Archived from groups: microsoft.public.win2000.security
On Tue, 17 Aug 2004 11:53:58 -0400, Sean Aitken
<sean.aitken@tekelec.spamtrap.com> wrote:
>Very interesting situation. Keystroke logging, to the best of my
>knowledge, is essentially an arbitrary piece of running code that has
>made hooks into the Win32 API to perform the capture. I can imagine
>that there are thousands of variants floating around, all probably have
>different attack vectors.
>
>A possible solution is to develop some sort of process scanner that is
>launched from a domain script, that runs in the background that reports
>a list of processes at an interval to a master server, which in turn
>then compares the process list to known 'logger' trojans. The master
>server can then notify an administrator of the possible threat. On top
>of that, the client app can terminate the process immediately ..
>Just an idea.
>
>Sticky stuff.. mainly since there is no 'one way' to perform keystroke
>logging.

There are a few keystroke logger scanner programs out that claim to
detect them, though I've never seen one work so I couldn't tell. I
like the idea of a process scanner, that might help on a lot of
fronts, but way too much effort to develop for just what I need. I
have yet to find a keystroke logger installed on our systems, but that
doesn't mean there *aren't* any. While my main goal is to satisfy the
request, I am developing a curiosity in it myself now.
Thanks,
Jeff

>HTH!
>-Sean
>
>Jeff Cochran wrote:
>
>> Have a management-type that read about keystroke logging as a hacking
>> tool in a business journal, and now he'd like to have the network
>> scanned for these and reported on a regular basis. Does anyone have a
>> suggestion for a simple tool to scan a range of IP addresses or
>> systems and report on the presence of keystroke loggers?
>> Alternatively, one that can be launched in a login script and record
>> results to a file?
>>
>> Thanks,
>>
>> Jeff
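
The master-server side of the process scanner proposed in this thread, as an added example that is not code from either poster: it compares each interval report to a watchlist and notifies only on findings it has not already alerted on. The report format (`host,pid,image` CSV rows), the watchlist names and the `MasterServer` class are assumptions made for illustration; matching on image name only catches loggers whose name is on the list.

```python
import csv
import io
import ntpath

# Constructed placeholder names; a real watchlist is maintained by the admin.
WATCHLIST = {"examplelogger.exe", "keycap-demo.exe"}

def parse_report(text):
    """Parse one client report: CSV rows of host, pid, image path."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 3 or not rec[1].strip().isdigit():
            continue  # skip malformed rows rather than abort the whole report
        host, pid, image = (field.strip() for field in rec)
        # Compare on the lower-cased base name: Windows image names are
        # case-insensitive and clients may report a full path.
        rows.append((host.lower(), int(pid), ntpath.basename(image).lower()))
    return rows

class MasterServer:
    """Compares interval reports to the watchlist; alerts once per finding."""
    def __init__(self, watchlist):
        self.watchlist = {name.lower() for name in watchlist}
        self.active = set()  # (host, image) pairs already alerted on

    def ingest(self, report_text):
        rows = parse_report(report_text)
        hosts = {host for host, _, _ in rows}
        hits = {(h, img) for h, _, img in rows if img in self.watchlist}
        new = sorted(hits - self.active)
        # Forget findings for reporting hosts where the process is gone, so
        # a later reappearance raises a fresh alert.
        self.active = {f for f in self.active if f[0] not in hosts} | hits
        return new

# Constructed sample reports from two consecutive intervals.
REPORT_1 = """ws01,412,C:\\WINNT\\system32\\svchost.exe
ws01,1288,C:\\Temp\\ExampleLogger.EXE
ws02,400,C:\\WINNT\\explorer.exe
"""
REPORT_2 = """ws01,1288,C:\\Temp\\ExampleLogger.EXE
ws02,2040,keycap-demo.exe
"""

if __name__ == "__main__":
    server = MasterServer(WATCHLIST)
    for report in (REPORT_1, REPORT_2):
        for host, image in server.ingest(report):
            print(f"ALERT {host}: watchlisted process {image}")
```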