Educause Security Discussion mailing list archives

Re: Question about malware research


From: Justin Klein Keane <jukeane () SAS UPENN EDU>
Date: Thu, 10 Jan 2008 14:56:13 -0500

Hello and thank you for your response.  I think I should clarify my
question.  Our developers are more than happy to follow whatever
security guidelines we issue, and while I have certainly heard of
keystroke loggers with all sorts of capabilities I'm finding it
incredibly difficult to actually find hard evidence of the existence of
such malware.

I suppose what I mean to ask is, where can I find hard evidence of
malware that does things like grabs keystrokes, mouse clicks, sniffs
traffic, etc?  I hate to point to unreferenced articles or analysis of
commercial products that have these capabilities.  The engineer in me
has a hard time recommending actions based only on anecdotal evidence of
the existence of certain threats.

Justin C. Klein Keane

Sr. Information Security Specialist
Information Security and Unix Systems
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Room 512
Philadelphia, PA 19104
215.898.0236(p)
215.573.3166(f)

Valdis Kletnieks wrote:
| On Thu, 10 Jan 2008 11:25:15 EST, Justin Klein Keane said:
|
|> I've recently had some questions from developers about the
|> capabilities of 'typical' keystroke loggers as pertain to malware
|> installed on client computers (can they do screen scrapes, do mouse
|> driven user inputs defeat them, etc.?).  In particular the developers
|> were interested in knowing how serious the threat was and what sort of
|> features they could implement to mitigate the threats.
|
| OK, I'll say this once, in small words your developers can hopefully
| understand:
|
| If any sort of spyware gets on the box, it's essentially "game over".  It *does
| not matter* that "only 0.17% of systems got compromised by the Klicker-roo
| keystroke logger" if the user's system is one of those 0.17%.
|
| Malware has been seen in the wild that sniffs keystrokes (both grabbing *all*
| keystrokes, and looking for strings likely to be passwords), grabs mouse
| clicks, defeats banks that put up "click on the image of numbers to enter your
| PIN" by snagging a screenshot of the pixels around the mouse, grabs the
| contents of HTTP GET/POST requests *before* they go into the SSL encryption
| routines, and a lot of other stuff.  The fact that there isn't a good way
| to get a 'Secure Attention Key' in Windows (at least in a way that end users
| can understand) so that the user *knows* they're talking to the software they
| expect to be talking to, and no other software, is why there's a lot of
| interest in smart cards and USB tokens....
|
