How can I determine if a file or executable has a keylogger included with it?
I had a program created for me recently and didn't really think about it being executable posing a threat since I pretty much trust the source, but not completely.
I then thought about the fact that a keylogger, or any kind of spyware or malicious software could've been possibly binded to it. This made me wonder about all the other stuff I download daily from places or people (torrents) I don't think twice about.
How can someone find out if there has been some sort of keylogger binded to the software you're running or other things binded?
What are some good ways to find out and stop these things?
Solution 1:
Some ways,
-
Signature based detection.
A good and updated anti-virus suite (yes, I know 'good' will be debated)
will help track most of the malware before it starts engaging with your system -
Anomaly based detection.
A track of outbound communication from individual applications
(this is also done by most AV/AS software)
will help identify unexpected 'mothership-calls' from applications.
Note that I do not mean analysis of communication. I mean attempts of communication be applications that are not expected to do that (say editor applications for example). Analysis of communication (say from a chat application you downloaded) might also be done, but would be quite a complex problem.
I'll quote a personal example of a good malware detection case.
One of the standard AV/AS suites on a Windows machine of mine was active when,
I tried to open a 'sample' (and malware scripted) HTML file from one of our work servers.
It was immediately caught by the suite.
Then, I tried a Cygwin scp
fetch of the same HTML file now renamed as TXT on the server.
The suite did not let the scp
land on my host disk. It was deleted as soon as it was fetched.
The detection was based on recently updated signatures for a new 'script-based-attack'.
Solution 2:
You could upload the executable file to VirusTotal.com. VirusTotal will analyze the file using about 40 different engines.
Some Firewall software will inform you when an application attempts to make outside contact and give you the opportunity to deny the request. ZoneAlarm is free and has this feature. They make it a little hard to find the free version on their website but you can quickly find the free version at Download.com.