lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46429df1.1f90448c.18b3.ffffb34e@mx.google.com>
Date: Thu, 10 May 2007 09:51:58 +0530
From: "Debasis Mohanty" <d3basis.m0hanty@...il.com>
To: "'Gadi Evron'" <ge@...uxbox.org>,
	"'Jim Harrison'" <Jim@...tools.org>
Cc: "'Int3'" <yashks@...il.com>, <bugtraq@...urityfocus.com>,
	<websecurity@...appsec.org>
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

Defeating on-screen (or so called virtual) keyboards by capturing 10 x 10
area around mouse click is known since 1997 and is used in the wild by
several *advance* keyloggers and malwares. One such demo video was available
here http://nicob.net/SSTIC05/Demo-SSTIC05.avi The link presently seems to
be down. 

One well known worm which used this technique before was W32/Dumaru family.
That was an attack against the e-Gold keypad. Similarly there are several
such malwares which is using this technique. I personally know many
Brazilian folks who have been using this technique against the banks out
there :) 


Like any other key logger the screen caputure mechanism is also not
fool-proof as a smart user can still trick it in recording wrong password.
For example if my password is - "s3curity"  

To trick the keylogger, the user can click in the following manner - 

567[clear all]3[backspace]s5[backspace]curity 

The above method can always trick the keylogger in recording wrong password
if it is not able to track the right changes and extract the exact password.


Nearly 2 years back I was intrigued to write such a PoC keylogger to capture
CitiBank virtual keyboard texts which can not be easily tricked unlike
ordinary keyloggers. All that it does is hooks into IE by making COM calls
and directly monitors the User/Password box. Hence there is no logging
before the form POST occurs. This saves a lot of diskspace and captures the
last password that was present in the password box before the FORM POST. 

You can get this POC here - 

Defeating Citi-Bank Virtual Keyboard Protection
http://hackingspirits.com/vuln-rnd/vuln-rnd.html


Also looking at your advisory draft and subject line I can smell you must
already have gone through my PoC before writing yours ;o)


Regards,
-d




-----Original Message-----
From: Gadi Evron [mailto:ge@...uxbox.org] 
Sent: Thursday, May 10, 2007 2:12 AM
To: Jim Harrison
Cc: Int3; bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot
method

On Wed, 9 May 2007, Jim Harrison wrote:
> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Even though I was the first to point out this is old news for the malware
scene in online/e fraud, I'd be the first to bow down before Int3 and say
"thank you for sharing your work with us". Many don't.

But your point above:
"without installing malware on the victim host"

Although true on some level, is bogus for the purpose of this work, as it
being written makes an automatic assumtion on working only after malware
is installed.

Although you are right, in practice this is already an heavily abused
technology, and.. 
'Getting malware on a system', who ever heard of such a ridiculous
idea? :)

	Gadi.

> 
> -----Original Message-----
> From: Int3 [mailto:yashks@...il.com] 
> Sent: Wednesday, May 09, 2007 11:14 AM
> To: Jim Harrison
> Cc: bugtraq@...urityfocus.com
> Subject: Re: Defeating Citibank Virtual Keyboard protection using
> screenshot method
> 
>  
> This is not malware, it will only help people to experiment and see the
> result without writing one for themself. 
>  
> Regards,
> Yash K.S
>  
> On 5/9/07, Jim Harrison <Jim@...tools.org> wrote: 
> 
> 	(copied here without permission)
> 	Step by Step Demo:
> 	
> 	- Download POC from http://tracingbug.com/downloads/citihook.zip
> <http://tracingbug.com/downloads/citihook.zip>  and
> 	unzip to some directory
> 	- Launch citihook.exe, this will watch only
> 	https://www.online.citibank.co.in/ URL
> 	
> 	Effectively, "Let me install my malware on your machine to
> demonstrate
> 	how vulnerable it is."
> 	
> 	P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> 	The "problem" ceases to be a vulnerability at this point. 
> 	
> 	-----Original Message-----
> 	From: yashks@...il.com [mailto:yashks@...il.com]
> 	Sent: Monday, May 07, 2007 3:03 AM
> 	To: bugtraq@...urityfocus.com <mailto:bugtraq@...urityfocus.com>
> 
> 	Subject: Defeating Citibank Virtual Keyboard protection using
> screenshot
> 	method
> 	
> 	Severity: Critical
> 	
> 	Platforms Affected:
> 	
> 	Microsoft Corporation: Windows 98 Any version 
> 	Microsoft Corporation: Windows Me Any version
> 	Microsoft Corporation: Windows XP Any version
> 	Microsoft Corporation: Windows 2000 Any version
> 	Microsoft Corporation: Windows 2003 Any version
> 	Microsoft Corporation: Windows NT 4.0 Any version
> 	Citi-Bank: Citi-Bank Virtual Keyboard Any version
> 	
> 	Browsers:
> 	Microsoft Internet Explorer Any version
> 	Mozilla FireFox Any version
> 	Any browser runs on Win32 platform ( With slight modification ) 
> 	
> 	Original URL :
> http://www.tracingbug.com/index.php/articles/view/23.html
> 	
> 	Regards,
> 	Yash K.S <yashks@...il.com > | www.tracingbug.com
> 	
> 	All mail to and from this domain is GFI-scanned.
> 	
> 	
> 
> 
> 
> All mail to and from this domain is GFI-scanned.
> 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ