How to detect keylogging / screen capture software


Mark Siler

I believe one or more of our computers in our corporate network have
keylogger/screen capture software installed. What software can detect these?
I contacted http://www.spectorsoft.com and they claim there is nothing that
can detect their software. This is very troubling if so.



Does anyone know if re-formatting the hard drive will remove these
applications, or are they put someplace harder to get rid of?



Thanks!
 

Steve Riley [MSFT]

Some anti-spyware products can detect certain loggers, if they've been
updated to look for the particular signatures of them.

Certainly if you format the drive and reinstall Windows, then the malware
will be gone. Then it's important to think about how to lessen the
likelihood of another infection occurring. The best thing you can do is run
as standard user, not administrator. Loggers typically need admin privileges
to install and function correctly. By running as standard user, these things
won't work.
 

Richard Urban

It sounds as if one, or more, people in your organization bear watching -
and "are" being watched.

Nothing you can do legally if it was installed due to corporate policy.
Remove it at your own risk. Believe me, you "will" be found out.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)
 

Mark Siler

I'm the new network admin. The owner of the company is the only other person
above me and he didn't authorize the installation of any such software. It
was not due to company policy. It was a bad network admin. Removing it isn't
at my risk... removing it is part of my job!



Steve Riley got it right with the articles he referenced. How do you secure
the network from the person in charge of overseeing that it's secure? What
steps do you take when network admin leaves to make sure he/she didn't leave
backdoors, keyloggers, software bombs, etc.??



What I need now is to find a company that can come in with special
equipment/software that can detect such software/packets, etc., log it, track
it, remove it and then be willing to present the evidence in court. How does
one go about finding a *good* company like this? Does anyone have any article
that references picking such a company... what questions to ask, etc.?
 

Mathieu CHATEAU

So you already pushed the red button...
Change all passwords (admin ones at least).
Check the firewall for opened back doors.
Close all traffic except the really needed traffic.

You may go faster by building again workstations from a trusted source.
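One way to act on the "check the firewall for opened back doors" step above, as an added example that is not part of the thread: parse the output of `netstat -ano` on the affected Windows box and flag any listening TCP socket or bound UDP socket that is not on a short allowlist of services you expect. The column layout assumed here (Proto, Local Address, Foreign Address, State, PID, with no State column for UDP) is the usual `netstat -ano` format; the sample output and the allowlist are constructed for the demo, and the PIDs and ports in it are not real findings.

```python
"""Flag listening sockets that are not on an expected allowlist.

Added example, not from the original thread. Input is assumed to be the text
output of `netstat -ano` on Windows; the sample below is constructed, not
captured from a real machine.
"""

# Constructed sample: a normal Windows host plus two suspicious TCP listeners
# owned by the same PID and one UDP port that was not expected.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1244
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       892
  TCP    [::]:31337             [::]:0                 LISTENING       3120
  UDP    0.0.0.0:123            *:*                                    1012
  UDP    0.0.0.0:1900           *:*                                    2200
"""

# Assumed allowlist for this demo host: RPC, SMB, RDP and NTP only.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def split_host_port(addr):
    """Split '0.0.0.0:135' or '[::]:135' into (host, port); IPv6 uses brackets."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            # UDP rows have no State column, so the PID is the fourth field.
            state, pid = "", int(parts[3])
        host, port = split_host_port(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Return sorted (proto, port, pid) for listening TCP and bound UDP sockets
    whose (proto, port) is not in `expected`; v4/v6 duplicates collapse to one."""
    found = {}
    for r in parse_netstat(text):
        listening = (r["proto"] == "TCP" and r["state"] == "LISTENING") \
            or r["proto"] == "UDP"
        if listening and (r["proto"], r["port"]) not in expected:
            found.setdefault((r["proto"], r["port"]), r["pid"])
    return sorted((proto, port, pid) for (proto, port), pid in found.items())


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port} owned by PID {pid}")
```

Run it against a saved `netstat -ano > listeners.txt` from each workstation and feed the PIDs it reports into `tasklist /svc` to see which process (and which service, if any) owns the socket; two unexpected ports held by one PID, as in the constructed sample, is the pattern worth chasing first.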
 

Bogwitch

Mark said:
I'm the new network admin. The owner of the company is the only other person
above me and he didn't authorize the installation of any such software. It
was not due to company policy. It was a bad network admin. Removing it isn't
at my risk... removing it is part of my job!

Steve Riley got it right with the articles he referenced. How do you secure
the network from the person in charge of overseeing that it's secure? What
steps do you take when network admin leaves to make sure he/she didn't leave
backdoors, keyloggers, software bombs, etc.??

What I need now is to find a company that can come in with special
equipment/software that can detect such software/packets, etc., log it, track
it, remove it and then be willing to present the evidence in court. How does
one go about finding a *good* company like this? Does anyone have any article
that references picking such a company... what questions to ask, etc.?

Nasty situation. Getting in a contract organisation is going to be the
quickest and best fix. It is not going to be cheap.

It really depends on your infrastructure, number of servers, number of
workstations, etc. Re-installing from known good media will possibly be
your best bet. If you think there will possibly be a prosecution
pending, you will need to make a good forensic copy of any and all
affected media beforehand. Preservation of evidence is key in this and
is best left to trained personnel - it may already be too late to pursue
a successful prosecution - it depends how knowledgeable the previous
admin was.

It is possible to check all the executables installed on the system
against something like the National Software Reference Library, and that
is something that can be done quite simply to ensure system integrity
(it won't check for misconfigurations; that's up to you!).

I can't make any recommendations for companies to provide the service in
the US. If you were in the UK, it would be a different story.

Bogwitch.
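The hash-set comparison Bogwitch describes, as an added example that is not part of the thread: hash every executable under a directory tree and report the ones whose SHA-1 is absent from a known-good set. The hash set is read in the legacy NSRL RDS text layout (quoted CSV with `"SHA-1","MD5","CRC32","FileName",...` as the header), which is an assumption about the file format rather than something the thread states; the directory tree and the three-row hash set below are constructed on the fly so the script runs offline, and stand in for the real multi-gigabyte NSRL download and a real system drive.

```python
"""Report executables whose hash is not in a known-good (NSRL RDS style) set.

Added example, not from the original thread. The RDS column layout is assumed;
the demo tree and hash set are constructed here, not taken from a real host.
"""
import csv
import hashlib
import io
import tempfile
import zlib
from pathlib import Path

# File types worth checking; extend for your environment (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not get loaded into memory at once."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def load_hash_set(rds_text):
    """Return the set of SHA-1 values (uppercase hex) from RDS-format CSV text."""
    known = set()
    for row in csv.DictReader(io.StringIO(rds_text)):
        sha1 = (row.get("SHA-1") or "").strip().upper()
        if len(sha1) == 40:       # skip malformed or truncated rows
            known.add(sha1)
    return known


def find_unknown_executables(root, known):
    """Walk root and return (posix relative path, sha1) for executables not in
    `known`. Unreadable files are reported as 'UNREADABLE', never skipped."""
    unknown = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            digest = sha1_of_file(path)
        except OSError:
            unknown.append((rel, "UNREADABLE"))
            continue
        if digest not in known:
            unknown.append((rel, digest))
    return unknown


def build_demo_tree():
    """Create a temp dir with two 'known' binaries, one unlisted binary and one
    non-executable, plus a constructed RDS text listing only the known two."""
    root = Path(tempfile.mkdtemp(prefix="nsrl_demo_"))
    known_files = {
        "Windows/System32/notepad.exe": b"constructed stand-in for notepad.exe",
        "Windows/System32/kernel32.dll": b"constructed stand-in for kernel32.dll",
    }
    other_files = {
        "Program Files/Tools/capture.exe": b"constructed stand-in for an unlisted binary",
        "readme.txt": b"not an executable; ignored by the suffix filter",
    }
    for rel, data in {**known_files, **other_files}.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    rows = ['"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"']
    for rel, data in known_files.items():
        rows.append('"%s","%s","%08X","%s","%d","1","1",""' % (
            hashlib.sha1(data).hexdigest().upper(),
            hashlib.md5(data).hexdigest().upper(),
            zlib.crc32(data) & 0xFFFFFFFF, Path(rel).name, len(data)))
    return root, "\n".join(rows) + "\n"


def demo():
    """Build the constructed tree and return the executables not in the hash set."""
    root, rds_text = build_demo_tree()
    return find_unknown_executables(root, load_hash_set(rds_text))


if __name__ == "__main__":
    for rel, digest in demo():
        print(f"NOT IN HASH SET: {rel}  sha1={digest}")
```

Against a real drive, point `find_unknown_executables` at the mounted forensic image (not the live, possibly compromised system) and `load_hash_set` at the downloaded NSRL file; everything it prints is either legitimate software the NSRL does not cover or something to examine, and an "UNREADABLE" entry on an image you should have full access to is itself worth a look.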
 

Dana

Mark Siler said:
The person who did this was the network admin, not a "standard" user.

So this changes things. Maybe it was done on purpose to track inappropriate
usage of work computers.
Or was the admin acting on his own?
 
