After the previous story about keyloggers (free keylogger protection) was written, another experiment was conducted. Its results must be taken into account, since they complete the previous conclusions and let you see the real big picture.
Not every on-screen keyboard will protect you from keyloggers; the one that comes with Windows (osk.exe) is definitely not one of them.
Windows manages applications by sending them messages - codes that each program interprets in its own way. There are different types of messages, for instance "minimize window", "close window", and so on. Among these messages, you can find keyboard-related ones, such as "a key was pressed" and "a key was released". Whenever a key on the keyboard is pressed, Windows notifies the running programs about it; each program then uses this information as it deems appropriate.
The on-screen keyboard works by 'artificially' sending these messages, i.e. the "key was pressed" event is not triggered by the keyboard, it is simulated instead. All the applications receive the same messages, without realizing that they are of a different origin - that's why the on-screen keyboard can be used without the risk of 'breaking' another program's functionality.
So far it is clear that the on-screen keyboard works just like the real one, meaning that the keylogging mechanisms that work with real keyboards will also work with virtual ones.
Programming stuff - you can skip this paragraph
In order to catch all the key-presses, you should set up a system-wide hook that watches WM_KEYDOWN and WM_SYSKEYDOWN messages. This way your program will be notified when normal, as well as special (Ctrl, Alt, etc.) buttons are pressed.
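As an added example (not code from the original article): system-wide hooks of this kind are installed through the Win32 SetWindowsHookEx call, so on a machine you administer, a record of those calls shows which programs are in a position to see every key press, whether it comes from the real keyboard or from the on-screen one. The trace format, process paths and allowlist below are constructed for illustration and do not come from a real monitoring tool.

```python
import re
from typing import NamedTuple

# Hook type ids as documented for the Win32 SetWindowsHookEx API.
KEYBOARD_HOOKS = {2: "WH_KEYBOARD", 13: "WH_KEYBOARD_LL"}

# Constructed sample trace in a hypothetical API-monitor format (not real tool output).
SAMPLE_TRACE = r"""
10:00:01 pid=412 image=C:\Program Files\ExampleIME\ime.exe api=SetWindowsHookExW idHook=13 dwThreadId=0
10:00:05 pid=2044 image=C:\Users\demo\AppData\Local\Temp\upd.exe api=SetWindowsHookExW idHook=13 dwThreadId=0
10:00:06 pid=2044 image=C:\Users\demo\AppData\Local\Temp\upd.exe api=SetWindowsHookExW idHook=13 dwThreadId=0
10:00:09 pid=3100 image=C:\Apps\editor.exe api=SetWindowsHookExW idHook=2 dwThreadId=5120
10:00:12 pid=3300 image=C:\Apps\recorder.exe api=SetWindowsHookExA idHook=7 dwThreadId=0
10:00:15 pid=3400 image=C:\Apps\macro.exe api=SetWindowsHookExW idHook=2 dwThreadId=0
10:00:20 pid=3400 image=C:\Apps\macro.exe api=UnhookWindowsHookEx
"""
# Constructed allowlist of software the administrator expects to hook the keyboard.
ALLOWLIST = [r"c:\program files\exampleime\IME.EXE"]

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+image=(?P<image>.+?)\s+api=SetWindowsHookEx[AW]?\s+"
    r"idHook=(?P<hook>\d+)\s+dwThreadId=(?P<tid>\d+)\s*$"
)

class Finding(NamedTuple):
    pid: int
    image: str
    hook: str

def find_global_keyboard_hooks(trace, allowlist=()):
    """Return system-wide keyboard hook installs by images not on the allowlist."""
    allowed = {p.lower() for p in allowlist}  # Windows paths are case-insensitive
    findings = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # a different API call or a malformed line
        hook = KEYBOARD_HOOKS.get(int(m["hook"]))
        if hook is None or int(m["tid"]) != 0:
            continue  # not a keyboard hook (7 is WH_MOUSE) or scoped to one thread
        if m["image"].lower() in allowed:
            continue
        finding = Finding(int(m["pid"]), m["image"], hook)
        if finding not in findings:  # repeated installs are reported once
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_global_keyboard_hooks(SAMPLE_TRACE, ALLOWLIST):
        print(f"{f.image} (pid {f.pid}) installed a system-wide {f.hook} hook")
```

A thread id of 0 is what makes a hook system-wide, which is why the thread-scoped install by editor.exe in the sample is not reported.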
Conclusion: the standard on-screen keyboard will not offer you the protection you need. If you are forced to use a workstation you cannot trust, see the "Mouse::highlight & overwrite + arrow keys" technique.
Another important detail that must be mentioned - a virtual machine will not protect you either.
In the recent past, VMware released a free tool called VMware Player, which can be used with preset images of systems that are known to be 100% safe. What happens is that you do your web-surfing (and other activities you wish to keep private) in an isolated machine that cannot be affected by external threats.
This approach is known as sandboxing - everything happens within a sandbox, nothing can get out of it, thus even if something goes terribly wrong in the sandbox, it will not have an impact on the external medium. This works the other way around too - what happens outside will not influence the processes that exist inside.
The virtual machine is known to be 100% safe - there is no spyware on it, no keyloggers, no viruses and so on. But what if the host system on which the virtual OS is running is infested with malicious tools?
Well, it turns out that a keylogger that runs on the host OS will succeed in catching all the key-press messages before these are sent to VMware. A password you type in the sandbox is actually typed outside of it and then sent 'inside', so you are not safe.
What are the conclusions that have to be drawn?