Encrypt keystrokes to foil keylogger malware

According to the Verizon RISK Team, keylogger applications were present in almost half (48%) of all breaches that Verizon investigated or analyzed in 2011. Here's one solution that encrypts keystrokes and uses an out-of-band channel to safely deliver keystrokes to intended applications.

According to the 2012 Verizon Data Breach Report, companies of all sizes have fallen victim to malicious code commonly called keyloggers designed to capture user inputs where they originate -- at the keyboard.

Keyloggers are commonly used by cybercriminals to steal user names and passwords and many other forms of personal and business information. Keylogger applications were present in almost half (48%) of all breaches that Verizon investigated or analyzed last year. This most likely contributed to the use of stolen credentials in roughly 1 out of 3 breach-related incidents, according to Verizon.


Keyloggers are a very effective means for stealing information. It's not just keystrokes but also mouse clicks, screen displays, websites that a user visits, and files that are opened and closed that can be captured by a keylogger.

Many people assume they are protected from keyloggers and other malware if they are running a current antivirus program. Unfortunately, this is true only some of the time. A recent study by a team of University of Alabama-Birmingham computer forensics and security management students revealed that the leading antivirus software programs only detect malware, on average, about 25% of the time.

This low detection success rate is disappointing when you consider that antivirus software vendors claim their products help prevent malware such as keyloggers from infecting computing resources. In reality, many AV products are best at blocking "known" and catalogued viruses, malware and spyware -- and not necessarily the numerous variants that are created every day. Today criminals are building malware from starter kits that circulate in cyberspace for a very short time. Very little technical knowledge is required to use one of these kits to develop a new malware variant. By the time these kits are detected by those who would shut them down, they are often already out of circulation.

Cybercriminals are taking advantage of the common things we do every day to stick us with malware. As reported by Verizon, a successful social attack such as a phishing email is a common entry point for malware. Good defense-in-depth controls that go beyond antivirus software could aid in keeping the attacker out in the first place, or in remediating the problem if a malware infection does occur.

Some companies now operate under the assumption that their users' computers may already have a keylogger installed. They utilize anti-keylogger solutions to prevent sensitive information from being stolen and used against them, as in the case of purloined user credentials for enterprise applications.

StrikeForce Technologies is one company with a keystroke encryption solution. The product, GuardedID, prevents information from being exfiltrated, rather than trying to detect the presence of a keylogger. GuardedID is a client-based application that takes control of the keyboard at the lowest possible layer in the Windows kernel. The keystrokes are then encrypted and sent to the target application (email, word processing, etc.) via an out-of-band channel that bypasses the Windows messaging queue. The keystrokes are decrypted only once they reach the intended application.

GuardedID has a built-in self-monitoring capability that prevents it from being bypassed by other software. If GuardedID is tampered with in any way, it warns the user of the tampering. With this approach, GuardedID helps organizations change the malware paradigm by protecting the data at the keystroke, even if malware plants a keylogger payload on the user's PC.

In addition to preventing keylogging, the StrikeForce Technologies product also addresses "clickjacking" and screen scraping exfiltration techniques. Clickjacking, also known as a "UI redress attack," occurs when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when he was intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for one page and routing them to another page, most likely owned by another application and/or domain. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes and text boxes, a user can be led to believe he is entering his password into, say, the login screen for his email or his bank account. Instead he is typing into an invisible frame controlled by the attacker.

GuardedID protects against this vulnerability by scrutinizing the Web page and warning the user when content is not from the expected domain. If false content is hidden in an invisible overlay, the product makes it visible. If the content is hidden underneath, GuardedID draws red borders around it. Either way, the user will be made aware of the content and, hopefully, be cautious of his movements on the page.

Screen scraping is a technique used by malware to record the contents of your computer screen. GuardedID blocks this capability and protects organizations against this threat.

Panda Security reports that fully half of all the computers globally are infected with some form of malware. As keyloggers become a more prominent means for easily gaining access to user IDs, passwords and sensitive information, it's important to prevent them from doing their dirty deeds.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at Bmusthaler@essential-iws.com.


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2012 IDG Communications, Inc.