Several keylogger files use the .dat format so the user won't be suspicious
of these files in his system. These files are later sent to the intruder via
mail. If you open the file with Notepad you get all the keystrokes.
-----Original Message-----
From: Brunner, Mark [mailto:MBrunner (at) tor.fasken (dot) com [email concealed]]
Sent: Thursday, November 25, 2004 7:41 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: RE: System Spy -- Key Logger
The online description at Pest Patrol states:
* Captured data is stored encrypted, in dated files (ex. '01.20.99.DAT') and
can be deleted through System Spy interface.
This is probably what is causing the false positive. I have performed a
scan on a system that has been freshly imaged. You will have a fair number
of .DAT files on every standard Windows system. Pretty ineffective scan if
it relies on file names only and doesn't try to validate content. Pretty
effective marketing tool if your target audience is the average home user...
Mark Brunner
Security Manager
Fasken Martineau DuMoulin LLP
This communication is solicitor/client privileged and contains confidential
information intended only for the person(s) to whom it is addressed. Any
unauthorized disclosure, copying, other distribution of this communication
or taking any action on its contents is strictly prohibited. If you have
received this message in error, please notify us immediately and delete this
message without reading, copying or forwarding it to anyone.
-----Original Message-----
From: David Wright [mailto:dkwsecurity (at) nelmezzo (dot) net [email concealed]]
Sent: Wednesday, November 24, 2004 11:40 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Re: System Spy -- Key Logger
On Mon, 22 Nov 2004, Roger Padilla Jr wrote:
> All,
> I was wondering if anyone has some information on a particular
> piece of spyware called "System Spy -- Key Logger". It is not
> detected by either Ad-aware or Spybot -- it is being identified by
> Pest Patrol's free online scanner. I have tried numerous searches to
> isolate the nature of the payload and delivery mechanism. There are a
> number of Spyware companies that do have it registered in their threat
> databases, and they all classify System Spy as a key logger. So far
> my research has typically resolved to gambling sites and a number of
> Spying software programs that can be purchased or downloaded. There
> are at least three computers I have come across that have been
> identified as having this particular spyware. Any help would be
> appreciated.
>
Your post piqued my interest, so I ran PestScan myself. I got quite a few
false positives.
I combed through the results and it seems to me that PestScan will give a
positive when it finds a file of the same name as a file used by a piece of
spyware.
For example, I got a positive for System Spy, too. The only thing I could
find on my system that matched with Pest Patrol's descriptive data for this
spyware was under "File Analyses". The file name was setup.inf.
It's not surprising that I
had a file of this name on my system. And it wasn't the System Spy file.
Can anyone help to confirm this "false positive by file name only"
scenario?
Thanks!
--
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
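As an added illustration of the "false positive by file name only" behaviour the thread suspects (example code written for this page, not from the list posters or from Pest Patrol): it contrasts a rule that flags on file name alone with one that also requires the dated-name pattern from the Pest Patrol description plus encrypted-looking content, run over a constructed set of files. The name regex, the entropy threshold and the sample file contents are assumptions made for the illustration.

```python
import math
import re
from collections import Counter

# Assumed indicators, based only on the thread: System Spy stores captured data
# "encrypted, in dated files (ex. '01.20.99.DAT')", and PestScan also matched
# on the name setup.inf. The regex and threshold are illustrative assumptions.
DATED_DAT = re.compile(r"^\d{2}\.\d{2}\.\d{2}\.DAT$", re.IGNORECASE)
SUSPECT_NAMES = {"setup.inf"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a cheap proxy for 'looks encrypted'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def name_only_match(name: str) -> bool:
    """What the thread suspects PestScan does: a hit on the file name alone."""
    return name.lower() in SUSPECT_NAMES or bool(DATED_DAT.match(name))


def name_and_content_match(name: str, data: bytes) -> bool:
    """Require the dated-name pattern AND high-entropy (encrypted-looking) content."""
    return bool(DATED_DAT.match(name)) and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> dict:
    """Map each file name to (name_only_hit, name_and_content_hit)."""
    return {n: (name_only_match(n), name_and_content_match(n, d)) for n, d in files.items()}


# Constructed sample "file system" (not real samples): benign files such as a
# stock Windows box might carry, next to one file shaped like keylogger output.
SAMPLE_FILES = {
    "setup.inf": b'[Version]\r\nSignature="$Windows NT$"\r\n' * 20,  # plain INF text
    "index.dat": b"Client UrlCache MMF Ver 5.2" + b"\x00" * 200,    # low-entropy .DAT
    "11.24.04.DAT": b"\x00" * 512,                                  # dated name, zero entropy
    "01.20.99.DAT": bytes(range(256)) * 4,  # flat byte histogram: entropy exactly 8.0
}

if __name__ == "__main__":
    for name, (name_hit, validated) in scan(SAMPLE_FILES).items():
        print(f"{name:13} name-only={str(name_hit):5} name+content={validated}")
```

Only the file whose name and content both fit the description survives the second rule; the other three are the kind of hits a freshly imaged Windows system would produce under name-only matching.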