How to detect keylogging / screen capture software

Newsgroup: microsoft.public.windows.server.security
Subject: How to detect keylogging / screen capture software
Author: Mark Siler
Date: 09-06-2007
Posted by Richard Urban on September 7, 2007, 12:29 pm
It sounds as if one, or more, people in your organization bear watching -
and "are" being watched.

Nothing you can do legally if it was installed due to corporate policy.
Remove it at your own risk. Believe me, you "will" be found out.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)


> The person who did this was the network admin. not a "standard" user.
>
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard
>> user, these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>>I believe one or more of our computers in our corporate network have
>>>keylogger/screen capture software installed. What software can detect
>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>nothing that can detect their software. This is very troubling if not?
>>>
>>>
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove
>>> these applications or are they put someplace harder to get rid of?
>>>
>>>
>>>
>>> Thanks!
>>>
>>>
>
>


Posted by Mark Siler on September 8, 2007, 9:03 am
I'm the new network admin. The owner of the company is the only other person
above me and he didn't authorize the installation of any such software. It
was not due to company policy. It was a bad network admin. Removing it isn't
at my risk... removing it is a duty of my job!



Steve Riley got it right with the articles he referenced. How do you secure
the network from the person in charge of overseeing that it's secure? What
steps do you take when a network admin leaves to make sure he/she didn't leave
backdoors, keyloggers, software bombs, etc.?



What I need now is to find a company that can come in with special
equipment/software that can detect such software/packets, etc., log it, track
it, remove it and then be willing to present the evidence in court. How does
one go about finding a *good* company like this? Does anyone have any articles
that reference picking such a company... what questions to ask, etc.?




Posted by Mathieu CHATEAU on September 8, 2007, 9:13 am
So you already pushed the red button...
Change all passwords (the admin ones at least)
check the firewall for opened back doors
close all traffic except what is really needed

You may go faster by rebuilding workstations from a trusted source.

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com




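Mathieu's second and third steps, checking the firewall for opened back doors and closing everything that is not really needed, start with knowing what is actually listening on each host. The script below is an added example, not code from the thread or from any poster: it parses the text output of the built-in Windows commands `netstat -ano` and `tasklist /fo csv /nh`, resolves each TCP listener to its owning process through the PID column, and flags a listener when its port is not on a per-host allowlist, or when the port is allowed but owned by an image other than the one expected there. The two captures, the allowlist, the image name `srvhelper.exe` and the ports 3389/4444 it owns are all constructed for the example.

```python
"""Triage listening sockets against an allowlist.

Added example, not from the original thread. Parses `netstat -ano` and
`tasklist /fo csv /nh` output (both built into Windows), finds every TCP
socket in LISTENING state, maps it to the owning image via the PID column,
and reports listeners that are either on an unexpected port or on an
allowed port but owned by an unexpected image. Sample captures below are
constructed; on a live host, feed in the real command output.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed `netstat -ano` capture (Windows layout: Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2788
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2788
  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:123            *:*                                    1120
"""

# Constructed `tasklist /fo csv /nh` capture:
# "Image Name","PID","Session Name","Session#","Mem Usage"
SAMPLE_TASKLIST = '''"System","4","Services","0","1,024 K"
"svchost.exe","812","Services","0","9,512 K"
"w32tm.exe","1120","Services","0","3,400 K"
"srvhelper.exe","2788","Console","1","5,216 K"
'''

# Ports this host is supposed to expose and the image that should own each one.
# Maintained per host role; anything else is a finding to explain or close.
ALLOWLIST: Dict[int, str] = {
    135: "svchost.exe",   # RPC endpoint mapper
    445: "System",        # SMB is served from the kernel (PID 4)
    3389: "svchost.exe",  # Remote Desktop: TermService runs inside svchost
}

Finding = Tuple[int, int, str, str]   # port, pid, image, reason


def parse_listeners(netstat_text: str) -> List[Tuple[int, int]]:
    """(port, pid) for each TCP LISTENING row; UDP rows have no State column and are skipped."""
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])   # handles 0.0.0.0:135 and [::]:135
            out.append((port, int(parts[4])))
    return out


def parse_tasklist(tasklist_csv: str) -> Dict[int, str]:
    """PID -> image name from the CSV form of tasklist."""
    return {int(row[1]): row[0]
            for row in csv.reader(io.StringIO(tasklist_csv)) if len(row) >= 2}


def triage(netstat_text: str, tasklist_csv: str,
           allowlist: Dict[int, str]) -> List[Finding]:
    """Sorted, de-duplicated findings; an empty list means every listener is accounted for."""
    images = parse_tasklist(tasklist_csv)
    findings = set()
    for port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<no such pid>")
        expected = allowlist.get(port)
        if expected is None:
            findings.add((port, pid, image, "port not in allowlist"))
        elif image.lower() != expected.lower():
            findings.add((port, pid, image, "expected " + expected))
    return sorted(findings)


if __name__ == "__main__":
    for port, pid, image, reason in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, ALLOWLIST):
        print(f"port {port:<5} pid {pid:<5} {image:<16} {reason}")
```

On a live host, run both commands from an elevated prompt and pass their output in place of the samples. Two caveats a practitioner would keep in mind: the PIDs and image names come from the same operating system that may be compromised, so a kernel-level hook can hide a socket from both tools, which is why the last line of the post (rebuild from a trusted source) is the step that actually settles the question; and an allowed port owned by an unexpected image is as much a finding as a port nobody expected.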
Posted by Bogwitch on September 8, 2007, 1:01 pm
Nasty situation. Getting in a contract organisation is going to be the
quickest and best fix. It is not going to be cheap.

It really depends on your infrastructure, number of servers, number of
workstations, etc. Re-installing from known good media will possibly be
your best bet. If you think there will possibly be a prosecution
pending, you will need to make a good forensic copy of any and all
affected media beforehand. Preservation of evidence is key in this and
is best left to trained personnel - it may already be too late to pursue
a successful prosecution - it depends how knowledgeable the previous
admin was.

It is possible to reference all the executables installed on the system
against something like the National Software Reference Library and that
is something that can be done quite simply to ensure system integrity.
(it won't check for misconfigurations, that's up to you!)

I can't make any recommendations for companies to provide the service in
the US. If you were in the UK, it would be a different story.

Bogwitch.
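Bogwitch's suggestion of referencing installed executables against the National Software Reference Library, as an added example that is not part of the original post. The classic NSRL Reference Data Set is published as a CSV (NSRLFile.txt) whose first two columns are the SHA-1 and MD5 of each known file; the script loads the SHA-1 column, walks a directory tree, hashes every executable-looking file and reports the ones absent from the set. The directory tree, the stand-in binaries and the reference CSV are constructed in a temporary directory so the run is offline and deterministic: the names `kernel32.dll`, `notepad.exe` and `unlisted.sys` and their contents are invented for the demo, and the hashes written into the sample CSV are computed from those invented contents, not taken from the real RDS.

```python
"""Check executables against an NSRL-style known-file hash set.

Added example, not from the original thread. Loads the SHA-1 column of an
NSRLFile.txt-style CSV, walks a directory tree, hashes each executable-
looking file and reports those not present in the set. The tree and the
CSV below are constructed in a temp directory; on a real host, point
load_nsrl_sha1 at the downloaded NSRLFile.txt and unknown_executables at
the system volume.
"""
import csv
import hashlib
import io
import tempfile
import zlib
from pathlib import Path
from typing import Iterable, List, Set

# Suffixes worth hashing; everything else is skipped. As Bogwitch notes,
# this checks binaries, not configuration.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl"}

# Column layout of the classic NSRLFile.txt.
NSRL_HEADER = ('"SHA-1","MD5","CRC32","FileName","FileSize",'
               '"ProductCode","OpSystemCode","SpecialCode"')


def load_nsrl_sha1(rds_csv: Iterable[str]) -> Set[str]:
    """Read the SHA-1 column of an NSRLFile.txt-style CSV into a lowercase set."""
    return {row["SHA-1"].strip().lower()
            for row in csv.DictReader(rds_csv) if row.get("SHA-1")}


def sha1_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-1 (NSRL's primary key) without loading it whole."""
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def unknown_executables(root: Path, known: Set[str]) -> List[str]:
    """Relative paths (posix form) of executables whose SHA-1 is not in `known`."""
    unknown = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            if sha1_of(path) not in known:
                unknown.append(path.relative_to(root).as_posix())
    return unknown


def nsrl_row(name: str, data: bytes) -> str:
    """Format one constructed NSRLFile.txt row describing `data`."""
    return '"%s","%s","%08X","%s","%d","1","WIN",""' % (
        hashlib.sha1(data).hexdigest().upper(),
        hashlib.md5(data).hexdigest().upper(),
        zlib.crc32(data) & 0xFFFFFFFF, name, len(data))


def build_demo(root: Path) -> str:
    """Populate `root` with stand-in binaries; return a CSV that knows two of them."""
    sysdir = root / "System32"
    (sysdir / "drivers").mkdir(parents=True)
    known = {  # invented contents, not real Windows binaries
        "kernel32.dll": b"MZ\x90\x00 constructed stand-in for a known DLL",
        "notepad.exe": b"MZ\x90\x00 constructed stand-in for a known EXE",
    }
    for name, data in known.items():
        (sysdir / name).write_bytes(data)
    # On disk but absent from the reference set: this is what gets reported.
    (sysdir / "drivers" / "unlisted.sys").write_bytes(b"MZ\x90\x00 not in the RDS")
    # Not an executable suffix, so never hashed.
    (sysdir / "readme.txt").write_bytes(b"ignored")
    rows = [NSRL_HEADER] + [nsrl_row(n, d) for n, d in known.items()]
    return "\n".join(rows) + "\n"


def run_demo() -> List[str]:
    """Build the constructed tree and CSV, then return the unmatched executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known = load_nsrl_sha1(io.StringIO(build_demo(root)))
        return unknown_executables(root, known)


if __name__ == "__main__":
    for rel in run_demo():
        print("NOT IN REFERENCE SET:", rel)
```

Read the result the way Bogwitch frames it: an unmatched file is a lead, not a verdict (in-house builds and recent patches are often not in the set yet); a matched file only means it is a known published release, and since the RDS indexes commercial software, a commercial monitoring product could match as known; and none of this covers the misconfiguration side he points at.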

Posted by Dana on September 8, 2007, 2:16 pm

> The person who did this was the network admin. not a "standard" user.

So this changes things. Maybe it was done on purpose to track inappropriate
usage of work computers.
Or was the admin acting on his own?


