SANS: KbHook.dll is Not Always Spyware

Although many malware-scanning tools identify the kbhook.dll file itself as spyware, its presence alone is not sufficient. The infected system also needs to have additional software components that make use of the DLL's keystroke-monitoring features. In the case of the workstation that I was analyzing, I could not find any additional suspicious components. Although that, alone, would not be sufficient to calm me, additional evidence reinforced the theory that I was dealing with a false positive....

....If you encounter a kbhook.dll file on your system, please remain vigilant. This file is often associated with dangerous key loggers, the presence of which may require a full system reinstall. However, keep in mind that malware scanning tools sometimes misidentify this file. Specifically, the file named kbhook.dll is sometimes used by keyboard driver authors without malicious intent.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

Linked by shanmuga Saturday, 28th January 2006 11:26PM