So why would it filter based on the page title? Monitoring DNS traffic only reveals which sites the user accesses, misses requests that takes advantage of the local cache, and cannot easily be correlated to individual HTTPS requests (other than through the IP address, in which case you might as well filter on that). And the keylogger needs to examine the content of the page: it isn't going to find the credentials in the title. What's the point? Filtering based on the title of a page is not terribly useful: sure, a keylogger would be more interested in a page that's called “login”, but on many sites login is done as a widget on the front page or on any page, not on a separate page. I'll confess to not having any practical experience with keyloggers, but I don't see why a keylogger would care about the title of a web page, or would monitor DNS or TCP traffic. Overall, from the common user's perspective a browser with bank mode plus the absence of WinPcap plus an antivirus for general safety seems to be a sufficient protection against keyloggers. Mitigation: Don't have WinPcap installed.Ģb) Monitor DNS requests with a custom firewall-type driver. A simple guy like me is not likely to run into this.Ģa) Monitor DNS requests for known domains with WinPcap and such. However, this approach is highly sophisticated and used mostly in government-made malware in targeted attacks on political opponents. Mitigation: Impossible apart from relying on your antivirus. Mitigation: Use a browser with bank mode that does not reveal page name in its window title.ġb) Break into the address space of a browser to see what it is actually working with. But to tell it did?ġa) Monitor the titles of browser windows for known pages. I see but one possibility: You have to intercept only the text entered after a known bank/email/etc page became active in a browser. How do you find passwords in this flood of text and what can your victims do to mitigate the threat? (For the record, I'm not talking about myself here.) Your trojan is going to send you megabytes of user input every day, 99.999% of it irrelevant. Imagine you are planning to deploy 100,000 copies of a Windows trojan with keylogger functionality. This question also applies to clipboard monitoring.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |