Message-Id: <20101209193309.62C8F1B507A@smtp.hushmail.com>
Date: Thu, 09 Dec 2010 14:33:08 -0500
From: "Elazar Broad" <elazar@...hmail.com>
To: full-disclosure@...ts.grok.org.uk, gary@...ibault.net
Subject: Re: Firefox Addon: KeyScrambler

Just lightly scratching the surface, KeyScrambler.sys is signed by
GlobalSign, strings reveals nothing interesting other than OpenSSL
0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault <gary@...ibault.net> wrote:
>Call me paranoid, but that sure would be a good way to spread a key logger!
>
>Gary B
>
>
>On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>> Dave,
>>
>> That's ok. Glad to have helped out :)
>>
>> Cheers,
>> Chris.
>>
>>
>>
>> On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx@...pergander.org.uk
>> <mailto:mrx@...pergander.org.uk>> wrote:
>>
>> On 09/12/2010 10:26, Christian Sciberras wrote:
>> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>> >> environment and it is incompatible.
>> >> I may wait for an update to the plugin and analyse its behaviour,
>> >> providing my curiosity doesn't wane in the meantime.
>>
>> > Alternatively, you can just decompress the XPI (it's in fact a zip) and
>> > inspect the js files and/or decompress any binaries.
>> > I suppose they are distributing some form of driver, so you'd find
>> > IDA/ollydbg useful.
>>
>>
>>
>> > Chris.
>>
>>
>> I extracted the files (various .js files and an exe) from the xpi.
>> The .js files version check and create an instance of keyscrambler.sys
>> with the current firefox window passed to it as an argument.
>>
>> I also extracted the contents of the executable; setup.exe.
>> Setup.exe contained various dll's and one sys file. I presumed this
>> sys file; keyscrambler.sys, is the driver and main component of this
>> addon.
>> To confirm I monitored the running of setup.exe.
>>
>> My presumption was correct keyscrambler.sys is installed in system32
>> folder and is registered as an autostarting service, although it is hidden
>> from the services pane in computer management.
>>
>> This is where my "skills" bottom out. ASM is something I have not yet
>> got my head around.
>> I have a clue, but that's about all I do have... in time ;-)
>>
>> Thanks for your advice and input
>> regards
>> Dave
>>
>>
>> > On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx@...pergander.org.uk
>> > <mailto:mrx@...pergander.org.uk>> wrote:
>>
>> > On 08/12/2010 11:30, Tim Gurney wrote:
>> >>>> Hi
>> >>>>
>> >>>> This seems to contradict itself somewhat. A plugin to firefox should
>> >>>> have no way to encrypt things at a driver level within the kernel, that
>> >>>> would require installing separate software at the root level, a plugin
>> >>>> should not be able to do this and I would be VERY worried and surprised
>> >>>> if it could as it would mean bypassing the security of the OS.
>>
>> > I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3)
>> > environment and it is incompatible.
>> > I may wait for an update to the plugin and analyse its behaviour, providing
>> > my curiosity doesn't wane in the meantime.
>>
>> > I am not a professional, I do this kind of research as a hobby and for
>> > educational purposes, when I have some free time.
>>
>>
>> >>>> Also if the driver is encrypting the key strokes and the plugin is
>> >>>> decrypting, what about all the keystrokes that are not in firefox, like
>> >>>> email, word processing, programming, there is nothing to decrypt these
>> >>>> so you would end up only ever being able to use firefox on the machine
>> >>>> and nothing else ever again.
>>
>> > The devs do state that it only encrypts keystrokes in Firefox and not other
>> > applications, although they do sell a version that supposedly works
>> > "in over 160 browsers and applications".
>> >>>>
>> >>>> personally I would not touch this with a barge pole and I would do a lot
>> >>>> more digging and checking into this.
>>
>> > Yes, I am sceptical of claims, hence the post to this list.
>>
>>
>>
>> >>>> regards
>> >>>>
>> >>>> Tim
>>
>>
>> > Thanks for your input
>> > Dave.
>>
>>
>> >>>>
>> >>>> On 08/12/10 11:12, mrx wrote:
>> >>>>> Hi list,
>> >>>>
>> >>>>> Is anyone familiar with the firefox addon KeyScrambler? According to
>> >>>>> developers this encrypts keystrokes.
>> >>>>
>> >>>>> Quote:
>> >>>>> "How KeyScrambler Works:
>> >>>>> When you type on your keyboard, the keys travel along a path within the
>> >>>>> operating system before it arrives at your browser. Keyloggers plant
>> >>>>> themselves along this path and observe and record your keystrokes. The
>> >>>>> collected information is then sent to the criminals who will use it to
>> >>>>> steal from you.
>> >>>>
>> >>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the
>> >>>>> keyboard driver level, deep within the operating system. When the
>> >>>>> encrypted keystrokes reach your browser, KeyScrambler then decrypts them
>> >>>>> so you see exactly the keys you've typed. Keyloggers can only record the
>> >>>>> encrypted keys, which are completely indecipherable."
>> >>>>
>> >>>>> Can this be trusted? As in trusted I mean not bypassed.
>> >>>>
>> >>>>> Input from the professionals on this list would be much appreciated.
>> >>>>
>> >>>>> Thank you
>> >>>>> regards
>> >>>>> Dave
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Full-Disclosure - We believe in it.
>> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
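
The first-pass triage the thread describes (treat the XPI as a zip, find the bundled binaries, run a strings pass for library banners such as the OpenSSL version), as an added example that is not code posted by anyone in the thread. The archive layout, file names and function names are constructed for illustration; nothing here is the real add-on.

```python
import hashlib
import io
import re
import zipfile

MAX_MEMBER = 50 * 1024 * 1024               # do not inflate oversized members
STRINGS = re.compile(rb"[\x20-\x7e]{6,}")   # runs of 6+ printable ASCII bytes
OPENSSL = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]*")  # version banner

def triage_xpi(data: bytes) -> list[dict]:
    """Inventory an XPI (a zip) in memory; nothing is written to disk or run."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:
                report.append({"name": info.filename, "skipped": "too large"})
                continue
            blob = xpi.read(info)
            is_pe = blob[:2] == b"MZ"       # DOS/PE header: exe, dll or sys
            report.append({
                "name": info.filename,
                "sha256": hashlib.sha256(blob).hexdigest(),
                "pe": is_pe,
                "strings": len(STRINGS.findall(blob)) if is_pe else 0,
                "openssl": sorted({m.decode() for m in OPENSSL.findall(blob)}),
            })
    return report

def build_sample_xpi() -> bytes:
    """Constructed sample with the layout the thread describes (.js plus an exe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("chrome/content/overlay.js", "// constructed placeholder\n")
        fake_pe = b"MZ\x90\x00" + b"\x00" * 32 + b"OpenSSL 0.9.8a\x00" + b"\x01" * 8
        z.writestr("setup.exe", fake_pe)
    return buf.getvalue()

if __name__ == "__main__":
    for row in triage_xpi(build_sample_xpi()):
        print(row)
```

A strings pass only sees data stored uncompressed, so an installer that packs its DLLs and driver has to be unpacked before the inner files can be checked the same way.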
