Protecting myself from a keylogger


17 replies to this topic

#1 downloaderfan

Posted 31 January 2017 - 05:23 AM

Hi, I was doing research to secure my devices and came across this forum. The scenario is that sometimes, I have to share access of my windows 10 laptop with friends for work purposes. But I only give them access to a non admin account. So, someone who really knows a lot about key loggers, I wanted to know if there are key logger programs that can be installed on a non admin account and then be activated for all users(including the main admin account)? If so, how could something like that be prevented? Otherwise am I safe by just giving them access to a non admin account? Thanks.


Edited by hamluis, 31 January 2017 - 06:12 AM.
Moved from AV/AM Software to Gen Security - Hamluis.




#2 shelf life

  • Malware Response Team

Posted 01 February 2017 - 04:54 PM

 

key logger programs that can be installed on a non admin account and then be activated for all users(including the main admin account

I am sure there is. Besides, a competent person with physical access could have a field day.

 

 

how could something like that be prevented

Keep the AV and anti-malware up to date

 

 

non admin account

Safer than full blown privileges


How Can I Reduce My Risk to Malware?


#3 downloaderfan

  • Topic Starter

Posted 01 February 2017 - 09:02 PM

 

 

I am sure there is. Besides, a competent person with physical access could have a field day.

 

 

I guess full disk encryption is the best I can do at the moment to prevent anyone with physical access from breaking in. Are there any known exploits which do allow installation of programs on an admin account while being on a non admin account?

 

 

Keep the AV and anti-malware up to date

 

I wonder if anti malware like Malwarebytes is actually necessary along with an anti virus like Kaspersky Internet Security. (You know, most people just install one security program after the other after reading a bunch of security stuff on the internet without ever knowing about the actual effectiveness of the additional security programs they have installed.) Although the Malwarebytes website states that they do protect against key loggers, I can't find any tests performed via Google. I performed my own tests where I installed 2 key loggers on my laptop for testing purposes. Malwarebytes neither warned me of the installation nor stopped the functioning of those key loggers. All this happened with real time protection of Malwarebytes On.


Edited by downloaderfan, 01 February 2017 - 09:13 PM.


#4 ichito


Posted 02 February 2017 - 04:13 AM

Hi, I was doing research to secure my devices and came across this forum. The scenario is that sometimes, I have to share access of my windows 10 laptop with friends for work purposes. But I only give them access to a non admin account. So, someone who really knows a lot about key loggers, I wanted to know if there are key logger programs that can be installed on a non admin account and then be activated for all users(including the main admin account)? If so, how could something like that be prevented? Otherwise am I safe by just giving them access to a non admin account? Thanks.

Yes...there are keyloggers that can run without admin rights

https://www.google.de/search?q=keylogger+without+adminstratives&ie=utf-8&oe=utf-8&client=firefox-b&gfe_rd=cr&ei=UPSSWPC7OOra8Afos5Eg#q=keylogger+without+admin+rights

How to prevent?...one way is to install an AV that has good skills to detect/block/remove loggers...another is to use apps that can monitor the system and detect strict loggers or apps with some strange/suspicious behaviour. Below you have some examples

https://www.worktime.com/spydetectfree/

http://www.snapfiles.com/get/ghostpress.html

https://www.qfxsoftware.com/

and the best for me, which I've been using for more than 6 years

https://www.spyshelter.com/


Vista: SpyShelter Firewall + Shadow Defender + Keriver 1-Click Free

XP SP3: Kerio 2.1.5 + SpyShelter Premium + NVT ExeRadar Pro + Shadow Defender + Keriver 1-Click Free


#5 downloaderfan

  • Topic Starter

Posted 02 February 2017 - 05:12 AM

 

Hi, I was doing research to secure my devices and came across this forum. The scenario is that sometimes, I have to share access of my windows 10 laptop with friends for work purposes. But I only give them access to a non admin account. So, someone who really knows a lot about key loggers, I wanted to know if there are key logger programs that can be installed on a non admin account and then be activated for all users(including the main admin account)? If so, how could something like that be prevented? Otherwise am I safe by just giving them access to a non admin account? Thanks.

Yes...there are keyloggers that can run without admin rights

https://www.google.de/search?q=keylogger+without+adminstratives&ie=utf-8&oe=utf-8&client=firefox-b&gfe_rd=cr&ei=UPSSWPC7OOra8Afos5Eg#q=keylogger+without+admin+rights

How to prevent?...one way is to install an AV that has good skills to detect/block/remove loggers...another is to use apps that can monitor system and detect strict loggers or apps with some strange/suspicious behaviour. Below you have some example

https://www.worktime.com/spydetectfree/

http://www.snapfiles.com/get/ghostpress.html

https://www.qfxsoftware.com/

and the best for me I'm using more than 6 years

https://www.spyshelter.com/

 

 

I did google search that too, but I have asked whether it is also possible to activate the key logger for an admin account from a non admin account. All those software programs which run without admin access only run for the non admin account, not the main admin account which I'm concerned with.

 

Yes, spyshelter premium worked really well in my testing against 3 different key loggers, but I just wanted to understand the safety of a non admin account.



#6 RolandJS


Posted 02 February 2017 - 06:34 AM

You might consider "cocoon"-ing your data; have the original important data somewhere that cannot be accessed by anyone other than you.  Then, have a folder containing a copy of your data that you're sharing with others that can be set to SHARE, to be searched, to be used, by your designated non-admin accounts.  For example, I use WinPatrol's WinAntiRansomware utility to cocoon my data folders and files [on the OS partition] , while I have the working copy in my data partition; not a perfect solution, however, for home use, it works.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#7 ichito


Posted 03 February 2017 - 02:38 AM

I did google search that too, but I have asked whether it is also possible to activate the key logger for an admin account from a non admin account. All those software programs which run without admin access only run for the non admin account, not the main admin account which I'm concerned with.

 

Yes, spyshelter premium worked really well in my testing against 3 different key loggers, but I just wanted to understand the safety of a non admin account.

 

Regular software, e.g. parental control, perhaps does not touch the admin account, but there are a lot more malicious keyloggers that can capture keystrokes no matter from which account ... the keyboard works apart from the type of user :)

There are a lot of methods to avoid / bypass UAC, which are often used in many kinds of malware, and we cannot forget that users very often disable UAC settings or change them to make work "easier".




#8 Carpentry


Posted 03 February 2017 - 08:24 PM

You might consider "cocoon"-ing your data; have the original important data somewhere that cannot be accessed by anyone other than you.  Then, have a folder containing a copy of your data that you're sharing with others that can be set to SHARE, to be searched, to be used, by your designated non-admin accounts.  For example, I use WinPatrol's WinAntiRansomware utility to cocoon my data folders and files [on the OS partition] , while I have the working copy in my data partition; not a perfect solution, however, for home use, it works.

Would this be good for daily home computer use when working with sensitive information or even moderately sensitive info?

 

Would moving files with anything that you consider sensitive information to a flashdrive and deleting copy on the physical computer be a good idea?

Hopefully if you get infected you will know before you reconnect your device.



#9 RolandJS


Posted 04 February 2017 - 08:46 AM

 

You might consider "cocoon"-ing your data; have the original important data somewhere that cannot be accessed by anyone other than you.  Then, have a folder containing a copy of your data that you're sharing with others that can be set to SHARE, to be searched, to be used, by your designated non-admin accounts.  For example, I use WinPatrol's WinAntiRansomware utility to cocoon my data folders and files [on the OS partition] , while I have the working copy in my data partition; not a perfect solution, however, for home use, it works.

Would this be good for daily home computer use when working with sensitive information or even moderately sensitive info?

Would moving files with anything that you consider sensitive information to a flashdrive and deleting copy on the physical computer be a good idea?

Hopefully if you get infected you will know before you reconnect your device.

I only mentioned WinPatrol WAR as a tool to have one copy of the shared data protected from all other accounts but yours.  I was visualizing you updating this protected pot offline after you and all the others have made the changes for the day.  The shared copy would update the protected offlimits [except to you] copy.  However, what I do not know:  if WinPatrol WAR can actually prevent a keylogging operation from affecting its protected data pot -- that answer would have to be asked of and answered by Ruiware.


#10 RolandJS


Posted 04 February 2017 - 08:52 AM

I think one more possible answer:  After going offline [firewall blocks all inbound/outbound access], you make a couple of copies of this data collection onto any affordable and reliable external media.  After that, all one can do is simply be vigilant for "strange behavior", keep AV, AM, anti-keylogging programs up to date.  Quietman7 has assembled one of the finest collections of advice concerning security -- consult his threads and posts -- assimilate what you believe will be workable for your situation -- and press on successfully.


Edited by RolandJS, 04 February 2017 - 09:01 AM.


#11 Didier Stevens

  • BC Advisor

Posted 04 February 2017 - 08:53 AM

 

I did google search that too, but I have asked whether it is also possible to activate the key logger for an admin account from a non admin account. All those software programs which run without admin access only run for the non admin account, not the main admin account which I'm concerned with.

 

 

No, the Windows security model does not permit these actions from a non-admin account.

 

This can only be achieved if a vulnerability on your machine would allow a privilege-escalation, or a misconfiguration of your machine would for example allow that a program used by an admin account is changed by a non-admin account.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
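
The misconfiguration described in post #11 (a program used by an admin account that a non-admin account can change) can be checked for with an ACL audit. The PowerShell below is an added example, not part of the original thread; the list of locations and the set of trusted SIDs are assumptions for a default Windows 10 install, and only each path's own ACL is inspected, not its subfolders.

```powershell
# Added example: list ACL entries that let a non-admin account modify
# machine-wide program locations that an administrator also uses.
# The location list and the trusted-SID list are assumptions; adjust them.

# SIDs allowed to hold write access (assumption for a default install):
# SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
$trusted = @(
    'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Bits that allow changing or replacing content, plus
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeBits = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

# Locations whose contents run for, or are used by, every account.
$targets = @(
    $env:ProgramFiles
    ${env:ProgramFiles(x86)}
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
$targets += [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'

# Executables started at logon for every user from the machine-wide Run key.
$key = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in $key.GetValueNames()) {
    $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
    # Take the quoted path, or everything up to the first ".exe".
    if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(.+?\.exe)') {
        $targets += $Matches[1]
    }
}

$sidType  = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($path in ($targets | Where-Object { $_ } | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path   = $path
            Sid    = $rule.IdentityReference.Value
            Rights = $rule.FileSystemRights
        }
    }
}

# An empty result means no non-admin write access was found on these paths.
$findings | Format-Table -AutoSize -Wrap
```

Any row naming a SID such as S-1-5-32-545 (Users) or S-1-5-11 (Authenticated Users) marks a location where a standard account could alter something the admin account later runs.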


#12 downloaderfan

  • Topic Starter

Posted 05 February 2017 - 04:07 PM

You might consider "cocoon"-ing your data; have the original important data somewhere that cannot be accessed by anyone other than you.  Then, have a folder containing a copy of your data that you're sharing with others that can be set to SHARE, to be searched, to be used, by your designated non-admin accounts.  For example, I use WinPatrol's WinAntiRansomware utility to cocoon my data folders and files [on the OS partition] , while I have the working copy in my data partition; not a perfect solution, however, for home use, it works.

Well, when I have to share files, without complicating things, I would just copy paste files from my main administrative account to the non admin account directly (since an administrative user can modify files on a non admin account) before signing out of my main admin account and giving access of my laptop to my colleagues using the non admin account.

 

No, the Windows security model does not permit these actions from a non-admin account.

 

This can only be achieved if a vulnerability on your machine would allow a privilege-escalation, or a misconfiguration of your machine would for example allow that a program used by an admin account is changed by a non-admin account.

 

Thanks, that's precisely what I wanted to know. :)



#13 ichito


Posted 06 February 2017 - 03:47 AM

 

You might consider "cocoon"-ing your data; have the original important data somewhere that cannot be accessed by anyone other than you.  Then, have a folder containing a copy of your data that you're sharing with others that can be set to SHARE, to be searched, to be used, by your designated non-admin accounts.  For example, I use WinPatrol's WinAntiRansomware utility to cocoon my data folders and files [on the OS partition] , while I have the working copy in my data partition; not a perfect solution, however, for home use, it works.

Well, when I have to share files, without complicating things, I would just copy paste files from my main administrative account to the non admin account directly (since an administrative user can modify files on a non admin account) before signing out of my main admin account and giving access of my laptop to my colleagues using the non admin account.

 

No, the Windows security model does not permit these actions from a non-admin account.

 

This can only be achieved if a vulnerability on your machine would allow a privilege-escalation, or a misconfiguration of your machine would for example allow that a program used by an admin account is changed by a non-admin account.

 

Thanks, that's precisely what I wanted to know. :)

 

Really?...you really want to know that a keylogger sometimes can and sometimes cannot bypass account restriction?

 

"- Knock!...knock!
- Who's there?
- Good morning...I'm a keylogger and I want to enter your system
- Forget it!...I'm Windows Security Model...you can't do this
- Ok...sorry...I go back home (haha...I'll enter by window)"

:clown:


Edited by ichito, 06 February 2017 - 03:48 AM.



#14 Didier Stevens

  • BC Advisor

Posted 06 February 2017 - 09:44 AM

You're welcome!




#15 Didier Stevens

  • BC Advisor

Posted 06 February 2017 - 12:12 PM


Really?...you really want to know that a keylogger sometimes can and sometimes cannot bypass account restriction?

 

"- Knock!...knock!
- Who's there?
- Good morning...I'm a keylogger and I want to enter your system
- Forget it!...I'm Windows Security Model...you can't do this
- Ok...sorry...I go back home (haha...I'll enter by window)"

:clown:

 

 

What are you doing ichito?

