Malware

KeyScrambler: How keystroke encryption works to thwart keylogging threats

If you make any kind of financial transaction online, there needs to be a keystroke-encrypting app on your computer. Find out why.

Thanks to the Internet, financial transactions and purchasing have never been easier. But that convenience comes at a cost: we have to divulge personal financial information, and that becomes a problem if our banking credentials get into the wrong hands.

One way that happens is through malware that employs keylogging. In fact, that's what financial malware is all about. Type in your credit-card information, the keylogger records it and sends it to the attacker, and, well, you know the rest. Thankfully, there is an answer.

Fight back

There are two approaches that help thwart keylogging applications. Anti-malware programs, by design, remove malware, including keylogging apps. We all have our favorite anti-malware program; just make sure it is effective against keylogging malcode.

Keystroke encryption is the second approach, and it uses a different methodology. It doesn't care whether a keylogging app is installed or not: the keystrokes are encrypted, so all the keylogger records is gibberish.

I have tried several keystroke encryption programs and settled on KeyScrambler by QFX Software. Qian Wang developed KeyScrambler and is the President and CEO of QFX Software. Here are Qian Wang's credentials:

"Qian has been a programmer since age 12 and has had experience working on cutting edge projects at both the M.I.T. Media Lab and the M.I.T. Laboratory for Computer Science. Qian holds a B.S. and a Master's in Electrical Engineering and Computer Science from M.I.T."

Questions about KeyScrambler

Before I ran my tests on KeyScrambler I wanted to understand it better. I contacted Qian Wang and he obliged me by answering the following questions:

TechRepublic: Preventing keystrokes from being logged, stopping screen and clipboard captures, and keylogging software removal are some of the capabilities included in anti-keylogging programs. What features are included in KeyScrambler?

Qian Wang: KeyScrambler, as the name implies, focuses on preventing keystroke logging by encrypting the user's keystrokes. At QFX Software, we are big believers in "Do one thing, and do it well", so we are currently concentrating on providing the best possible protection for the users' keystrokes.

TechRepublic: The web site says, "KeyScrambler encrypts keystrokes at the keyboard driver level, deep in the operating system, to defeat existing and future keyloggers." Could you go into more detail on how that is accomplished?

Qian Wang: To understand how KeyScrambler works, it helps to look briefly at how an operating system like Windows actually processes keystroke data. When you type on your keyboard, it looks like the keystrokes are directly sent to the application you're working on. In reality, they have to go through quite a long path to get there.

The keystrokes first arrive at a hardware controller on the computer's motherboard, which forwards them to the Windows kernel's keyboard input stack. They are then processed by the windowing system's input manager, which sends them to a queue belonging to the application window that currently has input focus.

The application then retrieves the keystrokes from the queue and interprets them according to its own context, and finally the user sees the result of the keys that are pressed. This is a simplified view of what happens, without considering such complex issues as inputting non-English languages.

Many places along this path, there are ways to intercept the keystroke data. Any of these points can be used to perform keylogging, which is why it's such a thorny problem.

What KeyScrambler does is to try to get to the keystrokes as early as possible in the Windows kernel using our encryption module. That way, as they get passed along the different layers of the OS, it won't matter if they get logged, because the keystrokes are completely indecipherable.

When these encrypted keystrokes finally arrive at the intended application, the decryption component of KeyScrambler goes to work and turns them back into the keys the user originally typed.

If you are familiar with how SSL/TLS works to encrypt network traffic, this is basically the same principle applied to your keystrokes. And because KeyScrambler isn't focused on defeating any particular technique or scanning for any particular signature, it doesn't matter if a keylogger is well-known or brand new.
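The path described above (kernel driver, windowing system, focused window's queue, application) can be modelled in a few dozen lines. The following is an added example, not QFX Software's code: KeyScrambler's real cipher, key exchange and driver internals are not described in the interview and are not reproduced here. The model assumes a per-session key shared between the kernel-side stage and the application-side decryptor, uses an HMAC-SHA256 keystream with a fresh random nonce per keystroke, and places a recording "hook" between the kernel and the application to stand in for a keylogger. It also shows the property the developer mentions later in the comments: typing the same key twice yields different encrypted records, so a recorder cannot build a per-key lookup table.

```python
"""Toy model of keystroke encryption along the Windows input path.

Added example; not KeyScrambler's code.  The cipher construction, the shared
session key and the pipeline stages are assumptions made for illustration.
"""
import hashlib
import hmac
import os

NONCE_LEN = 12   # random nonce prepended to every keystroke record
TAG_LEN = 16     # truncated HMAC tag appended to every keystroke record


def encrypt_keystroke(key, ch):
    """Kernel-side stage: wrap one keystroke with a fresh nonce.

    Construction (assumed here): keystream = HMAC-SHA256(key, nonce),
    ciphertext = keystroke XOR keystream, tag = HMAC-SHA256(key, nonce || ciphertext).
    """
    nonce = os.urandom(NONCE_LEN)
    pt = ch.encode("utf-8")
    ks = hmac.new(key, nonce, hashlib.sha256).digest()[: len(pt)]
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def decrypt_keystroke(key, record):
    """Application-side stage: verify the tag, then unwrap the keystroke."""
    nonce = record[:NONCE_LEN]
    ct = record[NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("keystroke record failed authentication")
    ks = hmac.new(key, nonce, hashlib.sha256).digest()[: len(ct)]
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


class KeystrokePath:
    """Kernel driver -> input manager -> window queue -> application.

    A recording hook sits mid-path, where a software keylogger would; it can
    only observe the bytes that pass through it.
    """

    def __init__(self, key, protected):
        self.key = key
        self.protected = protected
        self.hook_log = []    # what the mid-path recorder captured
        self.app_buffer = []  # what the focused application actually received

    def type_text(self, text):
        for ch in text:
            # Stage 1: kernel.  With protection on, the keystroke is encrypted here.
            if self.protected:
                record = encrypt_keystroke(self.key, ch)
            else:
                record = ch.encode("utf-8")
            # Stage 2: windowing system / window queue.  The hook sees only `record`.
            self.hook_log.append(record)
            # Stage 3: application.  The decryptor restores the original key.
            if self.protected:
                self.app_buffer.append(decrypt_keystroke(self.key, record))
            else:
                self.app_buffer.append(record.decode("utf-8"))
        return "".join(self.app_buffer)

    def hook_saw_plaintext(self, text):
        """True if the captured records, read as text, reproduce what was typed."""
        try:
            return b"".join(self.hook_log).decode("utf-8") == text
        except UnicodeDecodeError:
            return False


def demo(text="hunter2hunter2"):
    """Run the same typing through an unprotected and a protected path."""
    key = os.urandom(32)  # assumption: session key known to the driver and the app decryptor
    plain = KeystrokePath(key, protected=False)
    safe = KeystrokePath(key, protected=True)
    return {
        "unprotected_app": plain.type_text(text),
        "unprotected_hook_reads_text": plain.hook_saw_plaintext(text),
        "protected_app": safe.type_text(text),
        "protected_hook_reads_text": safe.hook_saw_plaintext(text),
        # Fresh nonce per keystroke: repeated keys never produce the same record,
        # so a recorder cannot map records back to keys by replaying the keyboard.
        "protected_records_all_distinct": len(set(safe.hook_log)) == len(safe.hook_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the application receiving the typed text in both cases, while the mid-path recorder only reproduces it on the unprotected path. The tag check in `decrypt_keystroke` is what lets the application side reject a record that was altered or injected between the two stages; a recorder that merely copies bytes learns nothing it can use without the session key.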

TechRepublic: As KeyScrambler's developer, what do you feel makes it unique?

Qian Wang: As far as I'm aware, when we released KeyScrambler in 2006, it was the first widely available keystroke-encryption product on the market. So for a while we were unique simply by being first.

More importantly, KeyScrambler is a new approach in dealing with the problem of keylogging. What we did was to look at keyloggers specifically, find out what data they're after, and how they worked to get it. Then we thought about how to protect the data instead. In a sense, KeyScrambler isn't so much focused on anti-keylogging as it is on keystroke-data protection.

Another feature is the display of the live encrypted stream of keystrokes. I think all too often security software takes a "Trust us" stance and only bothers the users when something goes wrong. KeyScrambler tries to show both when and how it's working.

TechRepublic: We mentioned the two types of anti-keylogger applications used against software keyloggers. Why did you choose the encryption route?

Qian Wang: The "scan and remove" method is the traditional way. It's the way most anti-malware programs work. The limitations of this approach, such as the length of time it takes to deal with new threats and the potential for false positives, are pretty well known.

Still, such software continues to be useful. In fact, we recommend it as a baseline even when you use KeyScrambler. Most of our users do have a general purpose "scan and remove" type product installed on their computers.

Having the same type of program specifically aimed at keyloggers doesn't buy you anything new, and it'll have the same limitations. KeyScrambler complements traditional defenses by providing an additional layer of security.

TechRepublic: Many anti-keylogging apps also prevent screen captures. Is that something that might be included in KeyScrambler?

Qian Wang: Once we feel like we've perfected our keystroke-encryption system, we'll take a close look at some of these other problems. We have some ideas already, but we try not to lose focus. We think the world doesn't need another tool that promises to do everything, but doesn't do any one thing particularly well.

TechRepublic: I noticed KeyScrambler works with several password managers including RoboForm. Are there any plans to include the password manager LastPass?

Qian Wang: Since LastPass works as a browser add-on, it should already be supported if it's used in a browser that's supported by KeyScrambler. We will retest the latest LastPass version to see if anything has changed. It shouldn't be a problem to add support for it if it now has a standalone component.

TechRepublic: I wanted to make sure I asked you about hardware keyloggers and if KeyScrambler was able to defeat them.

Qian Wang: KeyScrambler currently does not defeat hardware keyloggers since it only starts working once the keystrokes have reached the Windows kernel. It's something that we will address with a future version of KeyScrambler, although I think for the average user the threat from hardware keyloggers is much smaller than from software keyloggers.

TechRepublic: I have written several articles about financial malware such as ZeuS and Carberp. A key element of their success is the ability to log keystrokes. Will KeyScrambler prevent that from happening?

Qian Wang: As you've noted in your articles, Zeus and Carberp are complex beasts with many variants. KeyScrambler should work as usual against variants that log keystrokes directly.

But, some variants steal information directly from an HTML form before it is submitted. Such attacks would fall outside KeyScrambler's protection envelope at this time. One thing users can do, as I know you've suggested, is use a browser such as Google Chrome that has better handling of user data.

Testing KeyScrambler

The first thing that concerned me was the amount of resources KeyScrambler would be using. The application is on all the time, yet it did not tax my computer, as shown below:

One thing that makes KeyScrambler unique is the visual indicator of keystrokes being encrypted. If so desired, KeyScrambler displays the encryption process in real time, as shown in the screenshot below:

It would not be a good test if I simply trusted that encryption was indeed taking place. So I enlisted the help of an application called Anti-Keylogger Tester, written by Guillaume Kaddauch of FirewallLeakTester.com. The first slide shows how Anti-Keylogger Tester is able to capture my keystrokes:

The next slide is with KeyScrambler turned on; Anti-Keylogger Tester is not registering any recognizable keystrokes:

I would be remiss if I did not mention that KeyScrambler comes in three flavors. If you are interested, it is worth checking out this web page; it will help you decide which version fits your needs.

Final thoughts

Life today is complicated. Being able to shop and bank online helps simplify that complexity. So when that's in jeopardy, we need to fight back. Besides, we worked hard for our money and deserve to keep it.

The beauty of a program like KeyScrambler is: Once installed, that's it. Forget about it and let KeyScrambler be another layer of protection in the fight against financial malware.


88 comments
mhenson73

Any malware that can grab all of ram, and there are plenty of examples such as the encase selves, will still be able to log keystrokes since they have to appear in ram in plaintext both when they are first typed and when they are passed to the application.

JCitizen

I was delighted to find out that when I RDP into a client that has Keyscrambler, I can't make notes on their PC using the usual methods. All my keystrokes are gibberish. I actually like this because I have had victim clients that found things written from the attacker after the fact. I think this would disrupt operations from an attacker because he can't even use the command line, for instance. I have to have the client do this, unless they turn it off, of course.

Slayer_

If you make a basic callback keyboard hook, will it be wrecked?

Digicruiser

Hardware keyloggers "small threat!". BWahahahahahaha. Been using them in a legal sense for administration purposes for a long time, working in that type of place... Encrypt the keyboard output first and have the Windows kernel decrypt there. But make sure the computer will test to see if there is an encrypted keyboard attached and lock it out if it isn't. Because we know we can get the keystroke logger keyboards as well... If I was to use it for naughty reasons, currently I just plug it into the victim's computer before they come to use it, and at the end of the day, I just unplug it and take it home for looking at. Don't need to access the machine (which would be really obvious) to take away admin passwords, websites typed in, documents typed and so on. Of course no screen dumps, but that person's credit card is retrievable if typed during an online transaction via the hardware logger - don't waste time with software types unless you need to remotely be a perve of some type!

howard48906

Will KeyScrambler work while installed on a flash drive?

JCitizen

as I really don't know; but I do know KeyScrambler starts at the kernel layer, so it is going to be difficult for the malware to have complete control of that process unless it runs at an even lower level, such as rootkits, etc. However - no one solution can do much for the user on a PC. Only a strong blended defense will have any effect at all with modern malware. Using several kernel space solutions, and having heuristics based on behavior and not signatures, is paramount. (edited) Also - if the malware is capable of somehow turning KeyScrambler off, you will see the green bar turn red. If you have a systray like in XP and Vista, you will see the KeyScrambler icon turn red also. This doesn't even take into account that I have several file manipulation security solutions onboard that will pop up to warn me of these malicious actions and block the process responsible for it altogether. I have been impressed that several of the good kernel space solutions now work very well together, without blue screening or interrupting the progress of the other. The developers have been doing their homework, and trying their best to keep up with, or stay ahead of, their attackers.

Qian Wang

You should take a look at the Anti-Keylogger Tester. KeyScrambler stops all 7 of the keylogging methods there, including 2 kinds of hooking. KeyScrambler also defeats other methods not tested by the AKLT.

santeewelding

To be the scenario of "in house". Whereas, all this here would pertain to the public outhouse.

Qian Wang

Currently KeyScrambler has to be installed on a computer for it to work because the encryption module is a kernel driver. And to install a kernel component you need to have administrator rights in Windows. So it isn't yet well suited to portable use.

Michael Kassner

I emailed Qian to see what his opinion was. Here is the reply: "I think what he's saying is that his code tries to hook into the IE process and obtain a handle to the embedded browser object. Then it tries to execute a bit of Javascript that listens for Javascript keyboard events. I couldn't get the downloaded program to work due to the unhandled exceptions and I haven't looked at the code, so I don't know if it would work against KeyScrambler or not. I think it would depend on the browser implementation of Javascript events. In some browsers, these events may be generated before KeyScrambler decrypts the keystrokes and in some browsers they may be generated after. I believe IE is vulnerable since Microsoft has made the IE engine more openly accessible than most other browsers."

Qian Wang

Qian Wang from QFX Software here. This looks like an interesting POC, but when attempting to test it on a vanilla install of Win7, trying to inject the keylogger led to an unhandled exception and no keystrokes were captured. It also created a Windows Firewall alert, and attempted network access was blocked by default. I'm not sure if these are inherent problems with the technique or simply a matter of bugs in the POC code. I think that what this POC highlights, along with the MitB variants of Zeus, etc., is that web browsers (particularly IE) really need to be beefed up in terms of handling of sensitive user data. The fact that values of every field, including password entry boxes, are available in the DOM is a painful legacy of design decisions made without any consideration for security.

Michael Kassner

Have you tried it against KeyScrambler? The web site does not mention which type of anti-keyloggers it works on.

Slayer_

Otherwise it would interfere with everything many things?

Ocie3

prevent KeyScrambler from installing its kernel-mode driver? As far as I know, it should and it will. Patchguard prevents any kernel-mode driver from being installed, thus it prevents an "undetectable rootkit" from being installed. However, doing that also creates problems for traditional sandbox software, and any other program that must install a kernel-mode driver for part or all of its features and functions. Which reminds me: unless software such as Patchguard prevents it, any malware program can install a kernel-mode driver not only to filter out mentions of its processes and files from data streams (thus making it almost completely undetectable), but also to capture input and output, such as keystrokes and, perhaps, screenshots. Iff KeyScrambler is the [i]last[/i] process in a chain of hooks, it should secure the keystroke stream output by the kernel; else, it won't if there are other kernel-mode drivers that are capturing that output. It also seems likely that KeyScrambler could interfere with the kernel mode driver installed by Sandboxie. Although I have had KeyScrambler downloaded in C:\INSTALLS for the past two or three weeks, I haven't installed and tested it, [i]e.g.[/i], with using Sandboxie, yet.

Kernel Patch Protection Criteria Evaluation Document: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=4C7561E6-6F9D-4125-8A8C-AEAF8E3342B9&displaylang=en

Kernel Patch Protection FAQ: http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx

Enjoy! ;-)

robo_dev

This program works a lot like a virus. An obvious social engineering type of attack would be a (fake) program claiming to be a keystroke encryption application. You would post an article about it on some sort of a tech forum and lure all sorts of technically savvy people into using it. Not saying that this application falls into that category. :]

cailan.sacks

So far, the only software we've tested which prevents this is Trusteer's Rapport. This is because this type of software doesn't protect the browser DOM, and therefore makes it possible to change the page and page content.

JCitizen

The scrambler process is random, so even if you see the gibberish, it isn't consistent. At least screen capture isn't a problem if you have Rapport on board with SSL activated. Of course any security solution can be deactivated or otherwise thwarted, but if you use blended defenses, you will know you are in a war with the malware. This is valuable, especially because the user is aware of the attempts to take over the desktop.

Michael Kassner

The encryption process. My second slide depicts that. In real life each keystroke is visible. I don't leave that on much. I guess I am concerned about a possible screen capture app being able to associate it with the keystrokes. In fact, I am asking Qian about this.

Qian Wang

and you'll see that even if you just hold down a single key, it'll be encrypted to a long string of random characters. And typing in the same password twice will result in completely different encrypted keys. The way KeyScrambler works is that we enable it only for applications that we have tested and that we believe need protection from keyloggers. Most offline games don't fall into this category so they're not affected. And many online games actually have a separate executable for logging in, so KeyScrambler protects the login component instead of the entire game. I think many of your questions can be answered by looking over our website.

Slayer_

Is each key encrypted to the same result? If so, a keylogger could simply force-press every key on your keyboard, say, for example, at the welcome screen where the password box is mysteriously not highlighted so the user wouldn't know (in XP without a domain, anyhow). Then record each key press. Each gibberish received would be the key that was sent, so you would know. If you send "QWERT" and get back ordered gibberish, you now know the gibberish for each key. Would that work, maybe?

Slayer_

A game uses WASD for controls; each frame it asks the system (non-hook) which key you pressed. Would I get the correct or wrong values? Second, a program (let's say WinAmp) can hook in and wait for someone to press the Hide key. Then, whether or not WinAmp is visible, it knows you pressed the Hide key because it is processing all the keys you pressed. Would this get ruined because Control + Alt + H no longer has the same bit code? Wish I could just install this key scrambler and check it out, but at work, our machines need to maintain very old versions of OCXs and DLLs. Too risky to install something new.

Qian Wang

I think you're using "block" as in preventing the hooks from being installed altogether. When I said "block", I meant KeyScrambler prevents the hook from performing meaningful keylogging. Because KeyScrambler actually encrypts keystrokes, we don't need to individually block any of the APIs that may be used for keylogging. So a program that wants to install a hook can still do so, but any logged keys would be encrypted and therefore indecipherable. The idea is not to stop a particular keylogging behavior but to actually protect the keystroke data.

Slayer_

so many things wouldn't work; your Windows key wouldn't even work, as it is globally hooked into the kernel by Explorer.exe. No video game would work, as direct hooks would be blocked, and apparently DirectX inputs would be blocked because they are basically callback hooks as well. So, it could be that it filters based on process name or something, maybe... or depending on what the active window is.

Michael Kassner

I have been using KeyScrambler for 6 months now, personally purchased. I always test before talking to the developer, otherwise my mentor would disown me. I have had no problems. Other than the alert window, I forget it's there.

Qian Wang

It doesn't interfere with the vast majority of functions. If you use something like AutoHotkey, you have to turn KeyScrambler off before some of the longer hotkeys can be recognized.

JCitizen

I can now attest that the kernel guard is near worthless in Vista x64 anyway, as many of my clients ignore my warnings and run as administrator. I have had to remove many a rootkit in these instances, so the malware authors have found a way around it. Fortunately MBAM was onboard, and after I updated it and ran it in safe mode, it got rid of the rootkit. However - even nuking the drive from space, with Kaspersky's Rescue Disc 10, didn't get rid of one particularly nasty bug called Backdoor.Win32.ZAccess.xxx - the last three values constantly changed, as this was apparently a "shape shifter" to elude the removal process. So far, I have no evidence the bug survived the re-install process, but at least Avast kicked its ass in the recovery folder.

Who Am I Really

wasn't there recently a round of badware that was installed right under the noses of running AV because it had a stolen "signed certificate" from realtek and jmicron?

Qian Wang

signed by a proper certificate authority are extremely hard to counterfeit. You would have to be able to crack a 2048-bit or 4096-bit RSA key (or equivalent) to be able to produce a counterfeit. KeyScrambler should not introduce any noticeable latency even on older systems. One of our test systems is a Dell laptop with a 433MHz Mobile Pentium and 256MB of RAM running Windows 2000, and KeyScrambler runs perfectly fine on it. Thank you for reading and commenting. I hope you'll enjoy using KeyScrambler.

Ocie3

Quote: [i]".... 64-bit version of Windows do require that any kernel driver be digitally signed with a valid code signing certificate, which we have done with KeyScrambler."[/i]

Ah, I've always thought that Microsoft would find some way to back down from their original position. I haven't kept up with the most recent Patchguard development features, which is to say that I should go back and re-read what has been posted on the links that I included. That said, using a digital "certificate" for security purposes always makes me feel uneasy (just how hard are they to counterfeit?). Thank you for the news about compatibility with Sandboxie. Since November 2008, I've been using Sandboxie for almost every application which accesses the Internet.

[b]One more question, please:[/b] how much latency does KeyScrambler introduce between the time that a keypress is output by the keyboard and the time that it is accessible to the process which gets it as input? This is probably irrelevant to most programs but not to all, especially to simulators and to games. Granted, maybe I should get a cheap computer that I can make secure enough to dedicate it to online shopping and banking. Or run a VM for those purposes on a more general-purpose computer. Thank you for your interesting keypress protection research and development of KeyScrambler. I am looking forward to installing and using it.

Qian Wang

from being installed. PatchGuard's aim is to prevent modification of key Windows kernel modules, which we do not do. KeyScrambler only uses documented and stable kernel APIs, so it runs fine on both 32-bit and 64-bit systems. 64-bit version of Windows do require that any kernel driver be digitally signed with a valid code signing certificate, which we have done with KeyScrambler. KeyScrambler is actually quite compatible with Sandboxie. The creator of Sandboxie has very helpfully added access to KeyScrambler's driver interface by default so that users don't even need to go through an extra manual configuration step. We have many users using both programs together happily. :)

JCitizen

very useful to the discussion! I've noticed that even on XP, it is difficult to get any two kernel space solutions to work at the same time. I've tried running this list with any two at a time, to no avail:

Comodo Defense+
Snoopfree Privacy Shield
Prevx

And if memory serves me correctly, Rapport conflicted with some of the top three there also. (edited) I am changing this post because the developers of all these solutions, and more, have been doing their homework and compatibility between kernel space solutions seems to be working. I am able to use any of the many now available, and they automatically make accommodations for each other.

Michael Kassner

I think that is what a lot of security types want ISPs to start doing.

AnsuGisalas

Would be the opposite of defanged vira... have you heard about the genesplicing technique that involves retroviral injection? Basically, they take a retrovirus, scoop out the genetic material, then fill in the DNA they want to test out or multiply. The viral shell performs exactly as normal, being in effect a nanorobot; it latches onto the cell and injects its payload. That, with computer vira, would be awesome... Basically, the opposite of a honeypot; it'd have to be a highly reliable site, with awesome security, and it would have the exploit parts of various current vira. And you go to the site and let it do its thing to see if your security is up to its task. So, no malicious payload, only the exploit and a marker to let the user know which exploits got through. I apologize if this was what you meant, and if it already exists, I want to know more! EDIT: J, if you go that way, remember to use the Prevx downloadable uninstaller, as per our earlier correspondence. As I recall they hide the links to them under "support" or something. Another bad sign, I guess...

Michael Kassner

I just don't like it when there is less than adequate transparency.

JCitizen

Good to see you here Neon! In reference to de-militarized test packs, I seem to remember those too! In my case, I'm only interested in behavior based triggers. Since my solutions are not signature based solutions, all it needs is something that [b]behaves[/b] like Zeus, or a combo threat like Carberp. This should set off any one of the several candidates I've been working with.

JCitizen

the Spyder link led me to many vulnerabilities with Prevx, and the unanswered inquiries set against this reality. I'm going to see if I can run Rapport concurrently with it; but I bet I end up uninstalling Prevx. Hopefully running Rapport and Keyscrambler will gain some kind of defense!?

robo_dev

it would appear you are on the right track.

Neon Samurai

"I could really use a source for de-fanged malware, so I could test these solutions that I run into." If I had to separate the two types, I'd say he's after de-weaponized malware rather than de-fanged. Something that has the detectable malware signature or otherwise appears to be a given bit of malware to the scanning software. You don't want the bit of code that actually executes the signature code though. Like a de-weaponized tank: it still looks bad from the outside but the guns don't go boom anymore. The fangs are still there for appearance but the jaws don't chomp. ClamAV (on *nix systems at least) includes two or three files which are detected as infected though they are actually benign. They are meant as test targets to confirm ClamAV is working. His comment made me differentiate due to reminding me of the old de-fanged virus pack I had back in the DOS days. They simulated the visible effects of a virus without the related damages or detectable signatures. Scan fly.exe with AV and you get nothing. Run fly.exe and you get a drifting pixel that eventually "lands" on the inside of the screen as a fly (lots of fun for pranks between friends). If the fangs are the AV-detectable signature bits, then these would be de-fanged virii.

Michael Kassner

But, I am not able to follow what you are referring to. You need to hold an old fart's hand.

Neon Samurai

I'd love to find an updated pack myself. I remember years ago having a DOS pack of twenty or so. These were just the graphic effects with the malicious code ripped out of them. They may not trigger AV as a result, but they could be fun to play with. De-weaponized virus code would be handy too. This is more what you want, as I'm thinking of the test viruses that come with ClamAV. They contain the signatures to be detected but not the active code to actually run.

david.hunt

At the end of the day, in order to access a secure site, you have to enter the credentials in "plain text" somewhere, and that is the place to catch them. There's only one sure protection against a key logger and that is a "one-time-password", as by the time the miscreant gets it, it won't be valid anymore. I really cannot see the point of keyboard encryption, as eventually the real plain text password has to be entered into the password field variable and then transmitted.

Michael Kassner

Remember the onion and its layers. Remember a company that is less than helpful.

JCitizen

It claims to use what I call "kernel space solutions" to protect the PC from the browser, and it claims to block keyloggers and screen capture in the process. So far, that part seems to work, but I don't catch the malware that I used to with the defenses I use. I could really use a source for de-fanged malware, so I could test these solutions that I run into.

Qian Wang

But those fake anti-virus programs are targeting unwary, unsophisticated users, exploiting their general fear of computers and their insecurity with their own computer skills. As far as I'm aware, no fake anti-virus program has ever managed to trick a legitimate technology publication like TechRepublic.

Onscreen keyboards have their pros and their cons. They work best if they are integrated into the program that they are protecting so the keystroke data can be consumed directly. The implementation you linked to tries to work with any program. This has the problem that they must inject the keystrokes back into the OS, which makes them susceptible to keylogging. The authors try to get around this by injecting additional keys to try to obfuscate the data, but that means the original data is still there, just kind of covered up. From their test results, they generate around 7 extra keys for each real keystroke. That's really not nearly enough. We actually experimented with this approach in an early KeyScrambler prototype. At the time we were generating around 40 extra keys for each real keystroke, but we deemed even that as not secure enough since there are a number of statistical analysis attacks possible. Once we went to real encryption, we never really looked back at obfuscation again.

Also, it looks like they only tested their solution against keyloggers that they themselves wrote using only one particular technique. That does not seem like very robust testing to me. Based on their implementation, I can immediately think of a couple of other techniques that can probably filter out their obfuscation completely. There's a reason why most serious data protection applications use encryption instead of obfuscation. Encryption is based on solid mathematics and has provable security properties. Obfuscation, especially the home-baked kind, is not.

Michael Kassner

That was an interesting paper. They are trying to defeat both software and hardware key loggers.

robo_dev

But a common attack scenario for virus writers is to masquerade as anti-virus programs and use sound-alike domains or domain-typo domains, so that the unwary person searching with Google for anti-virus software will obtain exactly the opposite. I appreciate and understand the security issue that you are trying to address. In terms of architecture, would an approach using obfuscation or an on-screen keyboard for password entry be preferable to encryption? http://www.seas.ucla.edu/~chienchi/reports/CS236_keydef_pp1.pdf

Qian Wang

But in real life, a far more effective social engineering attack would be to post a link titled "funny cat video" and get 100x the clicks. I don't know of any malware writer that would prefer to target a technically savvy audience when there are several orders of magnitude more naive users in the world. A dollar from a naive user is worth the same as a dollar from a savvy user, and it's far easier to get.

JCitizen

I suppose it doesn't matter anyway, as that old spyblocker is just too obsolete. But in its day it passed all tests. I haven't used your test tool against it. Prevx flunked the screen capture test using the tool in your article. One of the tests was foiled by the UAC! AdAware's AdWatch had to be disabled to allow the use of that cool test tool. Thank you very much for this article, the discussion and the tools. These things make for very interesting work!!! :O (edited) removed inaccurate information.

Michael Kassner

Qian made a good point. This may be web-browser specific and based on when the web browser/encryption app decrypts the traffic. Edit: Spelling

JCitizen

They had a review of KeyScrambler on that site, but it was written in what looked like Hindi. I couldn't find a translator button. Guess I'll have to try Babel Fish, or whatever you call it.

JCitizen

Snoopfree Privacy Shield blocks intercepts to the application layer when system hooks are involved. It is obsolete now (XP only), but a real eye opener for how keyboard and screen hooks work. It almost seems to work like a rootkit, as I've never seen older malware able to thwart it or uninstall it. It is no longer supported by the developer.

Michael Kassner

Forgive me though, you still have not answered if you tested KeyScrambler.

cailan.sacks

http://spydersecurity.wordpress.com/2010/10/15/anti-anti-keylogger-software/ Because you inject JavaScript into the browser document (the web page itself), you get access to the unencrypted key events. Tested against a whole host of secured and unsecured sites, using a whole host of key-scrambling and browser protection software suites. Please, I am not trying to be rude here, but you should spend 10 minutes actually reading the blog. It is all well documented there.

Michael Kassner

But, it would not get any critical information, because that is encrypted. So you will not be able to log in.

cailan.sacks

Not exactly a man-in-the-browser attack. It neither needs to infect the browser, nor will the user need to install any browser add-ons; however, it is close. It injects JavaScript (which acts like a keylogger) into the page content, thereby acting more like a Man in the Web Page (just made that up) attack. But looking at it from a purist perspective, as it does not install into the browser and interacts with the system as any other application would, it is a keylogger which has been focused on the IE object.

Michael Kassner

Unless I am misunderstanding, it seems you are referring to a MitB attack. That is something totally different.