Data Loggers Disguised As Add-Ons / Plugins

Discussion in 'malware problems & news' started by metalforlife, May 15, 2009.

Thread Status:
Not open for further replies.
  1. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    http://www.sandboxie.com/index.php?DetectingKeyLoggers#msg.
    Right at the bottom of the page -
    My question is, is there any security software (HIPSs, Behaviour Blockers...) which can detect such attempts?
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    EQS, Malware Defender, Defensewall, Online Armour, CIS.
     
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Which browser do you use metalforlife?

    In Firefox you can tick in Tools > Options > Security and check the box "Warn me when sites try to install add-ons".

    I think it would also help to keep Windows and your programs updated. See the link in my siggy and do an online scan at Secunia's site. When finished you'll want to update everything it recommends.

    It's also important that you don't install any "bad" add-ons yourself. If installed during a sandboxed session it could possibly record keystrokes until terminating all programs in the sandbox. You also want to make sure that everything you install on your computer is a clean program/app. If you unknowingly install a keylogger outside of the sandbox and your security apps miss it, then Sandboxie won't help you.
     
  4. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    I use Firefox. "Warn me when sites try to install add-ons" is enabled by default.

    What I would like to know is, what happens when a JavaScript installs an add-on? Would my HIPS prevent the installation?
    Since an add-on is not an executable - I guess I wouldn't be getting an alert for a keylogger embedded add-on attempting to install itself.

    Whichever file extension it may be, and whatever data it may be, wouldn't it be residing somewhere on my PC? In that case, just protecting that particular location from unauthorized write access should be enough, shouldn't it?
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I didn't know it was default so I thought I would mention it. I tried installing 2 add-ons from the Mozilla site to see what would happen. On both occasions I got the add-on warning from Firefox.

    addonpopup.JPG

    I'm not sure what would happen if JavaScript would try to install the add-on. In my case I use NoScript. As far as HIPS go, when I installed FlashGot, I received a warning and when I installed DownThemAll I didn't get a warning.

    OAalert.JPG

    I guess that would depend from the above examples. If anyone knows of a legit add-on that has keylogger-like behaviors I would try it out.

    I would assume the add-on would be somewhere on the hard drive. I can't help with the write access question.

    I also use Sandboxie and the add-ons were gone after deleting the sandbox. Also note that I only have a few programs that are allowed to run in the sandbox and it didn't stop the FlashGot.exe from running. That sorta proves what you quoted in your first post. Now whether or not a JavaScript-distributed add-on would give the Firefox add-on alert remains a mystery.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Note it said circumvent the internet restriction by hijacking the browser. True, But first the keylogger has to install. If it has to install a driver or service, it's going to have a problem. Also you can restrict what runs in the sandbox to just the browser. Then just be sure to empty the sandbox before going to sensitive sites.

    Pete
     
  7. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Probably because not all add-ons are stand-alone executables. HIPS would treat such add-ons as componential appendages of the web-browser. Hence, no alerts. I presume that configuring a HIPS to monitor the folder where add-ons would most likely store their data would prevent installation of said add-ons without user permission.
     
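The "watch the folder where add-ons store their data" idea above can also be done as an offline integrity check. This is an added example, not code from the thread or from any of the products named in it; it assumes a Firefox-style layout where each add-on sits as a directory or .xpi file directly under the profile's extensions folder, and the sample profile it builds is constructed.

```python
"""Baseline-and-diff check for a Firefox profile's extensions folder.

Added example (not from the thread): hashes every add-on entry under
<profile>/extensions so an add-on that appears, disappears or changes
between two runs is reported, whether or not it is an executable.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(extensions_dir: Path) -> dict:
    """Map each add-on entry (top-level name under extensions/) to one hash
    covering all of its files and their relative paths."""
    result = {}
    for entry in sorted(extensions_dir.iterdir()):
        h = hashlib.sha256()
        files = [entry] if entry.is_file() else sorted(
            p for p in entry.rglob("*") if p.is_file())
        for f in files:
            h.update(str(f.relative_to(entry)).encode())  # renames change the hash too
            h.update(f.read_bytes())
        result[entry.name] = h.hexdigest()
    return result


def diff(baseline: dict, current: dict) -> dict:
    """Return add-on entries that were added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed sample: one unpacked add-on exists, then a second add-on
    (.xpi) appears and a script inside the first one is altered."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    first = root / "{first-addon-id}"  # placeholder add-on id
    (first / "chrome").mkdir(parents=True)
    (first / "install.rdf").write_text("<RDF/>")
    (first / "chrome" / "content.js").write_text("// benign")
    before = snapshot(root)
    (root / "second-addon.xpi").write_bytes(b"PK\x03\x04 constructed xpi")
    (first / "chrome" / "content.js").write_text("// changed")
    return diff(before, snapshot(root))
```

Run `snapshot()` once on a known-clean profile, store the result, and compare later snapshots against it with `diff()`.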
  8. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    You are basing your view on the presumption that add-ons cannot be non-executable files. Installation of non-executable add-ons isn't installation per se. Therefore the execution restriction wouldn't intercept / stop the "installation".
     
  9. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Ok, I found an experimental add-on called Keylogger 1.1. hxxps://addons.mozilla.org/en-US/firefox/addon/8261

    I installed it in Firefox 3.0.10 and I got the usual Firefox add-on warning. Of course a restart is necessary so I did that and as you can see, it does log the keys as well as the url. I did not get a single HIPS warning. I'm using a slightly older beta version of OA and it has the default HIPS configuration. I also have Sbie setup to only allow a few apps to start and the Drop Rights feature on.

    addonkeylog.JPG

    Please keep in mind I'm doing this for fun. I do realize that I get a pop-up from Firefox and have to restart the browser for the add-ons to install. I also realize that the bad guys have easier targets.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Firefox seems to handle it expertly, then. Nice.

    Have you tested with Firefox sandboxed, to see whether the add-on is able to install or not?
     
  11. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Yes, I installed in Sandboxie in my everyday sandbox which has run/start access restrictions and I also had the Drop Rights feature on. Deleting the contents erased the add-on.

    Remember, Sandboxie was meant to be installed on a clean computer. If you get infected outside of the sandbox it can do nothing to help you. This is where other security programs and your own policies need to step in.

    It does look like FF does a good job of alerting to a new add-on. Every plug-in I've installed has an offline installer which means you can be discreet in selecting a reputable one from a "safe" source. I also scan everything I download before running it.
     
  12. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Sandboxie's "Start/Run Access" function will not block launching of add-ons that aren't stand-alone executables. So, you cannot completely rely on Sandboxie for protection against keyloggers. Since Firefox will alert prior to all such installations, it should be nothing to worry about.

    I know. That is why I have CIS guarding my real system.
     