Sniffing out keyloggers is pretty simple: you install a packet sniffer, open the application you find suspicious and then check the packets for FTP connections or any other suspicious connections. Trouble is, if you open the application and it does contain a keylogger then you've just infected your computer... what an idiot.
So the workaround for this infecting-yourself problem is to trap the keylogger. You can do this by using a sandbox; the program I use is http://www.virtualbox.org/. Basically it creates a virtual machine on your computer; you can then install an OS into it and run that OS while logged on to your normal computer.
e.g. You're on Vista, you install VirtualBox, you install XP on the VM that VirtualBox creates. You can then run Windows XP while in Vista.
If you have no spare CDs hanging about then check around on the forum and download the OS you want; you can install it to the VM from an ISO so you don't need to burn it to a disk.
Right, so now you have your OS installed (hopefully you do?), and now if you open a malicious application it will stay inside your virtual machine and will not escape onto your main HDD, so now you're safe!
Right, once on your 'other OS' via VirtualBox, download a packet sniffer. I've attached a good one which I use, EtherDetect Packet Sniffer.
Okay, so the sandbox and packet sniffer are installed: all the tools to sniff out a keylogger safely. Now you'll need that suspicious application. Once you have it, have the packet sniffer ready and open the application. After opening it, click to start logging packets and stop after around 2-5 minutes or so. You then need to look for any suspicious IPs; the best thing to look for is the protocol 'ftp', as this could mean that the application is sending logs to an FTP account. A nice little tip: if you do find a keylogger sending logs to an FTP server and you look at its packets, there is a high chance that you'll see the FTP username and password.
That's basically all you have to do. It is also good to use a packet sniffer if you think you may already have a keylogger: just log the packets and look for suspicious things.
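Added example (not from the post and not part of EtherDetect): a small Python triage script that does the "look for suspicious IPs and FTP" step over a text export of a capture taken inside the VM. The one-packet-per-line export format, the 192.168.56.0/24 sandbox network and the sample packets are assumptions made up for this example; the script lists every outside host the VM talked to and flags FTP USER/PASS/STOR commands, redacting the password so the report never carries the credential.

```python
import ipaddress

FTP_CONTROL_PORT = 21
# control-channel verbs that show a login or an upload in progress
FTP_EXFIL_VERBS = ("USER", "PASS", "STOR", "APPE")

# Constructed sample (not a real sniffer export): one packet per line as
# "time src dst proto dst_port payload", as captured inside the sandbox VM.
SAMPLE_CAPTURE = """\
0.001 192.168.56.101 192.168.56.1 UDP 53 query example.com
0.050 192.168.56.101 203.0.113.25 TCP 21
0.072 203.0.113.25 192.168.56.101 TCP 1045 220 FTP server ready
0.090 192.168.56.101 203.0.113.25 TCP 21 USER logs_dropbox
0.110 192.168.56.101 203.0.113.25 TCP 21 PASS hunter2
0.300 192.168.56.101 203.0.113.25 TCP 21 STOR keylog_2009-03-01.txt
1.200 192.168.56.101 93.184.216.34 TCP 80 GET / HTTP/1.1
"""


def parse_capture(text):
    """Turn the text export into one dict per packet; skip blank or short lines."""
    packets = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        t, src, dst, proto, dport = parts[:5]
        payload = parts[5] if len(parts) > 5 else ""
        packets.append({"time": float(t), "src": src, "dst": dst, "proto": proto,
                        "dport": int(dport), "payload": payload})
    return packets


def triage(text, sandbox_net="192.168.56.0/24"):
    """Report remote hosts the VM contacted and FTP login/upload commands.
    Only packets leaving the sandbox network (assumed VirtualBox host-only range)
    count; the PASS argument is redacted so the report never holds the password."""
    net = ipaddress.ip_network(sandbox_net)
    remote_hosts, ftp_findings = set(), []
    for p in parse_capture(text):
        if ipaddress.ip_address(p["src"]) not in net or ipaddress.ip_address(p["dst"]) in net:
            continue  # inbound or VM-to-host traffic is not an exfil channel
        remote_hosts.add(p["dst"])
        if p["proto"] == "TCP" and p["dport"] == FTP_CONTROL_PORT and p["payload"]:
            verb, _, arg = p["payload"].partition(" ")
            if verb.upper() in FTP_EXFIL_VERBS:
                detail = "<redacted>" if verb.upper() == "PASS" else arg
                ftp_findings.append((p["dst"], verb.upper(), detail))
    return {"remote_hosts": sorted(remote_hosts), "ftp_findings": ftp_findings}
```

Run `triage(SAMPLE_CAPTURE)` to get the outside hosts plus the USER and STOR lines that show the sample program logging in and uploading a file, which is exactly the pattern the post says to look for.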
+1 if you find this helpful please
Download: EtherDetect Packet Sniffer v1.4.rar
Google is your answer for it