Anti-Keylogger Myths

Over the last few years, several technologies have been

suggested in order to strengthen or replace the
traditional password input field, as a result of its
vulnerability to keyloggers. This whitepaper surveys the
myths of anti-leylogger technologies, and pinpoints
material flaws in each such technology.

2007© All Rights Reserved.

Trusteer makes no representation or warranties, either express or implied by or
with respect to anything in this document, and shall not be liable for any
implied warranties of merchantability or fitness for a particular purpose or for
any indirect special or consequential damages. No part of this publication may
be reproduced, stored in a retrieval system or transmitted, in any form or by
any means, photocopying, recording or otherwise, without prior written consent
of Trusteer. While every precaution has been taken in the preparation of this
publication, Trusteer assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
Anti-keylogger myths

Table of Contents
Introduction ....................................................................................................3
1. Virtual Keyboard/keypad/PIN-pad ...........................................................3
2. Graphical Passwords ...............................................................................4
3. Password Managers.................................................................................5
4. Keystroke Dynamics ................................................................................6
5. One Time Passwords ...............................................................................7
6. Keystroke Encryption ..............................................................................8
Summary ........................................................................................................8

2
Anti-keylogger myths

Introduction
The Anti Phishing Working Group, a global pan-industrial and law enforcement
association, defines keyloggers as “crimeware code which is designed with the
intent of collecting information on the end-user in order to steal those users'
credentials.” According to the Anti Phishing Working Group there are between 200
and 300 new unique variants of keyloggers each month. The SANS Institute, a
group that trains and certifies computer security professionals, estimated that at
a single moment last year, as many as 9.9 million machines in the United States
were infected with keyloggers of one kind or another, putting as much as $24
billion in bank account assets — and probably much more — literally at the
fingertips of fraudsters. According to the Anti Phishing Working Group, there were
3,353 unique websites hosting keyloggers in May 2007.
It is of no wonder then that many technologies were suggested as an effort to
overcome keyloggers. Most of them involve changing the way consumers sign
into web applications and usually avoiding keystrokes altogether. However, the
technology used by keyloggers is not limited to tapping the keyboard and can be
easily adapted to evade various anti-keylogger techniques. Thus, most anti-
keylogger technologies can be easily defeated using slightly more advanced
keyloggers. This paper reviews the common anti-keylogger technologies and
determines whether their claims are myth or reality; Or in other words, how easy
it is for fraudsters to bypass each technology.

1. Virtual Keyboard/keypad/PIN-pad Stop Keyloggers

Myth or Reality: Myth

The most wide-spread measure against keyloggers is replacing the physical
keyboard with a virtual keyboard (a.k.a. keypad or pinpad). The virtual keyboard
is drawn on the screen and instead of keystrokes, the user points at the visual
key with the mouse and clicks the mouse. There are several variations to this
scheme, including replacing the mouse-click with “hovering” (meaning, the user
is supposed to leave the cursor over the key for several seconds instead of
clicking the mouse), randomly changing the key positions and keyboard layout,
etc.

Virtual Keyboard Example1

1
Screenshot of the Microsoft Windows On-Screen Keyboard

3
Anti-keylogger myths

Virtual keyboards are very easily bypassed using screen capturing. Instead of
capturing keystrokes, the attacker captures the vicinity of the mouse pointer,
each time the mouse is clicked. This provides the attacker with the image of the
key the user clicked. If the designation method is hovering (for few seconds), the
malware can detect lack of mouse motion, and record the mouse pointer’s
surrounding. This counter attack against virtual keypads is in fact already found
in the wild:
• http://www.hispasec.com/laboratorio/cajamurcia_en.swf (video
demonstrating a trojan attack against Caja Murica bank of Spain)
• http://www.tracingbug.com/index.php/articles/view/23.html (demo of an
attack against Citi Bank India)

2. Graphical Passwords Stop Keyloggers

Myth or Reality: Myth

Another method that obviates password typing is “graphical passwords” (or
Graphical User Authentication – GUA). This is a name for a family of solutions,
whose common theme is a password whose representation is graphical. The user
is then required to identify the password (or parts thereof) in graphics provided
by the server as a “challenge”. This challenge changes with each login attempt. In
most practical solutions the user is required to identify a part of the password (an
object) inside a set of graphical objects (one correct and many decoys). Choosing
the correct object is typically done by clicking over it with the mouse.

Example screenshot2 requiring the user to choose the password picture

2
From “Picture Password: A Visual Login Technique for Mobile Devices” (NIST
publication NISTIR 7030) by Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick
Ayers and Ryan Swanstrom, July 2003
http://csrc.nist.gov/publications/nistir/nistir-7030.pdf

4
Anti-keylogger myths

Security-wise, this is conceptually identical to the virtual keyboard. Here too, a

combination of mouse-click detection with mouse pointer proximity screen
recorder can easily uncover the graphical password.

3. Password Managers Stop Keyloggers

Myth or Reality: Myth

Another way to avoid actual password typing is the use of a “password manager”
or “password vault” software. Instead of typing the password into a form, the
password manager automatically fills in the form with the correct password. The
password manager stores the user’s password in a vault to keep fraudsters from
accessing stored passwords.
Password managers can be easily bypassed using keyloggers that reside inside
the browser. While inside the browser the keylogger can see the password
immediately after the password manager enters it into the login form. Keyloggers
that reside inside the browser are also known as man-in-the-browser malware or
malicious browser plug-ins. Browser plug-ins are very popular, both for legitimate
uses (e.g. Google’s toolbar) and consequently, for non-legitimate uses (spyware
and malware), piggybacking on the extensibility of the browser and the popularity
of plug-ins.
The browser plug-in technology grants the plug-in a lot of privileges, such as full
access to the DOM (which is the internal representation of the page currently
displayed), and subscription to browser events (such as “navigation”, “page load”
and “form submission”). This makes it very easy for a malicious plug-in to get
hold of the credentials. A malicious plug-in can access the credentials in the DOM,
where they are injected by the password manager. Or, a malicious plug-in can
wait for the submit event and capture the credentials during submission.
Examples:
• “Spy-Agent.ba” (McAfee malware description page)
http://vil.nai.com/vil/content/v_139621.htm
• (unnamed document) by Tom Liston, see bottom of page 4 to top of page
6. http://isc.sans.org/presentations/banking_malware.pdf
Additionally, unless implemented very carefully and with security as its #1 goal, a
password manager can turn out to be a security vulnerability in itself. This is due
to the complexity of correctly identifying which form qualifies to be automatically
populated. A phisher can exploit a flaw in the decision algorithm and present a
form that will be automatically populated. The phisher can also include a
Javascript code in that page that, once the form is (automatically) populated,
reads the credentials and sends them to the phisher. The user in such case is
kept out of the loop and the attack occurs automatically. Another concern with
password vaults is the vault’s strength. If it can be easily broken, attackers would
gain immediate access to all the passwords inside the vault.
Examples for such flaws:
• “Firefox vulnerable to Password Manager flaw”, Tom Espiner (ZDNet UK),
November 22nd, 2006
http://news.zdnet.co.uk/security/0,1000000189,39284818,00.htm

5
Anti-keylogger myths

• A two part article titled “Password Management Concerns with IE and

Firefox” in SecurityFocus (by Mikhael Felker, December 11th, 2006)
discusses several classes of flaws in password managers:
http://www.securityfocus.com/infocus/1882
http://www.securityfocus.com/infocus/1883

4. Keystroke Dynamics Stop Keyloggers

Myth or Reality: Myth

Keystroke dynamics looks at the way a person types on a keyboard. Specifically,
keyboard dynamics measures two distinct variables: "dwell time" which is the
amount of time you hold down a particular key and "flight time" which is the
amount of time it takes a person to move between keys. Research
(http://avirubin.com/fgcs.pdf) shows that each individual has a keystroke pattern
that can be used to differentiate between the users. Keystroke dynamics
authentication checks the user’s keystroke pattern, in addition to the password. If
the pattern matches, access is granted.
From security stand-point, keystroke dynamics is inherently flawed since it relies
on a user property which can be measured and mimicked by attackers. An
attacker can study the user’s keystroke dynamics and then replay or imitate
them. Two ways of executing such an imitation include the following methods: a
keylogger that sits on the user’s machine can record keystrokes, dwell time and
flight time and then transfer this information to the attacker. Once the attacker
signs into the website on behalf of the victim, the same keystroke dynamic is
used. The second method involves a phishing website. The attacker can set up a
phishing website that not only grabs the user’s username and password but also
records the user’s keystroke dynamics using a very simple JavaScript code. The
attacker can then use this information to sign into the real website using the
correct password and the correct keystroke dynamics.
Here is an example of how keystroke dynamics can be recorded via a simple web
page (standard HTML+Javascript, tested with Microsoft Internet Explorer 6 and
Mozilla FireFox 2.0):

<script>
var t_start=(new Date()).getTime()/1000;
function record(code,type)
{
document.getElementById("foo").innerHTML=
document.getElementById("foo").innerHTML+
"t="+((new Date()).getTime()/1000-
t_start).toFixed(3)+
" : "+
"ASCII code 0x"+code.toString(16)+
" "+
(char '"+String.fromCharCode(code)+"')"+
" "+
"("+type+")"+
"<br>";
return true;
}
</script>
Type some text in the following box:<br>
<textarea
onkeydown="return record(event.keyCode,'KEY-DOWN')"

6
Anti-keylogger myths

onkeyup ="return record(event.keyCode,'KEY-UP')">

</textarea>
<br>
<br>
Your keystroke dynamics:<br>
<div id=foo></div>

Moreover, there are several usability drawbacks to keystroke dynamics:

• Keystroke dynamics require a learning period, in which the individual
signature needs to be recognized by the algorithm. This usually requires
numerous keystrokes. If only the password “signature” is needed, then
about a dozen repetitions of password typing may suffice. This means that
the user will either be required to type the password a dozen times during
a dedicated learning session (which is intrusive and annoying), or the
learning will occur during normal logins, i.e. be spread over several
months (maybe even a year), during which time the user is still exposed
to attacks (since the signature is not yet extracted).
• The user’s keystroke dynamics may change in time (aging), or due to
sickness (tremor), weakness, slowness (fatigue), and so forth.
• The user’s keystroke dynamics may change due to a different input device
(different keyboard). For example, using a different computer (cyber-
café), or different keyboard layout (US vs. some European countries),
using the user’s laptop vs. his/her desktop.
• Keystroke dynamics, and biometrics at large, have a fundamental problem
of revocation. That is, once the user’s biometrics are compromised
somehow (maybe at the user’s side, maybe at the server’s side), it’s
impossible to revoke the current user’s biometric signature, and assign the
user a new signature.

5. One Time Passwords Stop Keyloggers

Myth or Reality: Reality (almost)

One Time Passwords (OTP) replace the traditional static password. Websites that
use OTP require that users enter a different password on each login. The user can
get the password from a software installed on the computer (a.k.a. soft tokens),
which is a hardware device that generates a new password upon request or on
each time interval. Such new password is sent via SMS or email each time the
user tries to sign into the website, or is provided as a scratch card to the user by
the website.
Theoretically OTP do block keyloggers. If a keylogger tries to log the user’s
password, it would log the OTP which is useless on the next login. The attacker
cannot use this information to gain constant access to the user’s account. The
attacker can attempt to break the OTP algorithm and anticipate new passwords
however most OTP algorithms are very forceful and cannot be easily broken.
However, the attacker can use a very simple attack against OTP systems that do
provide access to the victim’s account. This attack works as follows: when the
user tries to sign into the website the keylogger logs the OTP and immediately
sends it to the attacker. The keylogger also prevents the user from logging in
either by stalling the connection or reporting an error and asking the user to
retry. In the same time, the attack uses the OTP it received from the keylogger to
sign in on behalf of the victim and perform fraud. The victim then tries to sign in

7
Anti-keylogger myths

again using a new OTP and succeeds. This attack can be executed each time the
user tries to sign into the website. Thus the attacker gains constant, long-time
access to the victim’s account, only without being able to control access times.

6. Keystroke Encryption Stops Keyloggers

Myth or Reality: Reality

A totally different kind of solution against keyloggers consists of preventing
keyloggers from capturing keystrokes (or at least, the “correct” keystrokes) by
encrypting the keystrokes while they travel from the keyboard.
Theoretically this is the strongest solution available against keyloggers. The
keylogger is unable to read the correct password. The encrypted password is
useless and cannot be used by the attacker to access the website.
However, keystroke encryption solutions differ from one to another. Most
solutions only encrypt traffic from the keyboard driver to the browser. When the
traffic enters the browser it is decrypted and stays in the clear from this moment
on. Thus an attacker can place a keylogger inside the browser (a.k.a. man-in-the-
browser or malicious plug-in) and read the password after it has been decrypted.
Rapport from Trusteer implements a more vigorous keystroke encryption using its
patent pending technology. It encrypts the password at the keyboard driver level
but decrypts the password outside the browser, at the network level, at the same
place where the traffic is being SSL encrypted and submitted to the website. This
generates an end-to-end encryption, from the keyboard and all the way to the
website. A keylogger cannot read the password even if it resides inside the
browser as the password is kept encrypted the entire time.

Summary
Keyloggers are a serious threat which requires a tough solution. Many anti-
keylogger technologies can be easily defeated by slightly more advanced
keyloggers that are already in the wild. Virtual keyboards and graphical
passwords can be easily bypassed using screen capturing. Password managers
and semi-encryption technologies can be bypassed using keyloggers that sit
inside the browser. Keystroke dynamics can be bypassed by keyloggers that log
typing patterns. The only real solutions against keylogging are One Time
Passwords (OTP) and end-to-end keystroke encryption. OTP allows the attacker
to grab one-time-passwords and enter the account occasionally while end-to-end
encryption provides a robust solution that genuinely protects passwords from
stealth.

8
Anti-keylogger myths

About Trusteer Rapport

The Rapport Protection Layer from Trusteer takes a revolutionary new approach
to consumer security by eliminating the root cause for all client-side attacks. The
Rapport Protection Layer is a very "lightweight", small "footprint" application
(330k) which requires no user interaction. Once downloaded, Rapport runs
completely in the background, and effectively disables the "last mile" attacks
which cannot be directly controlled by existing conventional applications on the
desktop or by remote fraud-detection and authentication systems. Rapport
protects against: phishing, pharming, keyloggers, man-in-the-middle, man-in-
the-browser, and session hijacking attacks.

www.trusteer.com
sales@trusteer.com
+1(646)247-5669