HM2K

startkeylogger

After my post last month about the Norton startkeylogger bug, I've had a massive increase of visitors this month from people interested in this problem.

For those who are interested in this bug, I'd like to make a few things clear...

It does work, I've tested it.
This bug has been around for about 2 years. I made the post after someone reminded me of it.
It seems you can also use stopkeylogger; both of these commands are triggers for the Spybot trojan.
You can also use these commands in the topic and as a nickname; it will have the same effect.
This command only appears to work when you're connected to a server on port 6667-7000, such as an IRC server; by doing this, Norton is meant to protect you from the Spybot trojan.

I would also like to point out that I didn't make the post so people would abuse it. I simply made it as it was an interesting bug, and I've yet to find out how to report bugs to Symantec, so I wanted to make people aware of the issue.

The original startkeylogger post.
27 Feb 2006 by HM2K
12 comments

Note: Comments are disabled.


by hm2k @ 03 Aug 2006 06:00 pm
It's people like jeroen_77 that keep me in a job. Thanks.

by jeroen_77 @ 19 Mar 2006 03:51 am
Don't disable anything in Norton, just get a new IP address and hide it before you log on. Since I did that I never got the message from Norton saying I got attacked by Spybot keylogger; with this information I know that someone is trying to break into your computer through IRC!

by HM2K @ 16 Mar 2006 11:03 am
Like I said, credit where it's due, you did remind me of this, but I had discovered it 2 years previously when I had more involvement with trojans and such.

Jealousy is a terrible thing.

PS. This bandwagon has passed, and your site is down.

by Silenz-again @ 16 Mar 2006 09:48 am
BTW: if it's in a topic in any chatroom on an IRC network it disconnects the user automatically. So say you're on EFnet and you have a room with the topic of 'startkeylogger', it disconnects all users with the affected software and gives them a nice warning when they connect. www.SilenZ.be / irc.rizon.net #silenz

by Silenz @ 16 Mar 2006 09:34 am
Hey, I posted the latest comments with the chat of ceejay before reading the latest comment you posted in response to mine, oh well. I can't argue with it and say whether you or I originally discovered it, but I'm sure you got the idea to post from me 'messing around' in your chan. Oh well. Not much more to say since I want to keep my activities discreet.

by SilenZ @ 16 Mar 2006 09:30 am
<SilenZ> btw
<SilenZ> you know hm2k
<ceejay> very well
<SilenZ> yea well im mad at him
<ceejay> haha
<ceejay> what else is new
<SilenZ> check this out
<SilenZ> you know the startkeylogger shit
<ceejay> yea
<SilenZ> I FUCKING FOUND THAT OUT
<SilenZ> and was fucking with it on your chan
<SilenZ> and i guess he saw, and posted on his site
<ceejay> i rememebr when we first talked about it
<SilenZ> well it hit big on a few sites and i got what? NO CREDIT
<SilenZ> asif he discovered it
<ceejay> :(

by hm2k @ 07 Mar 2006 08:47 pm
As far as I'm aware Symantec have now released a fix for this bug.

Until next time folks!

by paranoid @ 04 Mar 2006 11:28 am
If it is of interest to you, you are famous now (in Germany):
http://www.heise.de/newsticker/meldung/70355

by HM2K @ 04 Mar 2006 01:09 am
Ah silenz,

I was wondering when you were going to come along.

Yes, you are the one that reminded me of this bug, hence why I made the original post, but sadly no, you didn't discover it, I found the problem originally a few years back, I actually did some testing in #serialz myself. heh

The reason I made the post was because even after I saw you using it again a few years on, I still found no decent results explaining the bug, or a fix, so I decided to make the post and see what happens. I got more than I bargained for.

PS. There is no way of getting the related trojan from someone typing the command.

by HELLO?!! @ 04 Mar 2006 12:28 am
And risk getting the trojan?? crying

by silenz @ 03 Mar 2006 09:43 pm
I know you found this when I was fucking around in #serialz. Don't take credit like you discovered this.

by Symantec? @ 03 Mar 2006 04:29 pm
Just disable Spybot keylogger commands from intrusion prevention/advanced setup:

http://img227.imageshack.us/img227/695/startkeyloggerproblem4gn.jpg
