Defense from malware

A computer virus or a computer worm is a malicious software program that can self-replicate on computers or via computer networks – without you being aware that your machine has become infected. Because each subsequent copy of the virus or computer worm can also self-replicate, infections can spread very rapidly.

The word keylogger describes the program’s function. A keylogger can be software or hardware. Hardware devices used to be relatively rare, but their numbers are growing rapidly.

There is a lot of legitimate keylogging software designed to let administrators track activity. The boundary between “justified monitoring” and “espionage” is a fine one: parental control, jealous partners, company security, control over employees, government surveillance contractors, security services … it is a huge market. Keylogging software and devices are also popular for stealing passwords, user data relating to online payment systems, and data useful for social profiling. Virus writers are constantly writing new keylogger Trojans for exactly these purposes.

Malware


Virus Watch

Any program within this subclass of malware can also have additional Trojan functions.


Keyloggers

Keylogger basics

The idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor.

This can be achieved by:

  • video surveillance;
  • a hardware bug in the keyboard, the wiring or the computer itself;
  • intercepting input/output;
  • substituting the keyboard driver, or the filter driver in the keyboard stack;
  • intercepting kernel functions by any means possible (substituting addresses in system tables, splicing function code, etc.);
  • intercepting functions in user mode;
  • requesting information from the keyboard using standard documented methods.

More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard.


Software keyloggers

Dedicated programs designed to track and log keystrokes.


Linux keyloggers

A kernel module can pick up input directly from the keyboard and catch everything, and for some Linux versions it is “kernel modules everywhere!” Still, such keyloggers aren’t exactly easy to install on machines. They require physical access. The module must be downloaded and manually set executable, or extracted from an archive that preserved the permissions, and manually run (at least the first time). Changing the start-up configuration requires root permissions, which would have to be either socially engineered or gained through some type of kernel exploit.

If your system has been compromised at the root level, then the attacker can hide a keylogger from detection by linking in a custom kernel module that intercepts system calls that might lead to its detection at the kernel level. This requires compiling the attack code for each and every current kernel.

Hardware keyloggers

Small devices that can be fixed to the keyboard, or placed within a cable or the computer itself.


Backdoors

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program or may subvert the system through a rootkit.

A backdoor Trojan gives malicious users remote control over the infected computer. It lets the attacker do anything they wish on that machine – including sending, receiving, launching and deleting files, displaying data and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers into a botnet or zombie network that can be used for criminal purposes. Unlike computer viruses and worms, Trojans are not able to self-replicate.


Router backdoors

As if it is not enough that intelligence agencies intercept and spy on our email, phone calls, bank and credit card transactions and other communications, the NSA actually intercepts, i.e. hijacks, computers in transit before they reach their destination.


Infection

Phishing & email

Depending on your email provider, simply opening an email message shouldn’t infect you, as you haven’t executed any code yet. Opening an attachment very well might, if it’s infected. So one typical infection vector is phishing, which is designed to trick an email recipient into opening a malicious executable.

According to The Washington Post, the FBI uses this technique for infecting a system too. Supposedly the bureau uses it sparingly – in part to keep references to the capability out of news stories – and only after obtaining permission from a judge (which has not always been granted).

Some keyloggers have a feature to send e-mails to the attacker and/or to email addresses in your address book.

Browsing

Keyloggers can be installed via a web page script that exploits a browser vulnerability. The program is launched automatically when a user visits an infected site. Compromising a browser is relatively easy and works cross-platform, which makes browsers a frequently chosen target.

Downloading and torrenting

A noted approach is to put malware up on sites labelled as something people want, such as “My caek loves YOU! 2 DVDRip.avi”. When downloaded it is an avi, but it is also bound with malware. And the caek isn’t real to begin with. On Windows, binding malware to an avi file isn’t even necessary, because file extensions are hidden by default: the file can simply be named file.avi when in reality it’s file.avi.exe. The caek is still not real.

Installation of applications and updates

It happens. So use the checksums. Checksums are used to ensure the integrity of data during transmission or storage. A checksum is a simple error-detection scheme in which each transmitted message is accompanied by a numerical value based on the number of set bits in the message. The receiving station applies the same formula to the message and checks that the accompanying value is the same. If not, the receiver can assume that the message has been garbled (or was altered).

Integrity checks are integrated in Debian package managers. Never ever continue with an installation if you get:

WARNING: The following packages cannot be authenticated!
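Debian’s authentication check above covers packages; for a tarball or installer fetched by hand, the same principle is to compare the file’s SHA-256 digest against the SHA256SUMS list the project publishes. The script below is an added example, not from the original page; the file names in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify a hand-downloaded
# file against the SHA256SUMS list its project publishes before running
# or installing it. File names are constructed.
#
# Caveat: a matching digest only proves the file matches the list. Fetch
# the list over a separate trusted channel and, where the project signs
# it, check that signature first (gpg --verify SHA256SUMS.sig SHA256SUMS).

# verify_sha256 FILE SUMSFILE -> 0 if FILE's SHA-256 digest equals the
# entry for its base name in SUMSFILE, 1 on mismatch or missing entry.
verify_sha256() {
    file=$1; sums=$2
    name=$(basename "$file")
    # sha256sum writes "<hex>  name" (text) or "<hex> *name" (binary mode)
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "FAIL: $name digest $actual does not match expected $expected" >&2
    return 1
}

# Usage: verify_sha256 ./app-1.2.tar.gz ./SHA256SUMS && tar xzf ./app-1.2.tar.gz
```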

Countermoves

Safer browsing

Browsing clearly offers the lowest-cost attack vectors for data theft by hackers, tracking by corporations and governmental spying. Safer browsing is a good investment all around.

Password management

Banking systems use one-time passwords and two-step authentication whenever possible. A more cost-efficient solution is proactive protection on the client side, but that comes with trade-offs as well. Personally, I do not use online banking at all.

Using a password manager allows you to load passwords into your clipboard instead of typing them, making them harder to catch with a keylogger.


Protection software


Anti-virus software is probably the most overstated tool in most security toolboxes. For years, security experts have been pitching “Install antivirus and firewall software, keep up with patches”. Some antivirus software is “good” at detecting known threats, but not so great at flagging brand new malware samples. “Good”? Especially in the Windows world, many antivirus products have commercial deals. Profit, you know, the newest god on the block. By now Windows users have to install several antivirus scanners to counteract the various allowances, and that can slow Windows machines down tremendously, as much as malware can. Oh well.

If you’re depending on your antivirus software to save you from risky behaviour online, you’re asking for trouble. Antivirus is just another layer of security, and you have to pick the one(s) you use carefully.


Check integrity of your system

Keyloggers can be installed by another malicious program already present on the victim machine, if that program is capable of downloading and installing other malware. An attacker may not have bothered to hide the process of a running keylogger, so regularly check your running processes, run system checks and use intrusion detection systems. And even without a keylogger, a malware payload can have some nasty eyes on your data.
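One cheap version of that process check, as an added example that is not part of the original page: walk /proc and flag processes whose binary was deleted after launch or runs out of a scratch directory. The fake /proc tree used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: list running processes whose
# executable looks wrong, the cheap check that catches a keylogger nobody
# bothered to hide. Two signs are flagged: the binary was deleted after
# launch (/proc/PID/exe then ends in " (deleted)"), or it runs out of a
# world-writable scratch directory. PROC defaults to /proc; the test points
# it at a constructed fake tree.

# odd_procs [PROC] -> prints "PID REASON EXE" per suspicious process;
# returns 0 when nothing was flagged, 1 otherwise.
odd_procs() {
    proc=${1:-/proc}; hits=0
    for p in "$proc"/[0-9]*; do
        [ -d "$p" ] || continue
        # kernel threads have no exe link; other users' processes are unreadable
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        pid=${p##*/}
        case $exe in
            *' (deleted)')
                echo "$pid deleted-binary $exe"; hits=1 ;;
            /tmp/*|/var/tmp/*|/dev/shm/*|/run/shm/*)
                echo "$pid scratch-dir $exe"; hits=1 ;;
        esac
    done
    return $hits
}

# Usage: run as root so every process is visible, then look up each flagged
# PID with ps -p PID -o user,ppid,lstart,cmd before deciding what it is.
```

A hit is a lead, not a verdict: some updaters legitimately keep running after replacing their own binary, so compare against what the package manager says should be there.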

Detekt is a free tool that scans your Windows computer for traces of FinFisher and Hacking Team RCS, commercial surveillance spyware that has been identified as also being used to target and monitor human rights defenders and journalists around the world.

I think my machine is infected. Now what?

On Linux, to check for software keyloggers:

  • You can take a look at your processes (with ps -aux, htop or pstree), but if you’re new to Linux and your Linux install took care of running most of the programs, it can be hard to know what’s really supposed to be running vs. what’s not supposed to be there. Ask for help from buddies or on a forum. Do not shut down your machine, but put it in hibernate or sleep mode until you can get expert help in repairing or restoring the system. Or use plan B (see the last item in this list).
  • If you cannot tell, a better chance of finding a keylogger is to boot the machine from a known-safe live CD image and scan for suspicious files. You can do that manually and/or use software like rkhunter (Linux), chkrootkit (Linux) and debsums (Debian). One trick to try is to type a random unique string on your keyboard in the live running machine. Reboot the machine from the live CD and grep for that string. Find out where the string is stored, and you may have the temp file of the keylogger. Check the folder it is in, and the folders upward in the tree.
  • Check crontab; the keylogger may be relaunched regularly in case it is shut off, or when the system reboots.
  • Look at the email streams. When programs start sending email through an IP address other than your email server’s, it might be something fishy. It can of course also be legitimate. Also consider that a keylogger might just log in to your email server with valid credentials and send email from there.
  • There is always a plan B: if a VM was infected, simply revert to an earlier snapshot. A host can be reinstalled (great, those regular backups I made of my data now come in handy).
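The live-CD canary trick and the crontab check from the list above, scripted as an added example (not from the original page). It assumes the suspect disk is mounted read-only under a directory passed as ROOT, e.g. /mnt/suspect; the canary string and the directory tree used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the live-CD
# canary trick. Type a unique string on the suspect machine, boot a
# clean live image, mount the suspect disk under ROOT (e.g. /mnt/suspect,
# no trailing slash) and search it for that string; whatever file holds
# it is the logger's capture file. Canary and test tree are constructed.
# Paths containing whitespace are not handled.

# find_canary ROOT CANARY -> each file under ROOT that contains CANARY.
# -a also searches binary files (capture files are often raw buffers);
# proc, sys and dev are skipped so a stray bind mount is not scanned.
find_canary() {
    grep -rlaF --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
        -- "$2" "$1" 2>/dev/null
}

# ancestors PATH ROOT -> the directory holding PATH and each parent up to
# (not including) ROOT: the logger's other files usually sit nearby.
ancestors() {
    d=$(dirname "$1")
    while [ "$d" != "$2" ] && [ "$d" != "/" ]; do
        echo "$d"
        d=$(dirname "$d")
    done
}

# cron_refs ROOT DIR -> crontab entries on the suspect disk mentioning
# DIR, given as the suspect system sees it (a logger that is relaunched
# on reboot or on a timer usually shows up here).
cron_refs() {
    grep -rHF -- "$2" "$1/etc/crontab" "$1/etc/cron.d" \
        "$1/var/spool/cron" 2>/dev/null
}

# triage ROOT CANARY -> prints a report; returns 1 if the canary was found
# anywhere on the disk, 0 if nothing turned up.
triage() {
    found=0
    for f in $(find_canary "$1" "$2"); do
        found=1
        echo "canary found in: $f"
        for d in $(ancestors "$f" "$1"); do
            echo "  inspect directory: $d"
            cron_refs "$1" "${d#"$1"}" | sed 's/^/  cron: /'
        done
    done
    return $found
}
```

Run it as `triage /mnt/suspect 'your-canary-string'`; a hit in a dotfile under /tmp or a home directory, plus a cron line pointing at the same directory, is the pattern the list above describes.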


DIY: Reverse-engineering and analyzing malware

