Will you please post a link to the free application to remove the keylogger here on your blog? The keylogger is on my system too...and like you said, firewalls, AV/AS and detailed expert help have done nothing to help.
Sidewinder |
08.10.05 - 2:03 pm | #
|
|
Yes, the fix will be up on the blog soon.
Alex Eckelberry |
08.10.05 - 2:10 pm | #
|
|
> so it is generally undetectable by a software or hardware firewall
I question this statement. Kerio Beta as well as several others find process injection and even buffer overflows and block them. DLL injection or process injection is an old technique detected by most software firewalls today.
ThierryZoller |
08.10.05 - 3:14 pm | #
|
|
I question this statement. Kerio Beta as well as several others find process injection and even buffer overflows and block them. DLL injection or process injection is an old technique detected by most software firewalls today.
^^^^^^^^^^^^^^^^^^^
Uhh, what if it's a plugin in IE? If that is the case, there's not much that any software would find. Could you imagine how annoyed everyone would get if Yahoo! Toolbar caused Norton to pop up a warning every 5 seconds?
FROM ALEX: Yes, this is a good point. This thing hooks into IE and hence looks like normal port 80 IE traffic. Only an experienced user would know what to do, and what app to look for.
Firefox is looking better and better.
Edited By Siteowner
Edward |
08.10.05 - 4:03 pm | #
|
|
If you don't use IE, instead use Firefox, will the keylogger be useless?
Jeff |
08.10.05 - 4:48 pm | #
|
|
Could you submit the sample to:
http://www.virustotal.com/
and/or
http://virusscan.jotti.org/
??
Undetected samples received by these sites are distributed to various AV vendors, who will in turn be able to add detection and create removal tools for this keylogger too.
Tom |
08.10.05 - 5:04 pm | #
|
|
Yes, we have submitted samples of this to several of the major AV outfits. We will continue to cooperate fully with all security companies in propagating threat definitions.
Alex Eckelberry |
08.11.05 - 12:12 am | #
|
|
Got it, thanks!!
- Tom Bonner, Virus Analyst - Norman ASA
Tom |
08.11.05 - 4:58 am | #
|
|
Symantec shows this keylogger -- at least as you've id'd it -- in their database, discovered in late March.
http://securityresponse.symantec...oor.nibu.j.html
Yet their software doesn't detect it?
Dwight Silverman |
08.11.05 - 9:15 am | #
|
|
What you're talking about there is a variant of the Nibu trojan. This is not the one that's currently part of this theft ring. According to our tests, Symantec does NOT currently scan and remove this keylogger.
Alex Eckelberry |
08.11.05 - 12:10 pm | #
|
|
Has it been determined what specific site/s the trojan is residing on? I ran the tool last night and it found the infestation. I, the wife, or son have not done any browsing. When I got home this afternoon I scanned again and sure enough it was back. My daughter had been on the net, so I assume it was from her session. It would help greatly if we knew which sites to block and/or notify them they are spreading it.
Andy |
08.12.05 - 9:01 pm | #
|
|
Andy, if you think you have this keylogger, contact us asap Monday morning -- 877-673-1153 or email support@sunbelt-software.com. It's pretty serious if it's on your system.
One tell-tale sign is if you have the winldra.exe program on your computer. If you cannot find this executable, there is a chance it's a false positive.
Alex
Alex Eckelberry |
08.14.05 - 3:44 pm | #