Anti-Keylogger Myths Over the last few years, several technologies have been suggested in order to strengthen or replace the traditional password input field, as a result of its vulnerability to keyloggers. This whitepaper surveys the myths of anti-leylogger technologies, and pinpoints material flaws in each such technology. 2007© All Rights Reserved. Trusteer makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Trusteer. While every precaution has been taken in the preparation of this publication, Trusteer assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. Anti-keylogger myths Table of Contents Introduction....................................................................................................3 1. Virtual Keyboard/keypad/PIN-pad ...........................................................3 2. Graphical Passwords ...............................................................................4 3. Password Managers.................................................................................5 4. Keystroke Dynamics ................................................................................6 5. One Time Passwords ...............................................................................7 6. Keystroke Encryption ..............................................................................8 Summary ........................................................................................................8 2 Anti-keylogger myths Introduction The Anti Phishing Working Group, a global pan-industrial and law enforcement association, defines keyloggers as “crimeware code which is designed with the intent of collecting information on the end-user in order to steal those users' credentials.” According to the Anti Phishing Working Group there are between 200 and 300 new unique variants of keyloggers each month. The SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last year, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24 billion in bank account assets — and probably much more — literally at the fingertips of fraudsters. According to the Anti Phishing Working Group, there were 3,353 unique websites hosting keyloggers in May 2007. It is of no wonder then that many technologies were suggested as an effort to overcome keyloggers. Most of them involve changing the way consumers sign into web applications and usually avoiding keystrokes altogether. However, the technology used by keyloggers is not limited to tapping the keyboard and can be easily adapted to evade various anti-keylogger techniques. Thus, most anti- keylogger technologies can be easily defeated using slightly more advanced keyloggers. This paper reviews the common anti-keylogger technologies and determines whether their claims are myth or reality; Or in other words, how easy it is for fraudsters to bypass each technology. 1. Virtual Keyboard/keypad/PIN-pad Stop Keyloggers Myth or Reality: Myth The most wide-spread measure against keyloggers is replacing the physical keyboard with a virtual keyboard (a.k.a. keypad or pinpad). The virtual keyboard is drawn on the screen and instead of keystrokes, the user points at the visual key with the mouse and clicks the mouse. There are several variations to this scheme, including replacing the mouse-click with “hovering” (meaning, the user is supposed to leave the cursor over the key for several seconds instead of clicking the mouse), randomly changing the key positions and keyboard layout, etc. Virtual Keyboard Example 1 1 Screenshot of the Microsoft Windows On-Screen Keyboard 3 Anti-keylogger myths Virtual keyboards are very easily bypassed using screen capturing. Instead of capturing keystrokes, the attacker captures the vicinity of the mouse pointer, each time the mouse is clicked. This provides the attacker with the image of the key the user clicked. If the designation method is hovering (for few seconds), the malware can detect lack of mouse motion, and record the mouse pointer’s surrounding. This counter attack against virtual keypads is in fact already found in the wild: • http://www.hispasec.com/laboratorio/cajamurcia_en.swf (video demonstrating a trojan attack against Caja Murica bank of Spain) • http://www.tracingbug.com/index.php/articles/view/23.html (demo of an attack against Citi Bank India) 2. Graphical Passwords Stop Keyloggers Myth or Reality: Myth Another method that obviates password typing is “graphical passwords” (or Graphical User Authentication – GUA). This is a name for a family of solutions, whose common theme is a password whose representation is graphical. The user is then required to identify the password (or parts thereof) in graphics provided by the server as a “challenge”. This challenge changes with each login attempt. In most practical solutions the user is required to identify a part of the password (an object) inside a set of graphical objects (one correct and many decoys). Choosing the correct object is typically done by clicking over it with the mouse. Example screenshot 2 requiring the user to choose the password picture 2 From “Picture Password: A Visual Login Technique for Mobile Devices” (NIST publication NISTIR 7030) by Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers and Ryan Swanstrom, July 2003 http://csrc.nist.gov/publications/nistir/nistir-7030.pdf 4 Anti-keylogger myths Security-wise, this is conceptually identical to the virtual keyboard. Here too, a combination of mouse-click detection with mouse pointer proximity screen recorder can easily uncover the graphical password. 3. Password Managers Stop Keyloggers Myth or Reality: Myth Another way to avoid actual password typing is the use of a “password manager” or “password vault” software. Instead of typing the password into a form, the password manager automatically fills in the form with the correct password. The password manager stores the user’s password in a vault to keep fraudsters from accessing stored passwords. Password managers can be easily bypassed using keyloggers that reside inside the browser. While inside the browser the keylogger can see the password immediately after the password manager enters it into the login form. Keyloggers that reside inside the browser are also known as man-in-the-browser malware or malicious browser plug-ins. Browser plug-ins are very popular, both for legitimate uses (e.g. Google’s toolbar) and consequently, for non-legitimate uses (spyware and malware), piggybacking on the extensibility of the browser and the popularity of plug-ins. The browser plug-in technology grants the plug-in a lot of privileges, such as full access to the DOM (which is the internal representation of the page currently displayed), and subscription to browser events (such as “navigation”, “page load” and “form submission”). This makes it very easy for a malicious plug-in to get hold of the credentials. A malicious plug-in can access the credentials in the DOM, where they are injected by the password manager. Or, a malicious plug-in can wait for the submit event and capture the credentials during submission. Examples: • “Spy-Agent.ba” (McAfee malware description page) http://vil.nai.com/vil/content/v_139621.htm • (unnamed document) by Tom Liston, see bottom of page 4 to top of page 6. http://isc.sans.org/presentations/banking_malware.pdf Additionally, unless implemented very carefully and with security as its #1 goal, a password manager can turn out to be a security vulnerability in itself. This is due to the complexity of correctly identifying which form qualifies to be automatically populated. A phisher can exploit a flaw in the decision algorithm and present a form that will be automatically populated. The phisher can also include a Javascript code in that page that, once the form is (automatically) populated, reads the credentials and sends them to the phisher. The user in such case is kept out of the loop and the attack occurs automatically. Another concern with password vaults is the vault’s strength. If it can be easily broken, attackers would gain immediate access to all the passwords inside the vault. Examples for such flaws: • “Firefox vulnerable to Password Manager flaw”, Tom Espiner (ZDNet UK), November 22 nd , 2006 http://news.zdnet.co.uk/security/0,1000000189,39284818,00.htm 5 Anti-keylogger myths • A two part article titled “Password Management Concerns with IE and Firefox” in SecurityFocus (by Mikhael Felker, December 11 th , 2006) discusses several classes of flaws in password managers: http://www.securityfocus.com/infocus/1882 http://www.securityfocus.com/infocus/1883 4. Keystroke Dynamics Stop Keyloggers Myth or Reality: Myth Keystroke dynamics looks at the way a person types on a keyboard. Specifically, keyboard dynamics measures two distinct variables: "dwell time" which is the amount of time you hold down a particular key and "flight time" which is the amount of time it takes a person to move between keys. Research (http://avirubin.com/fgcs.pdf