• Keylogger

    #421988

    The July 18 ABC newscast had a feature on keyloggers, a clear threat to computer security: “At least a third of online crimes can now be traced to keylogging.” What’s particularly frightening is the availability of such “stealth” programs, as illustrated in a Google search. Common sense suggestions are given at the end of the article. Nevertheless, something else to be concerned about.

    • #960795

      (Edited by jscher2000 on 19-Jul-05 13:17. )

      In addition to the suggestions in the article (referenced in post 500,749), you can foil many simple keyloggers by inserting non-keyboard navigation into your key stream. Example:

      If your password were DesperateHousehusband you might type and mouse as follows:
       
          House {appears as *****}
          click at the beginning of *****
          Desperate
          click at the very end (might need to select across with
            the mouse, but don't press End)
          husband
      

      I do this when using public computers to access secure sites.

      Notes: Follow-on posts and General Paranoia inspire the following additional comments

      • #960806

        That is so simple – it’s brilliant!

      • #960852

        Very cunning.
        I don’t follow the “might need to select across with the mouse” part though.

        Alan

        • #960857

          To take Jefferson’s example: you start by typing House.
          Click at the beginning, then type Desperate.
          If the password box is narrow, this may have pushed the end of the word House beyond the right edge of the box, so you cannot click after House at this moment.
          You should NOT press End to get to the end since this would be detected by the Key Logger.
          Instead, drag the mouse across the password to the right until the word House scrolls into view, then click after the word.

      • #960897

        Wow. That’s quite ingenious. I think I’ll just never use a public computer hmmn

        • #960938

          > I think I’ll just never use a public computer.

          That is safer, but it can limit one’s access to email. laugh

          • #961096

            I don’t tend to use public computers. On my PC I have the references and passwords I need in an encrypted Word document, compiled while offline. Then, if I want to enter a secure site, I open the encrypted document and cut-and-paste the User ID and password. This also encourages me to choose passwords I may not readily remember (i.e. random combinations of letters, numbers and, if the site allows them, punctuation characters), thus making the thing harder to crack.

            Am I fooling myself that this is in any way more secure than filling in the fields in the normal way? The name “keylogger” suggests that, in my circumstance, the only key sequence they’ll capture is “Ctrl-V”.

            • #961107

              Slightly off the track here, but I have read some concerns relating to password managers being used in conjunction with clipboard extenders; namely the indefinite retention of the password “somewhere” on the system. Some such managers do things like clearing the clipboard X seconds after the password is copied, but I don’t think there’s any way for them to override a running clipboard extender.

              Alan

            • #961128

              Do not save passwords for sites that matter, e.g. financial sites such as banks and mutual funds.

            • #961134

              I certainly wouldn’t let Windows “remember” them for future use, but I’m quite confident storing them in a password database like Oubliette that uses strong encryption.

              Alan

            • #961135

              ‘Indefinite’ for the clipboard being until the system is re-booted. There may still be some track in pagefile.sys which would be considered indefinite until overwritten.

              Joe

              --Joe

            • #961140

              But for a clipboard extender utility (like Yankee Clipper), clips are stored between reboots too.

              Alan

            • #961203

              If the keylogger simply records the keyboard buffer, Ctrl+V would not give anything away. A crafty spy would have other techniques, but this thread really focuses on keyloggers.

            • #965767

              Just out of curiosity, if the keylogger had access to the machine (which obviously he does, since he’s recording the keystrokes performed on it) would the log not record the opening of the document, selecting, and copying as well as the pasting of the password?

              Okay as long as you do it using the mouse, presumably, but not if you use keypresses to get to it …?

            • #965771

              Even if you used the keyboard to copy and paste a password from a document into a password box in the browser, the keylogger would only record that some text was copied and pasted, not the actual text itself.

            • #965803

              Yes, but my point was that if the keyboard was used to open the document (to which the keylogger has access) the keypresses used to open it would be recorded and the logger would then be able to repeat the process – opening the correct document and highlighting the word which is the password?

            • #965804

              A keylogging app could be installed behind the user’s back, but that does not mean that the “spy” can play back the keystrokes on the user’s PC – I hope…

            • #965835

              I guess it depends on whether we’re still talking basic key loggers, or have drifted across to more sophisticated backdoors/trojans, like Sub Seven. This Trojan Horse Demo page shows quite a frightening inventory of the capabilities of such malware.

              Alan

            • #966305

              A keylogger doesn’t even have to be an “app”; there are very simple hardware devices which can be connected between your keyboard and the back of your PC for a few days, and then taken away again and browsed at the hacker’s leisure.

              StuartR

      • #967322

        I find this interesting, but I am not sure why it works. If you type in House the key logger picks up the keys. When you click in front of the word and then type Desperate, the key logger picks this up. What exactly would be recorded on the key logger? Doesn’t it have House and Desperate or even DesperateHouse, or does the non-keyboard movement of the cursor ‘confuse’ the logger in some way?

        • #967330

          Jefferson’s (hypothetical) password is DesperateHouseHusband. The keylogger records only keystrokes, not mouse clicks, so it registers Jefferson typing HouseDesperateHusband, which is *not* the correct password.

        • #967340

          The best choice would be to type what appears to be a correct phrase but which you typed out of order. If the example had been HouseDesperateHusband, typing Desperate first, then House, then Husband, it would have made more sense and the spy probably would not pick up the deception.

          I should add: after using a lot of public computers, it is a good idea to change your password!
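An added illustration, not part of any post in this thread: a toy model of a password field showing what a keystroke-only logger would hold for the sequence described above, and why pressing Home or End instead of clicking gives the order away. The class, function and event names are hypothetical, and the event lists are constructed from the thread's example password.

```python
from dataclasses import dataclass, field

NAV_KEYS = ("Home", "End")

@dataclass
class PasswordField:
    """Toy model of a text box; key_log holds only what arrives as key events."""
    text: str = ""
    caret: int = 0
    key_log: list = field(default_factory=list)

    def type_text(self, s):
        for ch in s:
            self.text = self.text[:self.caret] + ch + self.text[self.caret:]
            self.caret += 1
            self.key_log.append(ch)

    def click(self, pos):
        # Mouse caret placement changes the field but is not a key event.
        self.caret = max(0, min(pos, len(self.text)))

    def press(self, key):
        # Navigation keys are keystrokes, so they land in the log.
        self.key_log.append(key)
        self.caret = len(self.text) if key == "End" else 0

def replay(events):
    """Apply (method, argument) events; return (field contents, key log)."""
    f = PasswordField()
    for method, arg in events:
        getattr(f, method)(arg)
    return f.text, f.key_log

def field_from_key_log(log):
    """What the field would hold if the key log were the whole story."""
    return replay([("press" if k in NAV_KEYS else "type_text", k) for k in log])[0]

# Constructed event sequences for the thread's example password.
MOUSE = [("type_text", "House"), ("click", 0), ("type_text", "Desperate"),
         ("click", 10**6), ("type_text", "husband")]
KEYS = [("type_text", "House"), ("press", "Home"), ("type_text", "Desperate"),
        ("press", "End"), ("type_text", "husband")]

if __name__ == "__main__":
    for name, events in (("mouse", MOUSE), ("keyboard", KEYS)):
        text, log = replay(events)
        print(name, "| field:", text, "| log replays to:", field_from_key_log(log))
```

The model covers keystroke-only logging; anything that also records mouse position, the clipboard or the submitted form is outside it.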

    • #966395

      (Edited by charlotte on 14-Aug-05 21:24. to activate link)

      This is from the Trojan Horse Demo by Hacker Eliminator, at:

      http://tinyurl.com/8yl5f

      “In testing we have tried several other firewall programs and ran the SubSeven server without raising any alarm whatsoever. The reason is that SubSeven will open a port on the computer as soon as it starts up ready and listening for the hacker to connect. As the port is already open when the standard firewall opens, it simply trusts it and ignores the Trojan.”

      Sooo, does this mean that my firewall (ZA) is NOT protecting me from outbound requests?

      • #966399

        I’m presuming your post was intended as a reply to me, not DenGar.

        It may very well be possible that ZA could be “tricked” into thinking that SubSeven is just running a “business as usual” port communication. The moral here being not to put your trust in a single (type of) anti-malware program. Most AV programs will detect and remove this malware – see here for example.

        Alan

        • #966403

          Edited by HansV to correct URL (it contained http: twice)

          Thanks Alan, yes I was trying to reply to your message (as I am to this last one, but I can’t see anywhere how to quote??).

          That’s a nice article from McAfee, thanks, but of course with all that technical talk I’m not sure I’m not more confused.

          For instance in the Method of Infection section, I have a bunch of security software installed (see my post at Wilder’s with all the various programs I’m running http://www.wilderssecurity.com/showthread/?t=93257 ) and some of these methods seem to be ones I’m protected against by them. I’m hoping I have layers of protection.

          The more you know the more you know you don’t know.

          Callie

          • #966407

            Callie,

            Although I’m no expert in the area, it sounds like you’re doing pretty much everything “right”, as also indicated in the replies you had at Wilders. As somebody there also noted, there’s no specific “right” way to go; the general idea being to cover all the bases you can, with trusted and up-to-date software. More important than anything else (IMO) is to be consciously aware of what nasties are out there and how they might get onto your system in the first place… and “compute” accordingly. Also, if they do manage to penetrate your software defences and your safe surfing, what’s available to detect their presence (either as active processes or dormant files) and clean them out.

            Sounds like you’re on the right track with all of these aspects. You’ll find lots of posts in this forum, recommending various “suites” of defences, similar to what you already use. All I can add is, like the cops say, be careful out there. smile

            Alan

            • #968219

              Have read this topic with much interest and it brings to mind something I read many years ago. In IE, navigating to Internet Options/Security/Custom Level, and scrolling down is a button marked ‘Allow Paste Operations Via Script’. My understanding of this is that this enables internet sites and applications with internet access to literally grab clipboard contents via a paste script if they desire. I guess I class this as a form of keylogging if ‘Enabled’. Can anyone confirm if this is correct and if it is, may be something to check on one’s machine.

            • #968237

              If I recall correctly, you can set that to “prompt.” Over the course of a few years, the only prompts I received were when I inserted pictures into HTML messages in Outlook. So this seems to be a little used feature that could be disabled without much loss of functionality. As for what malicious uses it might permit, I haven’t read up on it.
