PG blocks Asterisk Key but not AsterWin 1.20

Discussion in 'ProcessGuard' started by skbaltimore, Apr 21, 2005.

Thread Status:
Not open for further replies.
  1. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Just something I thought you'd be interested in: PG/full version with everything checked except "Block New And Changed Programs" is able to detect and block Asterisk Key from revealing passes hidden behind *****, but AsterWin 1.20 slips through undetected. I tried it a couple of times just to make sure. It triggers no alert whatsoever. (Note: I have not authorized AW 1.20 to do this, and yes I do have "Block Global Hooks" checked.)

    All I have to do is have an open pass box with the ****** visible, fire up AsterWin 1.20, and click "Reveal Passwords". It not only reveals them in the AsterWin box itself; it also removes the ***** in the password dialogue box as well. I d/l'd AsterWin 1.20 from Snapfiles.com. According to Snapfiles, NirSoft makes AsterWin, but the only version I found on the NirSoft site was IE 1.03, which I haven't tried. Here are the links to both, in case anyone is interested. (I only have the program installed on my own system because as I get older, I suffer from C.R.S. (Can't remember sh*t), and I only use AW to offset my own forgetfulness. (Sometimes I even forget where I've written down the passes if I'm in a hurry.) But since AW 1.20 slipped by so easily, I thought it was something DCS needed to know.

    http://www.snapfiles.com/get/asterwin.html

    http://www.nirsoft.net/utils/asterie.html

    sk
     
  2. sick0

    sick0 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    143
    It was posted yesterday and still no reply from the DCS team?

    Can anyone with expertise about ProcessGuard verify this? I too am interested in the results...
     
  3. sick0

    sick0 Registered Member

    Joined:
    Feb 12, 2004
    Posts:
    143
    No one knows? Or is a fix on its way?
     
  4. earth1

    earth1 Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    177
    Location:
    Kansas, USA
    Hi skbaltimore,

    I'm not familiar with either product, but they must be using different techniques. Since you didn't start AsterWin until after the password dialogue was filled in, it had no opportunity to set a hook early enough to do any snooping. Sounds like it must get the data directly from M$ Windows. If so, I'm glad I have PG on guard to make it harder for anyone to get far enough into my system to try starting a program like that. :)
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I have both apps and can confirm skbaltimore's experiences. I believe they just work differently and am not concerned (not a programmer though). A word of caution: at some point last year, I ran Asterisk Key (don't remember which version) and my system blue-screened. A few BSODs later, I traced it to BOClean (4.11). It turns out that unless I put Asterisk Key in BOClean's exclusion list, I would get a BSOD.

    Nick
     
  6. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Thanks to Earth1 and Nick for your responses. But I would think (along with Sick0) that after a week, it's time to hear from DCS.
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Asterisk-protected editboxes are not truly secure, they just provide an extra level of obscurity. Obscurity is not security, and there are a variety of ways that such passwords can be obtained. After all, they're stored on your hard drive - Windows can read them, and consequently so can malware. Under Windows 9x there is a function called WNetEnumCachedPasswords which literally lists these passwords. Needless to say it has been exploited by many trojans and other malware.

    I haven't looked at this Asterisk program (there are millions of programs out there but only 24 hours in a day), so I couldn't say if it is successful or simply your ProcessGuard setup isn't strong enough (i.e. perhaps you're allowing the Asterisk program certain privileges).

    ProcessGuard can often block attempts by software to read such editboxes - this is not a direct result of us attempting to secure all asterisk-masked password textboxes, but rather an indirect result of blocking hooks, as hooking is one of the most common ways of unmasking such passwords.

    It's also important to take into consideration that these attacks are almost exclusively performed by physical users sitting at the machine, and tools such as Revelation make this easy (although ProcessGuard can block its hooks). I can't recall a single sample of malware that has ever attempted to unmask user passwords, only user-driven tools such as Revelation.

    Regards,
    Wayne
     
  8. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Well, now we've heard from Wayne at DCS.
     