Spyware, Viruses, & Security

General discussion

Detecting and Removing Key Loggers and RATs

by swede71 / January 5, 2005 11:54 AM PST

I've been doing a little reading about key loggers and RATs (Remote Access Trojans). A number of the commercial key loggers claim to be undetectable after being installed stealthily. I am guessing the hackers have versions that they feel also are undetectable.

Are there in fact some key loggers (commercial or otherwise) that are undetectable?

What's the best way to detect and remove key loggers and/or RATs?

Does anyone have any tips on setting up (or even choosing) firewalls to help stop key loggers?

Any help in this area would be greatly appreciated!

Thanks!

Re:Detecting and removing keyloggers and RATs
by badabing / January 5, 2005 8:56 PM PST
Here is
by roddy32 / January 5, 2005 9:21 PM PST

a link. This is what McAfee says about them. The following description is fairly generic and applicable to a wide variety of Remote Access Trojans.
http://vil.nai.com/vil/content/v_99400.htm

Some firewalls will block some of these and also some of the popular free spyware applications will block some of them including some keyloggers too. Here are 3 of them.

Spybot S&D (download, check for updates, read the tutorial and scan often, it also does some blocking)
http://www.safer-networking.org/en/home/index.html

SpywareBlaster (a blocker only, download it, check for updates, enable it and leave it alone except for checking for updates occasionally)
http://www.javacoolsoftware.com/spywareblaster.html


SpywareGuard (similar to SpywareBlaster but works in a different way and does not update as often for that reason)
http://www.javacoolsoftware.com/spywareguard.html

Spybot "Advanced Users Only"
by Neo000100 / January 5, 2005 9:55 PM PST

Spybot has a lot of neat little tools in it that the standard user isn't aware of. Disclaimer: use only if you have advanced knowledge...

There is an "Advanced" mode which can list all BHOs and Services, a Process list with some details, System Startup lists and such.

You can do a better search and eradicate pesky ones that most spy detectors won't.

The hardware keylogger.
by R. Proffitt Forum moderator / January 5, 2005 10:18 PM PST

When faced with a savvy user that needs monitoring, we just log the IP addresses that the machine accesses (web sites) as well as install a new keyboard for them.

Read http://www.keyghost.com/

The keyboard version seems to be undetectable...

Bob

Keyloggers ARE undetectable
by jv / January 6, 2005 4:55 PM PST

pcAnywhere is a keylogger, so are other pieces of normal software.

If you install software that has been hacked well you may install a keylogger that is undetectable by any software package.

Analyzing network and file traffic on new programs in a before/after mode can be helpful in detecting this.

Detecting and Removing Key Loggers
by ncblessed / January 6, 2005 9:06 PM PST

I discovered there was a key logger program installed on my computer. My computer had not been shutting down properly. Periodically I look at my Internet history to see where I've been on the web. I noticed a site called Karl Marx and I knew that I had not gone to that website. As I looked more into the history for the past two weeks, I noticed that the Karl Marx website always appeared in history when I went to a site that required a login. Then I did a search on Karl Marx and found out how to remove it. I don't have the information on me, but if you ever run into this, do a search on Karl Marx keylogger and you should find information on how to get rid of this one.

RAT-like Program
by Tech51 / January 6, 2005 11:50 PM PST

I have zero experience with key loggers, but I have had a couple of run-ins with a RAT-like program, the last one about 6 months ago. This program used a specific port to access an external server and check for instructions/commands from a master. It would then perform the commands, go to sleep for a predetermined time and check again. The first noticeable symptom was that the PC was unstable and the performance was quite bad. In reviewing the firewall log I found the PC was accessing a Web site on a schedule using a specific port. I would assume that key loggers work similarly or may even use email to send the information back to a home site. This find led me to make a change in my security policy. Originally, the policy was to block all inbound ports and block known malicious ports going outbound. Now, the policy is to block all inbound ports and block all outbound ports except the ports I know I use (20, 21, 25, 80, 113, 443, and a few others). Of course, these RAT-like programs can use any of the 'good' ports for external access, but at least it is a start in the right direction. Using a firewall that can block ports in both directions and a router that can also block is a good way to mitigate the risk, but of course not a 100% solution.
Another tidbit is to review your 'hosts' file for entries that might be redirecting you to a site you don't want to go to. You can make your 'hosts' file read-only preventing all but sophisticated malicious programs from modifying this file. As mentioned in another post, Spybot has an advanced mode that can help with this, but caution is advised if you are not comfortable with the terminology used in this mode.

Hope this helps.
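The firewall-log review described in the post above can be automated. The following is an added example, not part of the original post: it flags destinations contacted at near-constant intervals and notes whether the port is one the post's outbound policy allows. The log layout, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Outbound ports named in the post's policy (its "few others" are not listed).
ALLOWED_OUT_PORTS = {20, 21, 25, 80, 113, 443}

# Constructed sample log; this field layout is an assumption, not a real product's.
SAMPLE_LOG = """\
2005-01-03 10:00:05 OUT TCP 192.168.1.10 203.0.113.7 8080
2005-01-03 10:01:10 OUT TCP 192.168.1.10 192.0.2.50 80
2005-01-03 10:01:12 OUT TCP 192.168.1.10 192.0.2.50 80
2005-01-03 10:02:00 OUT TCP 192.168.1.10 198.51.100.20 443
2005-01-03 10:03:30 IN TCP 198.51.100.99 192.168.1.10 135
2005-01-03 10:05:04 OUT TCP 192.168.1.10 203.0.113.7 8080
2005-01-03 10:07:45 OUT TCP 192.168.1.10 192.0.2.50 80
2005-01-03 10:10:06 OUT TCP 192.168.1.10 203.0.113.7 8080
2005-01-03 10:12:01 OUT TCP 192.168.1.10 198.51.100.20 443
2005-01-03 10:15:05 OUT TCP 192.168.1.10 203.0.113.7 8080
2005-01-03 10:22:00 OUT TCP 192.168.1.10 198.51.100.20 443
2005-01-03 10:30:02 OUT TCP 192.168.1.10 192.0.2.50 80
2005-01-03 10:32:00 OUT TCP 192.168.1.10 198.51.100.20 443
"""

def parse(log):
    """Group outbound connection times by (destination IP, port)."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[2] != "OUT":
            continue  # inbound or malformed line
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        seen[(parts[5], int(parts[6]))].append(ts)
    return seen

def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Flag destinations contacted min_hits+ times at near-constant intervals."""
    findings = []
    for (dst, port), times in sorted(parse(log).items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < max(min_hits, 2) or mean(gaps) == 0:
            continue
        if pstdev(gaps) <= max_jitter * mean(gaps):  # std-dev within 10% of mean gap
            findings.append({"dst": dst, "port": port, "period_s": round(mean(gaps)),
                             "port_allowed": port in ALLOWED_OUT_PORTS})
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

The scheduled traffic on port 443 is reported even though the port allowlist would pass it, which is the gap the post points out in port-only filtering.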

Reply....Detecting and Removing Key Loggers and RATs
by Nordstar / January 7, 2005 9:45 PM PST

1st!!! Sorry for my bad English!!!...
PC security is a difficult task. Mainly all commercial progs have some kind of a Trojan or keylogger, spyware.
RealPlayer is one known. Even hardware, such as Creative, installs it via their software and update possibilities. Most of them are harmless. Mostly they are using cookies. You register your progs. Don't you??? You are bugged. That's a fact of today. Have you heard of the so-called "black boxes" on the INET providers' servers? They are logging every single bit that is transferred through their network.... So what can you do. Today the Internet is used by all for all purposes. Information is flowing rapidly. Civilians, military, governments, companies. Even "Terrorists".
Name it!!!!.... The last sentence, "Terrorists", opened up a new perspective on the Internet. How to track all the communication that was flowing in the inet's cables.
Just know one thing... All you do on the Internet... Regard it as if you are exposed outwards. See my profile for my PC setup. I then keep tracking logs over my registry settings, installed progs and paths, always empty my temp folders for Internet and (windows of suspects). Empty my cookie folder. Clean my "trash can". Even the real one.
Burn papers.... Hehe. Just a joke! But I know that whatever I do.. All my inet communications have been tracked by the black box. I know that this letter maybe triggered the black box scanner device by the word "Terrorist".... That is a fact.....
You can of course encrypt everything. But what the heck.
The best you can do is... Be suspicious of anything that you don't know of.
One more thing... Alt-Ctrl-Del. Check all processes. Write them down when you know that the computer is clean. Then keep track of the listed items and all the changes there. Keep tracking after every new installation. Also after every program execution. Some are not totally closing down. Leaving tracking progs behind. Well.. hope that can help you a little bit in the hard task of tracking down the spies that are out there tracking down all your behaviors on the NET of Computers. Beasts. 666's. The total sum of the binary code by numerology. The checksum of the beast. Add it to your name and your true nature will be revealed. ID checksum.. By binary code. Code-Decode......
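The write-it-down-and-compare routine from the post above, as an added example that is not part of the original post. It compares two process snapshots by image name rather than PID, since PIDs change between runs. Both snapshots are constructed in the layout printed by `tasklist /fo csv`, and `updhelper.exe` is a hypothetical name.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed snapshots in the layout printed by `tasklist /fo csv`:
# one from a known-clean machine, one taken after an install.
BASELINE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","212 K"
"svchost.exe","812","Console","0","3,904 K"
"svchost.exe","1020","Console","0","12,480 K"
"explorer.exe","1544","Console","0","18,220 K"
'''
CURRENT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","212 K"
"svchost.exe","812","Console","0","3,904 K"
"svchost.exe","1020","Console","0","12,480 K"
"svchost.exe","2316","Console","0","2,100 K"
"explorer.exe","1544","Console","0","18,220 K"
"updhelper.exe","2480","Console","0","4,016 K"
'''

def image_counts(tasklist_csv):
    """Count running instances per image name (lower-cased for comparison)."""
    rows = csv.DictReader(StringIO(tasklist_csv))
    return Counter(row["Image Name"].lower() for row in rows)

def diff_processes(baseline_csv, current_csv):
    """Return images that are new, gone, or running more instances than before."""
    base, cur = image_counts(baseline_csv), image_counts(current_csv)
    return {
        "new": sorted(set(cur) - set(base)),
        "gone": sorted(set(base) - set(cur)),
        "extra_instances": {name: cur[name] - base[name]
                            for name in sorted(base) if cur[name] > base[name]},
    }

if __name__ == "__main__":
    print(diff_processes(BASELINE, CURRENT))
```

A familiar name with more instances than the baseline is reported separately because it would not show up in a list of new names.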

Nordstar, your English is just fine...
by glenn30 / January 7, 2005 10:21 PM PST

I understand your post quite well and extend my thanks for the contribution. Looking forward to seeing more from you and other Swedish friends in the future.

Happy New Year!

Glenn

How to detect a keylogger
by robin732 / July 11, 2007 3:10 AM PDT

I would like to know if there is any software that can detect if someone has installed a keylogger or other software on my computer without me knowing it? I am running Windows XP Pro if that is helpful at all.

Detecting Keyloggers
by Blueswoman1 / January 19, 2005 3:46 AM PST

I have Ad-Aware Plus (NOT ADWARE - VERY BAD NEWS!)
With it comes Adwatch, a realtime watch dog.
I turned it off for a couple of weeks when I was doing software installs. It was a pain because every time I installed software the Adwatch would block my program from the registry. Anyway, my machine was slow and my browser was constantly being hijacked. That's when I ran Ad-Aware for spyware and malicious activity. When done I had 65 new critical objects and one of them was a keylogger. Coolwebsearch and .gator were the culprits. After the cleanup I used my Advanced System Optimizer and got the coolwebsearch crap out of my registry. My AdWatch is currently running, but I put it on manual mode so I know what and who are doing and trying to download what on my PC. So far so good. I don't know if Adwatch, if on at the time, would have caught the keylogger before getting into my system. I hope it would. It's gone for now!

Software for a MAC
by ek1359 / February 23, 2009 5:34 AM PST
In reply to: Detecting Keyloggers

I just read through this entire thread...

What software would be good to detect those commercial (and even the remote ones) keyloggers and the RATs?

I would like to install a detector one on my MAC.

Have a look...........
by Marianna Schmudlach / February 23, 2009 6:07 AM PST
In reply to: Software for a MAC