Keystroke Logging Increases
JamesAlfaro writes "Hackers are likely to release more than 6000 keylogging programs this year--up 65 percent from the number in 2004--according to Reston, Virginia, security vendor iDefense." From the article: "Each variant could lead to anything from a few to several thousand infections, Ken Dunham, senior engineer at iDefense, said. Keylogger software typically tracks keystrokes on infected computers and is used to try to steal sensitive information such as user names and credit card data. The biggest problem with keyloggers, which silently relay data to attackers, is that they often go undetected, easily slipping past firewalls and antivirus software, iDefense, a division of VeriSign, said."
Bundled with spyware? (Score:5, Interesting)
For the moment it's fairly easy to find out when a machine has spyware. What would scare me is when a decent programmer starts to write such programs so that they are completely stealthy and don't bring the machine to a grinding halt. After all, basically all spyware seems to be badly written and performance is not an issue at all. A decent programmer, using all his skills, could write a stealth spyware/keylogger that doesn't bog down the computer and goes undetected for a very long time. It shouldn't do popups, but just log the keys... A small background process could do this, store locally, and detect when a big download is started to camouflage its own traffic to the server by sending it while the big file gets downloaded. The day that happens, we'll all be screwed.
Re:Bundled with spyware? (Score:3, Insightful)
Re:Bundled with spyware? (Score:5, Insightful)
And what makes you think it's not already happened? Maybe you're just not aware of it now.
The Sony rootkit has been running on thousands of computers for months without anyone noticing it.
Re:Bundled with spyware? (Score:2, Insightful)
Of course there are programs out there doing exactly this - custom made, highly targeted atta
Re:Bundled with spyware? (Score:2)
Since more and more internet connections come over an RJ45 straight from the modem, or a wireless network, could the motherboard not switch into a 'self update' mode when the PC is off, which would connect to an update server (Since it doesn't need to involve the OS), grab the latest definitions, flash the antivirus with the ne
Re:Bundled with spyware? (Score:3, Informative)
Connecting to the internet requires a lot more than an RJ45 connection. I'm not saying it's impossible, since as you say the physical connectivity is there, but all your motherboard (or NIC) knows how to do is send and receive "layer 2" datagrams to and from MAC addresses. All the data abstraction and interpretation that follows is done by software, usually one's operating sys
Re:Bundled with spyware? (Score:2)
As for having a virus re-flash things, just have the virus guard system switch to read-only once the system is powered up normally. If a virus can intercept before IDE boot (Or floppy/CD boot, depending on what's in the machine at the ti
Re:Bundled with spyware? (Score:2)
An alternative would be to boot up a VM first, then have that load your OS kernel. Something like a stripped-down version of VMware, or Xen. The idea being that virus / rootkit detection can go into one VM, and all your day-to-day stuff goes in another session. Then as long as there isn't any way to breach the VM's sandbox the detection code can have its own access to the drives without being influenced by any virus running in your main
Re:Bundled with spyware? (Score:2, Interesting)
That's what I keep saying. Unfortunately, I have people above me who insist on only using Microsoft's Windows Defender (aka antispyware). Poor misinformed souls. They seem to be anti-Firefox too. Must burn their bottoms every time they see me logging a call or ordering a replacement part with good ol' Firefox. :)
Anyway, more on topic, you forgot to also suggest keeping your anti-virus program up-to-date.
Re:Bundled with spyware? (Score:3, Insightful)
If you're only going to use one, the one from MS is not such a bad choice, in my experience - it's really pretty thorough. Of course, when I'm being rewarded with beer for fixing machines from friends and relatives, I never use just one, because there doesn't seem to be one single product that can do it all. YMMV.
Re:Bundled with spyware? (Score:2)
Agreed. I've only met one person who said they had better luck with any of the other spyware killers. Every time I've used it, it's been after someone said "Oh, don't bother checking for spyware. I ran spybot and adware on it, and the machine is clean". Ten minutes later the comments are always "it found HOW MANY?!"
Re:Bundled with spyware? (Score:4, Insightful)
And using Firefox and Thunderbird helps stop popups and some of the more obvious vulnerability routes (like that invention of the devil, ActiveX) but they won't save you if a keylogger does find its way aboard via some other route. Nor will a firewall stop a keylogger from phoning home, since to get around firewalls, they send their data via ordinary email in the background
And imagine a keylogger that uses, say, the Sony rootkit to stealth itself... people who believe themselves safe because they did all the recommended updates and run all the "safe" apps may still encounter something this devious (Sony doubtless isn't alone, they just got caught!) and this easily exploited, that even current protection measures don't yet stop.
** Occurs to me that a good feature for an email client is a "check destination" function where if the recipient wasn't entered by some essentially manual route (address book, hit reply, type into TO field) it stops and asks if you really want to send mail to Unknown Recipient X.
Re:Bundled with spyware? (Score:2)
Re:Bundled with spyware? (Score:2)
Re:Bundled with spyware? (Score:5, Interesting)
Next step was to send the DarkSingh chap an email telling him what a cunt he is
In any case, the method is useful for detecting unknown non-rootkit loggers that don't encrypt their data. Works on all the corporate spyware our company installs to make our PCs behave like 486s.
Re:Bundled with spyware? (Score:5, Insightful)
That'll teach him. Filing an incident report with the authorities to MAYBE get him caught (so he cannot compromise other people's computers) would have had a bit more long term vision.
Re:Bundled with spyware? (Score:3, Interesting)
Real vision would have been to send him what looked like a normal batch of keylogged information, but that was actually a trap.
There are all sorts of options that come to mind:
Re:Bundled with spyware? (Score:2)
You'd still be able to detect it, right?
Re:Bundled with spyware? (Score:2)
So, never fear, using Hotmail (or Yahoo, or mailasia.com or any of the other thousands of free anonymous email services) will allow people to mail keylogger files from infected machines.
Contact the authorities? Sure, as soon as you find
Re:Bundled with spyware? Newbie Question (Score:2)
Linux:
Install Windows.
Because that is the only way 'C: drive' has any meaning.
It's about the exploit (Score:3, Insightful)
Part of the problem with computers getting bogged down and popups coming out the wazoo is that more than one program can (and probably will) slip in through the same IE exploit.
So it doesn't really matter how many uber-l33t pieces of crapware are out there, because there will always be people exploiting
Re:Bundled with spyware? (Score:2)
I am using Mac OS X, is there any danger for me? I mean, I don't have any antispyware tools, and several times I had to use sudo to install some open source software... I am too lazy and incompetent to check the source (or even Makefile) to be sure it is safe. Certain closed source software asked for admin privileges upon installation as well... How can I be sure I am safe from keyloggers? Yes, Mac zealots claim Macs are safe, but it may be false.
Re:Bundled with spyware? (Score:2)
First, make sure that you do your day to day computing on OSX on a standard, non-admin account. That means that if anything wants to install in the system or in the applications folder, you will be asked for a password for an admin. If you KNOW for sure where the software comes from, trust that source and it was YOU that purposefully initiated an install, then giving the password minimizes, but doesn't completely eliminate the chance of getting hit by mal
Re:Bundled with spyware? (Score:2)
Ok, here's an attack: I make a binary which, when run, adds a line into your user's bash (or whatever shell) config file instructing it to run a phoney bash binary. So, every time you bring up a command prompt, the phoney bash runs instead, which is patched to "overlook" file
Re:Bundled with spyware? (Score:2)
I'm gonna... (Score:5, Funny)
Will there be a firefox plugin for one of those babies? Or am I still gonna be missing out on all the fun this year also?
Re:I'm gonna... (Score:3, Insightful)
Phew... (Score:5, Funny)
ßöôÝà!
Re:Phew... (Score:2)
Charmap? (Score:5, Informative)
Re:Charmap? (Score:2)
I was trying too hard to be funny, I know... but I figured I'd toss that out there.
Re:Charmap? (Score:2)
You're +5 funny.
While my quote still matters to the discussion at large, I woulda stuck it somewhere else if I had seen that tidbit of information while googling.
some enterprising mod should give you a +1 informative to go with all those +1 funnies
Re:Copy-Paste (Score:2)
But technically I think it works the same way.
Re:Phew... (Score:2)
Re:Phew... (Score:2)
I am Jack's Beans (Score:5, Funny)
But for $99.95 per system per day you can buy magic beans from iDefense that protect you against them, right?
In other news... (Score:5, Insightful)
Password Security (Score:3, Interesting)
Change your passwords regularly.
If that's too much trouble, rotate easy to remember (yet secure) passwords
While you're at it, change the password on your luggage.
Re:Password Security (Score:2)
"Change your passwords regularly. If that's too much trouble, rotate easy to remember (yet secure) passwords"
Better yet, use Roboform's [roboform.com] random password generator and save your passwords to encrypted key files, and back them up often; then you do not have to remember your passwords ever, just back up your keycards.
Re:Password Security (Score:2)
Exactly. So changing them, and using "good" ones don't mean shit if you're just going to give it away to someone.
People seem to think that this password security crap is something real, but they rarely if ever change the PIN on their bank card, they rarely if ever change the locks on their car and/or house, or the combination on their fireproof safe. It's cool that everybody is so much into their pass
Re:Password Security (Score:2)
Passwords are like toothbrushes:
Don't share
Change yours regularly
Just about everyone can relate to this - and if the sys admin hangs up a sign saying this in her/his office, then people tend to remember this (that is for those unfortunate souls that work somewhere where the boss thinks it is too much of a pain to require people to change their password every 30 to 90 days)
You're
No breach of security yet (Score:2)
Now that the trolls know your
Your karma is going straight to hell
Possible market for a secure e-commerce appliance? (Score:5, Interesting)
I've been considering building some sort of e-commerce appliance for my less technically-inclined family members...essentially a low-end PC that will only boot off a Puppy Linux [goosee.com] CD. All online financial transactions would take place only over this PC. Since the whole OS is on CD, it's fairly immune to the traditional spyware strategies (being Linux helps a bit as well
Re:Possible market for a secure e-commerce applian (Score:5, Insightful)
Re:Possible market for a secure e-commerce applian (Score:2)
Yes, it runs Windows. However, it's a rather obscure variant of Windows, blending WinCE and XP. Hopefully that doesn't mean that it's open on BOTH sides, instead of none.
It's $300 at RadioShack.
Re:Possible market for a secure e-commerce applian (Score:2)
I mean, it seems like a bit of a catch-22 to market an active security solution (ie, think about security before every transaction, instead of a one-time install) to a group who has security problems precisely because they don't want to concern themselves with security 24/7.
How do they know? (Score:3, Funny)
How do they know you say?
By infecting the hackers with keyloggers of course!
That's Open Source for you... (Score:5, Funny)
Fortunately, Microsoft Keylogger 2006 will be included with Vista, and will report all your passwords to Redmond in a convenient and user-friendly way, establishing a de-facto industry standard in modern keylogging solutions.
Re:That's Open Source for you... (Score:3, Funny)
System error 1060 has occurred.
I'm sorry Dave, I'm afraid I can't do that.
C:\Documents and Settings>
That's MS Passport for you... (Score:3, Interesting)
Reading the keys (Score:4, Insightful)
The first line of defense against these things is avoiding the trap of downloading things that may contain them. Same old saw: don't download anything from people you don't know or trust. Don't open suspicious emails. Problem is, no matter how much you say it, the common computer-user doesn't heed the warnings. People are too gullible for their own good and there are so many get-rich-quick, boy-that-sounds-interesting types out there that it's only a matter of time before one of these things spreads
Of course, what the article fails to mention is the corporate use of keyloggers, to see just what you've been saying on Slashdot, or worse, the number of people who install them on purpose [widestep.com] to trap unwary spouses or their mischievous kids.
Ultimately, we should all be installing anti-keylogging software [filehungry.com] right along with our anti-virus. That will work, until the forces of evil come up with the next generation of spyware.
Re:Reading the keys (Score:2)
Well, if Sony did nothing else for the world, they did get the AV companies in an uproar about detecting rootkits, which hadn't previously been in their purview.
Re:Reading the keys (Score:2)
It seems that you should not trust global corporations, such as Sony, any more either. In the end, who can you trust? Your own fart?
Re:Reading the keys (Score:2)
The software you linked appears quite dodgy. The vendor's main site provides no description whatsoever of how it works. There's no FAQ, or support forum. Other than the description that it "doesn't rely on signatures". And "It became possible due to the newly developed solutions and algorithms that allow distinguishing spy program activities from those of any other application installed in the system." That sounds like Snake Oil to me.
If you're going to continue shilling for RaySoft, you should let them kn
The most undetectable keylogger (Score:5, Informative)
http://www.stockmarketgarden.com/ [stockmarketgarden.com]
Re:The most undetectable keylogger (Score:2)
Furthermore, you can't remotely install hardware keyloggers.
Re:The most undetectable keylogger (Score:2, Insightful)
Re:The most undetectable keylogger (Score:4, Insightful)
Then you, sir, have never helped a non-tech friend/relative 'fix their broken computer' only to discover that something was unplugged. It's mind-boggling, but the sheer volume of cables behind the average PC (despite being simple and color-coded) means that the user pays little attention to them. Though I haven't seen one, I don't imagine a hardware key logger is hugely different in size/shape than a PS/2-USB converter. Plenty of people have those on their machines, don't know what they are, and don't question them.
Re:The most undetectable keylogger (Score:2)
Re:The most undetectable keylogger (Score:2)
It's also theoretically possible to make equipment sensitive en
Re:The most undetectable keylogger (Score:4, Insightful)
Once again emphasizing that if you don't have physical security of the system, little else matters.
I've been doing some network consulting for a Dr's office (to help their HIPAA compliance), and the physical security of their systems is completely out of their heads. The hardest thing to do in the whole project is convince them to (and how to) harden the boxes in case the black hat is sitting RIGHT THERE (or steals a box to take with them).
Re:The most undetectable keylogger (Score:2)
Has anybody checked... (Score:2)
Idea (Score:2, Funny)
Re:Idea (Score:3, Funny)
no worry for the paranoid... (Score:2, Funny)
Sure this post took me 10 minutes to type (or copy and paste I should say), but those hackers won't have a clue!
Likely? (Score:3, Insightful)
They're also likely to release more than 6,000,000 keylogging programs this year. They're also likely to release more than 1 keylogging program this year.
What a stupid statement. Oh wait, it's from a vaporous, dot-bombish, DC-metro "computer security" company looking for page hits, blogs, and "press release" publicity on Yahoo! Finance.
Re:Likely? (Score:2)
As to
FCheck or anti-keylogger may help? (Score:5, Informative)
http://security.resist.ca/keylog.shtml [resist.ca]
Anti-Key logger:
http://www.anti-keylogger.net/ [anti-keylogger.net]
FCheck: http://www.geocities.com/fcheck2000/fcheck.html [geocities.com]
I don't know if it will stop a keystroke logger, but it is a cool idea, nonetheless: http://www.kittytech.com/defaultx.html [kittytech.com]
to be effective (Score:2)
No laughing matter... (Score:5, Interesting)
One of our employees decided it would be a brilliant idea to install a key logger on a handful of our computers. Our security software would have easily detected/prevented the installation, but this employee had administrator passwords, allowing him to bypass the security software (since then, passwords have been restricted, which leads to massive inefficiency but higher security). He quietly disabled the security - especially anti-virus - software on these computers and let the program do its work.
The key logger was discovered approximately 6 weeks later when an icon for it randomly popped up on the desktop (I do not know the name of the key-logger software). A patron reported the strange icon, and the lab assistant reported it to management.
All 600 people who had used these computers in the last 6 weeks were notified almost immediately of the breach and instructed to change all their passwords and monitor their credit reports for suspicious activity. A lengthy FBI investigation began, and finally one employee was singled out. Luckily, there is no evidence he used any of the information he had gleaned from these computers.
This employee faced jail time, but ended up accepting a plea bargain for 5 years probation and a $5,000 fine. He has since fled the country.
Moral of the story - these things are quite serious when installed on the right computer, and those that install them in person could receive jail time. Now, even one hint of a key logger appearing on a computer in the labs is enough to drag in all of our technical staff at any hour to heavily investigate and reimage all nearby computers. We'd rather not have to go through any more investigations with the FBI.
Re:No laughing matter... (Score:2)
Obvious solution (Score:2, Funny)
Alternatively, you may just simply store all your passwords in a
Re:Obvious solution (Score:2)
A surprisingly good idea, in a way; sure it allows anyone who has physical access to your machine to get access to your passwords, but all the keyloggers'll detect is "ctrl-c, ctrl-v".
Egress rules (Score:2)
Especially at small organizations, people think they are protected if they just have some ingress rules that (supposedly) stop the bad people getting in. However, you've got to stop your PCs from making connections *out* to random addresses.
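Checking a connection log against an egress policy of that kind, as an added example that is not from the original post: it assumes a constructed log format of `src dst dport`, internal ranges of 10.0.0.0/8 and 192.168.0.0/16, and a single outbound proxy at 10.0.0.5 that alone may reach the Internet on 80/443 (all assumed values), and flags every workstation that connects out directly instead of through the proxy.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "src dst dport")

# Assumed policy: internal hosts may talk to other internal hosts, but only the
# proxy may leave the network, and only for web traffic. Anything else that
# crosses the boundary is an egress violation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_ADDR = ipaddress.ip_address("10.0.0.5")   # assumed proxy address
EGRESS_ALLOWED = {PROXY_ADDR: {80, 443}}        # src -> permitted external ports

# Constructed firewall log: one "src dst dport" per outbound connection attempt.
SAMPLE_LOG = """\
10.0.1.20 10.0.0.5 3128
10.0.1.20 10.0.2.9 445
10.0.1.21 203.0.113.7 443
10.0.1.22 198.51.100.33 25
10.0.0.5 203.0.113.7 443
192.168.4.8 10.0.0.5 3128
"""


def parse_log(text):
    """Turn log lines into Conn records; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            conns.append(Conn(ipaddress.ip_address(parts[0]),
                              ipaddress.ip_address(parts[1]),
                              int(parts[2])))
        except ValueError:
            continue
    return conns


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def violates_egress(conn):
    """True when an internal host reaches an external address without being
    on the allow list for that destination port."""
    if not is_internal(conn.src):
        return False          # only outbound traffic from our own hosts is judged
    if is_internal(conn.dst):
        return False          # internal-to-internal (including to the proxy) is fine
    return conn.dport not in EGRESS_ALLOWED.get(conn.src, set())


def audit(text):
    """Return the connections that bypassed the proxy; a keylogger mailing its
    capture straight to an outside SMTP server shows up here as port 25."""
    return [c for c in parse_log(text) if violates_egress(c)]


if __name__ == "__main__":
    for c in audit(SAMPLE_LOG):
        print(f"egress violation: {c.src} -> {c.dst}:{c.dport}")
```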
Re:Egress rules (Score:2)
If you want any semblance of security, you don't even route to the internet from your normal office, especially where there is confidential information. You absolutely use a proxy *with authentication*. The fact it's authenticated will frustrate all but highly targeted and determined attackers. They are very difficult to defend from (especially as the Achilles heel is more likely your staff's susceptibility to social engineering).
We have a network at work where financ
Re:Egress rules (Score:2)
That is in addition to blocking all executable attachments and not allowing unauthorized software installation.
Who needs software? (Score:5, Informative)
for PS/2 Keyboards [thinkgeek.com]
or for USB Keyboards [thinkgeek.com]
Anti-virus and anti-spyware won't protect you from this kind of technology.
Re:Who needs software? (Score:2)
Help from Microsoft (Score:4, Insightful)
When I open the task manager to view all my running processes, there are usually a ton of programs running. Some I recognize (explorer.exe, System, firefox.exe, etc.) but some I have no idea what they are. Some are from my firewall (BlackIce), some are anti-virus (mcshield.exe), some are other system processes (mdm.exe: the machine debugger), and some I just plain do not know what they are. There are various sites where I can search for these programs, but when there are 50-60 in the list, it gets quite tedious. What would be nice is if the task manager actually produced a mouse-over popup (much like an 'alt' tag in HTML) that gives information about the process. Now this would have to be part of task manager, and not a factor of the application, or malware could just say that it's some important legitimate file. I don't know if this is possible, feasible, or even necessary, but I know it would make it a whole lot easier for me to examine all of my currently running processes.
Just a thought in light of the keystroke logging article.
Re:Help from Microsoft (Score:2)
Re:Help from Microsoft (Score:2)
Yeah, because it's not like unix rootkits ever install their own versions of ps, top, et al, right?
Stopped Reading When I Saw IDefense Said... (Score:3, Informative)
--Remember when they were in hot water for simply rewriting other people's materials and not citing original author or when Jericho and the Attrition crew started to campaign against them...
(I will give them credit for a few decent vulnerability discoveries though, but I tend to stay away from their reporting of cyber news...)
Who needs Carnivore!? (Score:2)
Gilmore's law ('The internet treats censorship as damage and routes around it') apparently also applies to free-market pressures to subvert security, even if it is white-hat security goals that are preventing something like Carnivore's back-door.
PR Plant (Score:2, Interesting)
Other planted articles that are startlingly similar:
The actual verisign press release [verisign.com] with a cute graph
PC World [idg.com.au] with a seemingly verbatim copy of the press release
Again [technewsworld.com] from Tech News World
And C|Net's news.com.com [com.com] even copies the fun and [extreme sarcasm]ever so statistically meaningful[/extreme sarcasm] graph
It is nice to note that VeriSign's Nasdaq abbreviation a
Use a tablet PC then :) (Score:2)
Re:News stories like this... (Score:3, Insightful)
Unless the attacker has replaced ps with a version that will not show the keylogger. And, of course, you always run 'ps' first of all when you log in and before you type in any important passwords, don't you?
Re:News stories like this... (Score:2)
And... if you have to log in to run it, doesn't any resident keylogger already have the single most important password?
Re:News stories like this... (Score:2)
Here's [ss64.com] a man page for a version of it.
Re:News stories like this... (Score:2)
Re:News stories like this... (Score:2)
Well, ps lists all the processes running on the computer, and in theory should reveal any keylogger lurking in memory.
However, regarding the login password itself: in order to install the keylogger, the attacker has presumably already compromised your own machine. Thus he doesn't need your login password for that box - he already has full access there, otherwise he couldn't have install
Re:News stories like this... (Score:2)
Now I'm wondering... are there attacks that can install on *NIX at a point before the system reaches any login point at all?
Re:News stories like this... (Score:2)
Re:News stories like this... (Score:2)
Unless /bin/ps gets replaced with a version that is blind to the evil deeds, as any reasonable rootkit would do. I was rooted back in 2001 and that's one of the very first things that it did.
Re:News stories like this... (Score:2)
Unless, of course, you've been rooted. It's very common for rootkits to copy hacked versions of ps, ls and other system tools that hide themselves.
A couple of years ago, I got a little behind on upgrading ssh on one of our servers. It got a rootkit installed, and ps did not show anything. It was discovered when the system rebooted (so we caught it RIGHT AWAY).
chkrootkit [chkrootkit.org] is your friend in the Linux world.
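A cross-check for the case these replies describe, where a rootkit's replacement ps hides the keylogger: as an added example (not chkrootkit's code and not from any post here) it compares the PIDs present in /proc against the PIDs that the ps binary reports, the same idea chkrootkit-style tools use. The sample /proc listing and ps output are constructed; it only catches a userland ps replacement, since a kernel-level rootkit that also filters /proc would hide from it.

```python
import os
import re
import subprocess

# Constructed sample: what /proc lists and what a trojaned ps reports.
# PID 4242 exists on the system but the doctored ps leaves it out.
SAMPLE_PROC_ENTRIES = ["1", "2", "self", "thread-self", "cpuinfo", "734", "901", "4242"]
SAMPLE_PS_OUTPUT = """  PID CMD
    1 /sbin/init
    2 [kthreadd]
  734 /usr/sbin/sshd
  901 -bash
"""


def pids_from_proc(entries):
    """Purely numeric directory names under /proc are live PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_text):
    """Parse the PID column of `ps -eo pid,cmd` output (header line skipped)."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(proc_pids, ps_pids):
    """PIDs that the kernel exposes in /proc but that ps does not report."""
    return sorted(proc_pids - ps_pids)


def scan_live():
    """Run the comparison on this machine. Requires Linux with /proc mounted
    without hidepid, otherwise other users' processes are invisible anyway."""
    proc_pids = pids_from_proc(os.listdir("/proc"))
    ps_text = subprocess.run(["ps", "-eo", "pid,cmd"],
                             capture_output=True, text=True, check=True).stdout
    ps_pids = pids_from_ps(ps_text)
    # A process may exit between the two snapshots; keep only PIDs still present
    # so short-lived processes do not show up as false positives.
    return [p for p in hidden_pids(proc_pids, ps_pids) if os.path.isdir(f"/proc/{p}")]


if __name__ == "__main__":
    suspects = scan_live()
    if suspects:
        print("processes present in /proc but missing from ps:", suspects)
    else:
        print("ps and /proc agree")
```

Repeat the live scan a few times before acting on a result, since a single stray PID can still be a process that started or exited between the two listings.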
Re: Make sure you use famd then! (Score:2)
Re:News stories like this... (Score:2)
Re:unix admin passwords (Score:2, Informative)
But to my knowledge there are few programs that actually do it. I am aware of three: xterm - when you ctrl-click on the window you can ask for "secure keyboard" which does that. gpg-agent's passphrase request window can also activate that feature.
And xscreensaver, when asking for your password to unlock the screen (other screensavers probably too)
One
I find no link to an online scanner. (Score:2)
Re:*Hem-hem* (Score:2)