keylogger kbhookdll.dll

(@nysalsa)
Posts: 20
Eminent Member
Topic starter
 

Hi, today during a computer (Win XP SP2) scan Symantec AntiVirus found the DLL in the subject.
It disappointed me also because I'm quite paranoid about security.
I've found a bit of info from a forensic point of view; specifically, I'm interested in finding out the e-mail address to which the keylogger sends the sniffed info.
Any advice?
Thank you

ny

 
Posted : 18/09/2009 11:06 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4496

Recent discussion about key loggers might give you some insight into how the devices work.

 
Posted : 19/09/2009 12:25 am
(@ddewildt)
Posts: 123
Estimable Member
 

Not sure if you came across this on an image or on your own PC, but either way there are a couple of ways to do this…

One, and probably the easiest, is to get a live version of the computer running in an isolated environment and then use things like wireshark and TCPView to see what is happening on the network.

Another way is again to get the live machine running, see where the DLL injects itself (you can use Process Explorer to search for the DLL and it will show which process owns it) and then use something like OllyDbg to dump the memory of the process. From there you can try searching through it for strings like 'http' etc.

You can also just look at the strings of the file to see if there is anything interesting, but if it's packed this might not help a whole lot.

Also, if you can find the original downloader you can submit it to something like Threat Expert and it will send you an analysis. You could try this directly with the DLL too, but not sure how it would go.

Hope that helps some…

 
Posted : 19/09/2009 6:53 am
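As an added illustration of the string-search step described in the post above (not code from the thread or from any of the tools it names), here is a small Python script that pulls ASCII and UTF-16LE strings out of a binary blob (a DLL on disk or a process memory dump), flags anything that looks like an e-mail address, URL or SMTP reference, and computes byte entropy as a hint that the sample may be packed. The sample bytes embedded in it are constructed for the demo; `example.invalid` addresses are placeholders, not indicators from the real file.

```python
import math
import re
import sys
from collections import Counter

# Constructed sample blob standing in for a suspicious DLL or a memory dump.
# It mixes an ASCII e-mail address, an ASCII SMTP reference, a UTF-16LE URL
# (Windows binaries commonly store wide strings) and high-entropy filler.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SMTP: mail.example.invalid\x00"
    + b"report@example.invalid\x00"
    + b"\x01\x02\x03ab"  # shorter than min_len, must not be reported
    + "http://example.invalid/upload.php".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(256))  # every byte value once: looks like packed data
)

# Patterns a forensic examiner would grep the strings output for.
INDICATOR_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "smtp": re.compile(r"\bsmtp\b", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, text) pairs for printable runs of at least min_len chars.

    Handles both plain ASCII runs and UTF-16LE runs (printable byte, NUL byte),
    which is what the Sysinternals 'strings' tool does by default on Windows.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf16", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found


def find_indicators(strings):
    """Keep only strings matching one of the indicator patterns, tagged by kind."""
    hits = []
    for _enc, text in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits.append((kind, text))
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze(data: bytes, packed_threshold: float = 7.2) -> dict:
    """Run the whole triage: strings, indicator hits, and a packing hint.

    A high overall entropy suggests the file is packed or encrypted, in which
    case the on-disk strings are unreliable and a memory dump of the process
    that loaded the DLL is the better place to look (as the post explains).
    """
    strings = extract_strings(data)
    entropy = shannon_entropy(data)
    return {
        "strings": strings,
        "indicators": find_indicators(strings),
        "entropy": entropy,
        "packing_hint": entropy > packed_threshold,
    }


if __name__ == "__main__":
    # Usage: python triage.py <dll-or-memory-dump>; with no argument the
    # constructed SAMPLE is analysed instead.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = analyze(blob)
    print(f"entropy: {result['entropy']:.2f} bits/byte, packing hint: {result['packing_hint']}")
    for kind, text in result["indicators"]:
        print(f"[{kind}] {text}")
```

The same function applies unchanged to a process memory dump written out by a debugger, which is where these strings surface after an unpacker has run; on a packed file on disk, a `packing_hint` of `True` is the cue to move to that second approach rather than to trust an empty strings listing.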
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4496

Recent discussion about key loggers might give you some insight into how the devices work.

Wasn't that related to HARDWARE keyloggers?

@nysalsa
Remember that Google is your friend
kbhookdll.dll
http://www.threatexpert.com/files/kbhookdll.dll.html
http://www.threatexpert.com/threats/not-a-virus-monitor-win32-keylogger-w.html
So you should have also
i-hate-keyloggers.exe
ctfmondll.dll
but it seems as if the payload Win32.KeyLogger.w can come from more than one file/type
http://www.browserdefender.com/file/555142/site/filesforfree.com/

The actual status of the I hate keyloggers
http://www.malwarebytes.org/forums/index.php?showtopic=1403
is not really known, but if it's the original one
http://dewasoft.com/
http://dewasoft.com/privacy/i-hate-keyloggers.htm
due to its intended scope it is as well likely that
a. it is a false alarm of some kind, and the file, whilst actually containing code of a keylogger or similar to it, does not actually log anything
OR
b. it is one of the most ingenious ways to spread a keylogger I've ever seen

jaclaz

 
Posted : 19/09/2009 6:23 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

"Wasn't that related to HARDWARE keyloggers?"
Yup. However it was leading to a train of thought that you indicated 😉 =

"@nysalsa
Remember that Google is your friend"

Between the search function for this forum and Google you might not find what you are looking for directly but will be able to gain insight into concepts to develop better search terms to find answers.

Give a man an answer and you feed him for a day. Teach him how to Google and you feed him for a lifetime.

 
Posted : 19/09/2009 6:58 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Give a man an answer and you feed him for a day. Teach him how to Google and you feed him for a lifetime.

JFYI wink
http://www.msfn.org/board/request-most-foolproof-method-xp-usb-t133309-page-5.html&mode=linear

jaclaz

 
Posted : 20/09/2009 7:20 pm
(@nysalsa)
Posts: 20
Eminent Member
Topic starter
 

Thanks for the answers, I'm checking the DLL even though I have limited-time access to the box.
I've found another answer on processlibrary.com where kbhookdll.dll is considered to belong to Hewlett-Packard kbhookdll (but the review process is still ongoing).
Anyway thank you so much

ny

 
Posted : 21/09/2009 2:45 pm