Data Loggers Disguised As Add-Ons / Plugins

http://www.sandboxie.com/index.php?DetectingKeyLoggers#msg.
Right at the bottom of the page -

My question is, are there any security softwares (HIPSs, Behaviour Blockers...) which can detect such attempts?

 

EQS, Malware Defender, Defensewall, Online Armour, CIS.

 

Which browser do you use metalforlife?

In Firefox you can tick in Tools > Options > Security and check the box "Warn me when sites try to install add-ons".

I think it would also help to keep Windows and your programs updated. See the link in my siggy and do an online scan at Secunia's site. When finished you'll want to update everything it recommends.

It's also important that you don't install any "bad" add-ons yourself. If installed during a sandboxed session it could possibly record keystrokes until terminating all programs in the sandbox. You also want to make sure that everything you install on your computer is a clean program/app. If you unknowingly install a keylogger outside of the sandbox and your security apps. miss it then Sandboxie won't help you.

 

I use Firefox. "Warn me when sites try to install add-ons" is enabled by default.

What I would like to know is, what happens when a JavaScript installs an add-on? Would my HIPS prevent the installation?
Since an add-on is not an executable - I guess I wouldn't be getting an alert for a keylogger embedded add-on attempting to install itself.

Whichever file extension it maybe, and whatever data it maybe, wouldn't it be residing somewhere on my PC? In that case, just protecting that particular location from unauthorized write access should be enough, shouldn't it?

 

I didn't know it was default so I thought I would mention it. I tried installing 2 add-on from the Mozilla site to see what would happen. On both occassions I got the add-on warning from Firefox.

I'm not sure what would happen if JavaScript would try to install the add-on. In my case I use NoScript. As far a HIPS go, when I installed FlashGot, I received a warning and when I installed DownThemAll I didn't get a warning.

I guess that would depend from the above examples. If anyone knows of a legit add-on that has keylogger like behaviors I would try it out.

I would assume the add-on would be somewhere on the hard drive. I can't help with the write access question.

I also use Sandboxie and the add-ons were gone after deleting the sandbox. Also note that I only have a few programs that are allowed to run in the sandbox and it didn't stop the FlashGot.exe from running. That sorta proves what you quoted in your first post. Now whether or not a javascript distributed add-on would give the FireFox add-on alert remains a mystery.

 

Probably because not all add-ons are stand-alone executables. HIPS would treat such add-ons as componential appendages of the web-browser. Hence, no alerts. I presume that configuring a HIPS to monitor the folder where add-ons would most likely store their data would prevent installation of said add-ons without user permission.

 

You are basing your view on the presumption that add-ons cannot be non-executable files. Installation of an non-executable add-ons isn't installation per se. Therefore the execution restriction wouldn't intercept / stop the "installation".

 

Ok, I found an experimental add-on called Keylogger 1.1. hxxps://addons.mozilla.org/en-US/firefox/addon/8261

I installed it in Firefox 3.0.10 and I got the usual Firefox add-on warning. Of course a restart is necessary so I did that and as you can see, it does log the keys as well as the url. I did not get a single HIPS warning. I'm using a slightly older beta version of OA and it has the default HIPS configuration. I also have Sbie setup to only allow a few apps to start and the Drop Rights feature on.



Please keep in mind I'm doing this for fun. I do realize that I get a pop-up from Firefox and have to restart the browser for the add-ons to install. I also realize that the bad guys have easier targets.

 

Firefox seems to handle it expertly, then. Nice.

Have you tested with Firefox sandboxed, to see whether the add-on is able to install or not?

 

Yes, I installed in Sandboxie in my everyday sandbox which has run/start access restrictions and I also had the Drop Rights feature on. Deleting the contents erased the add-on.

Remember, Sandboxie was meant to be installed on a clean computer. If you get infected outside of the sandbox it can do nothing to help you. This is where other security programs and your own policies need to step in.

It does look like FF does a good job of alerting to an new add-on. Every plug-in I've installed has an off line installer which means you can be discreet in selecting a reputable one from a "safe" source. I also scan everything I download before running it.

 

Sandboxie's "Start/Run Access" function will not block launching of add-ons that aren't stand-alone executables. So, you cannot completely rely on Sandboxie for protection against keyloggers. Since Firefox will alert prior all such installations, it should be nothing to worry about.

I know. That is why I have CIS guarding my real system.