Best R.A.T/Keylogger protection?

Ink (Administrator, Staff Member; joined Jan 8, 2011)
KeyScrambler is the best shot, since it doesn't care whether you are infected by a keylogger or not; it just encrypts your keystrokes so they will be unreadable to the attacker.
What about HitmanPro Alert 3 (licensed)?
 

floalma (Level 4; joined Apr 5, 2015)
Or SpyShelter + HitmanPro.Alert

Keylogger paranoid? Use this combo:

CIS + SpyShelter + KeyScrambler

It encrypts all keystrokes, as do KeyScrambler, SpyShelter and Zemana.

Yes. I was wondering about that one too... I'm not sure how good anti-keylogging actually is though. No one has tested it as far as I know.
 

mal1 (Level 4, thread author; joined Oct 1, 2015)
I found this article about R.A.Ts on an IT website called "acunetix.com"; it suggests that port scanning is more helpful than AV scanning whenever a R.A.T is suspected:

Having a good antivirus solution gives a warm, fuzzy feeling of safety: you know that your assets are virus free and that your network is secure. However, most antivirus solutions cannot detect Remote Administration Tools (aka Remote Access Trojans or just RATs), because their structure does not generally fit the virus/worm profile. They are simple programs that run in the background and do nothing other than open a connection to a predefined host managed by the attacker, and wait for instructions. The damage they can cause, however, may be much greater than the damage caused by normal worms. Let's have a look at the main features of remote access Trojans and explore ways to defend against them.

Client-server architecture and modus operandi
Remote Access Trojans (RATs) are usually designed as client-server components with the aim of providing the attacker with convenient ways of interacting in real time with the compromised assets. The client part runs on the compromised machine and sends information to the attacker via email or by establishing a direct connection to the server component, which runs on the attacker's machine. The attacker would be running the RAT server component, which allows him to manage multiple infected machines at the same time. He will be able to see in real time the machines that are currently available, the services and applications that they are running, the currently logged-on users, security configurations, etc. Further on, the attacker can send commands to be executed by the client component on the compromised machines and receive the results in real time, using the RAT as a fully-fledged remote control.

This architecture also has advantages when it comes to spreading the malicious code to other machines on the network, because it gives the attacker control over the entire process. Instead of having code that automatically proliferates and attacks other machines, like a worm has (detected by antivirus heuristics), RATs spread at the click of a button or a keystroke on the server side. That way, the attacker chooses the next target and the time of attack, rather than allowing the malicious code to spread randomly whenever possible, or constantly.

Stealth
The key differentiator between a worm and a RAT is stealth. Worms are designed for constant and quick mass proliferation, execution of hardcoded malicious activity, and possibly calling back home. Their strength is in numbers. RATs, on the other hand, are designed for stealthy deployment and their main purpose is to infect critical assets for as long as possible, and allow the attackers to manipulate them. The main attributes of RATs that grant them stealth are: no virus signature, the ability to bind to legitimate processes, mimicking the behavior of legitimate remote access applications, and no code to automatically infect other assets.

Not having a virus signature avoids detection through antivirus scans that rely on virus signature databases. The ability to bind to legitimate processes and run in the background enables RATs to avoid detection when the victims analyze the list of running processes. Mimicking the behavior of legitimate remote access applications, and not having code that automatically and randomly tries to spread, enables RATs to avoid detection by antivirus engines that run heuristic or sandbox analysis looking for unusual behavior patterns.

Damage
Another difference between RATs and worms is the damage they cause. Worms deliver a series of predefined, hardcoded payloads. They will execute the tasks they were designed for, and try to spread. The attacker cannot interact with the compromised machines. On the other hand, RATs open a door into the network, or into a compromised machine. Through the door, attackers can take over the asset, steal data, gain access to other assets in the network, cause performance degradation or deliver other malicious payloads. RATs enable execution of custom payloads with real-time feedback, while keeping everything stealthy and allowing the attacker to be flexible when selecting targets, or the actions to execute. The payloads to execute may be sent from the attacker's server in encrypted form, so that antivirus engines that scan network traffic in real time cannot detect virus signatures.

Defending against RATs
Depending on the complexity of their implementation, the amount of stealth features and outside communication methods, some remote access Trojans may be detected by normal antivirus solutions. However, a better way to detect them is to look for the backdoor they open. This door is essential for the functionality of the RAT, so using it as the primary means of detection grants adequate accuracy, better than that offered by antivirus engines. In essence, running port scans against internet-facing machines, or even machines inside the DMZ, would yield the best results. Since some RATs may not keep the ports open persistently, running such scans often, based on a schedule, would increase the chances of detection. For best results, you would need a tool capable of scanning for open ports regularly, detecting the applications/services that are listening on the open ports, and pointing out the ports used by unsafe applications or unknown services. Once suspicious ports are identified, they can be closed at the firewall, the executable opening the ports can be quarantined, and a new port scan can be triggered to confirm that the backdoor is gone. Read more to find out the importance of port scanning.

In conclusion
RATs escape signature scanning, heuristics, sandbox technology and pretty much everything antivirus software throws at them. They are your silent, well-oiled backdoors, unknown to you or your security applications. They are more devastating than viruses. The only way to accurately detect them is port scanning! SANS maintains a list of ports which are known to be used by RATs and Trojans. Scan your open ports with Acunetix Online Vulnerability Scanner.

Source: Danger: Open Ports - Remote Access Trojans (RATs) vs Worms - Acunetix
 

Terry Ganzi (Level 26; joined Feb 7, 2014)

Shields UP!!
So a Shields UP!! port scan can work?
 

jamescv7 (Level 85, Honorary Member; joined Mar 15, 2011)
Well, still, if RAT symptoms are already active then a port scan may be of use; however, part of prevention is to thoroughly analyze the file before execution, and the cloud may help with this as long as the information gathered is enough to deem it malicious.
 
hjlbx

Using a port scanner means it is already too late... the RAT shouldn't be in your system in the first place.

You have to run a port scan from another computer over the LAN. @Umbra is correct.

That article, while correct, isn't really meant for home users. If you even suspect a RAT/keylogger/rootkit infection, the best thing for a home user is to clean install the OS.

If it comes back after that, well then, you have to reach out and get some expert opinions...
 

Online_Sword (Level 12, Honorary Member; joined Mar 23, 2015)
Hi, I hope to ask a question about the license of KeyScrambler here.
It is said on the KeyScrambler website that:
Your KeyScrambler License Provides at least 1 year of free upgrades and online tech support
Does this mean:
A) The license is a lifetime license, but software updates and tech support are only provided in the first year. If you want to update the software in the next year, you have to renew the license.
OR
B) The license is just a one-year license. If you want to continue to use the software, you need to renew the license.
Thanks.
 
hjlbx

(Quoting Online_Sword's question about the KeyScrambler license above.)

A.
 
LabZero

It depends on the RAT.
Let's consider the @hjlbx :p Spy Net RAT.
It is written in Delphi and is among the most popular at present. About 25% of the botnets in circulation are based on the structure of this RAT. Properly encrypted.
It works in "back connection"/"reverse connection" mode (able to bypass the router's firewall and routing rules) and is capable of capturing images from the webcam, screenshots of the remote desktop, killing processes, keylogging, file management, DDoS attacks (now common practice with these types of RAT), registry editing, executing HTML scripts/BASH/VB... and many other features.
I recommend extreme caution if you are curious and interested in downloading this malware!!
 
  • Like
Reactions: frogboy
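The Acunetix article quoted earlier in the thread recommends finding a RAT by scanning for the port it listens on, while LabZero's post describes a RAT that works in "reverse connection" mode, which opens no inbound port at all. The following Python script is an added example, not code from the article, from the thread, or from any of the products mentioned. It puts both ideas side by side: a baseline-aware TCP connect scan that flags an unexpected listener (a plain listening socket stands in for a bind-style RAT), and a check of an `ss -tnp`-style connection table for established outbound connections to non-allowlisted peers, which is how a reverse-connection implant shows up. The baseline ports, the destination allowlist, the sample table, the `updater` process name and the TEST-NET address 198.51.100.7 are all constructed for the example.

```python
import re
import socket

# Constructed baseline (assumption): ports this host is expected to have listening.
EXPECTED_LISTENERS = {22, 80}
# Constructed allowlist (assumption): remote endpoints that outbound connections may reach.
ALLOWED_DESTS = {"93.184.216.34:443"}

# Constructed `ss -tnp`-style table standing in for output collected on the host.
# 198.51.100.7 is a TEST-NET address and "updater" is a hypothetical process name.
SAMPLE_SS = '''\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=601,fd=3))
ESTAB  0      0      192.168.1.10:51234   93.184.216.34:443   users:(("firefox",pid=1203,fd=88))
ESTAB  0      0      192.168.1.10:49877   198.51.100.7:4444   users:(("updater",pid=2210,fd=5))
'''


def tcp_connect_scan(host, ports, timeout=0.25):
    """TCP connect() scan: return the set of ports that complete a handshake."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def unexpected_listeners(open_ports, baseline=EXPECTED_LISTENERS):
    """Open ports absent from the baseline: candidates for a bind-style backdoor."""
    return sorted(set(open_ports) - set(baseline))


def simulated_bind_backdoor(host="127.0.0.1"):
    """Stand-in for a bind-style RAT: a plain listener on an ephemeral port waiting for the attacker."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv  # caller closes it; srv.getsockname()[1] is the port


SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)[^)]*\)\))?'
)


def parse_ss(text):
    """Parse `ss -tnp`-style rows; the header fails the numeric Recv-Q/Send-Q match and is skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_outbound(rows, allowed=ALLOWED_DESTS):
    """ESTAB sockets whose peer is not allowlisted: candidates for a reverse-connection implant.
    These never appear in an inbound port scan because the implant is the client side."""
    return [r for r in rows if r["state"] == "ESTAB" and r["remote"] not in allowed]


def demo():
    """Run both checks: the live scan against the simulated bind backdoor, then the table check."""
    backdoor = simulated_bind_backdoor()
    try:
        rat_port = backdoor.getsockname()[1]
        open_ports = tcp_connect_scan("127.0.0.1", [22, 80, rat_port])
        flagged_ports = unexpected_listeners(open_ports)
    finally:
        backdoor.close()
    flagged_conns = suspicious_outbound(parse_ss(SAMPLE_SS))
    return {"rat_port": rat_port, "flagged_ports": flagged_ports,
            "flagged_conns": [(c["proc"], c["pid"], c["remote"]) for c in flagged_conns]}


if __name__ == "__main__":
    print(demo())
```

Scanning 127.0.0.1 is only for the self-contained demo; as hjlbx notes further down the thread, a real scan should be run from another machine on the LAN so the host firewall's view is what gets tested. The second check is the one that matters for reverse-connection RATs: the implant on the victim holds an ESTAB socket to the attacker and no LISTEN socket, so only the outbound side of the connection table (or egress logs at the perimeter) can reveal it.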
LabZero

(Quoting Online_Sword's question about the KeyScrambler license above.)

According to the KeyScrambler FAQ:

A: "Since August 2006, users who bought KeyScrambler Pro or Premium have received free upgrades without having to pay annual renewal fees. That practice is to change beginning with KeyScrambler 3.0: For the same $29.99 for Pro and $44.99 for Premium, you can now install KeyScrambler on up to 3 computers instead of 1 computer in the past. And you are guaranteed free upgrades for one year. By the end of one year, you can either pay a renewal fee (50% of the purchase price) for another year of upgrades, or continue to use the version you bought for as long as you like."
 
