Keylogger Detection

DetectX v1.22+ and, to a lesser extent, FastTasks 2 v1.67+ offer detection of some popular keylogging software. Currently, those detected are:

AMAC / AMK (DetectX)
AOBO (DetectX)
BackTrack (DetectX)
com.apple.iCloudSync.app (DetectX)
Elite Keylogger (DetectX, FastTasks 2)
Refog Hoverwatch (DetectX, FastTasks 2)
LogKext (DetectX)
Perfect Keylogger Lite (DetectX)
Specter Pro (apparently discontinued, but possibly still being distributed by 3rd parties) (DetectX)
WebWatcher (DetectX)

We intend to add more definitions going forward. However, it is imperative that users understand that there are many more kinds of keyloggers than we can ever hope to catalogue. The keyloggers DetectX recognises are some of the most popular and/or more readily available ones, typically used by parents and partners to track family members’ computer-use with either free or low-cost keylogger software. Enterprise-grade and custom-built keyloggers of the type used by employers and state agencies are beyond the scope of DetectX’s abilities.

Thus, DetectX can do no more than confirm that you have an infection if it finds tell-tale files belonging to the small number of keyloggers it knows about. It cannot (and nor can any other software) categorically confirm that your system does not have a keylogger installed.

Moreover, DetectX cannot be relied on to effectively remove a keylogger installation. It can show you where the files it found are located, but it must be understood that DetectX does not attempt to locate all files belonging to any particular keylogger. Rather, we look for signs that a keylogger has been installed as evidence that you should treat your system as compromised if found. In that event, see the next section.


In the case where DetectX (v1.22 or higher) alerts you that a keylogger has been detected:

  1. If DetectX does not show the name of the suspected keylogger in the main Detector window, open the Log Drawer and scroll down to see further information. Alternatively, open the Console.app (/Applications/Utilities/Console.app), select ‘All Messages’ and filter for ‘DetectX’ in the search bar.
  2. Check the name against the keyloggers listed at the top of this page. If the name of the suspected file does not seem to be related to any of the above, or if you know that the file belongs to a legitimate program that you use, DetectX may have found a ‘false positive’. Please check the current list of known false positives (see below). If the item is not on the current list, please contact us so that we can resolve the issue.
  3. If the name of the keylogger is clearly related to one of the keylogger applications listed above, we recommend you cease using your computer until you have taken appropriate action to deal with the keylogger infection.


Appropriate action may include:

Contacting the police or other authorities in case you wish to file criminal charges against whoever installed the keylogger.
Under these circumstances, you should not attempt to remove any keylogger software, as doing so could tamper with the evidence.

Ensuring you have a backup of your personal files (documents, photos, emails, music etc.), and then reinstalling the operating system.
In this case, it is imperative that you do not restore any application specific data or files, any Shared folders, or any User Library folders. If in doubt, seek professional help.

Using DetectX to locate and remove the keylogger files.
In this case, DetectX can show you the files it found, but it is IMPERATIVE that you understand DetectX cannot reliably uninstall keylogger software. Removing the files found by DetectX will probably NOT remove all of the files belonging to a keylogger infection. Keyloggers are, by their nature, intended to defeat attempts to remove them, and neither DetectX nor any other software can reliably identify all the hidden files belonging to keyloggers. At most, DetectX can warn you that it has found some specific files it knows about that belong to some kinds of keylogger. However, the producers of keylogger software are undoubtedly using many other secret files that DetectX does not recognise.

You can view the information DetectX logs about keyloggers it finds in the Console.app. Choose “All Messages” in Console’s sidebar, and filter the results with the term ‘DetectX’.

EXAMPLE: [image: Keylogger example]


Further help:
The developers of DetectX are not able to offer personal support in tracing and removing confirmed keyloggers. This is a task that ideally requires on-site help. We recommend you take your machine to an Apple store or an Apple-certified technician.

Help us improve DetectX:
If you suspect DetectX has erroneously flagged a file as a keylogger (a ‘false positive’), please email us.

If you have confirmed a file on your computer as belonging to a keylogger but which DetectX did not find, please report it.

Many Thanks!

Known or Suspected False Positives (false positives will be removed in the next update):

/var/folders/.../.Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/PrivateFrameworks/WiFiCloudSyncEngine.framework/Versions/A/WiFiCloudSyncEngine.tbd
