Date: Thu, 09 Dec 2010 09:26:49 -0500
From: Gary Baribault <gary@...ibault.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox Addon: KeyScrambler

Call me paranoid, but that sure would be a good way to spread a key logger!

Gary B


On 12/09/2010 07:25 AM, Christian Sciberras wrote:
> Dave,
>
> That's ok. Glad to have helped out :)
>
> Cheers,
> Chris.
>
>
>
> On Thu, Dec 9, 2010 at 1:07 PM, mrx <mrx@...pergander.org.uk
<mailto:mrx@...pergander.org.uk>> wrote:
>
> On 09/12/2010 10:26, Christian Sciberras wrote:
> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> >> I may wait for an update to the plugin and analyse its behaviour,
> > providing my curiosity doesn't wane in the meantime.
>
> > Alternatively, you can just decompress the XPI (it's in fact a zip) and
> > inspect the js files and/or decompress any binaries.
> > I suppose they are distributing some form of driver, so you'd find
> > IDA/ollydbg useful.
>
>
>
> > Chris.
>
>
> I extracted the files (various .js files and an exe) from the xpi.
> The .js files version check and create an instance of keyscrambler.sys
> with the current firefox window passed to it as an argument.
>
> I also extracted the contents of the executable; setup.exe.
> Setup.exe contained various dll's and one sys file. I presumed this
> sys file; keyscrambler.sys, is the driver and main component of this
> addon.
> To confirm I monitored the running of setup.exe.
>
> My presumption was correct: keyscrambler.sys is installed in system32
> folder and is registered as an autostarting service, although it is hidden
> from the services pane in computer management.
>
> This is where my "skills" bottom out. ASM is something I have not yet
> got my head around.
> I have a clue, but that's about all I do have... in time ;-)
>
> Thanks for your advice and input
> regards
> Dave
>
>
> > On Thu, Dec 9, 2010 at 11:23 AM, mrx <mrx@...pergander.org.uk
> <mailto:mrx@...pergander.org.uk>> wrote:
>
> > On 08/12/2010 11:30, Tim Gurney wrote:
> >>>> Hi
> >>>>
> >>>> This seems to contradict itself somewhat. A plugin to firefox should
> >>>> have no way to encrypt things at a driver level within the
> kernel, that
> >>>> would require installing separate software at the root level, a
> plugin
> >>>> should not be able to do this and I would be VERY worried and
> surprised
> >>>> if it could as it would mean bypassing the security of the OS.
>
> > I tried installing this plugin to Firefox 3.6.12 in a virtualbox
> XP32(SP3)
> > environment and it is incompatible.
> > I may wait for an update to the plugin and analyse its behaviour,
> providing
> > my curiosity doesn't wane in the meantime.
>
> > I am not a professional, I do this kind of research as a hobby and for
> > educational purposes, when I have some free time.
>
>
> >>>> Also if the driver is encrypting the key strokes and the plugin is
> >>>> decrypting, what about all the keystrokes that are not in
> firefox, like
> >>>> email, word processing, programming, there is nothing to decrypt
> these
> >>>> so you would end up only ever being able to use firefox on the
> machine
> >>>> and nothing else ever again.
>
> > The devs do state that it only encrypts keystrokes in Firefox and
> not other
> > applications, although they do sell a version that supposedly works
> > "in over 160 browsers and applications".
> >>>>
> >>>> personally I would not touch this with a barge pole and I would
> do a lot
> >>>> more digging and checking into this.
>
> > Yes, I am sceptical of claims, hence the post to this list.
>
>
>
> >>>> regards
> >>>>
> >>>> Tim
>
>
> > Thanks for your input
> > Dave.
>
>
> >>>>
> >>>> On 08/12/10 11:12, mrx wrote:
> >>>>> Hi list,
> >>>>
> >>>>> Is anyone familiar with the firefox addon KeyScrambler? According to
> > developers this encrypts keystrokes.
> >>>>
> >>>>> Quote:
> >>>>> "How KeyScrambler Works:
> >>>>> When you type on your keyboard, the keys travel along a path
> within the
> > operating system before it arrives at your browser. Keyloggers plant
> >>>>> themselves along this path and observe and record your
> keystrokes. The
> > collected information is then sent to the criminals who will use it to
> >>>>> steal from you.
> >>>>
> >>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the
> > keyboard driver level, deep within the operating system. When the
> encrypted
> >>>>> keystrokes reach your browser, KeyScrambler then decrypts them
> so you
> > see exactly the keys you've typed. Keyloggers can only record the
> >>>>> encrypted keys, which are completely indecipherable."
> >>>>
> >>>>> Can this be trusted? As in trusted I mean not bypassed.
> >>>>
> >>>>> Input from the professionals on this list would be much appreciated.
> >>>>
> >>>>> Thank you
> >>>>> regards
> >>>>> Dave
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Full-Disclosure - We believe in it.
> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>
>




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
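
The inspection step discussed in the thread (an XPI is a zip archive, so its members can be listed and any bundled binaries identified before anything is installed), as an added example that is not part of the original messages. It reads the PE header of each member to tell ordinary executables from native (driver) images; the sample archive and its file names are constructed for illustration, and only the top level of the archive is examined, so an installer such as setup.exe still needs its own unpacking.

```python
import hashlib
import io
import struct
import zipfile

SUBSYSTEMS = {1: "native (driver)", 2: "Windows GUI", 3: "Windows console"}

def pe_subsystem(data):
    """Return the PE subsystem name, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + COFF header (20), then Subsystem at optional-header offset 68
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24 + 70:
        return None
    (subsys,) = struct.unpack_from("<H", data, pe_off + 24 + 68)
    return SUBSYSTEMS.get(subsys, "other (%d)" % subsys)

def triage_xpi(xpi_bytes):
    """Return (name, kind, sha256) for every file in the archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            data = xpi.read(info)
            subsys = pe_subsystem(data)
            is_js = info.filename.lower().endswith((".js", ".jsm"))
            kind = "PE image, " + subsys if subsys else "script" if is_js else "other"
            report.append((info.filename, kind, hashlib.sha256(data).hexdigest()))
    return report

def fake_pe(subsystem):
    """Constructed sample: header-only PE stub with the given subsystem."""
    stub = bytearray(0x40 + 24 + 70)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)       # e_lfanew -> PE header
    stub[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", stub, 0x40 + 24 + 68, subsystem)
    return bytes(stub)

def build_sample_xpi():
    """Constructed sample archive; member names are illustrative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", "// version check")
        z.writestr("setup.exe", fake_pe(2))
        z.writestr("driver.sys", fake_pe(1))
    return buf.getvalue()
```

Calling `triage_xpi()` on the bytes of a real .xpi file gives the same report; a member reported as a native image is a kernel-mode component and is the one to hand to a disassembler.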
