A Software Keylogger Attack
By Daniel Shapiro
Social Engineering
Users follow “spoofed” emails to counterfeit sites
Users “give up” personal financial information
Technical Subterfuge
Software is planted on your system
Used to steal information directly from the computer
Pharming
Software that misdirects users to fraudulent sites
RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)
“Next Generation” Keyloggers
Today’s keyloggers incorporate “stealth” operations
Capture more than keystrokes
Screen shots
Recording of Web addresses
Free Examples: BFK, pykeylogger
RCMP 2005 (http://www.charlottetown.cips.ca/LS2.ppt)
Phishing Using Keyloggers [2]
• Definition: “A keylogger is something that records
keystrokes made on a computer. It captures every
key pressed on the keyboard and stores it down in a
file or memory bank that can be viewed by the
person performing the monitoring in real-time, or at
a later date.” [1]
• There are two types of keylogger: hardware
keylogger and software keylogger
[1] http://www.keyghost.com/keylogger/
[2] Dat Tien Nguyen and Xin Xiao
Hardware Keylogger [2]
Three types [1]:
• Inline devices that are attached to the keyboard cable
• Devices which can be installed inside standard keyboards
• Actual replacement keyboards that contain the key logger already
built-in
It only can be discovered by people and removed physically
[1] www.wikipedia.org
[2] Dat Tien Nguyen and Xin Xiao
Software Keylogger [1]
[1] Dat Tien Nguyen and Xin Xiao
Software Keylogger [2]
* Can capture both keys pressed and screen
* 2 sub-categories [1]:
– Visible in the task manager
– Invisible and stealth keyloggers
* It is true that secure I/O programs can
completely protect your computer from
software keyloggers
[1] www.keygosh.com
[2] Dat Tien Nguyen and Xin Xiao
Protecting yourself from Keyloggers
•
•
First and foremost: The best security and related policy is
always built on layers. The best way to protect a system
and network from these intrusions always starts with the
same methods one would use to prevent the spread of a
virus, but additional measures must be taken for these new
risk BEYOND those measures.
Keyloggers and Trojans often aren’t detected by Antivirus
systems, so make sure you have a good spyware detection
and removal tool OR verify your Antivirus program handles
these spyware threats as well. Make sure this software is
update and run regularly as new threats can burrow in at
any time.
Dynamic Net, Inc.
Protecting yourself from Keyloggers
•
Consider installing a personal firewall on each computer or
at least enabling a firewall built into the operating system of
the computer. Firewalls can’t save the world by themselves,
but a good personal firewall monitoring incoming AND
outgoing traffic from an individual computer will be a good
way to find out if anyone is attempting to break in. It will
also give you an idea as to whether or not anyone or thing is
attempting to have your computer send data out.
Dynamic Net, Inc.
Logoff with running keylogger
KEYLOGGER
My Ideas
1. Run keylogger
2. Log off of shared computer
3. The actions of the next user to log on are
compromised
OR
1. Run keylogger on kiosk
2. Sit back and collect infoweb accounts
3. Begin spamming activities with harvested
accounts
Other new attacks
1. Open a portal online
2. Harvest user passwords (e.g. Password = XXX)
3. Inject Trojan+keylogger into website content/service
(e.g. streaming video plugin .exe)
4. Email user saying “I know your password! Your
password is XXX! Change your passwords!”
5. User logs into banking website and gives away
password to keylogger
6. Empty the bank account and/or sell credit card
number
Other new attacks
• A low-tech approach to phishing has caught a
NSW-based organisation after its employees
were mailed CD-ROMs containing hidden
keylogging software. [1]
• More than 40,000 Web sites have been hit by
a mass-compromise attack dubbed Nine Ball
that injects malware into pages and redirects
victims to a site that will then try to download
Trojans and keylogger code... [2]
[1] http://www.zdnet.com.au/news/security/soa/
Phishing-attack-Your-keyloggers-are-in-the-mail/0,130061744,339274590,00.htm
[2] http://news.idg.no/cw/art.cfm?id=EDAD4BEC-1A64-6A71-CE6961E072D06093