Is there a way to guarantee no keylogging/screen capture is taking place?

Discussion in 'malware problems & news' started by connect4, Oct 9, 2010.

Thread Status:
Not open for further replies.
  1. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101
    Since discovering SuRun/LUA/SRP/KAFU, I've felt a lot more secure about malware problems especially with implementing it correctly.

    However there has always been a vulnerability in key logging malware that can possibly become activated through running programs like firefox. I am aware that a simple restart would flush out any such malware but now I'm trying to find a more convenient way. (Sandboxie you just terminate processes but I now only rely on SuRun/LUA)

    For example, is there any way that we can guarantee no key logging is taking place? And how would we achieve this?

    These are methods that work, but they are a little inconvenient:


    1) First the "restart method", which you restart your computer and handle all your sensitive information before running whatever program was infected. This method is very inconvenient. I believe a "Log off" and "Log back on" will do the same trick but I am not 100% sure.

    2) Sandboxie method. Just run any programs in question through sandboxie and terminate the sandbox and handle your sensitive info. I no longer use Sandboxie because programs are much faster without.


    I've mapped out a few different possibilities of better methods:


    3) What about a method way to Block Off a running key logger/screen capture? Let's say firefox is infected with a keylogger/screen capture and it is running. Is there any program, or method like a SuRun pop up, or a secure blocked off VM, that will allow you to view and type into any document while blocking any key logger/screen capturer 100%, while they are running? This would be IDEAL if it existed.... anyone know how to pull this off?

    4)Now this method is a better version of the sandboxie method but I am unaware of how to implement it in a streamlined way. When you run lets say firefox through sandboxie, if there were attached programs they would all be seen in your sandbox and a simple terminate sandbox shuts all programs associated with firefox. Now is there a way to do this without sandboxie and running via a sandbox? And would it work?

    5)I believe you can block internet access except for specific safe programs, but I also believe there will be a vulnerability when you allow internet access again.


    If anyone knows how to pull these methods off, please share them. Also if you have a better simpler 100% effective method also please share it, Thanks!
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I'm not sure what you mean by "vulnerability in key logging malware" ? The vulnerability you speak of wouldn't be in the KL, but rather in your system etc not detecting the KL and it's actions.

    Any browser/program etc used to input data could have that info KL'd, if one is active and undetected.

    It's not a question of "whatever program was infected" but if your comp/system is infected with a KL etc.

    If someone has a KL installed it will more than likely run at boot, so thinking you can run safe before launching whatever is the wrong way of looking at the situation. Also if you knew that whatever program was infected, why would you then run it anyway and not uninstall it, and/or go about detecting/removing it ?

    There are a number of very good AntiKL apps available, some free.

    Zemana, Spyshelter, PrevxSOL, TrusteerRapport, KeyScrambler, to name a few.
     
  3. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101

    From what I understand, after studying LUA/SuRun very thoroughly and discussions with Cosmo.... Please correct me if I am wrong:

    Well if you are utilizing SuRun/LUA/KAFU/SRP and correctly implement this security approach. It will be VIRTUALLY IMPOSSIBLE to infect your system with malware, so a simple restart will flush out any malware (including KL) that are running. Now, I am wondering if a "Log off" will be just as effective as a restart.

    The only way you can infect yourself with this approach, is user error. OR you can infect an LUA trusted program such as firefox, but this malware could never penetrate your system since it is LUA and will only be only active when you are running that trusted process. And thus a simple restart will flush anything out.

    So this is why I am trying to figure this KL dilemna on a application level, vs a system level.



    Well what combination, or method can I use to eliminate KL activity 100%? I used to rely on sandboxie and control KL activity 100% with that method ("Tzuk's 100% silver bullet method"), but I've realize how much slower it makes my applications.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ connect4

    I can't possibly guarantee for you to "eliminate KL activity 100%?" But i would suggest you try some of those apps listed in my last post :thumb: Then run the Zemana/Spyshelter etc tests and see how well they do ;)

    Post back afterwards and let us know :thumb:
     
  5. connect4

    connect4 Registered Member

    Joined:
    May 20, 2008
    Posts:
    101

    K yeah sure thanks, if I do find out a method that is 100% myself I will post it here.
     
  6. forty

    forty Guest

    I feel I guarantee it by running Bluepoint Security 2010. But if I had to use any other anti-virus program I would definitely run Zemana Anti-Keylogger along side it.
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    FWIW... Just tried to look over Bluepoint's site and it has some "issues". If you go to the support link, it says their https certificate has been revoked. Not a good thing for a computer security company. :(
     
  8. tlu

    tlu Guest

    I think you're mixing up different situations:

    1. The "restart method" as you call it applies to a LUA + Kafu combo. In this situation a user-mode keylogger (e.g. a mail attachment) could execute and change the autostart locations where a limited user has write permission. Kafu prevents that by withdrawing the user's write permission for those autostarts. This means that after a reboot the keylogger won't be executed anymore.
    2. In a LUA + SRP combo the keylogger would NOT be able to execute (unless you deliberately installed it with admin rights because you considered it a trustworthy software) and thus would NOT be able to infect anything or change autostarts. You are perfectly safe in 99.999% of all cases. In this situation kafu only protects you against cases where you load as a limited user, e.g., a word or pdf document that contains a script which wants to manipulate your autostarts where you normally would have write permission. That's why it's important to keep scripting protection enabled in Word/Excel and to disable scripting in your pdf reader (as this was the cause of quite a lot of vulnerabilities in the past). Just to clarify: Since such a script executed with limited rights would not be able to install anything in the Windows or Program Files folders, manipulating the autostarts would not serve a purpose in a SRP environment. That's why kafu is actually superfluous here.
     
    Last edited by a moderator: Oct 10, 2010
  9. forty

    forty Guest

    HAN

    You are right! I jumped on them on their forum over that. I apologize , this program is better than that and deserves more respect. Once more I apoligize.
     
  10. katio

    katio Guest

    connect4,
    what you have in mind is an exploit that bypasses SRP, but not LUA and resides in RAM. It's not a very realistic scenario (unless we are talking targeted attack). But anyway, you don't need to restart to kill it, logging out and in again is enough.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  12. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    I have had a similar concern to this.
    i.e. I'm browsing the net somewhere, and execute a malicious script. In that script is a keylogger which will log any keystrokes I type into my browser (firefox in my case) and send back to it's evil authors. I then go do my online banking and find out shortly thereafter that I'm broke.

    I know you weren't directing this to me, but is my concern unlrealistic? I don't see where either SRP or LUA come into play, since I'm not saving or running an executable. I'm running java, which is already installed and available to firefox.

    My scenario requires a browser exploit to be discovered, but is there anything else about XP/LUA/SRP/firefox (or IE) which would prevent it?

    If I were using srware iron, and went to a new tab, their sandbox should prevent it, but what prevents this with firefox or IE?
    As always, if I get conned into installing something malicious and I ignore any warnings from my HIPS, all bets are off, but lets assume, for now, that I have an otherwise clean system.

    p.s. I guess I'm assuming a browser exploit of some kind is required. I honestly haven't looked deeply enough into the specs of any browser to see if they would happily allow keylogging, but I'm assuming they at least try to prevent it.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You could define the browser only to allow plugins on per-site basis. This would reduce the attacking vector.

    There's also, and I'm talking about simple things to achieve for the Jane and Joe (not saying you are! :D) such as using AVG LinkScanner or maybe/also PC Tools Browser Defender (which seems to be kind of dead) which will prevent exploits.

    Assuming that, I'd say the steps are to keep it clean, using an in-depth security approach, which includes common sense from the user.

    The second part of the in-depth security approach, IMO, is the web browser. I find it easier, for example, to have multiple profiles for different tasks. For daily browsing I have a Chromium profile which forbids plugins, java, javascript and some other stuff. This, by itself, pretty much nullifies any attacking vectors, unless they require me to be stupid. ;)
     
  14. katio

    katio Guest

    All the browser exploits in the wild (or POC for that matter) I ever heard about first drop a malware (exe) and then execute it. A correctly configured SRP would usually stop them.

    Java, Javascript, Flash and Silverlight are by default confined by their own Sandbox or VM no matter what browser you use. Therefore a browser exploit is absolutely required for such a keylogger attack. Chrome/ium only adds another sandbox as an additional layer.
     
  15. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Hi connect4,

    Perhaps the following article will answer your question:

    KeyScrambler: How keystroke encryption works to thwart keylogging threats.

    -- Tom
     
Loading...
Thread Status:
Not open for further replies.