Date: Thu, 09 Dec 2010 12:07:03 +0000
From: mrx <mrx@...pergander.org.uk>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox Addon: KeyScrambler

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/12/2010 10:26, Christian Sciberras wrote:
>> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>> environment and it is incompatible.
>> I may wait for an update to the plugin and analyse its behaviour,
>> providing my curiosity doesn't wane in the meantime.
> 
> Alternatively, you can just decompress the XPI (it's in fact a zip) and
> inspect the js files and/or decompress any binaries.
> I suppose they are distributing some form of driver, so you'd find
> IDA/ollydbg useful.
> 
> 
> 
> Chris.
> 

I extracted the files (various .js files and an exe) from the xpi.
The .js files do a version check and create an instance of keyscrambler.sys, with the current Firefox window passed to it as an argument.

I also extracted the contents of the executable; setup.exe.
Setup.exe contained various DLLs and one .sys file. I presumed this .sys file, keyscrambler.sys, is the driver and main component of this addon.
To confirm I monitored the running of setup.exe.

My presumption was correct: keyscrambler.sys is installed in the system32 folder and is registered as an autostarting service, although it is hidden
from the services pane in Computer Management.

This is where my "skills" bottom out. ASM is something I have not yet got my head around.
I have a clue, but that's about all I do have... in time ;-)

Thanks for your advice and input
regards
Dave

> 
> On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx@...pergander.org.uk> wrote:
> 
> On 08/12/2010 11:30, Tim Gurney wrote:
>>>> Hi
>>>>
>>>> This seems to contradict itself somewhat. A plugin to firefox should
>>>> have no way to encrypt things at a driver level within the kernel, that
>>>> would require installing separate software at the root level, a plugin
>>>> should not be able to do this and I would be VERY worried and surprised
>>>> if it could as it would mean bypassing the security of the OS.
> 
> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
> environment and it is incompatible.
> I may wait for an update to the plugin and analyse its behaviour, providing
> my curiosity doesn't wane in the meantime.
> 
> I am not a professional, I do this kind of research as a hobby and for
> educational purposes, when I have some free time.
> 
> 
>>>> Also if the driver is encrypting the key strokes and the plugin is
>>>> decrypting, what about all the keystrokes that are not in firefox, like
>>>> email, word processing, programming, there is nothing to decrypt these
>>>> so you would end up only ever being able to use firefox on the machine
>>>> and nothing else ever again.
> 
> The devs do state that it only encrypts keystrokes in Firefox and not other
> applications, although they do sell a version that supposedly works
> "in over 160 browsers and applications".
>>>>
>>>> personally I would not touch this with a barge pole and I would do a lot
>>>> more digging and checking into this.
> 
> Yes, I am sceptical of claims, hence the post to this list.
> 
> 
> 
>>>> regards
>>>>
>>>> Tim
> 
> 
> Thanks for your input
> Dave.
> 
> 
>>>>
>>>> On 08/12/10 11:12, mrx wrote:
>>>>> Hi list,
>>>>
>>>>> Is anyone familiar with the firefox addon KeyScrambler? According to
>>>>> developers this encrypts keystrokes.
>>>>
>>>>> Quote:
>>>>> "How KeyScrambler Works:
>>>>> When you type on your keyboard, the keys travel along a path within the
>>>>> operating system before it arrives at your browser. Keyloggers plant
>>>>> themselves along this path and observe and record your keystrokes. The
>>>>> collected information is then sent to the criminals who will use it to
>>>>> steal from you.
>>>>
>>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the
>>>>> keyboard driver level, deep within the operating system. When the encrypted
>>>>> keystrokes reach your browser, KeyScrambler then decrypts them so you
>>>>> see exactly the keys you've typed. Keyloggers can only record the
>>>>> encrypted keys, which are completely indecipherable."
>>>>
>>>>> Can this be trusted? As in trusted I mean not bypassed.
>>>>
>>>>> Input from the professionals on this list would be much appreciated.
>>>>
>>>>> Thank you
>>>>> regards
>>>>> Dave
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
> 

- -- 
Mankind's systems are white sticks tapping walls.
Thanks Roy
http://www.propergander.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTQDGZrIvn8UFHWSmAQKuQgf/anyexT49oGKy7rvr0orBtSnPSAyhIoh9
tF0kwb6odcmF7WXW1NHi54ztuTwg7Ue0iJ4FNYSYedAhstJQuQRC6A6En76+xRe9
b5psFqongyeqnvA+nUAuO/TagxlA8fiAZSu8VNr1yOx3y0030jrOnUgDdwmOcMIV
lefxk87YV9PKRFlgts7FVN4aqlEFsyQfYgyq7Z5NhBcAO6BnvAtbSro3rCZIhYt4
kWi4UdjpszqI+uYJFWv4r/ZwOVjXEZzFbqJUU4qcN24q8X0GyFXxs/4I0evBwMyI
tYZ4gpCJ9ocYI+A11fRpeX1z3k0xnh/HguvsNae5nLLjrDUE6cws/Q==
=7GDE
-----END PGP SIGNATURE-----
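Added example, not part of this thread and not code from KeyScrambler or its authors: the first triage step Christian suggests and Dave carried out, treating the XPI as a zip archive, listing its members, and flagging which ones are scripts and which are native Windows binaries (the setup.exe, DLLs and .sys file Dave found). Native code is detected by the PE magic, not just by file extension, so a renamed binary is still caught. The XPI it inspects, its member names and the fake PE blob are constructed in the script and are assumptions, not the real add-on's layout.

```python
import io
import os
import struct
import zipfile

# Extensions that indicate native code shipped inside an add-on (assumed list).
NATIVE_EXTENSIONS = {".exe", ".dll", ".sys", ".so", ".dylib"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_xpi(xpi_bytes: bytes) -> dict:
    """Enumerate an XPI (a plain zip archive) and report members that carry native code.

    Returns a dict with every member name, the .js scripts, members whose extension
    suggests native code, and members that really are PE images by magic bytes.
    """
    if not zipfile.is_zipfile(io.BytesIO(xpi_bytes)):
        raise ValueError("not a zip archive, so not an XPI")
    report = {"members": [], "scripts": [], "native_by_extension": [], "pe_images": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            report["members"].append(name)
            ext = os.path.splitext(name.lower())[1]
            if ext == ".js":
                report["scripts"].append(name)
            if ext in NATIVE_EXTENSIONS:
                report["native_by_extension"].append(name)
            # Read only the first 4 KiB: enough for the DOS header and the PE signature check.
            with zf.open(info) as fh:
                head = fh.read(4096)
            if is_pe_image(head):
                report["pe_images"].append(name)
    return report


def build_sample_xpi() -> bytes:
    """Build a constructed, minimal XPI in memory: a manifest, a script, a fake PE and a decoy."""
    # Fake PE: 'MZ' stub with e_lfanew = 0x40 followed by the 'PE\0\0' signature.
    # Constructed for the demo; it contains no executable code.
    fake_pe = bytearray(0x44)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x40)
    fake_pe[0x40:0x44] = b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/overlay.js", "// constructed sample script\n")
        zf.writestr("components/setup.exe", bytes(fake_pe))
        # Starts with 'MZ' but is too short to be a PE image: must not be flagged.
        zf.writestr("components/notes.txt", "MZ but not a PE image")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_xpi(build_sample_xpi())
    for key, values in result.items():
        print(f"{key}: {values}")
```

The report is the starting point for the deeper look Dave describes: every name under `pe_images` is a binary that warrants static analysis and a sandboxed install run, and a member that appears in `pe_images` but not in `native_by_extension` has been renamed to hide what it is.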
