The rise and rise of the keyloggers



KEYLOGGERS

Network Security, June 2007, p. 4

Simon Heron, managing director, Network Box

The attractions of making money through extortion by carrying out denial of service (DoS) attacks are diminishing. The criminals who control botnets do not want to risk their network if a company calls their bluff. It takes time and effort to create a botnet, and if you are forced into launching an attack, you expose that botnet to discovery and decapitation.

So keyloggers, phishing and spamming are alternative attractions. They are lower risk, and the network is likely to survive and provide a steady income. However, the attacks themselves are becoming more sophisticated. Phishing now has to be well conceived, with convincing websites, polished emails and targeted information. The public is getting wise to spam, and anti-spam techniques are getting better. Keylogging, on the other hand, is less publicised, can bring in a good return and is relatively easy to implement. Between 2002 and 2005 there was a 1300% increase in the number of keylogging incidents.

Keyloggers were initially created to help with a number of legitimate monitoring tasks: ensuring employees did not type in sensitive information, parental monitoring of children's activities and other innocent surveillance. In the Nicodemo Scarfo case, the FBI covertly installed a keylogger to capture the passphrase protecting encrypted files belonging to the leader of an illegal gambling operation; Scarfo pleaded guilty to the charges in 2002.

The problem now is that keyloggers lend themselves to criminal activity. Some companies claim that the main use of keyloggers these days is the gathering of sensitive financial information. Keyloggers can be easily developed and used to gather everything entered at the keyboard. The only two flies in the ointment are installing the software without being caught and, more importantly, getting that information back to the controller. It is not simple to get the data back without being caught. Connecting to the victim is a vulnerable moment for the hacker, and sending the data back to a destination, whether by email or to an IP address, leaves traces for law enforcement agencies to follow.

Installation depends on the type of keylogger that is going to be installed. There are two main types: hardware and software.

Hardware installation

Hardware-based keyloggers can be broken down into two subcategories: direct and indirect.

Indirect methods include video surveillance, planting a web camera or something similar where the keystrokes can be observed, or, with the prevalence of wireless keyboards, monitoring the airwaves for keyboard signals and recording them from premises or a vehicle outside the organisation.

More direct methods involve hardware devices in the keyboard or in the cabling. The problem with these is that they are difficult to plant and require physical presence. This increases the danger to the attacker and reduces the number of possible victims to those that can be visited. Direct hardware keyloggers are commercially available devices and come in two configurations: inline devices and embedded keyloggers.

Inline devices are part of, or attached to, the cable from the keyboard to the computer. They can be connectors that the keyboard cable plugs into; these days you can get them with either PS/2 or USB connectors. Alternatively, they can be replacement cables with the keylogger built into the cable.

Embedded keyloggers are small electronic modules that are soldered into the keyboard itself. Alternatively, you can buy keyboards with them already installed.

While these keyloggers are easy to install, the inline versions can be easily spotted (by inspecting the back of the machine) and removed. Embedded versions are more difficult to spot, being inside the keyboard, but are either harder to install or more expensive than inline devices.

One problem that can occur is that many hardware keyloggers reveal themselves when a particular password is typed: the device watches the keystroke stream for that string and, when it sees it, opens its menu by typing into whatever window is active. If the operator happens to type that string by chance, the keylogger shows up.

Software

Software keyloggers are where it gets interesting, as these are the types of keyloggers used by criminal gangs, and they are by far the most common. They can be broken down into kernel-level loggers, system hooks and function methods.

Kernel level

These use filter drivers written in C and require a good level of knowledge. They are difficult to write and are buried deep within the operating system, which makes them difficult to detect. They are designed to gain direct access to the hardware: a keyboard filter driver can be layered into the keyboard driver stack, or the keylogger can replace the keyboard driver itself, becoming central to the OS.

System hook

System hook keyloggers sit slightly further up the software stack. This ploy intercepts the OS notifications that a key on the keyboard has been pressed, on Windows typically by installing a keyboard hook with SetWindowsHookEx. Again written in C, it requires knowledge of the OS API.

Function method

This method polls API functions such as GetAsyncKeyState from the Win32 API to see which keys are down. Such loggers can be written in higher-level languages like Visual Basic, but the polling loop puts an additional load on the CPU, which the user can notice in some cases.


Installation

If we exclude 'legitimate' installation, where the owner of the computer installs the keylogger, how do illegal installations take place? This is fairly straightforward:

• An end-user clicks on an attachment sent by the hacker and it installs itself in the same way as a virus.

• The end-user might already be infected by a trojan that has the ability to download new programs. If the hacker owns a botnet, for example, he might instruct that botnet to download a keylogger of his choice.

• A keylogger might be launched when the end-user executes a file from his P2P shared directory. This is one of many reasons for companies to be very cautious about using P2P products.

• When an end-user visits an infected website that exploits a browser vulnerability, the keylogger can arrive as a drive-by download of which the user is not aware. This is a good case for keeping browsers up to date.

A number of keyloggers now use rootkit technology to hide their presence from the end user. In fact, many malware implementations these days are multifunctional, incorporating trojan, keylogging and worm features.

Accessing the data

The main problem facing hackers with keyloggers is getting the data back. There are a number of ways of doing this. The first two were proposed by Young and Yung as far back as 1997:

Using an IRC backchannel

If the keylogger is controlled through a Usenet or IRC channel, it encrypts the harvested data with the controller's public key (asymmetric, or public/private key, encryption) and posts the result to the channel, as shown in Figure 1. Anyone watching the channel sees what looks like garbage; only the controller, who holds the matching private key, can decrypt it. Because the implant carries only the public key, seizing an infected machine does not expose the data. The concern for the controller is that the IRC channel can be detected and shut down, at which point the whole botnet is lost.

Writing to disk

The keylogger writes to the last few sectors of any disk it can reach. The data is encrypted, and those sectors are rarely overwritten. So if anybody plugs in a USB key, the keylogger writes to that too. Most people will not know the information is there, and those that do will not have the key to decrypt it. It also gives the hacker plausible deniability if caught: many other people will be carrying the same information on their media, so he can claim to be a victim too. The trouble is that the data has to be collected in person, by visiting the site or getting hold of the media.
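A forensic counterpart to this technique, added here as an example and not taken from the article: ciphertext is indistinguishable from random bytes, so the tail sectors of a disk or USB image can be screened by byte entropy to find blobs that no file system structure explains. The 32 KiB "disk" below and the SHA-256 keystream standing in for the keylogger's ciphertext are constructed for the example; a real scan would read the last sectors of the device image instead.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tail(image: bytes, sectors: int = 8, threshold: float = 7.0,
              sector_size: int = SECTOR):
    """Return [(sector_index, entropy)] for the last `sectors` sectors whose entropy
    is at or above `threshold`. A 512-byte sample of ciphertext scores about 7.6
    bits/byte; zero fill, file-system metadata and plain text score far lower.
    A trailing partial sector is examined as-is rather than padded."""
    total = math.ceil(len(image) / sector_size)
    hits = []
    for idx in range(max(0, total - sectors), total):
        chunk = image[idx * sector_size:(idx + 1) * sector_size]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((idx, round(h, 2)))
    return hits


def build_sample_image(total_sectors: int = 64, hidden_sectors: int = 4) -> bytes:
    """Constructed image: zero fill plus a few plaintext sectors, with `hidden_sectors`
    of pseudo-random bytes (standing in for the encrypted log) dropped into the last
    sectors, as the paragraph describes."""
    text = b"INVOICE 2007-06 Network Box Ltd, UK. Amount due: 1200.00 GBP.\n"
    sectors = [bytes(SECTOR)] * total_sectors
    for i in (3, 4, 5):                                   # some ordinary file content
        sectors[i] = (text * (SECTOR // len(text) + 1))[:SECTOR]
    # Deterministic keystream so the example reproduces; a real logger uses a cipher.
    stream = b"".join(
        hashlib.sha256(b"constructed-keystream" + i.to_bytes(4, "big")).digest()
        for i in range(hidden_sectors * SECTOR // 32))
    for k in range(hidden_sectors):
        sectors[total_sectors - hidden_sectors + k] = stream[k * SECTOR:(k + 1) * SECTOR]
    return b"".join(sectors)


if __name__ == "__main__":
    for idx, h in scan_tail(build_sample_image()):
        print(f"sector {idx}: {h:.2f} bits/byte, looks encrypted or compressed")
```

On a real image, `scan_tail` is a lead rather than a verdict: compressed archives and encrypted volumes score just as high, so a flagged sector should be checked against the file system's allocation map to see whether any file accounts for it before it is treated as a hidden drop.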

Posting to a website

Send the information directly to a website in a country where it will be difficult to take the site down. Create a number of zombie hosts as alternative drop sites, so that if the site is taken down you simply move the destination. The downside is that the traffic is not so easy to hide.

Combining keyloggers with P2P

Another philosophy is to use P2P networks. In a similar way to the Sinit trojan, a new P2P protocol is created that allows infected machines to communicate with each other. Figure 2 briefly outlines the method. The first phase is to find other infected machines. Once found, query them for the information they have logged; this might be returned as an encrypted file. Add the new information to the local file and start looking for a new peer. The advantage is that the harvester appears to be just another infected machine, and only the owner knows the key to decrypt the information.

Figure 1: Using an IRC backchannel to communicate harvested keylogger data.

Figure 2: Using P2P networks to retrieve harvested data.
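The IRC backchannel and the P2P harvest share one design property worth seeing in code: the implant carries only the controller's public key, so every peer (and anyone who seizes a peer) holds ciphertext it cannot read, while the harvester's merge step needs no key at all. The following is an added example, not code from the article or from any real keylogger. It uses a toy textbook RSA (512-bit modulus, no padding) and a SHA-256 keystream with an HMAC tag in place of a real hybrid scheme, and the host names and keystrokes are constructed.

```python
import hashlib
import hmac
import os
import random

rng = random.SystemRandom()           # OS entropy for key generation


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Toy textbook RSA: returns ((n, e), (n, d)). Only the public half ships in the implant."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


KEY_BYTES, TAG_BYTES, WRAP_BYTES = 32, 32, 64


def keystream(key, length):
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(public, record):
    """Encrypt one logged record under a fresh session key wrapped with the public key."""
    n, e = public
    session = os.urandom(KEY_BYTES)
    body = bytes(a ^ b for a, b in zip(record, keystream(session, len(record))))
    tag = hmac.new(session, body, hashlib.sha256).digest()
    wrapped = pow(int.from_bytes(session, "big"), e, n).to_bytes(WRAP_BYTES, "big")
    return wrapped + tag + body


def open_sealed(private, blob):
    """Controller side. Raises ValueError for a record sealed to someone else's key."""
    n, d = private
    wrapped, tag, body = (blob[:WRAP_BYTES], blob[WRAP_BYTES:WRAP_BYTES + TAG_BYTES],
                          blob[WRAP_BYTES + TAG_BYTES:])
    try:
        session = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(KEY_BYTES, "big")
    except OverflowError:
        raise ValueError("wrong private key") from None
    if not hmac.compare_digest(tag, hmac.new(session, body, hashlib.sha256).digest()):
        raise ValueError("tag mismatch: wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(body, keystream(session, len(body))))


class InfectedPeer:
    """One infected machine; its log exists only in sealed form, so a query or a forensic copy yields nothing readable."""
    def __init__(self, name, public):
        self.name, self.public, self.store = name, public, []

    def log(self, keystrokes):
        self.store.append(seal(self.public, f"{self.name}:{keystrokes}".encode()))

    def answer_query(self):
        return list(self.store)       # reply to a peer's "what have you logged?" query


def harvest(peers):
    """Harvester side: query each peer and merge by record hash, so later rounds add no duplicates."""
    merged = {}
    for peer in peers:
        for blob in peer.answer_query():
            merged.setdefault(hashlib.sha256(blob).hexdigest(), blob)
    return list(merged.values())


def demo():
    public, private = generate_keypair()
    peers = [InfectedPeer("host-a", public), InfectedPeer("host-b", public)]
    peers[0].log("ebay user alice pw hunter2")      # constructed sample keystrokes
    peers[1].log("bank pin 1234")
    blobs = harvest(peers + peers)                  # two rounds hit the same peers
    return sorted(open_sealed(private, b).decode() for b in blobs)


if __name__ == "__main__":
    print(demo())
```

The defensive consequence is the point of the exercise: a captured implant or a peer's store file gives an investigator the public key and a pile of sealed records, and nothing else, so detection has to rest on the behaviour (the peer discovery traffic, the IRC posts that look like garbage, the CPU load of the logger) rather than on reading what was stolen.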

Case study

Back in 2006, Graeme Frost responded to an email telling him that an unusual purchase had been made on his credit card and that he had to visit a website to get more information. The site was designed to exploit a vulnerability in the way Microsoft's Internet Explorer handled digital images. Using this exploit, the site was able to install a trojan keylogger in the background while Mr Frost searched for information. Microsoft subsequently patched this vulnerability, but by then many people had been infected, as the hackers had also broken into badly protected websites to introduce their 'modification'. Once installed, the keylogger went to work recording information such as eBay usernames and passwords, subsequently sending them to a website in Russia. In this case the scam was so successful that the hackers had to create quite sophisticated tools to dig out the information they were interested in from the vast amount of data being sent to them.

Conclusion

There seems little evidence that keylogging is going to disappear very soon. There are already keyloggers that are Vista-ready, and there are some legitimate uses for these in terms of parental control and monitoring. However, as operating systems become more secure, it will become increasingly difficult to install them. Obviously a lot is riding on Vista and its ability to transcend the faults of its predecessors, and this is still open to discussion. The new architecture should make it harder for these programs to be installed unwittingly, but it is likely that in the early days there will be vulnerabilities that will be exploited.

The criminals who are writing malicious software are getting more sophisticated, and there is a lot of evidence that they are working in groups to get their features to market. In the case of the exploit that caught Graeme Frost, there was evidence of infected sites two weeks before Microsoft brought out its patch. Even when the right tools are brought to bear on this problem, the security industry is likely to be engaged in a game of cat and mouse with the keylogging underground for some time to come.

About the author

Simon Heron is the managing director of Network Box (UK) Ltd, a unified threat management company, where he is responsible for developing the overall business strategy and growth. Heron has over 16 years' experience in the IT industry, including eight years' experience in internet security. During this time he has developed and designed technologies ranging from firewalls and anti-virus to LANs and WANs.


WIRELESS WORMS

Wireless worms

Ken Munro, managing director, SecureTest

Have you ever noticed ad hoc connections in your Windows wireless client when looking for a hotspot to connect to? They are easy to spot: the graphic next to the connection name (SSID) is an image of two laptops, rather than the aerial image for a hotspot. Common connection names for ad hoc networks include 'HPSetup', 'Free Internet Connection' and many others.

These ad hoc connections were considered to be an interesting gimmick; however, we have shown that they create an extremely dangerous attack vector into corporate laptops and other wireless devices. Using this, an attacker could gain access to your network, bypassing firewalls and other security devices.

The ad hoc network is the wireless equivalent of peer-to-peer networking; in essence it is a wireless crossover cable. It is included in the operating system to allow file transfer and the like wirelessly between wireless devices. HP includes an ad hoc network by default on some of its wireless printers to allow wireless printing by clients.

The danger of ad hoc wireless networks

To appreciate the severity of this issue, we need to recap some wireless fundamentals. Windows caches wireless associations, whether they be with access points or ad hoc networks. This allows you to easily rejoin wireless networks when you come back into wireless range. It would be a little irritating if every time you wanted to join your home wireless network you had to search for the access point and re-enter your encryption key. Hence Windows stores this information and will automatically join the network for you.