. I believe that a keylogger is the wrong "mission" or payload to deploy in this campaign. I believe that a sufficient payload would be a redirect to a page containing your company's policy. If you need to go beyond that, you could include one of the sample viruses used by antivirus companies to test their products. (I can't find a link to one, but if you have a legitimate need, I'm confident that you'll be able to find one).

Second, I'm not sure I understand why you're looking at antivirus. If your goal is to test the effectiveness of your antivirus, then I would suggest you rely on other people's research. There are sites that publish comparative research. But ultimately 90% of the antivirus products are going to be adequate against 90% of the attacks you find. I don't have the current numbers, but the majority of viruses in the wild are common viruses.

Third, let me combine those two observations. Antivirus is designed to reduce the likelihood that you'll be the victim of opportunistic attack. If you want to test your resilience against opportunistic attack, you need a different test strategy (simple scans are probably sufficient). Fake phishing attacks like what you describe are designed to test your resilience against targeted attacks; antivirus programs are worthless against targeted attacks.

I believe you need to take a step back and decide what kind of security policy/implementation you want (what is your risk tolerance). Once you know that, then design threat scenarios and test cases against those. Confusing user behavior with keyloggers with antivirus indicates to me that you don't have a coherent risk management strategy.

MCW
5

No, not every keylogger will be found.

Just like viruses, anti-virus software can only detect stuff it knows and/or detect "strange" behaviour.

And: hardware keyloggers will most likely not be detected at all.

Bonsi Scott
3

Custom-written malware (like keyloggers) cannot be detected by anti-virus software that uses signatures to detect malware, because the keylogger's signature is so far unique. What some anti-virus (AV) software can detect is applications hooking into the Windows system to listen for keystroke events (made by typing on a keyboard). Some AV software, if properly configured, can also block the keylogger from communicating over the network, effectively preventing it from sending the keystrokes to the attacker. There is software called "KeyScrambler" that can protect against most keylogging malware.

Matrix
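The contrast this answer draws (a signature hash misses a custom build, while a scanner that looks at how a program hooks the keyboard can still flag it) is easy to see in code. The example below is added here and is not from any poster or product; every file content, hash and import list is constructed, the Win32 API names are real, and the weights and threshold are illustrative choices. It also covers the point in the Polynomial answer about detection "by hashing" versus "heuristic analysis", and uses the APIs (global hooks, GetAsyncKeyState, injection) that user1106128 lists further down.

```python
"""Signature (hash) matching versus import-based heuristics for a Windows
executable. Added example, not code from the thread; every hash, file
content and import list is constructed. The API names are real Win32
functions; the weights and the threshold are illustrative choices."""
import hashlib

# Behaviour groups. A hook or a key-state poll alone is also used by
# legitimate macro and accessibility tools, so it is weighted, not a verdict.
KEYSTROKE_CAPTURE = {"SetWindowsHookExW", "SetWindowsHookExA",
                     "GetAsyncKeyState", "GetKeyState", "GetRawInputData"}
NETWORK_EGRESS = {"WinHttpSendRequest", "HttpSendRequestW",
                  "InternetOpenUrlW", "send", "WSASend"}
INJECTION = {"WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for four executables: the bytes play the role of the
# file on disk, the list plays the role of its import table.
SAMPLES = {
    "known_build": {
        "content": b"keylogger build 1 (constructed)",
        "imports": ["SetWindowsHookExW", "GetAsyncKeyState", "WinHttpSendRequest"],
    },
    "recompiled_variant": {  # same behaviour, different bytes -> new hash
        "content": b"keylogger build 2 (constructed)",
        "imports": ["SetWindowsHookExW", "GetAsyncKeyState", "WinHttpSendRequest"],
    },
    "macro_tool": {  # legitimate hook user with no network side
        "content": b"macro recorder (constructed)",
        "imports": ["SetWindowsHookExW", "CreateFileW"],
    },
    "browser": {  # network only
        "content": b"web browser (constructed)",
        "imports": ["WinHttpSendRequest", "CreateFileW"],
    },
}

# The constructed "vendor signature database" knows exactly one build.
KNOWN_BAD_SHA256 = {sha256_hex(SAMPLES["known_build"]["content"])}


def signature_match(content: bytes) -> bool:
    """Exact match only: any recompile or byte change defeats it."""
    return sha256_hex(content) in KNOWN_BAD_SHA256


def heuristic_score(imports):
    """Return (score, reasons). Capture plus egress is what a keylogger that
    phones home needs, so that combination gets an extra weight."""
    imports = set(imports)
    score, reasons = 0, []
    capture = bool(imports & KEYSTROKE_CAPTURE)
    egress = bool(imports & NETWORK_EGRESS)
    if capture:
        score += 2
        reasons.append("keystroke capture API")
    if egress:
        score += 1
        reasons.append("network egress API")
    if capture and egress:
        score += 2
        reasons.append("capture and egress combined")
    if imports & INJECTION:
        score += 2
        reasons.append("process injection API")
    return score, reasons


def classify(sample, threshold=4):
    """Signature first (cheap, exact); heuristic only when the hash is unknown."""
    if signature_match(sample["content"]):
        return "malicious", ["known hash"]
    score, reasons = heuristic_score(sample["imports"])
    return ("suspicious" if score >= threshold else "clean"), reasons


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, *classify(sample))
```

The recompiled variant has no hash in the database, so only the heuristic path catches it; the macro tool imports the same hook but never scores past the threshold, which is the false-positive trade-off Clockwork-Muse's comment about legitimate hooks is pointing at.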
1

Some antiviruses can detect keyloggers if you set the mode to "Paranoid", but in this case the antivirus takes tons of resources since it hooks the Windows API and checks for abnormal calls, for example GetAsyncKeyState, global hooks, and injections into processes; your station in this mode will become very slow and unresponsive.

You can get software that will catch 90% of keyloggers, since most of them are written with the same techniques (keyboard hooks and GetAsyncKeyState); there are some loggers that replace the default keyboard drivers. Anyway, you shouldn't focus on catching keyloggers; you should focus on how to prevent data being sent from workstations to the world.

user1106128
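This answer's closing advice, like Clockwork-Muse's comment about catching exfiltration at the firewall, shifts the question from "which binary is a keylogger" to "which process is sending data out that shouldn't be". The example below is added here and is not from any poster; it runs a simple egress check over a constructed host-firewall allow log (the line format, paths, timestamps and addresses are all made up, using RFC 5737 documentation ranges) and flags a process that runs from a user-writable location and connects to the same destination on a fixed schedule.

```python
"""Egress-side detection of a process phoning home on a schedule. Added
example, not code from the thread. The log format is a constructed stand-in
for a host-firewall allow log; every path, address and timestamp is made up."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a dropped "update.exe" beacons once a minute with a
# few hundred bytes, next to ordinary browser and Windows service traffic.
SAMPLE_LOG = r"""
2012-11-08T13:33:02Z ALLOW OUT proc=C:\Users\alice\AppData\Local\Temp\update.exe dst=203.0.113.7:443 bytes=412
2012-11-08T13:33:15Z ALLOW OUT proc=C:\Program Files\Google\Chrome\Application\chrome.exe dst=198.51.100.20:443 bytes=3871
2012-11-08T13:34:02Z ALLOW OUT proc=C:\Users\alice\AppData\Local\Temp\update.exe dst=203.0.113.7:443 bytes=398
2012-11-08T13:34:40Z ALLOW OUT proc=C:\Program Files\Google\Chrome\Application\chrome.exe dst=198.51.100.20:443 bytes=120455
2012-11-08T13:35:02Z ALLOW OUT proc=C:\Users\alice\AppData\Local\Temp\update.exe dst=203.0.113.7:443 bytes=405
2012-11-08T13:36:03Z ALLOW OUT proc=C:\Users\alice\AppData\Local\Temp\update.exe dst=203.0.113.7:443 bytes=410
2012-11-08T13:36:20Z ALLOW OUT proc=C:\Windows\System32\svchost.exe dst=198.51.100.50:80 bytes=2210
""".strip()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ALLOW OUT proc=(?P<proc>.+?) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

# Installed-software locations whose binaries are expected to talk outward.
# Deliberately coarse: it catches a dropped executable, not code injected
# into a sanctioned process, which needs the process-level checks the
# answers above describe.
SANCTIONED_PREFIXES = ("c:/program files/", "c:/program files (x86)/", "c:/windows/")


def is_sanctioned(proc: str) -> bool:
    return proc.lower().replace("\\", "/").startswith(SANCTIONED_PREFIXES)


def parse(log_text):
    """Group (timestamp, bytes) events by (process path, destination)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format instead of failing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[(m["proc"], m["dst"])].append((ts, int(m["bytes"])))
    return events


def analyze(log_text, min_connections=3, jitter_ratio=0.1):
    """Return {(proc, dst): finding} for flows worth an analyst's attention.
    A flow is flagged for an unsanctioned binary location and/or for a
    regular beacon: at least min_connections to one destination whose gaps
    vary by no more than jitter_ratio of the mean gap."""
    findings = {}
    for key, evs in parse(log_text).items():
        proc, _dst = key
        reasons = []
        if not is_sanctioned(proc):
            reasons.append("unsanctioned path")
        evs.sort()
        interval = None
        if len(evs) >= min_connections:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
            interval = mean(gaps)
            if pstdev(gaps) <= jitter_ratio * interval:
                reasons.append("regular beacon")
        if reasons:
            findings[key] = {
                "count": len(evs),
                "reasons": reasons,
                "mean_interval_s": None if interval is None else round(interval, 1),
                "bytes_out": sum(b for _, b in evs),
            }
    return findings


if __name__ == "__main__":
    for (proc, dst), f in analyze(SAMPLE_LOG).items():
        print(proc, "->", dst, f)
```

Only the Temp-directory binary is reported, with both reasons; the browser and svchost flows fall under the sanctioned prefixes and are irregular or too few to form a beacon. In a real deployment the same two signals (where the binary lives and how regularly it talks) are what an egress proxy or host firewall policy can act on without needing to recognise the keylogger itself.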
1

The best protection today against keyloggers is KeyScrambler. It doesn't really 'block' keyboards, in the sense that they keep running, but the keys will be encrypted and decrypted at the target application. While this will work against real keyloggers, other programs which read data directly from a program's input field (i.e. are actually hacking a certain application) will not be blocked, since the real application has to get the real keyboard input; but those programs are real viruses, usually get detected by antivirus, and require admin privileges to run.

jeroen