[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTi=+DksP8dY9nVVVYgUJyswH9inZ8xL15Dvq_aj1@mail.gmail.com>
Date: Thu, 9 Dec 2010 13:25:25 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: mrx <mrx@...pergander.org.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox Addon: KeyScrambler
Dave,
That's ok. Glad to have helped out :)
Cheers,
Chris.
On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx@...pergander.org.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/12/2010 10:26, Christian Sciberras wrote:
> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> >> I may wait for an update to the plugin and analyse its behaviour,
> > providing my curiosity doesn't wane in the meantime.
> >
> > Alternatively, you can just decompress the XPI (it's in fact a zip) and
> > inspect the js files and/or decompress any binaries.
> > I suppose they are distributing some form of driver, so you'd find
> > IDA/ollydbg useful.
> >
> >
> >
> > Chris.
> >
>
> I extracted the files (various .js files and an exe) from the xpi.
> The .js files version check and create an instance of keyscrambler.sys with
> the current firefox window passed to it as an argument.
>
> I also extracted the contents of the executable; setup.exe.
> Setup.exe contained various dll's and one sys file. I presumed this sys
> file; keyscrambler.sys, is the driver and main component of this addon.
> To confirm I monitored the running of setup.exe.
>
> My preumption was correct keyscrambler.sys is installed in system32 folder
> and is registered as an autostarting service, although it is hidden
> from the services pane in computer management.
>
> This is where my "skills" bottom out. ASM is something I have not yet got
> my head around.
> I have a clue, but that's about all I do have... in time ;-)
>
> Thanks for your advice and input
> regards
> Dave
>
> >
> > On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx@...pergander.org.uk> wrote:
> >
> > On 08/12/2010 11:30, Tim Gurney wrote:
> >>>> Hi
> >>>>
> >>>> This seems to contradict itself somewhat. A plugin to firefox should
> >>>> have no way to encrypt things at a driver level within the kernel,
> that
> >>>> would require installing seperate software at the root level, a plugin
> >>>> should not be able to do this and i would be VERY worried and
> surprised
> >>>> if it could as it would mean bypassing the security of the OS.
> >
> > I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> > I may wait for an update to the plugin and analyse its behaviour,
> providing
> > my curiosity doesn't wane in the meantime.
> >
> > I am not a professional, I do this kind of research as a hobby and for
> > educational purposes, when I have some free time.
> >
> >
> >>>> Also if the driver is encrypting the key strokes and the plugin is
> >>>> decrypting, what about all the keystrokes that are not in firefox,
> like
> >>>> email, word processing, programming, there is nothing to decrypt these
> >>>> so you would end up only ever being able to use firefox on the machine
> >>>> and nothing else every again.
> >
> > The devs do state that it only encrypts keystrokes in Firefox and not
> other
> > applications, although they do sell a version that supposedly works
> > "in over 160 browsers and applications".
> >>>>
> >>>> personally I would not touch this with a barge pole and I would do a
> lot
> >>>> more more digging and checking into this.
> >
> > Yes, I am sceptical of claims, hence the post to this list.
> >
> >
> >
> >>>> regards
> >>>>
> >>>> Tim
> >
> >
> > Thanks for your input
> > Dave.
> >
> >
> >>>>
> >>>> On 08/12/10 11:12, mrx wrote:
> >>>>> Hi list,
> >>>>
> >>>>> Is anyone familiar with the firefox addon KeyScrambler? According to
> > developers this encrypts keystrokes.
> >>>>
> >>>>> Quote:
> >>>>> "How KeyScrambler Works:
> >>>>> When you type on your keyboard, the keys travel along a path within
> the
> > operating system before it arrives at your browser. Keyloggers plant
> >>>>> themselves along this path and observe and record your keystrokes.
> The
> > collected information is then sent to the criminals who will use it to
> >>>>> steal from you.
> >>>>
> >>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the
> > keyboard driver level, deep within the operating system. When the
> encrypted
> >>>>> keystrokes reach your browser, KeyScrambler then decrypts them so you
> > see exactly the keys you've typed. Keyloggers can only record the
> >>>>> encrypted keys, which are completely indecipherable."
> >>>>
> >>>>> Can this be trusted? As in trusted I mean not bypassed.
> >>>>
> >>>>> Input from the professionals on this list would be much appreciated.
> >>>>
> >>>>> Thank you
> >>>>> regards
> >>>>> Dave
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Full-Disclosure - We believe in it.
> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>> Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> >>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> >>
>
> - --
> Mankind's systems are white sticks tapping walls.
> Thanks Roy
> http://www.propergander.org.uk
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQEVAwUBTQDGZrIvn8UFHWSmAQKuQgf/anyexT49oGKy7rvr0orBtSnPSAyhIoh9
> tF0kwb6odcmF7WXW1NHi54ztuTwg7Ue0iJ4FNYSYedAhstJQuQRC6A6En76+xRe9
> b5psFqongyeqnvA+nUAuO/TagxlA8fiAZSu8VNr1yOx3y0030jrOnUgDdwmOcMIV
> lefxk87YV9PKRFlgts7FVN4aqlEFsyQfYgyq7Z5NhBcAO6BnvAtbSro3rCZIhYt4
> kWi4UdjpszqI+uYJFWv4r/ZwOVjXEZzFbqJUU4qcN24q8X0GyFXxs/4I0evBwMyI
> tYZ4gpCJ9ocYI+A11fRpeX1z3k0xnh/HguvsNae5nLLjrDUE6cws/Q==
> =7GDE
> -----END PGP SIGNATURE-----
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists