Full Disclosure mailing list archives
Re: Firefox Addon: KeyScrambler
From: "Elazar Broad" <elazar () hushmail com>
Date: Thu, 09 Dec 2010 14:33:08 -0500
Just lightly scratching the surface, KeyScrambler.sys is signed by GlobalSign, strings reveals nothing interesting other than OpenSSL 0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault <gary () baribault net> wrote:

Call me paranoid, but that sure would be a good way to spread a key logger!

Gary B

On 12/09/2010 07:25 AM, Christian Sciberras wrote:

Dave,

That's ok. Glad to have helped out :)

Cheers,
Chris.

On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx () propergander org uk> wrote:

On 09/12/2010 10:26, Christian Sciberras wrote:

I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.

I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.

Alternatively, you can just decompress the XPI (it's in fact a zip) and inspect the js files and/or decompress any binaries.

I suppose they are distributing some form of driver, so you'd find IDA/ollydbg useful.

Chris.

I extracted the files (various .js files and an exe) from the xpi.

The .js files version check and create an instance of keyscrambler.sys with the current firefox window passed to it as an argument.

I also extracted the contents of the executable; setup.exe. Setup.exe contained various dll's and one sys file. I presumed this sys file; keyscrambler.sys, is the driver and main component of this addon.

To confirm I monitored the running of setup.exe. My presumption was correct keyscrambler.sys is installed in system32 folder and is registered as an autostarting service, although it is hidden from the services pane in computer management.

This is where my "skills" bottom out. ASM is something I have not yet got my head around. I have a clue, but that's about all I do have... in time ;-)

Thanks for your advice and input

regards
Dave

On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx () propergander org uk> wrote:

On 08/12/2010 11:30, Tim Gurney wrote:

Hi

This seems to contradict itself somewhat. A plugin to firefox should have no way to encrypt things at a driver level within the kernel, that would require installing separate software at the root level, a plugin should not be able to do this and I would be VERY worried and surprised if it could as it would mean bypassing the security of the OS.

I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.

I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.

I am not a professional, I do this kind of research as a hobby and for educational purposes, when I have some free time.

Also if the driver is encrypting the key strokes and the plugin is decrypting, what about all the keystrokes that are not in firefox, like email, word processing, programming, there is nothing to decrypt these so you would end up only ever being able to use firefox on the machine and nothing else ever again.

The devs do state that it only encrypts keystrokes in Firefox and not other applications, although they do sell a version that supposedly works "in over 160 browsers and applications".

personally I would not touch this with a barge pole and I would do a lot more digging and checking into this.

Yes, I am sceptical of claims, hence the post to this list.

regards

Tim

Thanks for your input

Dave.

On 08/12/10 11:12, mrx wrote:

Hi list,

Is anyone familiar with the firefox addon KeyScrambler? According to developers this encrypts keystrokes.

Quote:

"How KeyScrambler Works:

When you type on your keyboard, the keys travel along a path within the operating system before it arrives at your browser. Keyloggers plant themselves along this path and observe and record your keystrokes. The collected information is then sent to the criminals who will use it to steal from you.

KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable."

Can this be trusted? As in trusted I mean not bypassed.

Input from the professionals on this list would be much appreciated.

Thank you

regards
Dave

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
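Added example (not part of the original thread and not code from the KeyScrambler add-on): a first-pass triage of an XPI along the lines discussed above, opening it as a zip, identifying members by magic bytes instead of file name, hashing them, and pulling library banners out of any native binary. The sample archive, its file names and all function names are constructed for illustration; the triage covers only direct members of the archive, not payloads packed inside an installer.

```python
import hashlib
import io
import re
import zipfile

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, as strings(1) reports

def classify(data):
    """Identify a member by magic bytes rather than by its file name."""
    if data[:2] == b"MZ":
        return "pe"    # Windows executable, DLL or driver
    if data[:4] == b"PK\x03\x04":
        return "zip"   # nested archive such as a jar
    return "other"

def triage_xpi(xpi_bytes):
    """Return one record per member: name, kind, SHA-256, library banners."""
    report = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            data = xpi.read(info)
            kind = classify(data)
            # Banners like "OpenSSL 0.9.8a" sit in native code as plain ASCII.
            runs = ASCII_RUN.findall(data) if kind == "pe" else []
            banners = [s.decode() for s in runs if b"OpenSSL" in s]
            report.append({"name": info.filename, "kind": kind,
                           "sha256": hashlib.sha256(data).hexdigest(),
                           "banners": banners})
    return report

def native_members(report):
    """Members that are native code and need signature checks and disassembly."""
    return [r["name"] for r in report if r["kind"] == "pe"]

def build_sample_xpi():
    """Constructed sample: two text files and a fake PE stub, not the real add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", "var x = 1;")
        z.writestr("setup.exe", b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 0.9.8a\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for rec in triage_xpi(build_sample_xpi()):
        print(rec["kind"], rec["name"], rec["sha256"][:16], rec["banners"])
```

The recorded hashes give a fixed reference for comparing a later download of the same add-on against the copy that was analysed.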