Author Topic: Monitoring Suite  (Read 2100 times)

Orethrius

  • Member
  • **
  • Posts: 1,783
  • Kudos: 982
« on: 3 July 2004, 21:01 »
Okay, so I've had a paranoid client approach me because he's "worried that hackers are somehow remotely using his computer while he's at work, and his work computer when he's at home."  I can't seem to shake him of that notion (thank you, Ms. Bullock), so I need to ask the following, as Orwellian as it may sound.

I'm looking into meshing RealVNC with some sort of remote keylogger (preferably one that can be run as transparently to the user as VNC can, or better) - can anybody name a good open-source project, preferably C/C++?  Thanks for the help.

Proudly posted from a Gentoo Linux system.

Quote from: Calum
even if you're renting you've got more rights than if you're using windows.

System Vitals

Refalm

  • Administrator
  • Member
  • ***
  • Posts: 5,183
  • Kudos: 704
  • Sjembek!
    • RADIOKNOP
Monitoring Suite
« Reply #1 on: 3 July 2004, 23:36 »
You should check SF.net more often  

RegLoad Keylogger: This is written in the script kiddie language Visual Basic. But we forgive him/her, as it's meant for Windows

Orethrius

« Reply #2 on: 4 July 2004, 00:15 »
Thanks for the link Refalm.  The reason why I ask for a C/C++ source project is because VNC has GPL C/C++ source, so I figure I could just save myself the time (and effort  ;) ) of recoding the VB to mesh with VNC for a viable system whereby I can have some form of keylogger report the exact keys pressed from the server to the remote viewer (perhaps in an incorporated text box) at any given time.  Think: VNC followed out to its logical end.   :cool:


TheQuirk

  • VIP
  • Member
  • ***
  • Posts: 2,154
  • Kudos: 315
Monitoring Suite
« Reply #3 on: 4 July 2004, 00:46 »
Couldn't you use something along the lines of Back Orifice or SubSeven (or Sub7)? What you're describing is a trojan horse without the trojan part.

I guess what you REALLY need is a horse, then.  

Orethrius

« Reply #4 on: 4 July 2004, 00:52 »
Indeed.  Like I said, the man is paranoid, not stupid.  He's running BitDefender every single day against all both of his hard drives.  That's why I need to make a little something that's privatized source that's not supposed to ever see the light of day outside these two boxes.   :cool:


flap

  • Member
  • **
  • Posts: 1,268
  • Kudos: 137
Monitoring Suite
« Reply #5 on: 4 July 2004, 20:09 »
How does he think people are using his computer? Does he already have some kind of remote control software installed?
"While envisaging the destruction of imperialism, it is necessary to identify its head, which is none other than the United States of America." - Ernesto Che Guevara

http://counterpunch.org
http://globalresearch.ca


Refalm

« Reply #6 on: 4 July 2004, 21:14 »
quote:
flap: How does he think people are using his computer? Does he already have some kind of remote control software installed?


Windows XP has remote desktop software installed as standard.

flap

« Reply #7 on: 4 July 2004, 22:25 »
So why doesn't he turn it off? Or install a firewall?


Orethrius

« Reply #8 on: 6 July 2004, 07:25 »
quote:
Originally posted by flap:
So why doesn't he turn it off? Or install a firewall?


I'm being paid here; mine is not to ask why, but merely to do what the customer wants.  Again, he's a tad on the paranoid side (read: "even if I have a firewall, they can still hack me") and no amount of rhetoric has convinced him otherwise.


flap

« Reply #9 on: 6 July 2004, 16:22 »
If I were you I wouldn't encourage him. And surely installing VNC is only going to make it less secure, if anything. Even if he has a keylogger installed he can't trust the information it's reporting if he thinks his machine has been compromised.

If he thinks he can be hacked while running a firewall that blocks all incoming connections then tell him the only way to secure it absolutely is to disconnect his machine from the internet.


Orethrius

« Reply #10 on: 6 July 2004, 22:56 »
That would be precisely the reason why I'm looking at taking some open source and meshing it together into a closed-group one-off (of sorts), so that only somebody with prior knowledge of the ports in use would know where to hack when.  Even the VNC source port can be changed at the server program level.  This is the kind of person that I have no doubt would disconnect his box from the Internet for security's sake, in which case I'm out of a job.  I understand security issues as much as the next guy, but when it comes to somebody who wants to stay connected at the cost of some security, my bottom line is affected.  It's my job to make these guys feel secure (as if he's not running Mandrake already  ;) ), not to write my own revisionist history of their stupid moves.  Now please stop telling me how I'm doing my job wrong and at least try to help me, not the guy that's beyond all help. ;)


flap

« Reply #11 on: 6 July 2004, 23:16 »
I don't really understand how VNC comes into this at all. What does that have to do with (and for that matter what's the point of) keylogging? Depending on how a cracker breaks into a system that's unlikely to record anything. If anything he probably just wants an intrusion detection system.


Orethrius

« Reply #12 on: 6 July 2004, 23:54 »
quote:
Originally posted by flap:
I don't really understand how VNC comes into this at all. What does that have to do with (and for that matter what's the point of) keylogging? Depending on how a cracker breaks into a system that's unlikely to record anything. If anything he probably just wants an intrusion detection system.


Okay, I'll answer this in three points.
(1)  VNC is not the program here, but a mainstream code concept that will likely be the framework for a later monitoring system.
(2)  I chose VNC for its (as of the current version, improperly implemented) ability to prevent users on the server from noticing that they're being monitored through "connection sharing" and the option to prevent the server from receiving mouse and/or keyboard events from the remote client.
(3)  I'm not looking at keylogging in the traditional "let's take a sampling from the keyboard" method.  I'm talking about something that logs the local box at the system level, so that ANY keys entered into it through any valid terminal at any point in time will be recorded.  If this makes it more along the lines of a more conventional IDS, then so be it.  That's what I'm gunning for anyways.      :cool:

EDIT:  I suppose it would help somewhat if I said that he trusts firewalls to prevent DoS attacks, but precious little else.   :rolleyes:  

[ July 06, 2004: Message edited by: Midnight Candidate ]



flap

« Reply #13 on: 7 July 2004, 01:21 »
The point is that logging "keys" would only work if his machine was being accessed via some kind of remote control software, such as VNC, that (presumably) generates keyboard/mouse events. If he's not even running anything like VNC in the first place then there's no way that approach could work. Is he specifically concerned about someone using only that kind of software to access his computer?

 
quote:
EDIT: I suppose it would help somewhat if I said that he trusts firewalls to prevent DoS attacks, but precious little else.


...which, considering firewalls don't prevent DoS attacks, suggests he is actually an idiot. If I were you I'd give him a placebo solution, like installing Winamp and telling him that it definitely logs/prevents all intrusion attempts. Or you could just install an IDS.

[ July 06, 2004: Message edited by: flap ]