Escolar Documentos
Profissional Documentos
Cultura Documentos
Table of Contents
Introduction ....................................................................................................3
1. Virtual Keyboard/keypad/PIN-pad ...........................................................3
2. Graphical Passwords ...............................................................................4
3. Password Managers.................................................................................5
4. Keystroke Dynamics ................................................................................6
5. One Time Passwords ...............................................................................7
6. Keystroke Encryption ..............................................................................8
Summary ........................................................................................................8
2
Anti-keylogger myths
Introduction
The Anti Phishing Working Group, a global pan-industrial and law enforcement
association, defines keyloggers as “crimeware code which is designed with the
intent of collecting information on the end-user in order to steal those users'
credentials.” According to the Anti Phishing Working Group there are between 200
and 300 new unique variants of keyloggers each month. The SANS Institute, a
group that trains and certifies computer security professionals, estimated that at
a single moment last year, as many as 9.9 million machines in the United States
were infected with keyloggers of one kind or another, putting as much as $24
billion in bank account assets — and probably much more — literally at the
fingertips of fraudsters. According to the Anti Phishing Working Group, there were
3,353 unique websites hosting keyloggers in May 2007.
It is of no wonder then that many technologies were suggested as an effort to
overcome keyloggers. Most of them involve changing the way consumers sign
into web applications and usually avoiding keystrokes altogether. However, the
technology used by keyloggers is not limited to tapping the keyboard and can be
easily adapted to evade various anti-keylogger techniques. Thus, most anti-
keylogger technologies can be easily defeated using slightly more advanced
keyloggers. This paper reviews the common anti-keylogger technologies and
determines whether their claims are myth or reality; Or in other words, how easy
it is for fraudsters to bypass each technology.
1
Screenshot of the Microsoft Windows On-Screen Keyboard
3
Anti-keylogger myths
Virtual keyboards are very easily bypassed using screen capturing. Instead of
capturing keystrokes, the attacker captures the vicinity of the mouse pointer,
each time the mouse is clicked. This provides the attacker with the image of the
key the user clicked. If the designation method is hovering (for few seconds), the
malware can detect lack of mouse motion, and record the mouse pointer’s
surrounding. This counter attack against virtual keypads is in fact already found
in the wild:
• http://www.hispasec.com/laboratorio/cajamurcia_en.swf (video
demonstrating a trojan attack against Caja Murica bank of Spain)
• http://www.tracingbug.com/index.php/articles/view/23.html (demo of an
attack against Citi Bank India)
2
From “Picture Password: A Visual Login Technique for Mobile Devices” (NIST
publication NISTIR 7030) by Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick
Ayers and Ryan Swanstrom, July 2003
http://csrc.nist.gov/publications/nistir/nistir-7030.pdf
4
Anti-keylogger myths
5
Anti-keylogger myths
<script>
var t_start=(new Date()).getTime()/1000;
function record(code,type)
{
document.getElementById("foo").innerHTML=
document.getElementById("foo").innerHTML+
"t="+((new Date()).getTime()/1000-
t_start).toFixed(3)+
" : "+
"ASCII code 0x"+code.toString(16)+
" "+
(char '"+String.fromCharCode(code)+"')"+
" "+
"("+type+")"+
"<br>";
return true;
}
</script>
Type some text in the following box:<br>
<textarea
onkeydown="return record(event.keyCode,'KEY-DOWN')"
6
Anti-keylogger myths
7
Anti-keylogger myths
again using a new OTP and succeeds. This attack can be executed each time the
user tries to sign into the website. Thus the attacker gains constant, long-time
access to the victim’s account, only without being able to control access times.
Summary
Keyloggers are a serious threat which requires a tough solution. Many anti-
keylogger technologies can be easily defeated by slightly more advanced
keyloggers that are already in the wild. Virtual keyboards and graphical
passwords can be easily bypassed using screen capturing. Password managers
and semi-encryption technologies can be bypassed using keyloggers that sit
inside the browser. Keystroke dynamics can be bypassed by keyloggers that log
typing patterns. The only real solutions against keylogging are One Time
Passwords (OTP) and end-to-end keystroke encryption. OTP allows the attacker
to grab one-time-passwords and enter the account occasionally while end-to-end
encryption provides a robust solution that genuinely protects passwords from
stealth.
8
Anti-keylogger myths
www.trusteer.com
sales@trusteer.com
+1(646)247-5669