Which of the following is a well known example of spyware which captures the keystrokes of the user?
|
In
Hack the Stack, 2006 How attackers gain illicit entry to a corporation’s premises depends on the company’s security posture. One way is for the attacker to
loiter by the company entrance and wait for an authorized person to unlock the door. Once open, the attacker follows the person inside, thus, piggybacking on that person’s authorization (also known as tailgating). Another way is blending in with a group of people. If an attacker has to display a badge, they have to steal one. Alternatively, materials for making fake IDs are available on the Internet at www.myoids.com. A more brazen approach is to talk his
or her way inside. If a door requires a Personal Identification Number (PIN) for entry, shoulder surfing (i.e., observing someone else enter their PIN on the keypad) can be used to learn a valid PIN. If the PIN has to be used in combination with a badge, a combination of attacks is needed. Once unauthorized entry is achieved, the attacker can take photographs of computer screens and any other materials. He or
she can steal manuals, storage media, and documents (e.g., the company directory). The attacker can even install a hardware keystroke logger. Keystroke loggers (also known as keyloggers) record the keystrokes typed on a computer’s keyboard. Keystroke loggers record passwords and capture the information before encryption is used on the password. There are two types of keystroke loggers: hardware and software. Some advantages of hardware keystroke loggers are that they are completely undetectable by software, can record all keystrokes, and can record keystrokes before the operating system is loaded (such as the Basic Input Output System [BIOS] boot password). One disadvantage is that the attacker has to return to retrieve the hardware keystroke logger. An attacker can also be an insider (e.g., co-workers, a disgruntled employee, or someone on the cleaning crew). As you can see in Figures 9.1 and 9.2, hardware keystroke loggers have a male connector on one end and a female connector on the other end. It is placed between the keyboard jack on the computer and the plug on the keyboard. Figure 9.1. KeyKatcher with PS/2 Connectors Photo courtesy of Allen Concepts, Inc.Figure 9.2. KeyGhost with USB Connectors Photo courtesy of KeyGhost Ltd.Some Web sites selling hardware keystroke loggers are: ■www.KeyKatcher.com (see Figure 9.1) ■www.KeyGhost.com (see Figure 9.2) ■www.KeyLogger.com To make your own hardware keystroke logger go to www.KeeLog.com. Software keystroke loggers have many advantages over their hardware counterparts. They can be installed through social engineering attacks, can discern which program is accepting the keyboard input from the user, and can categorize the keystrokes for the attacker. They can send the captured keystrokes to the attacker via e-mail, Internet Relay Chat (IRC), or other communication channel. Some popular software keystroke loggers are: ■
Spector Pro (www.spectorsoft.com) Takes screenshots, records e-mail messages that are sent and received, and records keystrokes (see Figure 9.3). Figure 9.3. System Surveillance Pro Software Keystroke Logger ■Ghost Keylogger (www.download.com) Uses an encrypted log file and e-mails logs. ■IOpus STARR PC and Internet Monitor (www.pcworld.com/downloads/file_description/0,fid,22390,00.asp) Captures Windows login. ■System Surveillance Pro (www.gpsoftdev.com/html/sspoverview.asp) Inexpensive and easy to use (see Figure 9.3). Detecting software keystroke loggers can be accomplished a couple of ways. The most common is using scanning software to inspect files, memory, and the registry for signatures of known keystroke loggers and other spyware. A signature is a small portion of a file (i.e., a string of bytes) that always appears in spyware programs. Another method of finding spyware is real-time detection of suspicious activity. Some programs that detect keystroke loggers and other spyware are: ■FaceTime Enterprise Edition (www.facetime.com) ■Windows Defender (www.microsoft.com/athome/security/spyware/software/default.mspx) ■Ad-Aware (www.lavasoftusa.com) ■Spybot Search & Destroy (www.spybot.info) ■Webroot Spy Sweeper Enterprise (www.webroot.com) ■Spyware Doctor (www.pctools.com/spyware-doctor) Anti-spyware programs also have different supplemental tools. Spybot Search & Destroy has some nice tools such as a registry checker for inconsistencies (see Figure 9.4), which integrates with their file information program, FileAlyzer. Figure 9.4. Spybot Search and Destroy Anti-spyware Program Tools & Traps…Detecting Keystroke LoggersHardware keystroke loggers can only be detected by visually inspecting the keyboard connection. Because they don’t run inside the computer as a program, there’s no information in memory. Look for a device (usually barrel-shaped) that is plugged into the keyboard jack, with the keyboard plugged into a jack on that device. KeyGhost Ltd. makes a keyboard with the keystroke logger built in, so that even visual inspection is insufficient. Software keystroke loggers are programs that run inside the computer. They must be started every time the computer is booted or when a user logs on. There are many ways to get a program to start automatically; a program like Autoruns from www.sysinternals.com shows all of them. As seen in Figure 9.5, we have detected sfklg.dll, the SoftForYou Free Keylogger. Figure 9.5. Autoruns Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597491099500137 Advanced TechniquesTed Fair, ... Technical Editor, in Cyber Spying, 2005 IntroductionCongratulations, you have made it through the first part of cyber-spy school. By now you should have a basic understanding of the spy process and quite a few tricks to help you pry into people's online lives. You may be feeling computer savvy, and even a little dangerous. Be warned, this is just the beginning. We have given you a few basic tricks and scenarios, which will work most of the time, especially in ideal situations. Of course, one of the most important rules of cyber-spying (all spying, in fact) is that there are no ideal situations. To be as prepared as possible for these non-ideal conditions, you need to develop skills that will expand your knowledge base and make you as versatile as possible. One major thrust of this chapter is to improve and build upon some of the techniques discussed earlier in this book. We want you to take what you have learned and convert it from basic to guru, so that when you encounter those odd cases, you still have a few more tricks up your sleeve. Although this book focuses mostly on personal computers (PCs), they are only a small part of the entire cyber-realm. While they are generally most people's gateway to cyberspace, they are not the only area a good cyber-spy should focus on. As cell phones, personal digital assistants (PDAs), and even video game consoles become more advanced, there are more ways to get online and to store and use information. All of these devices can hold clues about how their owner lives. A cyber-spy should not overlook this potential gold mine of information. Harnessing the Internet and its many powerful search engines and online databases should also be a tool in every spy's arsenal. Many people still do things the old-fashioned way–by paper. Detailed credit card statements, phone bills, and other periodic paper documents are a great place for collecting even more information. Viewing the entire picture and collecting and correlating data from different sources is a very important part of spying, and an advanced technique that even professional spies have a hard time mastering. Tips and Tricks Take TwoThroughout this book, we have discussed using hardware-based keystroke loggers. In many cases, they are the easiest and only way to get the information you need. If you decide to purchase a keystroke logger for your spying endeavors, we strongly recommend that you buy two identical ones. Having two keystroke loggers is extremely helpful when you have to deploy and analyze data from them. A good spy tries to expose himself as little as possible; for you that means minimizing your time on target. While installing a keystroke logger is a quick and easy task, if you want to take it to any other computer and analyze it, there is a time issue involved. If you only have one, you are forced to install it again after you have dumped the data; hence, there is a window of time when the machine is not being monitored at all. The situation is improved with two keystroke loggers. When you remove the full one from the back of the target PC, you replace it with the empty one. You now have immediate coverage on the computer. Meanwhile, you can analyze the other keystroke logger on a different machine. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781931836418500137 Botnets: A Call to ActionCraig A. Schiller, ... Michael Cross, in Botnets, 2007 The Industry RespondsAt the TechEd 2006 conference in Boston, Microsoft confirmed that “well-organized mobsters have established control [of] a global billion-dollar crime network using keystroke loggers, IRC bots, and rootkits,” according to “Microsoft: Trojans, Bots Are ‘Significant and Tangible Threat,’” an article by Ryan Naraine in the June 12, 2006, edition of eWEEK.com. Microsoft is basing this conclusion on data collected by its Malicious Software Removal Tool (MSRT). The article says that MSRT has removed 16 million instances of malicious code on 5.7 million unique Windows systems. Sixty-two percent of these systems were found to have a Trojan or bot client. The Alliance Against IP Theft, an organization in the U.K., published a document titled “Proving the Connection—Links between Intellectual Property Theft and Organised Crime” (www.allianceagainstiptheft.co.uk) that supports Microsoft's claim. On August 10, a group of information security professionals, vendors, and law enforcement gathered at Cisco Headquarters in San Jose. With little notice, the “Internet Security Operations and Intelligence Workshop” attracted around 200 attendees. Led by the enigmatic Gadi Evron (security evangelist for Beyond Security and chief editor of the security portal SecuriTeam), speaker after speaker painted a bleak and complex picture. Many lamented the increasing ineffectiveness of the prevailing strategy, which focused on identifying and taking out C&C servers. This is the “kill the head of the snake” approach. Bots have begun to evolve beyond this weakness now. Some now have multiple C&C servers, and, like a Hydra, if you cut off one C&C server, two more pop up. Some used protocols that lend themselves to a more decentralized organization. Some are using “Fast Flux” DNS technology (see Chapter 3) to play an electronic version of the shell game with the C&C server. There was much wailing and gnashing of teeth by the security and network professionals. However, amidst the lamentations, some very interesting and innovative ideas were presented. These ideas involve different methods of detecting botnets, aggregating this information, and sharing it for the benefit of all. Some ideas were so tempting that participants began trying out aspects of the idea during the presentation. When all was said and done, 200 minds knew what only a handful knew before. Further, a “call to action” had been issued. Come out of our shell, share what we know, organize our responses. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597491358500032 Spying on Chat and Instant MessagesTed Fair, ... Technical Editor, in Cyber Spying, 2005 Collecting Passwords and Buddy ListsWhile there is a lot of information that can be gleaned from IM conversations, there are some situations where just having knowledge of who is on your mark's buddy list may be sufficient. This piece of information alone can shed valuable light onto the composition and nature of your target's online relationships; after all, these are the people your mark feels are worth having only a click away. Also, depending on the messenger service, it can be useful to have block/ignore lists as well. Once obtained, it may be necessary to impersonate your mark to determine some of his or her contacts’ relevance and relationship with your mark. This impersonation usually requires your mark's password, another important piece of data to collect. In some cases, the password is hidden and scrambled in registry settings; in others, it sits in a plain text file. Collecting the Buddy List and Password from AIMChapter 6 covered the process for obtaining the buddy list from AIM. Obtaining the password is a slightly trickier procedure. Versions of AIM older than 4.7 stored the scrambled passwords in the Windows registry. Version 4.8 and higher store a hash of the password. A hash is the result of feeding the password into a one-way function, meaning that it is mathematically impossible to recover the password from the hash. So, if your mark is using an old version of AIM, there is a chance you might be able to recover the password. To determine the version, go to the AIM window and select Help | About AOL® Instant Messenger. A dialogue box should pop up giving numerous tidbits of information, along with the version number. A Google search on AIM password recovery will show several tools that will uncover the password. While this would be a fortunate scenario, it is a highly unlikely one. As of the writing of this book, the current version of AIM is 5.9, and it will most likely be much higher by the time this book is printed. The best bet for actually acquiring a password is to use a hardware or software keystroke logger. In addition to installing one, a good idea is to pull up the client and type in an incorrect password. Since many clients automatically save the last password typed, you need to modify the one stored to ensure that your mark enters the correct one the next time he or she logs on. Collecting the Buddy List and Password from YahooLike AIM, viewing the Yahoo Messenger's buddy list is covered in Chapter 6. Like AIM, Yahoo passwords are not stored or transmitted in plain text. Similarly, using a keystroke logger is the best advice for collecting this information. Collecting the Buddy List and Password from MSNMSN uses Microsoft's .NET passport as the basis for its authentication. Like AIM and Yahoo, the password for MSN is not stored or transmitted in plain text. However, since it relies on .NET passport, access to your target's account is usually enough to get MSN to log on. Another very useful option of MSN is the ability to save a contacts list By going to Contacts | Save Contact List. Using this capability, you can take a list of buddies/contacts from your mark's computer and load them on a different computer for analysis. Collecting the Buddy List and Password from GaimSince Gaim is not distributed by the owners of the IM networks and must interact with more than one network, it is more efficient for Gaim to store its own buddy and password lists. Gaim stores all of its information in easy-to-view .xml configuration files. XML files are a type of markup language that is relatively easy to understand and which can be opened by most Web browsers. This is the program you want your mark using. If you have any influence at all, steer your mark this way. There are two files of interest: accounts.xml, which has all of the IM accounts and their corresponding passwords and blist.xml, which is a copy of the buddy list for each account. There are basically two ways to find the XML files that you are looking for—manually, if you know where they are, or by searching the entire hard drive for them. We discuss both methods along with their trade-offs. The default location of Gaim's XML files can be found by opening explorer.exe and browsing to the following location: C:\Documents and Settings\ Both files should be there and accessible using Notepad or most any other text-viewing application. This requires one of two things to be true: the user has not marked his or her files as private, which is often the case. Or, if they are marked as private, you must be looking for these files from an administrator account or from the same account as your mark. While this method depends on permissions and is a little trickier than the next one we discuss, it allows you to locate the Gaim configuration directory for your mark, which also contains other useful information. In addition, should the nomenclature for the file names change, you can examine the files in the directory one by one, looking for the correct information. Use Microsoft's or Google's search tool and look for blist.xml and accounts.xml. To broaden your search and find even more potentially interesting files, a search for *.xml in Microsoft's tool or xml in Google's should produce useful results. Like the previous method, this one also depends on file permissions. Once you have found the files, their contents should be plainly visible. The following example shows the accounts.xml file for a Gaim user. As you can see from this example, account names and their corresponding passwords (when stored) are both clearly visible. In this example, the account name is “sarahevans1988,” and the password is “gatorade.” 0’ encoding=‘UTF-8’ ?> In the next example, we show you the type of information that you can retrieve from a stored buddy list. This example shows you the blist.xml file for “SarahEvans1988.” rsion=‘1.0’ encoding=‘UTF-8’ ?>
From this file, we see that Sarah does not have many buddies added. In true life examples, it is not unusual for people (especially teenagers) to have hundreds of entries in the file. Also, besides just learning the names “dirtylarry001,” “chuckypoo100,” and “sk8gurl,” we have learned that each entry is under the group listing “Recent Buddies.” Many people categorize their buddy lists into several groups (i.e., “Friends,” “Work,” “Hookups,” and so forth), which can be descriptive in its own way. Collecting the Buddy List and Password from TrillianSimilar to Gaim, Trillian stores its buddy list on the computer (via the server). You can retrieve this list by browsing to: C:\Program Files\Trillian\users\default\Buddies.xml. However, unlike Gaim, this list does not contain the password of the user. Instead, the password is stored encoded in an .ini file for each service. For the popular ones we are monitoring, the files are: C:\Program Files\Trillan\users\global\default\aim.ini C:\Program Files\Trillan\users\global\default\msn.ini C:\Program Files\Trillan\users\global\default\yahoo.ini In these files, we are searching for a line similar to password=9447F5AB4BE7BFF7. Instead of encrypting the password, Trillian uses a two-character encoding scheme to scramble them. There are several programs that will break this encoding for you (including one available on our Web site), but to give you a better idea of how they work, we have included Table 9.1, which we can use to break the password in our aim.ini file). The top row contains the characters from our file, and the left-hand row contains the decoded plain text. You just need to match up the two character letters from the top row with the correct letter. Table 9.1. Sample of a Table to Decode Trillian Passwords
If you followed this exercise, you should have determined that 94 = g, 47 = a, F5 = t, AB = o, 4B = r, E7 = a, BF = d, and F7 = e. The result is that we now know that the password for this account is “gatorade.” Next, we turn our attention to the collection of the actual communications between chatters. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781931836418500125 Computer Network AttackJason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014 ReconWe spent a good deal of time discussing reconnaissance and surveillance in Chapter 9 in the context of CNE. In that case, the reconnaissance that we would conduct would be done in a general sense, in order to map out and discover information on our target environment. As reconnaissance done in support of CNA and of the attack process, we may already have such general information already from the CNE and will be hunting for information on a much more specific level, given our potentially greater level of access and reduced need for stealth. Another tool that may become useful during this more specific stage of reconnaissance is social engineering. Using some of the social engineering tactics that we discussed in Chapter 8, we may very well be able to gain specific information that will allow us to access the systems in question without needing to resort to the full spectrum of attacks that we might need otherwise. Through social engineering we may be able to discover shared passwords used in other services or applications, may be able to find account names through searching the physical surroundings of those that work in the environment or through dumpster diving, or any number of similar tactics. Given the task of long-term reconnaissance at a more specific level, we may also want to plant the tools that would allow such monitoring on a particular system. Even on this scale, software such as a keystroke logger can produce enormous amounts of information, only a very small portion of which will generally have any great value; however, it may still be worth the effort. In environments where good password hygiene is not strictly enforced with technical controls, we can often find passwords that are manually synchronized between multiple systems, a great boon when attempting to gain access. We may also be able to sniff credentials from network traffic if less secure protocols such as telnet, File Transfer Protocol (FTP), or Post Office Protocol (POP) are allowed in the environment. TipWe should be prepared, at any step in the attack process, for our attacks to fail utterly and/or to be discovered. Particularly when our target is a highly secured environment, and we are facing stronger measures, such as multifactor authentication, this may very well be the case. It is always wise to have contingency plans that will allow us to still achieve our goals when we encounter such obstacles. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000106 Preventing System IntrusionsMichael West, in Network and System Security (Second Edition), 2014 Multiple Choice1. Which devices can locate wireless signals within a certain range, where they can siphon off the data being transmitted over the signals? A.Wireless sniffers. B.Packet sniffers. C.Port scanners. D.Port knocking. E.Keystroke loggers. 2.You can expect to have continued problems maintaining good network security awareness. Keep it simple. You need to draft some policies that define your network and its basic architecture. A good place to start is by asking the following questions, except which one? A.What kinds of resources need to be protected (user financial or medical data, credit-card information, etc.)? B.How many users will be accessing the network on the inside (employees, contractors, etc.)? C.Will there need to be access only at certain times or on a 24/7 basis (and across multiple time zones and/or internationally)? D.What kind of budget do I have? E.Will internal users be accessing the network, and if so, how many? 3.A good IDS detects unauthorized intrusions using three types of models: A.Anomaly-based. B.Signature-based. C.Network-based. D.Hybrid detection. E.Host-based. 4.For an IPS to be effective, it must also be very good at discriminating between a real threat signature and one that looks like but isn’t one (false positive). Once a signature interpreted to be an intrusion is detected, the system must quickly notify the administrator so that the appropriate evasive action can be taken. The following are types of IPS, except one: Network-based. B.Rate-based. C.Host-based. D.Backdoor-based. E.Content-based. 5.The latest trend to emerge in the network intrusion prevention arena is referred to as: A.antivirus. B.unified threat management. C.VPN. D.firewall services. E.antispam. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000022 Guarding Against Network IntrusionsThomas M. Chen, Patrick J. Walsh, in Network and System Security (Second Edition), 2014 Multiple Choice1. A stealthy type of malicious software (malware) designed to hide the existence of certain processes or programs from normal methods of detection is known as a: A.wireless sniffer. B.rootkit. C.port scanner. D.port knocker. E.keystroke logger. 2.If an intruder has installed malware for covert control, he or she will want to conceal the communications between him- or herself and the compromised target from discovery by: A.network-based intrusion detection systems (IDSs). B.tunneling. C.multiple time zones. D.budgets. E.networks. 3.What is a commonly used method to place packets of one protocol into the payload of another packet? A.Encryption. B.Signature-based. C.Tunneling. D.Hybrid detection. E.Host-based. 4.What is another obvious concealment method? A.Infection. B.Rate. C.Host. D.Back door. E.Encryption. 5.What can be a Trojan horse or other form of malware? A.Antivirus. B.Unified threat management. C.Keylogger. D.Firewall. E.Antispam. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000034 Spying on E-mailTed Fair, ... Technical Editor, in Cyber Spying, 2005 Keystroke LoggingKeystroke logging offers another local method of collecting e-mail. Although it is still done on the target's box, it is different enough from collecting e-mail files to warrant mention. This method involves collecting keystrokes from your target's computer using either a hardware or software keystroke logger. The logic behind this method is that every single keystroke your mark types is captured by the keystroke logger. As a result, any e-mail they create on their system will be logged. Its structure will differentiate it from other material being typed in. Using a keystroke logger also has several other advantages. It can collect from a number of different e-mail accounts without having to adapt a strategy for each one; in fact, you do not even have to know about all of the accounts your mark uses. As long as your target types on his or her PC, the information will be caught. In addition, you do not need to know passwords for either the e-mail accounts or for access to the computer. A wonderful benefit of a keystroke logger is that eventually many passwords will be revealed when your mark types them in. One of the weaknesses of this method is that keystroke logging captures only data that originates on the target's machine; incoming messages are not logged. Have you ever heard half of a conversation? This is basically what you will get with a keystroke log. You will have your target's original e-mail and his or her replies to messages, but be left guessing at the replies your target receives or messages he or she is replying to. If your mark is using a Web mail account and logs in from remote locations, that e-mail will not be available either. Finally, using a keystroke logger requires close and continual access to your target's machine in order to harvest the keystrokes. Failure to collect the keystrokes in a timely manner could cause your collections to be overwritten as the user types enough to overwrite your keystroke logger's buffer. In addition, keystroke loggers are not limited to collecting e-mail. If your user bounces back and forth between surfing the Web, writing a school paper, chatting online, and typing an e-mail, then you will get a fairly difficult-to-read conglomeration of their typing. Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781931836418500113 What is a famous example of spyware?PhoneSpy. PhoneSpy is an example of a spyware virus that pretends to be a mobile application to gain access to and infect Android mobile devices. This approach allows threat actors to remotely control mobile devices and steal data.
Which of the following is an example of spyware keylogger?It invades your device, steals sensitive information and internet usage data, and transmits it to advertisers, data companies or external users. Keylogger is the most common type of spyware. Therefore, Keylogger is an example of spyware.
What are the 4 types of spyware?Spyware is mostly classified into four types: adware, system monitors, tracking including web tracking, and trojans; examples of other notorious types include digital rights management capabilities that "phone home", keyloggers, rootkits, and web beacons.
What is the most common type of spyware?Adware: This is the most common type. It causes pop-up advertising to appear constantly. Not only is it annoying, but any information you provide may be stored and sent without your permission when accessing any of these sites.
|
