How to detect keylogging / screen capture software


Mark Siler

I believe one or more of our computers in our corporate network have
keylogger/screen capture software installed. What software can detect these?
I contacted http://www.spectorsoft.com and they claim there is nothing that
can detect their software. This is very troubling if not?



Does anyone know if the hard drive is re-formatted will that remove these
applications or are they put someplace harder to get rid of?



Thanks!
 

Steve Riley [MSFT]

Some anti-spyware products can detect certain loggers, if they've been
updated to look for the particular signatures of them.

Certainly if you format the drive and reinstall Windows, then the malware
will be gone. Then it's important to think about how to lessen the
likelihood of another infection occurring. The best thing you can do is run
as standard user, not administrator. Loggers typically need admin privileges
to install and function correctly. By running as standard user, these things
won't work.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Mark Siler" <john.doe@domain.com> wrote in message
news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>I believe one or more of our computers in our corporate network have
>keylogger/screen capture software installed. What software can detect
>these? I contacted http://www.spectorsoft.com and they claim there is
>nothing that can detect their software. This is very troubling if not?
>
>
>
> Does anyone know if the hard drive is re-formatted will that remove these
> applications or are they put someplace harder to get rid of?
>
>
>
> Thanks!
>
>
 

Mark Siler

The person who did this was the network admin, not a "standard" user.

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
> Some anti-spyware products can detect certain loggers, if they've been
> updated to look for the particular signatures of them.
>
> Certainly if you format the drive and reinstall Windows, then the malware
> will be gone. Then it's important to think about how to lessen the
> likelihood of another infection occurring. The best thing you can do is
> run as standard user, not administrator. Loggers typically need admin
> privileges to install and function correctly. By running as standard user,
> these things won't work.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "Mark Siler" <john.doe@domain.com> wrote in message
> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>I believe one or more of our computers in our corporate network have
>>keylogger/screen capture software installed. What software can detect
>>these? I contacted http://www.spectorsoft.com and they claim there is
>>nothing that can detect their software. This is very troubling if not?
>>
>>
>>
>> Does anyone know if the hard drive is re-formatted will that remove these
>> applications or are they put someplace harder to get rid of?
>>
>>
>>
>> Thanks!
>>
>>
 

Aaron

Mark Siler wrote:
> The person who did this was the network admin, not a "standard" user.
>
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard user,
>> these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>> I believe one or more of our computers in our corporate network have
>>> keylogger/screen capture software installed. What software can detect
>>> these? I contacted http://www.spectorsoft.com and they claim there is
>>> nothing that can detect their software. This is very troubling if not?
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove these
>>> applications or are they put someplace harder to get rid of?
>>>
>>> Thanks!


From your posts here it sounds as though the owner, or authorized
representative of the owner, has installed the possible keylogger(s).

If you did manage to remove it, would they take punitive action against
you for doing so?

If they are not responsible for its presence, are they responsible for
its removal?

Remember, if they own it, they may be legally allowed to take actions to
monitor its use. It is their resource; they can be held responsible in a
legal proceeding for actions performed using their computer: libelous
email, surfing to bad websites, inappropriate pictures found on the
computer, etc.

In short: IF it is the corporation's property, and the corporation is
responsible for the presence of monitoring software, they can probably
legally monitor what you do with their property. Where I work, when I
log into the company network there is a large splash screen saying, in
about ten sentences, "Big Brother IS watching YOU".

--
I'm glad my Mom named me Aaron,
That's what everybody calls me.
 

Steve Riley [MSFT]

Uh oh. Alas, you no longer have a technical problem. I think you know what
needs to happen next.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0705.mspx
http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Mark Siler" <john.doe@domain.com> wrote in message
news:eHd#hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
> The person who did this was the network admin, not a "standard" user.
>
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard
>> user, these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Mark Siler" <john.doe@domain.com> wrote in message
>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>I believe one or more of our computers in our corporate network have
>>>keylogger/screen capture software installed. What software can detect
>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>nothing that can detect their software. This is very troubling if not?
>>>
>>>
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove
>>> these applications or are they put someplace harder to get rid of?
>>>
>>>
>>>
>>> Thanks!
>>>
>>>

 

Mathieu CHATEAU

Since it's a "commercial" product, he may have been asked to do so?


--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mark Siler" <john.doe@domain.com> wrote in message
news:eHd%23hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
> The person who did this was the network admin, not a "standard" user.
>
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard
>> user, these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Mark Siler" <john.doe@domain.com> wrote in message
>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>I believe one or more of our computers in our corporate network have
>>>keylogger/screen capture software installed. What software can detect
>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>nothing that can detect their software. This is very troubling if not?
>>>
>>>
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove
>>> these applications or are they put someplace harder to get rid of?
>>>
>>>
>>>
>>> Thanks!
>>>
>>>

 

Richard Urban

It sounds as if one, or more, people in your organization bear watching -
and "are" being watched.

Nothing you can do legally if it was installed due to corporate policy.
Remove it at your own risk. Believe me, you "will" be found out.

--


Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)


"Mark Siler" <john.doe@domain.com> wrote in message
news:eHd%23hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
> The person who did this was the network admin, not a "standard" user.
>
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard
>> user, these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Mark Siler" <john.doe@domain.com> wrote in message
>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>I believe one or more of our computers in our corporate network have
>>>keylogger/screen capture software installed. What software can detect
>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>nothing that can detect their software. This is very troubling if not?
>>>
>>>
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove
>>> these applications or are they put someplace harder to get rid of?
>>>
>>>
>>>
>>> Thanks!
>>>
>>>

 

Mark Siler

I'm the new network admin. The owner of the company is the only other person
above me and he didn't authorize the installation of any such software. It
was not due to company policy. It was a bad network admin. Removing it isn't
at my risk... removing it is a duty of my job!



Steve Riley got it right with the articles he referenced. How do you secure
the network from the person in charge of overseeing that it's secure? What
steps do you take when a network admin leaves to make sure he/she didn't leave
backdoors, keyloggers, software bombs, etc.?



What I need now is to find a company that can come in with special
equipment/software that can detect such software/packets, etc., log it, track
it, remove it and then be willing to present the evidence in court. How does
one go about finding a *good* company like this? Does anyone have any articles
that reference picking such a company... what questions to ask, etc.?


"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
news:OFy7GxW8HHA.3716@TK2MSFTNGP03.phx.gbl...
> It sounds as if one, or more, people in your organization bear watching -
> and "are" being watched.
>
> Nothing you can do legally if it was installed due to corporate policy.
> Remove it at your own risk. Believe me, you "will" be found out.
>
> --
>
>
> Regards,
>
> Richard Urban
> Microsoft MVP Windows Shell/User
> (For email, remove the obvious from my address)
>
>
> "Mark Siler" <john.doe@domain.com> wrote in message
> news:eHd%23hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
>> The person who did this was the network admin, not a "standard" user.
>>
>> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
>> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>>> Some anti-spyware products can detect certain loggers, if they've been
>>> updated to look for the particular signatures of them.
>>>
>>> Certainly if you format the drive and reinstall Windows, then the
>>> malware will be gone. Then it's important to think about how to lessen
>>> the likelihood of another infection occurring. The best thing you can do
>>> is run as standard user, not administrator. Loggers typically need admin
>>> privileges to install and function correctly. By running as standard
>>> user, these things won't work.
>>>
>>> --
>>> Steve Riley
>>> steve.riley@microsoft.com
>>> http://blogs.technet.com/steriley
>>> http://www.protectyourwindowsnetwork.com
>>>
>>>
>>> "Mark Siler" <john.doe@domain.com> wrote in message
>>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>I believe one or more of our computers in our corporate network have
>>>>keylogger/screen capture software installed. What software can detect
>>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>>nothing that can detect their software. This is very troubling if not?
>>>>
>>>>
>>>>
>>>> Does anyone know if the hard drive is re-formatted will that remove
>>>> these applications or are they put someplace harder to get rid of?
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>>

 

Dale

If there were only an unhookable API that would allow you to walk the chain
of hooks for things like keyboard, file system access, etc., then it would be
easy to detect keyloggers, etc. It would instantly spell the end of
unauthorized keyloggers and even rootkits.

http://www.dalepreston.com/Blog/2005/04/rootkits-and-hooks.html#Hooks

Dale

"Steve Riley [MSFT]" wrote:

> Some anti-spyware products can detect certain loggers, if they've been
> updated to look for the particular signatures of them.
>
> Certainly if you format the drive and reinstall Windows, then the malware
> will be gone. Then it's important to think about how to lessen the
> likelihood of another infection occurring. The best thing you can do is run
> as standard user, not administrator. Loggers typically need admin privileges
> to install and function correctly. By running as standard user, these things
> won't work.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
> "Mark Siler" <john.doe@domain.com> wrote in message
> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
> >I believe one or more of our computers in our corporate network have
> >keylogger/screen capture software installed. What software can detect
> >these? I contacted http://www.spectorsoft.com and they claim there is
> >nothing that can detect their software. This is very troubling if not?
> >
> >
> >
> > Does anyone know if the hard drive is re-formatted will that remove these
> > applications or are they put someplace harder to get rid of?
> >
> >
> >
> > Thanks!
> >
> >

 

Mathieu CHATEAU

So you already pushed the red button...
Change all passwords (admin ones at least).
Check the firewall for opened back doors.
Close all traffic except what is really needed.

You may go faster by building again workstations from a trusted source.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Mark Siler" <john.doe@domain.com> wrote in message
news:Ofc3xih8HHA.5504@TK2MSFTNGP02.phx.gbl...
> I'm the new network admin. The owner of the company is the only other
> person above me and he didn't authorize the installation of any such
> software. It was not due to company policy. It was a bad network admin.
> Removing it isn't at my risk... removing it is a duty of my job!
>
>
>
> Steve Riley got it right with the articles he referenced. How do you
> secure the network from the person in charge of overseeing that it's
> secure? What steps do you take when a network admin leaves to make sure
> he/she didn't leave backdoors, keyloggers, software bombs, etc.?
>
>
>
> What I need now is to find a company that can come in with special
> equipment/software that can detect such software/packets, etc., log it,
> track it, remove it and then be willing to present the evidence in court.
> How does one go about finding a *good* company like this? Does anyone have
> any articles that reference picking such a company... what questions to
> ask, etc.?
>
>
> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
> news:OFy7GxW8HHA.3716@TK2MSFTNGP03.phx.gbl...
>> It sounds as if one, or more, people in your organization bear watching -
>> and "are" being watched.
>>
>> Nothing you can do legally if it was installed due to corporate policy.
>> Remove it at your own risk. Believe me, you "will" be found out.
>>
>> --
>>
>>
>> Regards,
>>
>> Richard Urban
>> Microsoft MVP Windows Shell/User
>> (For email, remove the obvious from my address)
>>
>>
>> "Mark Siler" <john.doe@domain.com> wrote in message
>> news:eHd%23hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
>>> The person who did this was the network admin, not a "standard" user.
>>>
>>> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
>>> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>>>> Some anti-spyware products can detect certain loggers, if they've been
>>>> updated to look for the particular signatures of them.
>>>>
>>>> Certainly if you format the drive and reinstall Windows, then the
>>>> malware will be gone. Then it's important to think about how to lessen
>>>> the likelihood of another infection occurring. The best thing you can
>>>> do is run as standard user, not administrator. Loggers typically need
>>>> admin privileges to install and function correctly. By running as
>>>> standard user, these things won't work.
>>>>
>>>> --
>>>> Steve Riley
>>>> steve.riley@microsoft.com
>>>> http://blogs.technet.com/steriley
>>>> http://www.protectyourwindowsnetwork.com
>>>>
>>>>
>>>> "Mark Siler" <john.doe@domain.com> wrote in message
>>>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>>>I believe one or more of our computers in our corporate network have
>>>>>keylogger/screen capture software installed. What software can detect
>>>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>>>nothing that can detect their software. This is very troubling if not?
>>>>>
>>>>>
>>>>>
>>>>> Does anyone know if the hard drive is re-formatted will that remove
>>>>> these applications or are they put someplace harder to get rid of?
>>>>>
>>>>>
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>
>>>

 

Bogwitch

Mark Siler wrote:

> I'm the new network admin. The owner of the company is the only other person
> above me and he didn't authorize the installation of any such software. It
> was not due to company policy. It was a bad network admin. Removing it isn't
> at my risk... removing it is a duty of my job!
>
> Steve Riley got it right with the articles he referenced. How do you secure
> the network from the person in charge of overseeing that it's secure? What
> steps do you take when a network admin leaves to make sure he/she didn't leave
> backdoors, keyloggers, software bombs, etc.?
>
> What I need now is to find a company that can come in with special
> equipment/software that can detect such software/packets, etc., log it, track
> it, remove it and then be willing to present the evidence in court. How does
> one go about finding a *good* company like this? Does anyone have any articles
> that reference picking such a company... what questions to ask, etc.?


Nasty situation. Getting in a contract organisation is going to be the
quickest and best fix. It is not going to be cheap.

It really depends on your infrastructure, number of servers, number of
workstations, etc. Re-installing from known good media will possibly be
your best bet. If you think there will possibly be a prosecution
pending, you will need to make a good forensic copy of any and all
affected media beforehand. Preservation of evidence is key in this and
is best left to trained personnel - it may already be too late to pursue
a successful prosecution - it depends how knowledgeable the previous
admin was.

It is possible to reference all the executables installed on the system
against something like the National Software Reference Library and that
is something that can be done quite simply to ensure system integrity.
(it won't check for misconfigurations, that's up to you!)

I can't make any recommendations for companies to provide the service in
the US. If you were in the UK, it would be a different story.

Bogwitch.
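Bogwitch's suggestion of checking installed executables against the National Software Reference Library, as an added example that is not code from this thread or from NIST: it hashes every executable under a tree and reports the ones absent from an RDS-style hash set. The directory, the binaries and the hash rows are constructed stand-ins, and the CSV layout follows the legacy NSRLFile.txt columns.

```python
import csv
import hashlib
import io
import os
import tempfile
from pathlib import Path

# File types worth checking against the hash set; everything else is skipped.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv"}

# Column layout of the legacy NSRL RDS "NSRLFile.txt" (quoted CSV).
RDS_HEADER = '"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"'


def load_rds(text):
    """Return the set of lowercase SHA-1 hex digests from RDS-style CSV text."""
    return {row["SHA-1"].strip().lower() for row in csv.DictReader(io.StringIO(text))}


def sha1_of_file(path):
    """Stream the file through SHA-1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, known_sha1s):
    """Return root-relative paths of executables whose SHA-1 is not in the hash set."""
    root = Path(root)
    unknown = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in EXECUTABLE_SUFFIXES and p.is_file():
                if sha1_of_file(p) not in known_sha1s:
                    unknown.append(p.relative_to(root).as_posix())
    return sorted(unknown)


def demo():
    """Build a constructed tree and hash set, run the audit, return the unknown files."""
    root = Path(tempfile.mkdtemp(prefix="nsrl_demo_"))
    (root / "system").mkdir()
    (root / "apps").mkdir()
    known = root / "system" / "notepad.exe"
    known.write_bytes(b"MZ constructed stand-in for a vendor binary\n")
    (root / "apps" / "helper.dll").write_bytes(b"MZ constructed stand-in for an unlisted binary\n")
    (root / "apps" / "readme.txt").write_bytes(b"not an executable, ignored\n")
    # Constructed RDS rows: only notepad.exe is listed as known software.
    rds_text = RDS_HEADER + "\n" + '"%s","%s","00000000","notepad.exe","%d","1","WIN",""\n' % (
        sha1_of_file(known).upper(),
        hashlib.md5(known.read_bytes()).hexdigest().upper(),
        known.stat().st_size,
    )
    return audit_tree(root, load_rds(rds_text))


if __name__ == "__main__":
    for rel in demo():
        print("not in hash set:", rel)
```

A match only means the file belongs to a published product the library knows about, not that it is benign, so a commercial monitoring package can itself appear in the set; the unknown list is the starting point for review, not a verdict.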
 

Dana

"Mark Siler" <john.doe@domain.com> wrote in message
news:eHd%23hnP8HHA.1208@TK2MSFTNGP05.phx.gbl...
> The person who did this was the network admin, not a "standard" user.


So this changes things. Maybe it was done on purpose to track inappropriate
usage of work computers.
Or was the admin person acting on his own?
>
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:Otxk2RP8HHA.5012@TK2MSFTNGP02.phx.gbl...
>> Some anti-spyware products can detect certain loggers, if they've been
>> updated to look for the particular signatures of them.
>>
>> Certainly if you format the drive and reinstall Windows, then the malware
>> will be gone. Then it's important to think about how to lessen the
>> likelihood of another infection occurring. The best thing you can do is
>> run as standard user, not administrator. Loggers typically need admin
>> privileges to install and function correctly. By running as standard
>> user, these things won't work.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>> "Mark Siler" <john.doe@domain.com> wrote in message
>> news:#ShJbGP8HHA.3400@TK2MSFTNGP03.phx.gbl...
>>>I believe one or more of our computers in our corporate network have
>>>keylogger/screen capture software installed. What software can detect
>>>these? I contacted http://www.spectorsoft.com and they claim there is
>>>nothing that can detect their software. This is very troubling if not?
>>>
>>>
>>>
>>> Does anyone know if the hard drive is re-formatted will that remove
>>> these applications or are they put someplace harder to get rid of?
>>>
>>>
>>>
>>> Thanks!
>>>
>>>

 