Re: Question about malware research

[Bill Brinkley <wbbrinkley () GMAIL COM>]

Are you looking for the research or the actual malware, source/binaries?

I have seen several of these techniques used, but not in the form of a
spyware application. In most cases a machine was compromised by  a trojan
and/or rootkit first. My understanding is that these capabilities are
becoming quite common in new rootkits. It is also common for dropper and
downloader viruses to install rootkits. I recommend the book
**<http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319>
*Rootkits: Subverting the Windows Kernel*.

If you have control of the machines the application will run on, then
defending the application will be easier. If you don't, then my
understanding is that two factor authentication will be needed to reduce the
risk.

The team at SecureWorks have some research, but it may not include the
quantitative data you want.
http://secureworks.com/research/threats/bankingprg/
http://secureworks.com/research/threats/prgtrojan/

Other research:
http://handlers.dshield.org/jbambenek/keylogger.html
http://www.eeye.com/html/resources/newsletters/versa/VE20070921.html

--
Bill Brinkley
Cell 678.877.5145
wbbrinkley () gmail com



On Jan 10, 2008 2:56 PM, Justin Klein Keane <jukeane () sas upenn edu> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello and thank you for your response.  I think I should clarify my
> question.  Our developers are more than happy to follow whatever
> security guidelines we issue, and while I have certainly heard of
> keystroke loggers with all sorts of capabilities I'm finding it
> incredibly difficult to actually find hard evidence of the existence of
> such malware.
>
> I suppose what I mean to ask is, where can I find hard evidence of
> malware that does things like grabs keystrokes, mouse clicks, sniffs
> traffic, etc?  I hate to point to unreferenced articles or analysis of
> commercial products that have these capabilities.  The engineer in me
> has a hard time recommending actions based only on anecdotal evidence of
> the existence of certain threats.
>
> Justin C. Klein Keane
>
> Sr. Information Security Specialist
> Information Security and Unix Systems
> University of Pennsylvania
> School of Arts and Sciences
> 3600 Market St.
> Room 512
> Philadelphia, PA 19104
> 215.898.0236(p)
> 215.573.3166(f)
>
> Valdis Kletnieks wrote:
> | On Thu, 10 Jan 2008 11:25:15 EST, Justin Klein Keane said:
> |
> |> ~  I've recently had some questions from developers about the
> |> capabilities of 'typical' keystroke loggers as pertain to malware
> |> installed on client computers (can they do screen scrapes, do mouse
> |> driven user inputs defeat them, etc.?).  In particular the developers
> |> were interested in knowing how serious the threat was and what sort of
> |> features they could implement to mitigate the threats.
> |
> | OK, I'll say this once, in small words your developers can hopefully
> | understand:
> |
> | If any sort of spyware gets on the box, it's essentially "game over".
> It *does
> | not matter* that "only 0.17% of systems got compromised by the
> Klicker-roo
> | keystroke logger" if the user's system is one of those 0.17%.
> |
> | Malware has been seen in the wild that sniffs keystrokes (both
> grabbing *all*
> | keystrokes, and looking for strings likely to be passwords), grabs mouse
> | clicks, defeats banks that put up "click on the image of numbers to
> enter your
> | PIN" by snagging a screenshot of the pixels around the mouse, grabs the
> | contents of HTTP GET/POST requests *before* they go into the SSL
> encryption
> | routines, and a lot of other stuff.  The fact that there isn't a good
> way
> | to get a 'Secure Attention Key' in Windows (at least in a way that end
> users
> | can understand) so that the user *knows* they're talking to the
> software they
> | expect to be talking to, and no other software, is why there's a lot of
> | interest in smart cards and USB tokens....
> |
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
>
> iD8DBQFHhnhdR4a3EW2yjlQRAlM6AJ91ud9GBv4Kjw1HH7RyxwXnBymUeQCeJOUq
> Ua63r9CKAqHOe+juG5xDm8c=
> =D8nj
> -----END PGP SIGNATURE-----



--
Bill Brinkley
Cell 678.877.5145
wbbrinkley () gmail com