Keyloggers

Posted by: Dignan

Keyloggers - 24/05/2011 23:40

I've acquired a client with a very real issue that I've not had experience with before. She's had, in the past, a problem where someone put a keylogger on her computer.

Clearly this is a terrible thing, and I want to make sure she's protected from this happening again. This doesn't seem like something that most antiviruses would see, though, unless it was part of a virus.

I'll be going over other security issues with her, like creating strong enough passwords on her email and other services, and making sure her wireless network has the proper security, but software keyloggers are something I've never dealt with before. It's easy enough to look at the back of her computer and make sure there's no hardware keyloggers, but I don't know about the software side. Granted, either one would require some sort of access to the computer, clearly physical access for the hardware variety, but I'd like to make sure there's no bad software on there.

Thanks for the help. If you can think of any other issues when it comes to protecting from specifically targeted attacks it would be much appreciated. Man, some people are real freaks...
Posted by: frog51

Re: Keyloggers - 30/05/2011 20:18

Actually, most antivirus/antimalware will pick up the usual keyloggers. They get flagged as malware.

What you almost certainly won't detect would be rootkits. The only way to really be sure she doesn't have one of those is to do a complete new build and secure it well, in addition to all the usual steps. (you can do a bit of checking using a live CD boot disk with rootkit checkers on it, but it isn't going to be as certain)

If someone is specifically targeting her your likelihood of protecting her is dependent on how serious the attacker is. There is no way to prevent a determined attacker - all you can do is hope to make it difficult enough that you spot an attack before it is successful.

Oh - if you want a few good opinions, post the question up on security.stackexchange.com :-)
Posted by: siberia37

Re: Keyloggers - 31/05/2011 15:03

The problem with keyloggers is that it is ridiculously easy to write one. If you write one from scratch, hardly any malware detector will pick it up. This is for keyloggers that work when the user is logged into Windows; ones that work when no user is logged in (thus logging the logon process) require a rootkit/driver hack and are significantly more complex.
Posted by: Dignan

Re: Keyloggers - 31/05/2011 17:43

Any links to good live CDs that might have rootkit detectors on them?

And is there no way to check if there's a keylogger manually (not with an antivirus)? Would Hijack This see it? Would something like ComboFix kill it?
Posted by: DWallach

Re: Keyloggers - 31/05/2011 18:31

Rather than attacking the problem by trying to pick specific tools, you need to get into her threats more deeply. Fundamentally, there are three sorts of keyloggers: hardware dongles, rootkit-ish things, and regular software-ish things. Obviously, no software will detect a hardware dongle. Rootkit-ish things, which may include virtualization to get below the operating system, are again not something you're going to pick up with a scanner.

The trick is that hardware dongles require physical access, and many rootkit-ish things are relatively hard to install without either physical access or a machine that's way, way out of date on its security patches. So you have to ask what level of protection you're going after here. If the attacker is physically remote and the machine is running properly patched software and suitably configured without lots of unnecessary services, there's relatively little to actually worry about. On the other hand, if you're worried about a physically present attacker, the whole game changes and you should be looking at radically different approaches (e.g., a used government-spec security container).
Posted by: frog51

Re: Keyloggers - 31/05/2011 19:20

These two are pretty good

http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx
http://technet.microsoft.com/en-us/sysinternals/bb897445
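The two tools linked above are the usual answer to "check from a live CD". As an added example that is not code from this thread or from either tool, the script below shows the cross-view principle such rootkit detectors rely on: a rootkit that hides files from the running OS cannot hide them from a listing taken with the disk mounted read-only from a live CD, so anything that appears only in the offline view deserves a closer look. The listing format, the collection script it assumes, the live-CD mount point (/mnt/sda1) and the sample entries are all my assumptions and constructed data, not anything the posters described.

```python
"""Cross-view diff for rootkit hunting (added example; assumptions noted inline).

Input: two plain-text listings, one taken from inside Windows, one from a live
CD with the system disk mounted read-only. Each line is "<path>\t<size>\t<sha256>"
(assumed output of a hypothetical collection script, not a real tool's format).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    sha256: str


# Paths that legitimately differ between a running system and an offline mount.
# Matched against the normalized, lower-cased path.
KNOWN_TRANSIENT = (
    re.compile(r"^/pagefile\.sys$"),
    re.compile(r"^/hiberfil\.sys$"),
    re.compile(r"^/\$[a-z]+"),                  # NTFS metafiles: $MFT, $LogFile, ...
    re.compile(r"^/system volume information/"),
    re.compile(r"^/windows/temp/"),
)


def normalize_path(raw: str) -> str:
    """Map both views onto one form: "C:\\Windows\\foo" and "/mnt/sda1/Windows/foo"
    both become "/windows/foo". The "/mnt/<dev>" prefix is the assumed live-CD mount."""
    p = raw.strip().replace("\\", "/")
    p = re.sub(r"^[A-Za-z]:", "", p)            # drop drive letter
    p = re.sub(r"^/mnt/[^/]+", "", p)           # drop live-CD mount point
    if not p.startswith("/"):
        p = "/" + p
    return p.lower()


def parse_listing(text: str) -> dict[str, Entry]:
    entries: dict[str, Entry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        path, size, digest = parts
        key = normalize_path(path)
        entries[key] = Entry(key, int(size), digest.strip().lower())
    return entries


def is_transient(path: str) -> bool:
    return any(rx.match(path) for rx in KNOWN_TRANSIENT)


def cross_view_diff(api_view: dict[str, Entry], raw_view: dict[str, Entry]):
    """Return (hidden, modified):
    hidden   - paths the offline view has but the running OS did not report
    modified - paths in both views whose size or hash disagree
    Known-transient paths are excluded from both lists."""
    hidden = sorted(p for p in raw_view
                    if p not in api_view and not is_transient(p))
    modified = sorted(p for p in raw_view
                      if p in api_view and not is_transient(p)
                      and (raw_view[p].size, raw_view[p].sha256)
                      != (api_view[p].size, api_view[p].sha256))
    return hidden, modified


# Constructed sample listings. Hashes are placeholders, file names are invented.
API_VIEW = (
    "# constructed: taken from inside Windows\n"
    "C:\\Windows\\System32\\kernel32.dll\t1234567\tAAAA\n"
    "C:\\Windows\\System32\\user32.dll\t456789\tBBBB\n"
    "C:\\pagefile.sys\t1073741824\t0000\n"
    "C:\\Users\\alice\\Documents\\notes.txt\t512\tCCCC\n"
)
RAW_VIEW = (
    "# constructed: taken from a live CD, disk mounted at /mnt/sda1\n"
    "/mnt/sda1/Windows/System32/kernel32.dll\t1234567\tAAAA\n"
    "/mnt/sda1/Windows/System32/user32.dll\t456789\tFFFF\n"        # hash differs
    "/mnt/sda1/Windows/System32/drivers/klog.sys\t20480\tDDDD\n"   # not in API view
    "/mnt/sda1/pagefile.sys\t2147483648\t1111\n"                   # transient, ignored
    "/mnt/sda1/Users/alice/Documents/notes.txt\t512\tCCCC\n"
    "/mnt/sda1/Users/alice/AppData/Roaming/winupd/kl.log\t8192\tEEEE\n"
    "/mnt/sda1/$MFT\t65536\t2222\n"                                # NTFS metafile, ignored
)


def demo():
    return cross_view_diff(parse_listing(API_VIEW), parse_listing(RAW_VIEW))


if __name__ == "__main__":
    hidden, modified = demo()
    print("hidden from the running OS:", hidden)
    print("differ between views:", modified)
```

Anything reported as hidden is not proof of a rootkit (a driver installed after the API listing was taken would show up the same way), but it is exactly the short list worth pulling off the disk and examining from the live CD before deciding whether to rebuild.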
Posted by: wfaulk

Re: Keyloggers - 31/05/2011 20:08

Not to hijack the thread, but:

Do you have any opinions on general Windows AV utilities, Rory? Especially ones with enterprise-level tools (central control, etc.). Just a general "these suck, these are okay, I'd go with this one" type list would be super, just to check my own opinions against someone with some sort of real expertise.
Posted by: frog51

Re: Keyloggers - 02/06/2011 13:58

At an enterprise level, the leaders are all pretty much the same (Sophos, McAfee, Symantec, Kaspersky) - they are all quite good

(actually I don't like the Kaspersky UI, but that's just me:-)

At a home user level, most are actually quite poor. They do the job but are CPU and RAM hogs, so I do advise folks to go with Microsoft Security Essentials these days.
Posted by: drakino

Re: Keyloggers - 02/06/2011 15:06

Any thoughts on Microsoft's Forefront offerings?

http://www.microsoft.com/forefront/en/us/default.aspx

Seems to be the enterprise version of their consumer offerings. I'd imagine the active directory integration and other bits coming direct from Microsoft might reduce the IT overhead, but no idea if their actual protection is any good.
Posted by: Dignan

Re: Keyloggers - 02/06/2011 17:59

Originally Posted By: frog51
At an enterprise level, the leaders are all pretty much the same (Sophos, McAfee, Symantec, Kaspersky) - they are all quite good

(actually I don't like the Kaspersky UI, but that's just me:-)

At a home user level, most are actually quite poor. They do the job but are CPU and RAM hogs, so I do advise folks to go with Microsoft Security Essentials these days.

Wow, we're totally on the same page, Rory. My clients are often a little confused when I express that Symantec is fine in the corporate setting (because it is, the footprint is tiny), but abysmal at home. Norton is a huge piece of garbage and McAfee isn't much better.

I've definitely been recommending MSE for home users. It does a very good job, and for free.
Posted by: Waterman981

Re: Keyloggers - 02/06/2011 19:33

I haven't used the central management of McAfee's corporate offering, but I can say the endpoint stuff is horrible. We are constantly manually cleaning viruses, and in some instances re-imaging PCs here at my office. I don't think I've ever seen it actually catch something. We were running Symantec's offering a few years ago, and complaining about it, but would now gladly go back to it over McAfee. I have played a bit with both ends of Trend Micro's corporate offering and liked it a lot. The endpoints seemed low impact, but did a good job protecting and cleaning viruses.

I also have been recommending MSE to friends & family for home use.
Posted by: frog51

Re: Keyloggers - 02/06/2011 21:13

I wonder why you have been having such poor results with McAfee. My clients who have it love it, and a couple of the smaller ones have the DLP package too - and it really works for them.
Posted by: drakino

Re: Keyloggers - 03/06/2011 00:34

I had a similar experience to Michael with McAfee at a previous job. It wasn't finding threats that got in, and it was killing legitimate installs. Eventually IT gave up and allowed people to disable it for 10 minutes at a time to be able to install software properly.

There was a major version update at some point though that resolved a lot of issues and did seem to be working security wise. Can't remember any version details though, but this would have been around mid to late 2009 time wise.