Monday, September 15, 2008

Keylogger Running Under Kaspersky 2009

My last posts clearly showed, and it is well known, that static virus detection is not something AV vendors do well enough. This one, though, is quite a story. While researching many trojans I was moving files into and out of the Virtual PC machine I use to test viruses. My host computer has Kaspersky 2009 installed and running with maximum security settings (including protection against keyloggers and kernel object modifications).

Without noticing, I accidentally executed one of the samples I was testing in the VM on my host PC. I kept using my computer as usual and began noticing tiny delays when typing a lot of text, the kind of delays I experienced back when I wrote my first keylogger. I was completely surprised to have this suspicion, since I felt "almost safe" with Kaspersky 2009 updating every 4 hours.

Opening Process Explorer, I began examining the running processes and noticed some weird DLL files loaded into all my processes:
kbdth2sys.dll
kbdvntcapi.dll
They were in system32, and these are the AV test results for these 2 files from that day (also 2 months ago):

I was surprised by two things:
1) Kaspersky's Anti-Keylogger "live protection" let all my personal information be compromised
2) Symantec was the only AV really detecting this, and as a keylogger, which is very funny because their AV is a joke; I will write a few posts about that later

I can't believe this! I am now uploading the files again to VirusTotal to see the updated scan results for today, and I notice this:

The file was first received by VirusTotal on 2007.10.23, which is almost 2 years ago!!!!!!!!!
This only proves 3 things:
1) The malicious code writers WERE INDEED using VirusTotal's "don't distribute samples to AV vendors" option, which was recently removed!
2) None of the anti-viruses detected this widespread keylogger, which has been used to steal people's information FOR THE LAST TWO YEARS!!!
3) It's better to write keyloggers in Delphi ;)

I hereby thank the creator of the matrix for letting me find it on my PC after just 2 days.
Here are today's results for kbdth2sys.dll:
http://www.virustotal.com/en/analisis/ae172aaf34a59733d149476e4b4bcb9c

So after 2 YEARS of going undetected, and 2 MONTHS after the AV vendors got my uploaded samples, we get this amazing 10 of 36 result, which still leaves it undetected by Kaspersky, DrWeb, McAfee, BitDefender, Microsoft, Panda, F-Secure, Fortinet and others...

As for kbdvntcapi.dll, after all this, detection hasn't really changed: 4 heuristic detections and 1 Symantec keylogger detection, still a sad story (at least for most people :)
http://www.virustotal.com/he/analisis/d51626cb8f0b04219b0ad4c010036f0d

Well, I uninstalled my Kaspersky 2009 :)
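The Process Explorer observation above (two DLLs sitting in every process) turned into a repeatable check, as an added Python example that is not code from the original post; it assumes a snapshot of pid -> loaded module paths, a hand-picked baseline of DLLs that belong in every Windows process, and an optional psutil collector for live runs.

```python
# Added example (not from the post): flag DLLs loaded into nearly every process,
# the way the two keylogger DLLs stood out in Process Explorer. Assumes a snapshot
# of pid -> loaded module paths; the sample snapshot below is constructed.
from collections import defaultdict

# Assumed baseline: modules that legitimately sit in nearly every Windows process.
BASELINE = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
            "gdi32.dll", "advapi32.dll", "msvcrt.dll", "rpcrt4.dll"}

def module_prevalence(snapshot):
    """Count the distinct processes each module (lower-cased full path) is loaded in."""
    pids_by_path = defaultdict(set)
    for pid, modules in snapshot.items():
        for path in modules:
            pids_by_path[path.lower()].add(pid)
    return {path: len(pids) for path, pids in pids_by_path.items()}

def find_ubiquitous_modules(snapshot, min_fraction=0.9, baseline=BASELINE):
    """Return [(path, process_count)] for non-baseline DLLs present in at least
    min_fraction of all processes. A DLL pushed into every process (e.g. by a global
    hook) lands here; a genuine layout DLL such as kbdus.dll, loaded only where that
    keyboard layout is in use, does not."""
    total = len(snapshot)
    hits = []
    for path, count in module_prevalence(snapshot).items():
        name = path.rsplit("\\", 1)[-1]
        if name not in baseline and count >= min_fraction * total:
            hits.append((path, count))
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))

def live_snapshot():
    """Real snapshot via psutil on Windows (memory_maps lists the files mapped in)."""
    import psutil  # optional dependency, only needed for a live run
    snap = {}
    for proc in psutil.process_iter():
        try:
            snap[proc.pid] = [m.path for m in proc.memory_maps()
                              if m.path.lower().endswith(".dll")]
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            pass
    return snap

S32 = r"C:\WINDOWS\system32"
COMMON = [S32 + r"\ntdll.dll", S32 + r"\kernel32.dll",
          S32 + r"\kbdth2sys.dll", S32 + r"\kbdvntcapi.dll"]  # the two names from the post
# Constructed snapshot: five processes, the two suspect DLLs in every one of them.
SAMPLE_SNAPSHOT = {100: COMMON + [r"C:\Program Files\App\app.dll"],
                   104: COMMON + [S32 + r"\kbdus.dll"], 108: COMMON,
                   112: COMMON + [S32 + r"\kbdus.dll"], 116: COMMON}
```

Running `find_ubiquitous_modules(live_snapshot())` on a real box needs admin rights to read every process; lowering `min_fraction` widens the net at the cost of more benign hits.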
