Friday, October 22, 2010

NIST Scientists Offer Tips to Defeat Keyloggers

How to Beat Keyloggers

Keyloggers monitor and record keyboard use, including the information typed into a system, which might include the content of emails, usernames and passwords for local or remote systems and applications, as well as financial information like credit card numbers, Social Security numbers or PINs.

Some keystroke loggers require the attacker to retrieve the data from the system, whereas others actively transfer the data to another system through email, file transfer or other means.

NIST scientists identify three main types of keyloggers:

Hardware -- Tiny inline devices placed between the keyboard and the computer. Because of their size, they can go undetected for long periods of time. These devices have the power to capture hundreds of keystrokes, including banking and email username and passwords. But for the criminal, the threat of being caught breaching the machine is a deterrent.

Software -- This type of keylogging is done by using the Windows function SetWindowsHookEx that monitors all keystrokes. The spyware will usually appear packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx is capable of capturing even autocomplete passwords.

Kernel/driver -- This kind of keylogger is at the kernel level and receives data directly from the input device (typically a keyboard). It replaces the core software for interpreting keystrokes. This type of keylogger can be programmed to be virtually undetectable by being executed when the computer is turned on, before any user-level applications start. Since the program runs at the kernel level, one disadvantage to this approach it that it fails to capture autocomplete passwords, as this information is passed in the application layer.

Defending Against Keyloggers

There are several kinds of defenses that can be used to spot or prevent keyloggers from embedding on machines:

Physical Security -- The physical protection of the computer must be considered. Whether the computer is at home, in an office or during traveling, keeping the computer secure and making sure no one has access to it is a primary concern.

Application whitelisting -- is a way to prevent any software that isn't already approved or on the "white list" from being downloaded on to the computer. This is an emerging approach in combating viruses and malware. Application whitelisting tells the computer a list of software considered safe to run, and the machine is instructed to block all others.

Some experts see this approach as superior to the standard signature-based, anti-virus approach of blocking/removing known harmful software (essentially blacklisting), as the traditional approach generally means that exploits are already in the wild.

Detection Software -- Be careful where you go to on the Internet. Drive-by downloads from ads that have been laced with malware are being found now even on popular news sites - not just on the fringes.

At a minimum, at least have anti-virus and anti-spyware loaded, and make sure they're kept up to date. Again, buy from a reputable vendor.
Consider operating a "virtual" machine environment to browse the Internet.

Virtual machines -- are separated into two major categories, based on their use and degree of correspondence to any real machine. A system virtual machine provides a complete system platform that supports the execution of a complete operating system. The other type, a process virtual machine, is designed to run a single program. An essential characteristic of a virtual machine is that the software running inside is limited to the resources and abstractions provided by the virtual machine -- it cannot break out of its virtual world.

Future Trends

"Moving forward in the next 12-18 months, the major computer manufacturers will begin offering virtual machine technology. "We're going to see more consumer-friendly operating systems being designed by vendors that will limit malware by having the user on a virtual machine while on the Internet, and the 'home' environment separate.

Cloud-based whitelisting will also become more popular, making whitelisting more available.

Another advancement in the fight against keyloggers and other types of malware is the move by anti-virus vendors to set up reputation-based systems, which checks programs and tells the user whether it is legitimate or malicious.

The addition of a third component in the fight against malware is the use of operating systems and browsers that don't allow the malicious programs to be pushed down in the first place. By isolating and "sandboxing" the user's specific browsing session,
no software is downloaded to the user's computer.

No comments: