Keylogging is one of the most insidious threats to a user’s personal information, including passwords, credit card numbers, etc. A keylogger can potentially expose personal information about the user, and the incidence of keyloggers in the wild is apparently growing rapidly. Unlike phishing, this is not an attack that alert and sophisticated users can avoid.
Writing keylogger software is a trivially easy task. There are numerous freeware offerings, and many of them make efforts to conceal their presence; for example, they will not show up in the Task Manager process list. There is even a feature comparison site for those interested in the hardest-to-detect keyloggers. Home and enterprise users may be able to trust their systems if they maintain good firewall, anti-virus (I personally recommend Kaspersky Internet Security. Works fine on my PC.) and update strategies. However, roaming users have no control over what is installed on the computer they browse from. Certain internet kiosks restrict input access to the machine to prevent software installation. This makes it less likely that another user of the machine has installed a keylogger, so long as the administrator has set good policies. But we would need to be sure that the administrator is both competent and trustworthy. As things stand, a user has no reliable way to determine whether a machine is running a keylogger or not. In this environment, is there anything a user can do to protect themselves from the possibly catastrophic loss of data and personal info?
Yes! Here it is.
A SIMPLE TRICK
We assume that the machine we use has a keylogger running. We’ll also assume that it’s not discoverable by the user, and that we wish primarily to protect any password the user types (we’re less concerned about other keystrokes). In Windows, user32.dll provides event handlers that any application can invoke to trap every keyboard and mouse event. Thus the keylogger gets a string that grows in length as keys are typed. For convenience, some keyloggers generate separate strings for the keys that are intended for different applications; this just involves checking which window has focus at the time of the key event. It is now very easy for the keylogger to harvest passwords. The string of keys sent to the browser will often contain domain names (at an internet cafe most people will type domains, since they are not in “favorites”), followed by a user id and password.
For example the segment:
www.hotmail.comannahh@hotmail.compingpong
tells the logger that annahh@hotmail.com has password “pingpong” at hotmail.
By parsing the string for common domains such as hotmail, paypal, amazon and fidelity, the task is made even easier.
At first our task may seem impossible: if the keylogger sees everything, how can we hide the password from it? Rather than hide the password, our approach is to embed it in a sequence of random characters. So we seek a way of entering random keys so that they will be seen by the keylogger but will not affect normal login. The trick lies in the fact that keyloggers employ very low-level OS calls. The keylogger sees everything, but it doesn’t understand what it sees. The browser also sees everything, but it doesn’t use everything that it sees: it does not know what to do with keys that are typed anywhere other than the text entry fields, and lets them fall on the floor. The keylogger has no easy way to determine which keys are used by the browser and which fall on the floor. It is very easy to record all of the key or mouse events (this is true for both Windows and Linux based systems). It is also very easy to determine which application had focus at the time of the event (e.g. this key went to the browser). But it is very hard to determine what the application did with those events.
Between successive keys of the password we will enter random keys. In the spirit of chaffing and winnowing, the string that the keylogger receives will contain the password, but embedded in so much random junk that discovering it is infeasible. (Now how’s that! ;))
Observe that we are not exploiting a particular feature of any particular browser. This trick works with all versions of Internet Explorer, Netscape Navigator and Mozilla Firefox. We are exploiting the difficulty, from the OS layer, of determining how the GUI of an application handles events.
THE METHOD
1. Navigate to the desired login page;
2. Type in the user id;
3. For each password (pwd) character:
   Give focus to anywhere but the pwd field;
   Type some random characters;
   Give focus to the pwd field;
   Type the next character of the pwd;
4. Submit.
The method involves typing random characters between successive characters of the password, and changing focus to and from the password field using the mouse. Instead of the password "pingpong", the keylogger now gets:
hotmail.comppqmlaoisdgsnsdgfsgdgfppuouuynhy2g
wherein lies your password, undetected (password characters shown in uppercase here):
hotmail.comPpqmlaoIsdgsNsdGfsgdgfPpuOuuyNhy2G
Here a total of 26 random characters have been inserted among the 7 characters of the actual password. In general, a total of n extra characters in a length-k password will yield so many possible passwords that an attack is infeasible (recall that a candidate password can only be tested by attempting a login). There are various attacks on this method too; however, most keyloggers appear to have no functionality to defeat this simple trick.
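To make THE METHOD concrete, here is an added Python simulation (not code from the original post): a toy browser page with a password field, plus a key hook that logs every keystroke sent to the window. It walks step 3 of the method for the post's example password and then counts, as the paragraph above argues, how many ways the k password positions can sit among the n+k logged keys.

```python
import math
import random
import string

PASSWORD = "pingpong"      # the password from the post's example
CHAFF_PER_CHAR = 3         # random keys typed before each password character


def is_subsequence(needle, haystack):
    """True if needle's characters occur in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(ch in it for ch in needle)


class Session:
    """Toy model: a browser page with a password field, plus a hooked keylogger.

    The logger records every key sent to the browser window. The password field
    keeps only keys typed while it has focus; keys typed anywhere else on the
    page are dropped ("fall on the floor"). Focus changes are mouse clicks.
    """

    def __init__(self):
        self.logged = []        # what the keylogger sees
        self.pwd_field = []     # what the browser will submit
        self.pwd_focused = False

    def focus(self, on_pwd_field):
        self.pwd_focused = on_pwd_field

    def key(self, ch):
        self.logged.append(ch)
        if self.pwd_focused:
            self.pwd_field.append(ch)


def enter_password(password=PASSWORD, chaff_per_char=CHAFF_PER_CHAR, rng=random):
    """Step 3 of the post's method; returns (string the logger saw, string submitted)."""
    s = Session()
    for ch in password:
        s.focus(False)                              # click anywhere but the pwd field
        for _ in range(chaff_per_char):             # type some random characters
            s.key(rng.choice(string.ascii_lowercase + string.digits))
        s.focus(True)                               # click back into the pwd field
        s.key(ch)                                   # type the next password character
    return "".join(s.logged), "".join(s.pwd_field)


def candidate_count(logged_len, pwd_len):
    """Ways to pick the k password positions out of the n+k logged keys (an upper bound)."""
    return math.comb(logged_len, pwd_len)
```

For the post's 34-character example string after "hotmail.com", candidate_count(34, 8) gives 18,156,204 position choices, each of which an attacker could only check by attempting a login.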
Hope it was a useful one...
Your comments are welcome :)