RE: Defeating Citibank Virtual Keyboard protection using screenshot method

["Jim Harrison" <Jim () isatools org>]

Without getting into SMTP latency comparisons...

Perhaps I missed something, but where is the threat demonstrated sans
code installation?
I'm not trying to disparage anyone's work, but as you yourself pointed
out, there is nothing demonstrated here that doesn't qualify as common
malware.

-----Original Message-----
From: Gadi Evron [mailto:ge () linuxbox org] 
Sent: Wednesday, May 09, 2007 1:42 PM
To: Jim Harrison
Cc: Int3; bugtraq () securityfocus com
Subject: RE: Defeating Citibank Virtual Keyboard protection using
screenshot method

On Wed, 9 May 2007, Jim Harrison wrote:
> Granted, it's an interesting methodology, but until you can
demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Even though I was the first to point out this is old news for the
malware
scene in online/e fraud, I'd be the first to bow down before Int3 and
say
"thank you for sharing your work with us". Many don't.

But your point above:
"without installing malware on the victim host"

Although true on some level, is bogus for the purpose of this work, as
it
being written makes an automatic assumtion on working only after malware
is installed.

Although you are right, in practice this is already an heavily abused
technology, and.. 
'Getting malware on a system', who ever heard of such a ridiculous
idea? :)

        Gadi.

> -----Original Message-----
> From: Int3 [mailto:yashks () gmail com] 
> Sent: Wednesday, May 09, 2007 11:14 AM
> To: Jim Harrison
> Cc: bugtraq () securityfocus com
> Subject: Re: Defeating Citibank Virtual Keyboard protection using
> screenshot method
>
>  
> This is not malware, it will only help people to experiment and see
the
> result without writing one for themself. 
>  
> Regards,
> Yash K.S
>  
> On 5/9/07, Jim Harrison <Jim () isatools org> wrote: 
>
>       (copied here without permission)
>       Step by Step Demo:
>       
>       - Download POC from http://tracingbug.com/downloads/citihook.zip
> <http://tracingbug.com/downloads/citihook.zip>  and
>       unzip to some directory
>       - Launch citihook.exe, this will watch only
>       https://www.online.citibank.co.in/ URL
>       
>       Effectively, "Let me install my malware on your machine to
> demonstrate
>       how vulnerable it is."
>       
>       P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
>       The "problem" ceases to be a vulnerability at this point. 
>       
>       -----Original Message-----
>       From: yashks () gmail com [mailto:yashks () gmail com]
>       Sent: Monday, May 07, 2007 3:03 AM
>       To: bugtraq () securityfocus com <mailto:bugtraq () securityfocus com>
>
>       Subject: Defeating Citibank Virtual Keyboard protection using
> screenshot
>       method
>       
>       Severity: Critical
>       
>       Platforms Affected:
>       
>       Microsoft Corporation: Windows 98 Any version 
>       Microsoft Corporation: Windows Me Any version
>       Microsoft Corporation: Windows XP Any version
>       Microsoft Corporation: Windows 2000 Any version
>       Microsoft Corporation: Windows 2003 Any version
>       Microsoft Corporation: Windows NT 4.0 Any version
>       Citi-Bank: Citi-Bank Virtual Keyboard Any version
>       
>       Browsers:
>       Microsoft Internet Explorer Any version
>       Mozilla FireFox Any version
>       Any browser runs on Win32 platform ( With slight modification ) 
>       
>       Original URL :
> http://www.tracingbug.com/index.php/articles/view/23.html
>       
>       Regards,
>       Yash K.S <yashks () gmail com > | www.tracingbug.com
>       
>       All mail to and from this domain is GFI-scanned.
>       
>       
>
>
>
> All mail to and from this domain is GFI-scanned.


All mail to and from this domain is GFI-scanned.