
Saturday, May 07, 2005

Introduction to Spyware (Keyloggers) from Sec.Focus 


"Facts do not cease to exist because they are ignored."-- Aldous Huxley

As the prostitute said, "It's not the work, it's the stairs." As told to me by Elaine Stritch, star of stage, screen, & TV, right after she won her 1st Emmy. Age 79.

Spyware overview
Spyware is a categorical term given to applications and software that log information about a user's online habits and report back to the software's creators. The effects of these programs range from unwanted pop-up ads and browser hijacking to more dangerous security breaches, which include the theft of personal information, keystroke logging, changing dialup ISP numbers to expensive toll numbers, and installing backdoors on a system that leave it open for hackers.

Spyware usually gets into the computer through banner ad-based software where the user is enticed to install the software for free. Other sources of spyware include instant messaging, various peer-to-peer applications, popular download managers, online gaming, many porn/crack sites, and more. Note that most, but not all, spyware is targeted exclusively at Microsoft's Internet Explorer web browser. Users of modern Web browser alternatives, such as Mozilla's Firefox and Apple's Safari, are generally not affected by spyware at all.

The most recent delivery methods used by malicious spyware require no permission or interaction with the users at all. Dubbed as "drive-by downloads," [ref 1] the spyware application is delivered to the user without his knowledge simply when he visits a particular website, opens some zipped files, or clicks on a malicious pop-up ad that contains some active content such as ActiveX, Java Applets, and so on. Spyware can also be hidden in image files or in some cases has been shipped along with the drivers that come with a new hardware device.

Spying techniques
Depending upon the nature of the information gathered, each piece of spyware may function differently. Some spyware applications simply gather information about a user's surfing habits, purely for marketing purposes, while others are far more malicious. In any case, the spyware attempts to uniquely identify the information sent across a network by using a unique identifier, such as a cookie on the user's hard disk or a Globally Unique Identifier (GUID). [ref 2] The spyware then sends the logs directly to a remote user or a server that is collecting this information. The collected information typically includes the infected user's hostname, IP address, and GUID, along with various login names, passwords and other keystrokes.

Types of keyloggers
As mentioned, keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms.

While keyloggers have been around for a long time, the growth of spyware over the last few years means they warrant renewed attention. In particular, this is due to the relative ease with which a computer can become infected -- a user simply has to visit the wrong website to become infected.

Keyloggers can be one of three types:

1. Hardware Keyloggers. These are small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time -- however, they of course require physical access to the machine. These hardware devices have the power to capture hundreds of keystrokes including banking and email username and passwords.
2. Software using a hooking mechanism. This type of logging is accomplished by using the Windows function SetWindowsHookEx() that monitors all keystrokes. The spyware will typically come packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords.
3. Kernel/driver keyloggers. This type of keylogger is at the kernel level and receives data directly from the input device (typically, a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage to this approach is that it fails to capture autocomplete passwords, as this information is passed in the application layer.

Analyzing a keylogger
There are many different keyloggers available, including the Blazing Tools Perfect Keylogger [ref 3], Spector [ref 4], Invisible Keylogger Stealth [ref 5], and Keysnatch [ref 6]. Most of these have more or less the same set of features and way of functioning. Therefore, we will focus on one particular tool in our examples, the one from Blazing Tools.

The Blazing Tools Perfect Keylogger will be analyzed in this paper because it has been found hidden in so many Trojans on the Internet. It's a good example of a common hook-type keylogger. Although Blazing Tools markets its products to IT administrators and parents, the presence of their keylogger in many Trojans illustrates how people can package legal code and use it for malicious activities. The following features of the "Perfect Keylogger" are of use to anyone trying to spy on an unsuspecting user:

1. Stealth Mode. In this mode no icon is present in the taskbar and the keylogger is virtually hidden.
2. Remote Installation. The keylogger has a feature whereby it can attach to other programs and can be sent by e-mail to install on the remote PC in stealth mode. It will then send keystrokes, screenshots and websites visited to the attacker by e-mail or via FTP.
3. Smart Rename. This feature allows a user to rename all keylogger's executable files and registry entries.
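The Smart Rename feature described above is the reason a defender should not rely on filenames or registry value names to spot a hook-type keylogger: the executable and its logging DLL are still the same bytes on disk whatever they are called. The following is an added example, not code from the SecurityFocus article or from Blazing Tools, that scans a directory tree and reports matches by filename and, separately, by SHA-256 content hash. The fixture it scans is constructed for the demo: the same bytes appear under the original name and under a renamed copy, and an unrelated file carries the blocked name. The blocklist digest, the filenames and the file contents are all made up here and are not real indicators.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, blocked_hashes, blocked_names):
    """Walk root and report every file matching the blocklist by name, by hash, or both.

    blocked_hashes: set of lowercase hex SHA-256 digests (e.g. from a threat-intel feed)
    blocked_names:  set of lowercase filenames
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_file(path)
        name_match = path.name.lower() in blocked_names
        hash_match = digest in blocked_hashes
        if name_match or hash_match:
            findings.append({
                "path": str(path),
                "sha256": digest,
                "name_match": name_match,
                "hash_match": hash_match,
            })
    return findings


def build_fixture(root):
    """Constructed fixture (not a real program). Writes four files and returns the digest
    of the 'known bad' bytes, standing in for one entry of a blocklist."""
    root = Path(root)
    bad_bytes = b"CONSTRUCTED SAMPLE BYTES - NOT AN EXECUTABLE\n" * 64
    other_bytes = b"unrelated file that merely shares the blocked name\n" * 8
    (root / "keylog-sample.exe").write_bytes(bad_bytes)      # original name and content
    (root / "svchelper.exe").write_bytes(bad_bytes)          # same bytes after a 'smart rename'
    (root / "other").mkdir()
    (root / "other" / "keylog-sample.exe").write_bytes(other_bytes)  # blocked name, other content
    (root / "notes.txt").write_bytes(b"benign\n")            # matches nothing
    return hashlib.sha256(bad_bytes).hexdigest()


def summarize(findings):
    """Sorted (filename, name_match, hash_match) triples for reports and tests."""
    return sorted((Path(f["path"]).name, f["name_match"], f["hash_match"]) for f in findings)


def demo():
    """Run the scan against the fixture in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        known_bad = build_fixture(tmp)
        return scan_tree(tmp, blocked_hashes={known_bad}, blocked_names={"keylog-sample.exe"})


if __name__ == "__main__":
    for name, by_name, by_hash in summarize(demo()):
        print(f"{name:20s} name_match={by_name!s:5s} hash_match={by_hash}")
```

Running it shows the two failure modes of name-only detection at once: the renamed copy is caught only by its hash, and the decoy is caught only by its name. In practice the blocklist digests come from an anti-virus or threat-intelligence feed, and the hook DLL gets the same treatment as its loader executable since both are ordinary files on disk.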

More later, another time

MY ADVICE endeavors at keen.com. The number is 1-800-275-5336 (800-ask-keen) + ext. 0329063 for tech stuff, 0329117 for running a small business, and 0329144 on investing. Want to CHAT, I use Yahoo's IM as the_web_ster. View me in the Friends & Family part of webcamnow.com, just click on "view cams", then in the Java window click on WebcamNow Communities drop down arrow & select Friends & Family. Under the live webcams look for & click on me "the_webster".

Some HDTV General info. 



The first noticeable difference is HDTV's much wider screen. In the current analog system, the width of the picture divided by its height gives you a ratio of 4/3. HDTV, on the other hand, has a width to height ratio of 16/9, which closely resembles that of a movie screen. The second key feature is that HDTV has more than six times the sharpness and clarity of analog TV. The HDTV picture contains 1080 vertical picture elements (pixels) by 1920 horizontal pixels, for a total of more than two million. The analog picture contains a total of 230,400 pixels.

That means it's 5 or 6 times brighter as well.
Just an FYI.




New feature at the "Big Red Y" 





http://360.yahoo.com/index_beta.html Yeah it's a blog feature. I'll be looking at this as fast as I can.

Yeah, the iBlog site wasn't that great to or for me.


Friday, May 06, 2005

From Steelhoof: Good news, for now anyway - Court yanks down FCC's broadcast flag (Or, as the court says, No, you can't take HDTV cards off the market)



By Declan McCullagh
Staff Writer, CNET News.com



In a stunning victory for hardware makers and television buffs, a federal appeals court has tossed out government rules that would have outlawed many digital TV receivers and tuner cards starting July 1.

The U.S. Court of Appeals for the D.C. Circuit ruled Friday that the Federal Communications Commission did not have the authority to prohibit the manufacture of computer and video hardware that doesn't have copy protection technology known as the "broadcast flag." The regulations, which the FCC created in November 2003, had been intended to limit unauthorized Internet redistribution of over-the-air TV broadcasts.
News context

What's new:
A federal appeals court has squelched an FCC rule that would have required TV gear to use copy protection technology known as a "broadcast flag."

Bottom line:

The ruling is a big setback for Hollywood studios, which sought to limit unauthorized Internet redistribution of over-the-air TV broadcasts. But it's a reprieve for makers of HDTV sets, PC tuner cards, and USB and Firewire tuners.


"The broadcast flag regulations exceed the agency's delegated authority under the statute," a three-judge panel unanimously concluded. "The FCC has no authority to regulate consumer electronic devices that can be used for receipt of wire or radio communication when those devices are not engaged in the process of radio or wire transmission." (Click here for a PDF of the decision.)

One result of Friday's ruling is that, unless it's eventually overturned by a higher court, the fight over digital TV piracy will return to Capitol Hill. The D.C. appeals court noted that the FCC "has no power to act" until "Congress confers power on it" by enacting a law explicitly authorizing the broadcast flag.

Under the FCC rules, starting in July digital TV tuner manufacturers would have had to include the broadcast flag. The flag limits a person's ability to redistribute video clips made from the recorded over-the-air broadcasts.

But in January, a coalition of librarians and public interest groups filed suit against the regulations, arguing that they would sharply curtail the ability of librarians and consumers to make "fair use" of copyrighted works and would curb interoperability between devices.

Friday's ruling represents a sizable setback for the Motion Picture Association of America, which had lobbied for the broadcast flag rules and had intervened in the lawsuit to defend them. But it's a reprieve for makers of HDTV sets, PC tuner cards, and USB and Firewire tuners--which will no longer have to redesign their products to comply with FCC rules.

James Burger, a lawyer at Dow, Lohnes and Albertson who opposed the broadcast flag on behalf of tech companies, said the FCC's legal theory was deeply worrying for computer makers.

"It would have turned the Federal Communications Commission into the Federal Computer Commission," Burger said. "Do you know of a computer now that doesn't touch the telecommunications infrastructure? The FCC was asserting jurisdiction over all information technology."

A digital game of capture the flag
Under the proposed rule, it would have become illegal to "sell or distribute" any product capable of receiving broadcast-flagged shows unless the product complies with the FCC's regulations.

Such products could handle flagged broadcasts only in specific ways set by the government. Those essentially include delivering analog output without copy protection, digital output to a few low-end displays, or high-quality digital output to devices that also adhere to the broadcast flag specification.

In general, consumers would have been able to record broadcast-flagged shows and movies, but would only be able to play them back on the same device. The FCC rules specify that all devices must uniquely link "such recording with a single covered demodulator product, using a cryptographic protocol or other effective means, so that such recording cannot be accessed in usable form by another product."

Broadcasters are not required to tag their shows and movies with the flag. It's up to each local station and network.

During oral arguments in February, the three judges on the appellate panel foreshadowed this week's decision by suggesting that the FCC had overstepped what the law permits.

"You're out there in the whole world, regulating. Are washing machines next?" asked Judge Harry Edwards. Quipped Judge David Sentelle: "You can't regulate washing machines. You can't rule the world."



Some manufacturers of HDTV tuner cards had planned to discontinue their current products because they did not recognize the broadcast flag.

"We don't support the flag in our current hardware, meaning that if there is flagged content, we'll ignore the flag," Nicholas Freeman of Elgato Systems said in an interview last month. "After July of this year, we wouldn't be able to manufacture it anymore."

Elgato sells the EyeTV line of products, which includes the EyeTV 500 HDTV tuner for the Macintosh. The EyeTV 500 does not abide by the broadcast flag restrictions.




Thursday, May 05, 2005

Phishers Dodge Shutdowns by Striking via 'Botnets' 



By Ryan Naraine of Eweek.com

Phishing attacks may be on the decline, but don't think for a minute that the Internet scam artists have found new jobs.

Security researchers have uncovered evidence of a highly organized phishing network implementing a new tactic to keep malicious Web sites online: using botnets as DNS (Domain Name System) servers.

"This is a clever trick that makes it more difficult to 'dismember' the methods they're using to host the phishing sites," said Mike Poor, founder and senior security analyst at Intelguardians Network Intelligence LLC.

Poor, who doubles as an incident handler for the SANS Internet Storm Center, said the elaborate attack scenario involves the use of hijacked computers to host not only the malicious phishing site but also the DNS servers that provide domain resolution services for the targeted domain name.

A botnet is a collection of compromised machines infested with malware like keystroke loggers, Trojan horses or back doors. Malicious hackers control the botnets remotely, usually via IRC (Internet Relay Chat) sessions, sending instructions to the infected machines to launch spam runs or host malicious sites.

By turning the botnets into DNS servers, the attackers are able to automate the cat-and-mouse game with ISPs that routinely shut down the malicious servers.

"They're basically serving up lots of different IP addresses for the malicious site and changing those IP addresses every five minutes. This makes it virtually impossible to shut down the malicious server," Poor said.

"We now have the hijacked computers serving up the phishing sites and also handling DNS resolution. And it's rapidly changing, almost in an automated manner. This is quite new as far as using DNS servers to work in conjunction with phishing," he added.

The latest tactic has been described as a "distributed phishing scam" that provides further evidence that a well-organized ring is operating the scheme.

Thor Larholm, a senior security researcher with PivX Solutions Inc., is convinced that the use of botnets to handle name-server resolution is the work of a small, well-organized group. "I'd say no more than 200 people, primarily from the United States, are responsible for 90 percent of all spam worldwide. You can fit these guys into that group," Larholm said in an interview with Ziff Davis Internet News.

Larholm said the ability to move to a new DNS server every time a malicious server is shut down gives the scammers a major advantage and effectively blunts most anti-phishing initiatives.

The SANS ISC said the onus now shifts to domain name registrars to offer a formal procedure for dealing with requests to shut down a particular domain name.

The Center, which tracks and reports on malicious Internet activity, said ISPs can also combat the attacks by implementing a form of domain hijacking to intercept and redirect malicious DNS traffic passing through the network.

"While this approach does not entirely mitigate the issue, it does mitigate it within the ISP's network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful," the Center said.

Joe Stewart, senior security researcher at managed services vendor LURHQ Corp., said the latest trick looks eerily similar to Migmaf, the reverse-proxy Trojan that handled spam runs in 2003.

With Migmaf installed on compromised machines connected to cable modems, Stewart said, the spammers could move Web sites around at will, minute by minute. "Back then, the press zeroed in on the porn sites that were being served up, but there was a phishing element to that attack. The intent was to steal credit card numbers when people visited those sites and signed up," Stewart explained.

Stewart said the latest misuse of DNS resolution points to an "escalating war" between phishers and companies deploying anti-phishing technologies. "It has picked up to the point where it's similar to how the anti-virus companies try to stay ahead of virus writers. They're usually a day behind."

"If they keep getting shut down at one ISP, they're simply moving that DNS server to another infected cable modem user in a matter of minutes. They have a large pool of available servers so it exacerbates the problem," Stewart added.

The latest botnet-as-DNS scenario follows recent reports of DNS cache poisoning attacks that redirected Web surfers to malicious sites. Cache poisoning occurs when incorrect or false DNS records are inserted into a DNS server's cache tables, overwriting a valid-name server record with its own DNS server address.
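The behaviour Poor and Stewart describe, hijacked hosts answering for the phishing domain and rotating through a fresh set of addresses every few minutes, leaves a signature in any resolver's logs: short TTLs, many distinct addresses for one name, and those addresses scattered across unrelated networks. The following is an added example, not code from the eWEEK article or from SANS ISC, that scores queried names on those properties over constructed resolver observations. The thresholds, the use of /24 prefix diversity as an offline stand-in for ASN diversity, and the sample data are assumptions made for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (seconds since start, queried name, TTL, answer IPs).
# Addresses are from the documentation ranges and the names use reserved TLDs.
OBSERVATIONS = [
    (0,   "login-example.invalid", 300,   ["203.0.113.10", "198.51.100.7"]),
    (300, "login-example.invalid", 300,   ["192.0.2.44", "203.0.113.99"]),
    (600, "login-example.invalid", 300,   ["198.51.100.120", "192.0.2.201"]),
    (900, "login-example.invalid", 300,   ["203.0.113.33", "198.51.100.8"]),
    (0,   "static.cdn.example",    300,   ["192.0.2.1", "192.0.2.2"]),
    (300, "static.cdn.example",    300,   ["192.0.2.3", "192.0.2.1"]),
    (600, "static.cdn.example",    300,   ["192.0.2.2", "192.0.2.4"]),
    (0,   "www.example",           86400, ["198.51.100.50"]),
    (600, "www.example",           86400, ["198.51.100.50"]),
]

# Assumed thresholds for the demo; tune them against your own resolver's baseline.
FLUX_MAX_TTL = 600        # answers that expire within ten minutes
FLUX_MIN_IPS = 5          # distinct addresses seen for one name in the window
FLUX_MIN_PREFIXES = 3     # distinct /24s, a crude offline stand-in for ASN diversity


def prefix_count(ips, bits=24):
    """Number of distinct /bits networks the addresses fall into."""
    return len({ip_network(f"{ip}/{bits}", strict=False) for ip in ips})


def classify(observations):
    """Return {name: metrics} with a fast_flux verdict for every queried name."""
    per_name = defaultdict(list)
    for seconds, name, ttl, answers in observations:
        per_name[name].append((seconds, ttl, answers))

    verdicts = {}
    for name, records in per_name.items():
        records.sort(key=lambda r: r[0])  # time order, so churn is measured against earlier answers
        seen, new_answers, total_answers, ttls = set(), 0, 0, []
        for _seconds, ttl, answers in records:
            ttls.append(ttl)
            for ip in answers:
                total_answers += 1
                if ip not in seen:
                    new_answers += 1
                    seen.add(ip)
        metrics = {
            "ips": len(seen),
            "prefixes": prefix_count(seen),
            "max_ttl": max(ttls),
            "churn": new_answers / total_answers,  # 1.0 means every answer was a never-seen address
        }
        metrics["fast_flux"] = (
            metrics["max_ttl"] <= FLUX_MAX_TTL
            and metrics["ips"] >= FLUX_MIN_IPS
            and metrics["prefixes"] >= FLUX_MIN_PREFIXES
        )
        verdicts[name] = metrics
    return verdicts


def flagged_names(observations):
    """Names a resolver operator would escalate to the registrar or redirect at the ISP, per the article."""
    return sorted(n for n, m in classify(observations).items() if m["fast_flux"])


if __name__ == "__main__":
    for name, m in classify(OBSERVATIONS).items():
        print(f"{name:24s} ips={m['ips']:2d} prefixes={m['prefixes']} "
              f"max_ttl={m['max_ttl']:5d} churn={m['churn']:.2f} fast_flux={m['fast_flux']}")
```

The CDN-style name in the sample also rotates addresses with a short TTL, which is why address count alone is a poor signal; what separates it from the fluxing name is that its addresses all sit in one network, whereas compromised home machines are spread across many. The flagged list is the input to the two mitigations the article mentions: a takedown request to the registrar, or an ISP-level redirect of the name's DNS traffic.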



This page is powered by Blogger. Isn't yours?