SANS ISC: KbHook.dll is Not Always Spyware

I am a fan of the Microsoft AntiSpyware tool for several reasons:

  1. It's relatively easy to use
  2. Its feature set is very comprehensive
  3. It's free
(There are other excellent anti-spyware tools out there, too. This story just happens to start with a Microsoft AntiSpyware scan.)

Like all malware scanners that use signatures to identify malicious code, Microsoft AntiSpyware can raise false alarms. I was recently reminded of this after a scheduled scan of a Windows workstation produced the following critical alert:

This screen shot was modified to remove the date when the alert occurred.

Whoa! Key loggers are a particularly nasty type of malware, because they are created to monitor and record keyboard activities. They are often designed to capture the victim's interactions with a login form of some kind, frequently targeting logon credentials for banking websites. NetSpy, identified by this spyware scan, is known to be able to log the victim's key strokes, take screen shots, and transmit captured data to the attacker. No wonder a spyware scanner typically categorizes it as a severe threat.

Although many malware-scanning tools identify the kbhook.dll file itself as spyware, its presence alone is not sufficient evidence of an infection. An infected system also needs additional software components that make use of the DLL's keystroke-monitoring features. In the case of the workstation I was analyzing, I could not find any additional suspicious components. Although that alone would not be sufficient to calm me, additional evidence reinforced the theory that I was dealing with a false positive.

The creation date of the offending file c:\windows\system32\kbhook.dll matched the day when the workstation's user happened to install drivers for his BenQ keyboard. Repeating the driver installation process confirmed that the kbhook.dll file is supplied by the keyboard vendor, presumably to enable non-standard keyboard features such as hot keys.

A web search revealed several discussions of false positives associated with files named kbhook.dll. One such discussion stated that Genius Wireless Keyboard drivers used this file without malicious intent. Another discussion of an unknown-to-me keyboard reached a similar conclusion.

The kbhook.dll file on the workstation I examined was a Microsoft Visual C++ 6.0 DLL, with MD5 hash 68ef310fdb7788a8ea8841c8fe80e66e. It exported two functions, EnableHook() and DisableHook(); this is how an external program would make use of the DLL's keyboard-hooking functionality.
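The file-level checks above (hash, build date, exported names) can be repeated without a Windows toolchain. The following script is an added example, not code from the diary or from any keyboard vendor: it parses a PE image from memory, reports its MD5, the link timestamp stored in the COFF header, whether the image is flagged as a DLL, and the names in its export table. Because it has to run offline, it builds its own minimal PE32 DLL whose export table names EnableHook and DisableHook; that sample, its hash and its timestamp are constructed here and are not the real kbhook.dll.

```python
"""Added example: offline triage of a suspect DLL such as kbhook.dll.

Reports the file's MD5, the link timestamp from the COFF header, whether
the image is flagged as a DLL, and the names in its export table, so the
EnableHook/DisableHook check can be repeated without dumpbin.
The sample PE below is constructed here; its hash and timestamp are synthetic.
"""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def triage_dll(data: bytes) -> dict:
    """Parse a PE image from memory and return hash, link time, DLL flag, exports."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                         # start of optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)        # DataDirectory[0]: PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off)
    sections = []
    for i in range(nsect):
        _name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rsize), rptr))
    exports = []
    if exp_rva:
        e = _rva_to_offset(exp_rva, sections)
        _n, base, _nfunc, nnames, _funcs, names_rva, ords_rva = struct.unpack_from("<IIIIIII", data, e + 12)
        names_off = _rva_to_offset(names_rva, sections)
        ords_off = _rva_to_offset(ords_rva, sections)
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            ordinal = base + struct.unpack_from("<H", data, ords_off + 2 * i)[0]
            exports.append((ordinal, _cstring(data, _rva_to_offset(name_rva, sections))))
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "link_time": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": machine,
        "exports": exports,
    }


def build_sample_dll() -> bytes:
    """Constructed sample: a minimal PE32 DLL whose only content is an export table."""
    sect_rva, sect_raw = 0x1000, 0x200
    edata = bytearray(40)                                 # export directory, filled in below
    dll_name_rva = sect_rva + len(edata)
    edata += b"kbhook.dll\0"
    name_rvas = []
    for name in (b"DisableHook", b"EnableHook"):          # name table is kept sorted, as linkers do
        name_rvas.append(sect_rva + len(edata))
        edata += name + b"\0"
    edata += b"\0" * (-len(edata) % 4)
    funcs_rva = sect_rva + len(edata)
    edata += struct.pack("<II", 0x1100, 0x1200)            # fake function RVAs; never dereferenced
    names_rva = sect_rva + len(edata)
    edata += struct.pack("<II", *name_rvas)
    ords_rva = sect_rva + len(edata)
    edata += struct.pack("<HH", 0, 1)                     # unbiased ordinals
    struct.pack_into("<IIHHIIIIIII", edata, 0, 0, 0, 0, 0, dll_name_rva, 1, 2, 2, funcs_rva, names_rva, ords_rva)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))           # e_lfanew -> PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1134000000, 0, 0, 224, 0x2102)  # i386, one section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 96, sect_rva, len(edata))  # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sect_rva, len(edata), sect_raw, 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header + b"\0" * (sect_raw - len(header)) + bytes(edata)


if __name__ == "__main__":
    report = triage_dll(build_sample_dll())
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_dll()`. Two caveats when reading the output: the link timestamp is written by the linker and survives copying, so it is a better anchor than the filesystem creation date when correlating a file with a driver installation; and the MD5 identifies one specific build, so a kbhook.dll shipped with a different keyboard or driver version will hash differently without that mismatch being suspicious by itself.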

Personally, I am not crazy about having a DLL with this functionality installed on a system, because one never knows which program will attempt to take advantage of its EnableHook() and DisableHook() functions. I was able to delete the file from the workstation, because the user did not make use of the BenQ hot keys that the driver was meant to enable. Other reports on web forums suggest that removing the file for certain keyboards may prevent the device from working properly.

If you encounter a kbhook.dll file on your system, please remain vigilant. This file is often associated with dangerous key loggers, whose presence may require a full system reinstall. However, keep in mind that malware scanning tools sometimes mis-identify this file. Specifically, the file name kbhook.dll is sometimes used by keyboard driver authors without malicious intent.

Lenny Zeltser
ISC Handler on Duty
www.zeltser.com
