Tags: keylogger

Another story about keyloggers, virtual keyboards and virtual machines

After writing the previous story about keyloggers (free keylogger protection), another experiment was conducted; its results must be taken into account, since they make the previous conclusions complete, allowing you to see the real big picture.

Not every on-screen keyboard will protect you from keyloggers; the one that comes with Windows (osk.exe) is definitely not one of them.

Windows manages applications by sending them messages - codes that each program interprets in its own way. There are different types of messages, for instance "minimize window", "close window", and so on. Among these messages you can find keyboard-related ones, such as "a key was pressed" and "a key was released". Whenever a key on the keyboard is pressed, Windows notifies the running programs about it, after which each program uses this information as it deems appropriate.

The on-screen keyboard works by 'artificially' sending these messages, i.e. the "key was pressed" event is not triggered by the keyboard, it is simulated instead. All the applications receive the same messages, without realizing that they are of a different origin - that's why the on-screen keyboard can be used without the risk of 'breaking' another program's functionality.

So far it is clear that the on-screen keyboard works just like the real one, meaning that the keylogging mechanisms that work with real keyboards will also work with the virtual ones.

Programming stuff - you can skip this paragraph

In order to catch all the key-presses, you would set up a system-wide hook that watches WM_KEYDOWN and WM_SYSKEYDOWN messages. This way the program is notified when normal as well as special (Ctrl, Alt, etc) buttons are pressed.

Conclusion: the standard on-screen keyboard will not offer you the protection you need. If you are forced to use a workstation you cannot trust, see the "Mouse::highlight & overwrite + arrow keys" technique.

Another important detail that must be mentioned - a virtual machine will not protect you either.

In the recent past, VMWare released a free tool called VMWare Player, which can be used with preset images of systems that are known to be 100% safe. What happens is that you do your web-surfing (and other activities you wish to keep private) in an isolated machine, that cannot be affected by external threats.

This approach is known as sandboxing - everything happens within a sandbox, nothing can get out of it, thus even if something goes terribly wrong in the sandbox, it will not have an impact on the external medium. This works the other way around too - what happens outside will not influence the processes that exist inside.

The virtual machine is known to be 100% safe: there is no spyware on it, no keyloggers, no viruses and so on. But what if the host system on which the virtual OS is running is infested with malicious tools?

Well, it turns out that a keylogger that runs on the host OS will succeed in catching all the key-press messages before these are sent to VMWare, meaning that a password you type in the sandbox is actually typed outside of it, and then sent 'inside', thus you are not safe.

What are the conclusions that have to be drawn?

  • A computer that does not belong to you may not be considered 100% safe;
  • You cannot entirely protect yourself when you use such a computer, because standard tools (such as the on-screen keyboard) do not offer the protection you expect;
  • One way to minimize the chance of getting exposed is to use the "Mouse::highlight & overwrite + arrow keys" technique. "If you can't beat 'em, at least confuse 'em to death" :-)
  • VMWare will not protect you from keyloggers either.

Free keylogger protection?

It's been a while since I interacted with a keylogger last time. Many years ago, I used a tool called HookDump to log all the keystrokes. It turned out to be a very efficient solution against frequent power surges. If there were problems with the power grid (this was a common phenomenon those days), I didn't lose anything, because the logs had it all. Another use of the program was "logging where there is no logging": I like to keep records of everything I do, whether it is instant messaging, or email, etc. If an application I use does not support logging - a keylogger is an elegant solution. A keylogger also helped me to retrieve several passwords I forgot, which was pretty cool. (Ok ok, I admit that a couple of friends checked their email on my computer, so I accidentally had their passwords too, but I never used them, really) :-)

But those days are long since gone.

  • The state economy is better, there is no energy crisis, the chance to get into power trouble is minimal;
  • I recently switched to a laptop anyway, so power problems are 100% out of the question;
  • All the applications I use support a history mode, which dumps all the activity to a plain-text log file;
  • There are great password management tools that solve the "forgotten password" type of problems;

This is what made keyloggers obsolete.

"Hold on buddy!" is the first thing that comes to your mind, isn't it so? And you're right!

Today keyloggers have turned into a real problem. Sure, I found a peaceful use for such tools, but nowadays they are much more popular among people with negative intentions, creating tens of thousands of victims all over the planet. This is why keyloggers can be extremely dangerous. Unlike phishing scams, keyloggers operate at a lower level, allowing the attacker to gather all your passwords and private details, not only those that you fill into the forms of a fake site. Because of that, each of us has to make sure that:

  • Their computer is 100% keylogger-free;
  • The chance of identity theft is minimized (or null);
  • Or at least make sure that the attacker will have to spend a hell of a lot of time to actually find your password (in case you had to use a public computer);

The purpose of this story is to teach you how to achieve the previously stated objectives with your bare hands (i.e. without paying for expensive software that is supposed to do the dirty work for you).

Using the on screen keyboard

This is probably the easiest thing to do. Many people request that a security-related application have a built-in virtual keyboard to allow them to input passwords without using the keyboard. Only a few people know that such a utility comes with Windows: OSK, the On-Screen Keyboard.

It can be launched in an easy way:

  1. Press Start\Run;
  2. Type osk;
  3. Press Enter;

Ta-da! If you've done things right, then this window will appear on the screen.

On screen keyboard, a good anti keylogger measure

You can use your mouse to click on buttons, and the keystrokes will be reflected in the currently active application. Note that the on screen keyboard will not steal the focus of the current application, in other words, when you press a virtual key, the keystroke will be directed to the window you expect it to. Just give it a try and see how it works.

Another use for the on screen keyboard - it's an easy way to find out which special characters are available in the current keyboard layout, and which buttons you need to press in order to type those characters. Have you ever wondered how to print an umlaut using a standard keyboard? The same applies to French specific letters, Romanian ones, and so on.

The pros of using the on screen keyboard:

  • Simple keyloggers are fooled;
  • Can be used for typing passwords with non-standard characters in them;
  • Can be used for typing passwords in a foreign language (have you tried to type in Russian on a keyboard that only has English labels on the buttons^?);
  • You can impress your friends;

The cons of using the on screen keyboard:

  • Mouse-clicking is usually slower than actual typing, so somebody who stands by you can see your password with ease (unless you're an expert mouse-clicker);
  • Smart keyloggers will still get your password;
  • It does not exist in all Windows versions (2000 and above only);
  • Smart malware can be programmed to disable the on screen keyboard;

What makes a smart keylogger? Well, some of them have an option which writes the final content of the window to the log file. In other words, if a web-page has 5 fields, you fill them in (the keystrokes are logged, or not logged if you use the on screen keyboard), but as soon as you press the Submit button, the text in all those fields will be logged. This makes things a bit more complicated for the attacker, as he or she will have a lot of redundant data in the log. But hey, wouldn't you take your time to carefully read a 100 page log if you knew that somewhere in it is a key that will bring you a fortune?

Which is why we move on to the second method of "bare hands anti keylogging".

Mouse::highlight & overwrite + arrow keys

This method is pretty efficient, being able to trick simple and advanced keyloggers alike; it will also exert a greater psychological pressure on the attacker, getting him or her frustrated very fast.

Here's how it works (click on the screenshot to watch the actual demo, it will open in a new window):

In the first line you see the real password, in the second line is the field in which the password is typed; the yellow tooltip will illustrate the current contents of the log.

As you can see, the keylogger will write a lot of characters to the log, even though those characters are not a part of the real password. Of course, the attacker cannot find out which characters are needed and which ones are redundant.

The pros of using this kind of keylogger protection:

  • Both, simple and advanced keyloggers are fooled;
  • The logs cannot be processed automatically, requiring a human to actually read them and try to understand what is happening. An attacker gets frustrated very fast, so it is very possible that your password will remain unrevealed;
  • Even if the log was read by a human and a password was obtained, it is very likely that it is an incorrect one. When somebody tries that password, access will be denied, making one conclude that you didn't know the right password yourself (thus the attacker will switch to the next victim);
  • Does not require any additional utilities or system configurations;
  • Works in any operating system, any application, any type of form, and so on;
  • You can impress your friends;

The cons of using this kind of keylogger protection:

  • You can easily get confused, don't forget that in the real world, characters are masked with asterisks;
  • It takes a lot of time before you are skilled enough to apply this technique;
  • Smart keyloggers can make things easier for the attacker (but you can apply an alternative strategy to protect yourself better);

What makes a smart keylogger? As in the previous case, the keylogger might store the final contents of the field in a separate location, rendering all the wizardry useless. But this is still good news for you, because the logs will contain information which contradicts itself, thus the evil person will have to personally try each possible option. Of course, we live in the real world, where people are too lazy to do something. This tiny detail will always work for you. Keep in mind the fact that the attacker probably needs to read a ton of other material in search of passwords and other private details; if there is a minor barrier, the person will switch to a different task (which appears to be easier).

Here is a small story that fits into the context:

Two tourists were spending their time in the wild when they noticed that a lion (that looked very hungry) was coming their way. One of the tourists quickly went to the car, found his sneakers and put them on.

Tourist#1: Why do you do that? The lion is still faster.
Tourist#2: I don't have to be faster than the lion, I only have to be faster than you!

In other words, there are millions of Internet users who are much easier targets than you are ;-)

Back to smart keyloggers. Some of them have the option to store data about the special keys that were pressed, such as Backspace, the Arrow keys, Delete, etc.

Assume that:

  • @ = left arrow;
  • # = home;
  • ! = end;

In the previous example, we used shift+arrows to select a part of the text and then overwrite it. A smart keylogger will record the following text to the log:

anti@@keylogger#y!@@@@@@

If you take into account the notations, you can backtrace all the keypresses and obtain the actual text, which is

yankey

Certainly, 'yankey' looks pretty different from 'anti@@keylogger#y!@@@@@@'. One cannot obtain the real password just by looking at the log. Besides, the more complex your wizardry was, the greater is the chance that the attacker will do the reverse engineering incorrectly, obtaining a password such as 'antiyankey' or 'antikeylogger' :-)

The good news is that most attackers will choose not to record the special keys, because that would make the log grow much faster, making it more difficult to read. Just imagine how much redundant data a log will contain if a keylogger will write all the copy/paste operations! What about the zillions of key-presses on Ctrl, Shift and Alt in 3D-shooters...

The final trick is to use the mouse. In the previous example, '@@' means 'Backspace was pressed twice'. But what if you selected that part of the text with the mouse and typed over the highlighted text? The keylogger will not be able to reflect that action, making reverse engineering impossible. The only way to handle that is to write the coordinates of the mouse-pointer to the log whenever it moves, but even this will be useless, because screens have different resolutions, people use mouse pointers of different sizes, different applications use different fonts, etc. Finally, the attacker will need to manually read and reverse engineer (i.e. try to obtain the correct password by undoing your operations) a log that will grow to several hundred megabytes in a few hours - now that's a lot of fun! What else... How can such a log be sent via Internet without drawing a lot of attention? Your browsing speed will decrease, which will certainly make you take a look at the firewall and see what's going on.
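The ambiguity described above can be made concrete by replaying the log entry anti@@keylogger#y!@@@@@@ through a model of a single-line text field. The following is an added example and is not code from the original post; it assumes the notation given above (@ = left arrow, # = Home, ! = End, everything else a typed character) and a conventional editing model in which typed text replaces the current selection, while Home and End collapse it. Because the log does not record whether Shift was held, whether @ was in fact Backspace, or what the mouse selected, the same log produces different field contents under each reading. The mouse case is not replayed at all, since the log contains nothing to replay.

```python
"""Replay one keystroke log under several readings of the unlogged state.

Added example, not code from the original post. Models a single-line text
field and shows that the log 'anti@@keylogger#y!@@@@@@' reconstructs to
different contents depending on assumptions the log itself cannot settle.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the log line quoted in the post.
SAMPLE_LOG = "anti@@keylogger#y!@@@@@@"


@dataclass
class TextField:
    """Minimal single-line edit buffer with a cursor and an optional selection."""

    chars: List[str] = field(default_factory=list)
    cursor: int = 0
    anchor: Optional[int] = None  # selection anchor; None when nothing is selected

    @property
    def text(self) -> str:
        return "".join(self.chars)

    def selection(self) -> Tuple[int, int]:
        """(start, end) of the selected range; an empty range when nothing is selected."""
        if self.anchor is None:
            return self.cursor, self.cursor
        return min(self.anchor, self.cursor), max(self.anchor, self.cursor)

    def selected_text(self) -> str:
        start, end = self.selection()
        return "".join(self.chars[start:end])

    def type_char(self, ch: str) -> None:
        """Typed text replaces the selection (if any), then inserts at the cursor."""
        start, end = self.selection()
        del self.chars[start:end]
        self.chars.insert(start, ch)
        self.cursor = start + 1
        self.anchor = None

    def backspace(self) -> None:
        """Delete the selection, or the character before the cursor."""
        start, end = self.selection()
        if start == end and start > 0:
            start -= 1
        del self.chars[start:end]
        self.cursor = start
        self.anchor = None

    def move(self, pos: int, shift: bool) -> None:
        """Move the cursor; with Shift held the move extends a selection."""
        if shift and self.anchor is None:
            self.anchor = self.cursor
        elif not shift:
            self.anchor = None
        self.cursor = max(0, min(pos, len(self.chars)))


def replay(log: str, arrow: str) -> TextField:
    """Replay `log`; `arrow` fixes how '@' is read: 'left', 'shift-left' or 'backspace'."""
    f = TextField()
    for tok in log:
        if tok == "@":
            if arrow == "backspace":
                f.backspace()
            else:
                f.move(f.cursor - 1, shift=(arrow == "shift-left"))
        elif tok == "#":
            f.move(0, shift=False)
        elif tok == "!":
            f.move(len(f.chars), shift=False)
        else:
            f.type_char(tok)
    return f


def interpretations(log: str) -> Dict[str, str]:
    """Field contents under each reading of '@'; a pending selection is shown in brackets."""
    out = {}
    for arrow in ("left", "shift-left", "backspace"):
        f = replay(log, arrow)
        start, end = f.selection()
        out[arrow] = f.text[:start] + "[" + f.text[start:end] + "]" + f.text[end:] if start != end else f.text
    return out


if __name__ == "__main__":
    for reading, content in interpretations(SAMPLE_LOG).items():
        print(f"{reading:>10}: {content}")
```

Run as a script it prints one candidate per reading: plain left arrows give "yankeyloggerti", Shift+left gives "yankey[logger]" with the last six characters still highlighted and awaiting whatever the mouse or an unlogged key did next, and reading @ as Backspace gives "yankey". None of the three can be preferred from the log alone, which is exactly the point made above.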

Avoid keyloggers in the first place

This is the best solution.

  • Don't click on all the links that are included in your emails;
  • Do not execute attachments that are executable files (EXE, COM, SCR, etc);
  • Do not break the previous rule, even if the email seems to be from a person you trust;
  • Avoid downloading anything from sites that are open in pop-up windows (usually these sites are malicious, even though pop-up windows can be used for noble purposes too);
  • Check all the files that come to your computer on a USB flash disk or a DVD (even if the person who brought the disk is a friend you trust);

The above list is incomplete, but these guidelines (if respected carefully) will certainly make you one of the fastest tourists on the Internet ;-)

Conclusions:

  • Keylogger protection is not a complex process, you can protect yourself from keyloggers without paying anything;
  • Your privacy is in your own hands, identity theft can be avoided if you apply one of the keylogger protection techniques described in this guide. Combining these techniques will bring better results;
  • If you often need to log on to your accounts using public computers, and time is a significant constraint, and your passwords are very strong ones (ex: 'kpDp0o5;Z'), then password management tools might be a good idea. Otherwise you can use the protection strategies described in this story;

^ I do that every day :-)
