After writing the previous story about keyloggers (free keylogger protection), another experiment was conducted; its results must be taken into account, since they make the previous conclusions complete, allowing you to see the real big picture.
Not every on-screen keyboard will protect you from keyloggers; the one that comes with Windows (osk.exe) is definitely not one of them.
Windows manages applications by sending them messages - codes that are interpreted by each program in their own way. There are different types of messages, for instance "minimize window", "close window", and so on. Among these messages, you can find keyboard-related ones, such as "a key was pressed", "a key was released". Whenever a key on the keyboard is pressed, Windows will notify the running programs about it, afterwards each program uses this information as it deems appropriate.
The on-screen keyboard works by 'artificially' sending these messages, i.e. the "key was pressed" event is not triggered by the keyboard, it is simulated instead. All the applications receive the same messages, without realizing that they are of a different origin - that's why the on-screen keyboard can be used without the risk of 'breaking' another program's functionality.
So far it is clear that the on-screen keyboard works just like the real one, meaning that the keylogging mechanisms that worked with real keyboards, will also work with the virtual ones.
Programming stuff - you can skip this paragraph
In order to catch all the key-presses, you should set up a system-wide hook, that watches WM_KEYDOWN and WM_SYSKEYDOWN messages. This way your program will be notified when normal, as well special (Ctrl, Alt, etc) buttons are pressed.
Conclusion: the standard on-screen keyboard will not offer you the protection you need. If you are forced to use a workstation you cannot trust, see the "Mouse::highlight & overwrite + arrow keys" technique.
Another important detail that must be mentioned - a virtual machine will not protect you either.
In the recent past, VMWare released a free tool called VMWare Player, which can be used with preset images of systems that are known to be 100% safe. What happens is that you do your web-surfing (and other activities you wish to keep private) in an isolated machine, that cannot be affected by external threats.
This approach is known as sandboxing - everything happens within a sandbox, nothing can get out of it, thus even if something goes terribly wrong in the sandbox, it will not have an impact on the external medium. This works the other way around too - what happens outside will not influence the processes that exist inside.
Since the virtual machine is known to be 100% safe - there is no spyware on it, no keyloggers, no viruses and so on; but what if the host system on which the virtual OS is running is infested with malicious tools?
Well, it turns out that a keylogger that runs on the host OS will succeed in catching all the key-press messages before these are sent to VMWare, meaning that a password you type in the sandbox is actually typed outside of it, and then sent 'inside', thus you are not safe.
What are the conclusions that have to be drawn?
It's been a while since I interacted with a keylogger last time. Many years ago, I used a tool called HookDump to log all the keystrokes. It turned out to be a very efficient solution against frequent power surges. If there were problems with the power grid (this was a common phenomenon those days), I didn't lose anything, because the logs had it all. Another use of the program was "logging where there is no logging": I like to keep records of everything I do, whether it is instant messaging, or email, etc. If an application I use does not support logging - a keylogger is an elegant solution. A keylogger also helped me to retrieve several passwords I forgot, which was pretty cool. (Ok ok, I admit that a couple of friends checked their email on my computer, so I accidentally had their passwords too, but I never used them, really) :-)
But those days are long since gone.
This is what made keyloggers obsolete.
"Hold on buddy!" is the first thing that comes to your mind, isn't it so? And you're right!
Today keyloggers turned into a real problem. Sure, I found a peaceful use for such tools, but nowadays, they are much more popular among people with negative intentions, creating tens of thousands of victims all over the planet. This is why keyloggers can be extremely dangerous. Unlike phishing scams, keyloggers operate at a lower level, allowing the attacker to gather all your passwords and private details, not only those that you fill into the forms of a fake site. Because of that, each of us has to make sure that:
The purpose of this story is to teach you how to achieve the previously stated objectives with your bare hands (i.e. without paying for expensive software that is supposed to do the dirty work for you).
Using the on screen keyboard
This is probably the easiest thing to do. Many people request a security-related application to have a built-in virtual keyboard to allow them to input passwords without using the keyboard. Only few people know that such an utility comes with Windows, OSK - On-screen keyboard.
It can be launched in an easy way:
Ta-da! If you've done things right, then this window will appear on the screen.
You can use your mouse to click on buttons, and the keystrokes will be reflected in the currently active application. Note that the on screen keyboard will not steal the focus of the current application, in other words, when you press a virtual key, the keystroke will be directed to the window you expect it to. Just give it a try and see how it works.
Another use for the on screen keyboard - it's an easy way to find out which special characters are available in the current keyboard layout, and which buttons you need to press in order to type those characters. Have you ever wondered how to print an umlaut using a standard keyboard? The same applies to French specific letters, Romanian ones, and so on.
The pros of using the on screen keyboard:
The cons of using the on screen keyboard:
What makes a smart keylogger? Well, some of them have an option which writes the final content of the window to the log file. In other words, if a web-page has 5 fields, you fill them in (the keystrokes are logged, or logged not if you use the on screen keyboard), but as soon as you press the Submit button, the text in all those fields will be logged. This makes things a bit more complicated for the attacker, as he or she will have a lot of redundant data in the log. But hey, wouldn't you take your time to carefully read a 100 page log if you knew that somewhere in it is a key that will bring you a fortune?
Which is why we move on to the second method of "bare hands anti keylogging".
Mouse::highlight & overwrite + arrow keys
This method is pretty efficient, being able to trick simple and advanced keyloggers, it will also exert a greater psychological pressure on the attacker, getting him her frustrated very fast.
Here's how it works (click on the screenshot to watch the actual demo, it will open in a new window):
In the first line you see the real password, in the second line is the field in which the password is typed; the yellow tooltip will illustrate the current contents of the log.
As you can see, the keylogger will write a lot of characters to the log, even though those characters are not a part of the real password. Of course, the attacker cannot find out which characters are needed and which ones are redundant.
The pros of using the this kind of keylogger protection:
The cons of using the this kind of keylogger protection:
What makes a smart keylogger? As in the previous case, the keylogger might store the final contents of the field in a separate location, rendering all the wizardry useless. But this is still good news for you, because the logs will contain information which contradicts itself, thus the evil person will have to personally try each possible option. Of course, we live in the real world, where people are too lazy to do something. This tiny detail will always work for you. Keep in mind the fact that the attacker probably needs to read a tonn of other material in search of passwords and other private details; if there is a minor barrier, the person will switch to a different task (which appears to be easier).
Here is a small story that fits into the context:
Two tourists were spending their time in the wild, they noticed that a lion (that looked very hungry) was coming their way. One of the tourists quickly went to the car, found his sneakers and put them on.
Tourist#1: Why do you do that? The lion is still faster.
Tourist#2: I don't have to be faster than the lion, I only have to be faster than you!
In other words, there are millions of Internet users who are much easier targets than you are ;-)
Back to smart keyloggers. Some of them have the option to store data about the special keys that were pressed, such as Backspace, the Arrow keys, Delete, etc.
In the previous example, we used shift+arrows to select a part of the text and then overwrite it. A smart keylogger will record the following text to the log:
If you take into account the notations, you can backtrace all the keypresses and obtain the actual text, which is
Certainly, 'yankey' looks pretty different from 'anti@@keylogger#y!@@@@@@'. One cannot obtain the real password just by looking at the log. Besides, the more complex your wizardry was, the greater is the chance that the attacker will do the reverse engineering incorrectly, obtaining a password such as 'antiyankey' or 'antikeylogger' :-)
The good news is that most attackers will choose not to record the special keys, because that would make the log grow much faster, making it more difficult to read. Just imagine how much redundant data a log will contain if a keylogger will write all the copy/paste operations! What about the zillions of key-presses on Ctrl, Shift and Alt in 3D-shooters...
The final trick is to use the mouse. In the previous example, '@@' means 'Backspace was pressed twice'. But what if you selected that part of the text with the mouse and typed over the highlighted text? The keylogger will not be able to reflect that action, making reverse engineering impossible. The only way to handle that is to write the coordinates of the mouse-pointer to the log whenever it moves, but even this will be useless, because screens have different resolutions, people use mouse pointers of different sizes, different applications use different fonts, etc. Finally, the attacker will need to manually read and reverse engineer (i.e. try to obtain the correct password by undoing your operations) a log that will grow to several hundred megabytes in a few hours - now that's a lot of fun! What else... How can such a log be sent via Internet without drawing a lot of attention? Your browsing speed will decrease, which will certainly make you take a look at the firewall and see what's going on.
Avoid keyloggers in the first place
This is the best solution.
The above list is incomplete, but these guidelines (if respected carefully) will certainly make you one of the fastest tourists on the Internet ;-)
^ I do that every day :-)
2g 3g authentication beta biometry «blue screen» branding bsod business driver email encryption «file system» fingerprint forensics form-filling gsm howto internet keeper keylogger linux logon mapping mobile password «password carrier» portability privacy «private disk» reader release security seven sim «sim card» «sim manager» «sim reader» «smart card» software tips token troubleshooting usb usim vista winamp windows wiping xp