I suspect a keylogger on a client's PC, but cannot isolate it. My fear is that this keylogger transmits data outbound to an indeterminate location.

So I am seeking a tool which may allow me to look at any outbound activity, and then isolate destinations and take it from there.

Time is of the essence, so I only have a limited time to familiarize myself with a tool.

Will Wireshark address my needs? Thanks!

asked 29 Jan '11, 12:34


lastditch


Yes, Wireshark can help but depending on the usage pattern of the PC it can be difficult to determine which traffic is harmless and which is malicious.

This is what I would do if I suspect a keylogger transmitting data:

  1. If you can, put Wireshark on a 2nd PC and use a Hub/SPAN Port to capture the suspicious PC's data. If you can't, you might have to go with installing Wireshark on the actual client's PC, which has some drawbacks but sometimes can't be helped.
  2. Start the client's PC and let Wireshark capture the data coming and going to its network card.
  3. Close as many programs that use the network as you can, to make sure that there is as little valid network traffic created as possible.
  4. Open a text editor and start typing. Now if there's a keylogger it should at some point start to send out the captured data. You should see that as communications coming from the PC that have no other reason to be there. You can filter on that by using something like "ip.src==X.X.X.X" where X.X.X.X is the PC's IP address. This way you see everything that goes out. If there is something that you have no explanation for, you can filter on this communication bidirectionally, for example by using the "Follow TCP stream" filter (if it is in fact a TCP session). Then you need to determine what is happening and if this is in fact a keylogger.
  5. You may have to monitor the PC for a while because not all keyloggers send their data out right away. If you have Wireshark on a 2nd PC you can try to shut down the suspicious PC and see if there is a transmission right before the keylogger is terminated.

BTW, if you suspect a keylogger you should also check the PC for physical dongles - nobody checks the back of the PC for PS/2 or USB keyloggers in hardware unless it's a notebook ;-)


answered 30 Jan '11, 05:19


Jasper ♦
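The triage in step 4 of the answer above (filter on `ip.src==X.X.X.X`, then look for destinations you cannot explain), worked through as an added example that is not part of the original answer. It reads a tshark field export; the export command in the comment, the host address 192.168.1.20, the allowlist of known destinations and the sample rows are all assumptions constructed for the example.

```python
# Added example (not from the original answer): triage outbound flows of one host
# from a tshark field export. Assumed (hypothetical) export command:
#   tshark -r capture.pcapng -T fields -E separator=, -e frame.time_epoch \
#     -e ip.src -e ip.dst -e tcp.dstport -e udp.dstport -e frame.len
import csv
import io

# Constructed sample rows (not real capture data): epoch,ip.src,ip.dst,tcp.dstport,udp.dstport,frame.len
SAMPLE_EXPORT = """\
1296300000.1,192.168.1.20,192.168.1.1,,53,74
1296300000.2,192.168.1.1,192.168.1.20,,53,120
1296300001.0,192.168.1.20,192.168.1.1,,123,90
1296300005.0,192.168.1.20,203.0.113.9,443,,66
1296300005.1,203.0.113.9,192.168.1.20,443,,66
1296300060.0,192.168.1.20,203.0.113.9,443,,1400
1296300061.0,192.168.1.20,203.0.113.9,443,,1400
1296300062.0,192.168.1.20,198.51.100.7,8080,,612
"""
# (dst, port) pairs the operator can already explain; assumption: the local router serves DNS and NTP.
KNOWN_OK = {("192.168.1.1", 53), ("192.168.1.1", 123)}

def summarize_outbound(export_text, host_ip, known_ok=KNOWN_OK):
    """Aggregate packets with ip.src == host_ip by (dst, port):
    packet count, bytes, first/last seen and whether the pair is explained."""
    flows = {}
    for ts, src, dst, tcp_port, udp_port, length in csv.reader(io.StringIO(export_text)):
        if src != host_ip:
            continue  # only traffic leaving the suspect PC
        key = (dst, int(tcp_port or udp_port or 0))
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": float(ts),
                                   "last": float(ts), "explained": key in known_ok})
        f["packets"] += 1
        f["bytes"] += int(length)
        f["first"] = min(f["first"], float(ts))
        f["last"] = max(f["last"], float(ts))
    return flows

def unexplained(export_text, host_ip, known_ok=KNOWN_OK):
    """Destinations with no explanation, largest byte count first (where to look first)."""
    flows = summarize_outbound(export_text, host_ip, known_ok)
    return sorted((k for k, v in flows.items() if not v["explained"]),
                  key=lambda k: -flows[k]["bytes"])

if __name__ == "__main__":
    flows = summarize_outbound(SAMPLE_EXPORT, "192.168.1.20")
    for dst, port in unexplained(SAMPLE_EXPORT, "192.168.1.20"):
        f = flows[(dst, port)]
        print(f"{dst}:{port} packets={f['packets']} bytes={f['bytes']} "
              f"active={f['last'] - f['first']:.0f}s")
```

Each unexplained destination is then a candidate for "Follow TCP stream" in Wireshark; a destination that only appears while you type in the editor, or whose byte count grows with what you type, is the one to examine first.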

Well, it may. You'll have to be prepared to chew on some raw data packets; the keylogger most likely tries to conceal its communications. Still, Wireshark should show them, and allows a higher-level view on the connections. Take a stroll through the User's Guide to get an idea of what's possible.


answered 30 Jan '11, 05:09


Jaap ♦


Seen: 3,250 times

Last updated: 30 Jan '11, 05:19

powered by OSQA