Today I stumbled on a tool called Anti-KeyLogger Tester (AKLT) which is used to test the efficiency of anti-keylogger software. Most trojans includes keylogging functionalities that can steal confidential information you are typing and also capture screenshot of your desktop. To fight this threat, there are anti-keyloggers software which claims to detect and disable keyloggers found on your computer. However, there is also many ways to monitor the keyboard and AKLT covers 7 keylogging and 2 screenshot taking methods.
Out of curiosity, I’ve decided to put some anti keyloggers to the test to see how safe can we be if we have them on our computer. Moreover, a lot of anti keylogger software are shareware and it’s important to test which is the best so you won’t be wasting your money on security software that doesn’t work well.
I will be testing the anti keyloggers with an anti keylogger tester (AKLT) developed by Firewall Leak Tester and also 5 other firewall bypass, reverse connection trojans which is commonly used by many hackers.
1. AKLT (Anti Keylogger Tester)
2. Bifrost (Trojan)
3. Nuclear RAT (Trojan)
4. Bandook (Trojan)
5. Poison Ivy (Trojan)
6. sharK (Trojan)
The anti keyloggers that will be put to the test are:
1. [FireLion] Anti Keyloggers. Price: US$ 89.99.
AKLT – All keylogging BLOCKED. Screenshot 2 test ALLOWED.
Bifrost – Keylogging and Screen capture ALLOWED.
Nuclear RAT – Keylogging and Screen capture ALLOWED.
Bandook – Keylogging and Screen capture ALLOWED.
Poison Ivy – Keylogging and Screen capture ALLOWED.
sharK – Keylogging and Screen capture ALLOWED.
Note: It seems like [FireLion] Anti Keyloggers is built for passing blocking all AKLT tests. However, when tested it on trojans, it is useless. This confirms that there are more keylogging and screen capture methods than what AKLT has.
2. Anti-Keylogger Elite. Price: US$ 39.95.
AKLT – 3 out of 7 Keylogging and Screenshot 1 ALLOWED.
Bifrost – Screen capture and keylogging DETECTED and can be blocked.
Nuclear RAT – Keylogging and Screen capture ALLOWED.
Bandook – Keylogging BLOCKED and Screen capture ALLOWED.
Poison Ivy – Keylogging and Screen capture ALLOWED.
sharK – Screen capture detected but looks legitimate. Keylogger detected and can be blocked.
Note: Anti-Keylogger Elite is able to give you 50% chance of protecting your computer against screen capture and keylogger. Not the best nor the worst.
3. I Hate Keyloggers. Price: $US 30.
AKLT – 1 out of 7 Keylogging and Screenshot ALLOWED.
Bifrost – Keylogging BLOCKED. Screen capture ALLOWED.
Nuclear RAT – Keylogging BLOCKED. Screen capture ALLOWED.
Bandook – Keylogging BLOCKED. Screen capture ALLOWED.
Poison Ivy – Keylogging BLOCKED. Screen capture ALLOWED.
sharK – Keylogging BLOCKED. Screen capture ALLOWED.
Note: I Hate Keyloggers seems to be a very powerful anti keylogger software which is able to block all keylogs but it won’t detect if there’s any installed. It also doesn’t protect against screen capture.
4. PrivacyKeyboard. Price: US$ 119.95.
AKLT – All Keylogging and Screen capture BLOCKED.
Bifrost – Keylogging ALLOWED. Screen capture BLOCKED.
Nuclear RAT – Keylogging and Screen capture BLOCKED.
Bandook – Keylogging and Screen capture BLOCKED.
Poison Ivy – Keylogging and Screen capture BLOCKED.
sharK – Keylogging and Screen capture BLOCKED.
Note: PrivacyKeyboard is able to block all screen capture and keylogging methods except Bifrost keylogger. The best and also most expensive. It also includes a virtual on screen keyboard which is the safest way to prevent your information from being logged.
5. Artificial Dynamics SafeSpace. Price: FREE.
AKLT – All Keylogging and Screen capture ALLOWED.
Bifrost – Keylogging and Screen capture ALLOWED.
Nuclear RAT – Keylogging and Screen capture ALLOWED.
Bandook – Keylogging and Screen capture ALLOWED.
Poison Ivy – Keylogging BLOCKED. Screen capture ALLOWED.
sharK – Keylogging and Screen capture ALLOWED.
Note: SafeSpace is used by many people and it has an option to block keyloggers which in my opinion doesn’t work really well. It is only able to block Poison Ivy’s keylogging method. Well, it’s free…
6. Elite Anti Keylogger. Price: US$ 99.
AKLT – 3 out of 7 Keylogging ALLOWED and Screen capture ALLOWED.
Bifrost – Keylogging and Screen capture ALLOWED.
Nuclear RAT – Keylogging and Screen capture ALLOWED.
Bandook – Keylogging and Screen capture ALLOWED.
Poison Ivy – Keylogging and Screen capture ALLOWED.
sharK – Keylogging and Screen capture ALLOWED.
Note: I have to set the security level of this software to the highest and it can only block 4 out of 7 keylogging methods from AKLT. As for Trojans, it didn’t even block the screen capture and keylogging. It’s a BIG rip off to pay $99 for this software.
7. DefenseWall HIPS. Price: US$ 29.95.
AKLT – All Keylogging and Screen capture ALLOWED.
Bifrost – Keylogging and Screen capture BLOCKED.
Nuclear RAT – Keylogging and Screen capture BLOCKED.
Bandook – Keylogging BLOCKED. Screen capture ALLOWED.
Poison Ivy – Keylogging and Screen capture ALLOWED.
sharK – Keylogging and Screen capture BLOCKED.
Note: Only Poison Ivy was able to get through it’s keylogging and screen capture protection. As for AKLT, I believe it was smart enough to detect that it’s not a threat, so it did not block it. HIPS offers protection against adware, spyware, keyloggers and rootkits. So it’s worth paying US$ 29.95 for all that protection.
8. GeSWall. Price: FREE
AKLT – All Keylogging and Screen capture ALLOWED.
Bifrost – Keylogging BLOCKED. Screen capture ALLOWED.
Nuclear RAT – Keylogging BLOCKED. Screen capture ALLOWED.
Bandook – Keylogging BLOCKED. Screen capture ALLOWED.
Poison Ivy – Keylogging and Screen capture ALLOWED.
sharK – Keylogging and Screen capture ALLOWED.
Note: Quite similar to DefenseWall but not as good. I can’t even terminate isolated applications with the free version.
There are many other security software that is able to detect and block keyloggers but I can only go this far as I’ve spent hours on this article. I’d say that the best anti keylogger and anti screen capture software is PrivacyKeyboard. If I don’t have the budget to spend US$ 119.95 on PrivacyKeyboard, DefenseWall HIPS at the price of US$ 29.95 would be my second choice.
What about keyscrambler o similar software?
Zemana crashed my system – be careful
Why don’t you try Zemana Antikeylogger?
Kaspersky Internet Security 7 & above, Outpost Firewall Pro have very good HIPS in them. The above apps should be used only if the proactive defense is disabled in KIS and Host protection in outpost firewall pro 2009. By far Outpost hooks the maximum number of APIs!!!
Como puedo incorporar en un programa de VB una rutina para bloquear la cpatura de pantalla?
Raymond, from your description of the test I understand that sandboxes are out of the game, because you didn\’t launch malware as untrusted/sandboxed/isolated… To do correct test with sandboxes, you need do following:
1. Install sandbox software.
2. Mark any folder as untrusted/sandboxed/isolated/wherever
3. Move all the tests and malware samples there.
4. Launch and test.
This case, it will be correct for sandboxes- they cover threat-gate apps like browsers, e-mailers, IM, P2P,… with bubble protection and, you malware runs with it, it will be covered by this bubble.
I’ve just tested PrivacyKeyboard and it didn’t worked on my system.
Installed correctly but didn’t started (it shows an error when try to start).
Also I couldn’t uninstall it.
Even more – Internet Explorer 7 stopped working.
So I had to manually remove the PrivacyKeyboard DRIVER from c:\Windows\\ystem32\Drivers:
The file is krnl_akl.sys – you can remove it and the problem is gone.
Zemana AntiLogger, new and very powerful a software.
zemana.com/list/list.asp?ktgr_id=417
Great post.
Added to Top Stumbles:
topstumbles.com/software/what-is-the-best-anti-keylogger-and-anti-screen-capture-software/
Denying iexplorer and firefox can cause the user unable to browser the internet, isn’t that so?
===
no, iexplorer & firefox can work normally. It just disable for two processes from logging keystores.
Ok, as far as I can remember, this is what I did. I infect a clean windows with all 5 trojans then I installed the security software. When I start to capture keylogs, SafeSpace did not detect the threat and did not block the keylogging activity.
As for [FireLion] Anti Keyloggers, like I said, it infects itself to legitimate process and can fool a normal computer user. Denying iexplorer and firefox can cause the user unable to browser the internet, isn’t that so?
Please do understand that I am not trying to bash your programs but the results for all 8 security softwares is tested the same way.
@Raymond: As I said above, trojan injected their code into iexplorer.exe and firefox.exe. Those applications become to zombie and logging the keystores. So, you just need to go to Options, deny Keylogging for those applications. It will be ok.
I appreciate what you are testing, but you are misrepresenting the benefits of using SafeSpace.
SafeSpace is a solution for protecting internet facing applications against the affects of internet borne malware. The anti keylogger functionality we developed is specifically for stopping key logger activity inside the virtual environment.
SafeSpace does not claim to block keylogger activity outside of the environment, and so testing it in any other way is a poor representation of our solution, and invalidates your test.
Kris, I am sure that if the trojans are being run inside SafeSpace, the keylogging and screen capturing will be blocked.
What I am testing here is to see if the security programs able to STOP keylogging and screen capturing IF it is not able to detect it.
I can confirm that SafeSpace successfully blocks ALL of the AKLT methods, while it is run inside SafeSpace.
I am attempting to obtain the other keyloggers used in the test so I can try these too, but any assistance in prividing them will be of great help.
Raymond. Would you be able to help here? Perhaps you would be willing to test these again, whilst they are running inside SafeSpace?
Best regards,
Kris.
Artificial Dynamics.
@sk, no where in the article did I mention the software is designed to detect hardware keyloggers.
Hi,
The software that you mentioned are can\’t detect hardware keyloggers,normally this kind of keyloggers are install in public computer.
@Hoang Vu Le, why would people deny iexplore.exe and firefox.exe process? A normal computer user would definitely allow this process.
My test is to see whether the application CAN BLOCK keylogging and screen capture when trojans are active. Not detect trojans.
Raymond, I\’m using GeSWall Free and I have differant result\’s.
With the AKLT, I pass all with the exception of the last screen capture test.
And of course, aklog is FREE!!!
I\\\’m personally using aklog myplanetsoft.com/free/antikeylog.php. It\\\’s tiny, doesn\\\’t require installation and they say it deactivates all existing system-wide keyloggers. Hopefully, it\\\’s true…
Hmm, the results are obvious, i wouldn\’t have worried if all of them failed. In my opinion the best defense a user can have is common sense. Just don\’t use or open untrusted softwares and always take precautions. This has worked for me for years.
Thanks for your interesting test but I\’m afraid that you still not know how to use [FireLion] Anti Keyloggers correctly.
The reason which [FireLion] Anti Keyloggers can not detect trojan because it is injected its code into *verified* Microsoft Process: Internet Explorer.
As my test, [FireLion] Anti Keyloggers worked perfect as it is.
First, [FireLion] Anti Keyloggers could detect the autorun installation:
After that, when I denied iexplorer.exe process (Internet Explorer process), It could not capture anymore:
img252.imageshack.us/img252/5783/deniedry9.png
In currently, screen capture still not implemented in the beta version. But MOST OF keylogging actions are detected as you see
PS: [FireLion] Anti Keyloggers price is just $39.99, not $89.99. You can check its price here:
I can not find Bifrost, Poison Ivy and sharK but I think they work as the same type. If you can send me all of them, I\’m very please to test. My application passed Bandook test also.
News: I tested with sharK trojan also. It injected into firefox.exe process like Bandook or Nuclear RAT. Just deny the process and you\’re protected. This test is passed .
Let I try to find other trojans.
Hello Raymond.
Please can you advise if the tests with SafeSpace were performed with the key logger applications inside the SafeSpace environment?
@CogitoErgoSum, sorry, I can’t provide the link for the trojan samples.
Hello Raymond,
I would very much appreciate it if you would send me or provide a link(s) to the five trojan samples that you used for the test. Thanks in advance.
Well really nice test raymond, i was testing last itmethis software a-squared anti-malware that i get from you here, and works really good so it is worthy also, i tested and put some keyloggers and also trojans and detected all so thank you ray.
Comodo passed all tests
Thank you Raymond, for the informative review.
Hi Raymond!
It is very strange results about DefenseWall. All the AKLT test should be blocked with it. Did you run AKLT as untrusted? Also, I would be highly appreciate if you could send me Bandook and Poison Ivy trojans.
Another great article from Raymond. Very informative. Thank you
Hey Raymond! Thanks man!
Got GeSWALL (Freeware) Pls post when you can get the othes\’ serials from websites!
Thanks!
Hello,
Why ther is no test for Kaspersky Internet Security ? As I know this software can block all kinds of keyloggers and Screen capture software.