A Software Keylogger Attack By Daniel Shapiro. Social Engineering Users follow “spoofed” emails...

Post on 15-Dec-2015


A Software Keylogger Attack

By Daniel Shapiro

Social Engineering

Users follow “spoofed” emails to counterfeit sites

Users “give up” personal financial information

Technical Subterfuge

Software is planted on your system

Used to steal information directly from the computer

Pharming

Software that misdirects users to fraudulent sites

RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)

“Next Generation” Keyloggers

Today’s keyloggers incorporate “stealth” operations

Capture more than keystrokes

Screen shots

Recording of Web addresses

Free Examples: BFK, pykeylogger

RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)

Phishing Using Keyloggers [2]

• Definition: “A keylogger is something that records keystrokes made on a computer. It captures every key pressed on the keyboard and stores it down in a file or memory bank that can be viewed by the person performing the monitoring in real-time, or at a later date.” [1]

• There are two types of keylogger: hardware keylogger and software keylogger

[1] http://www.keyghost.com/keylogger/

[2] Dat Tien Nguyen and Xin Xiao

Hardware Keylogger [2]

Three types [1]:

• Inline devices that are attached to the keyboard cable

• Devices which can be installed inside standard keyboards

• Actual replacement keyboards that contain the key logger already built-in

It can only be discovered by people and removed physically

[1] www.wikipedia.org

[2] Dat Tien Nguyen and Xin Xiao

Software Keylogger [1]

[1] Dat Tien Nguyen and Xin Xiao

Software Keylogger [2]

* Can capture both keys pressed and screen

* 2 sub-categories [1]:

– Visible in the task manager

– Invisible and stealth keyloggers

* It is true that secure I/O programs can completely protect your computer from software keyloggers

[1] www.keygosh.com

[2] Dat Tien Nguyen and Xin Xiao

Protecting yourself from Keyloggers

• First and foremost: The best security and related policy is always built on layers. The best way to protect a system and network from these intrusions always starts with the same methods one would use to prevent the spread of a virus, but additional measures must be taken for these new risks BEYOND those measures.

• Keyloggers and Trojans often aren’t detected by Antivirus systems, so make sure you have a good spyware detection and removal tool OR verify your Antivirus program handles these spyware threats as well. Make sure this software is updated and run regularly as new threats can burrow in at any time.

Dynamic Net, Inc.

Protecting yourself from Keyloggers

• Consider installing a personal firewall on each computer or at least enabling a firewall built into the operating system of the computer. Firewalls can’t save the world by themselves, but a good personal firewall monitoring incoming AND outgoing traffic from an individual computer will be a good way to find out if anyone is attempting to break in. It will also give you an idea as to whether or not anyone or thing is attempting to have your computer send data out.

Dynamic Net, Inc.

Logoff with running keylogger

KEYLOGGER

My Ideas

1. Run keylogger

2. Log off of shared computer

3. The actions of the next user to log on are compromised

OR

4. Run keylogger on kiosk

5. Sit back and collect infoweb accounts

6. Begin spamming activities with harvested accounts
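A defender-side check for the shared-computer scenario above, added here as an example and not part of the original slides: it lists processes still running for accounts that no longer have a login session. It assumes a Linux host, the output formats of `ps -eo pid,uid,user,comm` and `who`, and a 1000 to 59999 UID range for interactive accounts; both text samples are constructed.

```python
"""Flag processes left running by accounts that are no longer logged in."""

# Constructed sample of `ps -eo pid,uid,user,comm` from a shared Linux host.
SAMPLE_PS = """\
  PID   UID USER     COMMAND
    1     0 root     systemd
  812     0 root     sshd
  990 65534 nobody   dnsmasq
 2291  1001 alice    bash
 2304  1001 alice    firefox
 1977  1002 bob      python3
 1980  1002 bob      sleep
"""

# Constructed sample of `who`: only alice holds a session right now.
SAMPLE_WHO = """\
alice    tty7         2015-12-15 09:02 (:0)
"""

# Assumption: interactive accounts use UIDs 1000-59999 (a common Linux default).
MIN_HUMAN_UID, MAX_HUMAN_UID = 1000, 59999


def logged_in_users(who_text):
    """Return the set of account names that currently hold a login session."""
    return {line.split()[0] for line in who_text.splitlines() if line.strip()}


def parse_ps(ps_text):
    """Yield (pid, uid, user, command) from `ps -eo pid,uid,user,comm` output."""
    for line in ps_text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[0].isdigit() and fields[1].isdigit():
            yield int(fields[0]), int(fields[1]), fields[2], fields[3].strip()


def lingering_processes(ps_text, who_text):
    """List processes owned by human accounts that have no active session."""
    active = logged_in_users(who_text)
    return [
        (pid, user, cmd)
        for pid, uid, user, cmd in parse_ps(ps_text)
        if MIN_HUMAN_UID <= uid <= MAX_HUMAN_UID and user not in active
    ]


if __name__ == "__main__":
    for pid, user, cmd in lingering_processes(SAMPLE_PS, SAMPLE_WHO):
        print(f"pid {pid} ({cmd}) still running for logged-off user {user}")
```

A hit is only a lead: legitimate background jobs also outlive a session, so each flagged process still has to be identified before it is killed.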

Other new attacks

1. Open a portal online

2. Harvest user passwords (e.g. Password = XXX)

3. Inject Trojan+keylogger into website content/service (e.g. streaming video plugin .exe)

4. Email user saying “I know your password! Your password is XXX! Change your passwords!”

5. User logs into banking website and gives away password to keylogger

6. Empty the bank account and/or sell credit card number

Other new attacks

• A low-tech approach to phishing has caught a NSW-based organisation after its employees were mailed CD-ROMs containing hidden keylogging software. [1]

• More than 40,000 Web sites have been hit by a mass-compromise attack dubbed Nine Ball that injects malware into pages and redirects victims to a site that will then try to download Trojans and keylogger code... [2]

[1] http://www.zdnet.com.au/news/security/soa/Phishing-attack-Your-keyloggers-are-in-the-mail/0,130061744,339274590,00.htm

[2] http://news.idg.no/cw/art.cfm?id=EDAD4BEC-1A64-6A71-CE6961E072D06093