
PC monitoring - detecting the detectives

Status
Not open for further replies.
Oct 7, 2007
I was given the job of finding a solution to monitor some employee computer activity (never mind that) and came across this description of a product:

"Don't forget that our keyloggers are 100% invisible. With unparalleled invisibility technology, developed by ex-NSA (National Security Agency) programmers, we promise that you won't find a trace of our monitoring on any computer. Our keylogger software doesn't appear in the Registry, the Process List, the System Tray, the Task Manager, on the Desktop, or in Add/Remove Programs. There aren't even visible files that can be seen - which is why it is being used by Law Enforcement agencies across the country!"

That's great for when the "good guys" (businesses, parents, etc.) are using the software. But I'm wondering whether this software would be detectable if I was trying to detect it. Does Malwarebytes or Combofix or GMER detect this type of software or would they be ignorant to their presence as well?

Thinking of a past instance when an ex-wife was thinking her ex-husband was spying on her...... I found NOTHING.




 
If this product does indeed work then a lot of the advert is probably marketing hype.

Thinking it through logically, the key logger info must be going somewhere.
If it is a file on the PC then it should be findable (although I suppose it could be written as raw data in sectors that are marked as bad if you wanted to hide it from the OS badly enough).

Otherwise it is being sent via the network to a server; monitoring the network traffic should be able to detect this.


I do not have A.D.D. I'm just easily, Hey look a Squirrel!
 
I agree with IPGuru. What they probably meant was undetectable by the user.


James P. Cottingham
I'm number 1,229!
 
"What they probably meant was undetectable by the user." I guess that's what they mean.

I just wonder if any of the standard malware detection tools might find it. It's got to be a driver loading up when the PC starts (something like TDSS malware), in which case something like GMER would flag it.
 
They might be using a rootkit to mask it. Even in that case though, LiveCD with a good rootkit scanner should see it.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
I've never gotten a chance to try to detect one of those products. I'd like to find a machine where someone wants one of those "parental control or business snooper" softwares uninstalled.

Then I would run some scans on it to see what gets detected. I'm not going to BUY one though to quench my curiosity.
 
Well, I installed SpectorSoft Pro on the PC to be monitored and nothing was visible when running Process Explorer.

You have to tell your Anti-virus to EXCLUDE certain files (named randomly when you install the product and you are given a list). Sooooooooo.... that means that if you were to scan the computer with a different anti-virus or as a slave drive, you would probably detect the program via "normal" means.

If I get around to it, I'm going to install the program on a test PC and see if it is detectable by a few of the anti-nasty programs I use on a regular basis.
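
The idea raised above, that a scan from a LiveCD or with the disk attached as a slave drive sees files the running system hides, can be run as a cross-view comparison. This is an added example, not part of the original posts: it compares a file listing captured on the running system with one captured offline and reports executables and drivers that only the offline view contains. The paths, the `/mnt/win` mount point and the random-looking file names are constructed sample data.

```python
import ntpath

# File types worth a closer look when the running OS cannot see them.
SUSPECT_EXT = {".exe", ".dll", ".sys", ".scr"}

# Constructed sample: listing taken on the running (possibly hooked) system.
LIVE = r"""
C:\Windows\System32\drivers\disk.sys
C:\Windows\System32\notepad.exe
C:\Users\alice\report.docx
"""

# Constructed sample: same volume listed from a LiveCD, mounted at /mnt/win.
OFFLINE = """
/mnt/win/Windows/System32/drivers/disk.sys
/mnt/win/Windows/System32/drivers/qzkrwv.sys
/mnt/win/Windows/System32/NOTEPAD.EXE
/mnt/win/Windows/System32/xwmpql.dll
/mnt/win/Users/alice/report.docx
/mnt/win/Users/alice/notes.tmp
"""

def normalise(path, root):
    """Strip the volume root, unify separators and fold case (Windows paths are case-insensitive)."""
    p = path.strip().replace("/", "\\")
    r = root.replace("/", "\\").rstrip("\\")
    if p.lower().startswith(r.lower() + "\\"):
        p = p[len(r):]
    return p.lower()

def load(listing, root):
    """Map normalised key -> original path for every non-empty line."""
    return {normalise(l, root): l.strip() for l in listing.splitlines() if l.strip()}

def hidden_from_live(live_listing, live_root, offline_listing, offline_root):
    """Return suspect files present in the offline view but missing from the live view."""
    live = load(live_listing, live_root)
    offline = load(offline_listing, offline_root)
    only_offline = [offline[k] for k in sorted(offline.keys() - live.keys())]
    return [p for p in only_offline if ntpath.splitext(p)[1].lower() in SUSPECT_EXT]

if __name__ == "__main__":
    for path in hidden_from_live(LIVE, "C:\\", OFFLINE, "/mnt/win"):
        print("visible offline only:", path)
```

Files created or deleted between the two captures show up as well, so each hit is a lead to review rather than a verdict.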
 
Take a look using Autoruns too, look for files/drivers logged as 'file not found' in the image path column.
 
Yeah - I understand. This is kind of a tutorial after asking my question. I'm filling in the blanks myself.
 
Sounds interesting. Please post back with your findings.
 
Follow up on this. The employee being monitored by the software got fired after the boss viewed what she was doing. I feel bad for the person, but he/she was definitely not doing their work and piddling on the internet/looking for a new job.

Makes me more paranoid in case I ever get another "real" job where I use a work-owned computer.

BTW - Product highly recommended.
 
goombawaho said:
Makes me more paranoid in case I ever get another "real" job where I use a work-owned computer.

Quite simple really, use work computer for work - use own computer for everything else! That goes for the phones and fax as well. Simples!
 
I think we all know that NOBODY uses a work PC exclusively for work. I wouldn't even ask my employees to do so (if I owned a company or was "in charge" at a corp) because they can do things in 5 minutes (communicate with spouse/kids, order something needed, etc.) that improve their quality of life AND make them happier employees and more efficient during the day (not running out during lunch to buy said product or leaving early).

If anyone thinks it's an all or nothing proposition, that company is likely hurting employee morale, making people more likely to leave and DECREASING job performance.

It's a two way street. Of course, employees shouldn't be on gambling/adult/social media/job hunting sites all day, but a little piddling around never hurt anybody. And you can quote me on that.

Sometimes, the harder you try to hold something, the easier it slips out of your fingers.
 
Whilst I take your point - and it is well made - these days I see no need to use office equipment at all for personal use. Office time is another matter - if you need to make an urgent phone call or send an urgent email or respond to a text message use your 'phone'. It's just not worth the risk of even accidentally causing yourself problems using the office PC. It's one thing to get 'caught' by a bad website googling for say, "Server update failing" and another to be googling for cheap holidays!

When I married "Miss Right" I didn't realise her first name was 'always'. LOL
 
Yeah, I guess it just depends upon how nazi-like the general management and/or IT management is where you work.

There's a good balance somewhere, but I have seen where the CEO sent the HR person out (hiding) in the parking lot to see who was arriving late. I understand the importance of being on time, but that made so many people so mad that people started tripping over themselves to look for new jobs. Thus: exodus of good people.

Then, the dude (CEO) hires his brother-in-law's IT company to do the IT work. He was a real pip. Thanks Chuck. If he had turned up dead, there would have been a lot of suspects.
 
If one employee is looking at job-hunting websites, occasionally, then fine. If lots of employees are doing it, a lot, then maybe there's a message there for anyone who's listening.

Also, if management start firing people on what look like unnecessarily harsh grounds, guess what: everyone who thinks they have a chance of finding a better job is going to start looking for one. To be honest, if I were you, I'd be hunting already. But using my own PC.
 
This thread has nothing to do with me - it's a company that I service. It's their employee that got monitored and then fired.

Other commentary is from my personal experiences at other jobs.
 