Virtual Keyboard and the Fight Against Keyloggers

Santosh Jadhav
By Santosh Jadhav

February 13, 2009

Welcome to Safe Bank's net banking. Please enter your net banking userid and password.

Userid: 15236523
Password: *************
Action = submit.jsp

and you have logged into net-banking application. Wow!!! You can now view your account balance, do third party funds transfer and much more.


Welcome to Safe Bank's net banking. Please enter your net banking userid and password.

Userid: 15236523
Password: *************
Action = submit.jsp

and you have logged into net-banking application. Wow!!! You can now view your account balance, do third party funds transfer and much more.


File contents:
08-Aug-08: 08:00: Window title: Welcome to Safe Bank net banking
Userid: 15236523 [tab] Password: Welcome123!

Behind the Scenes:
When you browsed to your net banking page and typed in your username and password to login into the online bank, there was a malicious program you were unaware of, named keylogger running in the background logging all the keystrokes into a config.dll file located in C:WINDOWSsystem32 folder. This file contains all the keystrokes typed in. It contains the window title and all those things typed into that window along with few other details. This file will then be uploaded to the attacker's website which he can use to his benefit.

These keyloggers are easily and freely available on internet and also integrated with other programs like rookits making its detection very difficult. So your chance of being infected by such a malicious code even if you have an updated antivirus/anti-Spyware program is about 70%. See the brighter side, you still are 30% safe. Sounds scary..huh!!! So lets keep our focus to internet banking websites and see how we (BANK + USERS) can try to avoid compromising login credentials.

Round 1: Fight!

This is when password stealers were simple keyloggers. Whatever keys were typed in, they were captured by the malicious code and logged into some file in simple or encrypted form. This file was later uploaded to attacker's site or simply the logs were mailed. This attack can be mitigated by virtual keyboards.

Figure 1.shows the basic virtual keyboard screenshot. It works simply by clicking the keyboard layout by a mouse. So the basic keyloggers cannot capture the mouse clicks and hence the passwords cannot be logged.

HDFC Virtual Keyboard
Fig 1. Virtual Keyboard (HDFC Net banking VKB)

You can achieve the same by Windows built-in virtual keyboard. Go to Start -> All Programs -> Accessories -> Accessibility -> on-screen keyboard.

Windows Virtual Keyboard
Fig 2. Virtual Keyboard (Windows in-built)

Round 2: Fight!

Now the malware coders were challenged as to how to defeat the virtual keyboards.

Mouse clicks cannot be logged. However their x-y positions can be logged which can then be used to get the keys clicked using their x-y position on the web page.

This technique is much simpler to mitigate by simply randomizing the keyboard layout. However total randomizing can make end users unhappy. So a good tip can be randomizing only selected 2 or 3 rows of alphabets instead of all of them.

Round 3: Fight!

Now what? We have the x-y positions but how do we know that what keys were present in that x-y co-ordinate for that period as they have been randomized. Simple!!! Why not take a snap of the keys pressed. Screen snap-shot of say 1 by 1 cm can be taken when a mouse click occurs. The letter present in snapshot is the password of the victim. This code along with basic keylogger can get log username typed from keyboard and snapshots of keys pressed by mouse-clicks from the other code.

Captured Password
Fig 3: Screen shots of password typed as captured by the malicious code.

One well known worm using this technique was W32/Dumaru. How can this be mitigated? How about changing the characters on the keys pressed to something other, on a mouse click? Or simply put change all keys (instead of a single key) to a # sign or a * sign. So if I click on letter "p" then it changes to "#" and then to original letter.

Replaced Keys 1
Fig 4: p changes to # on a mouse click

So the key captured on the screen shot will be captured-keys-2.png instead of correct characters.

Round 4: Fight!

Again our frustrated malicious minded person, let us call them "Malman" (We can't call them either a hacker or a script kiddie so in short Malman :) ) thinks of a way to fight their way to capture passwords. What if they capture screen shot of the keys clicked just a second after (or rather say few milliseconds after) the mouse is clicked. So when I click on "P" it becomes "#" on mouse click and back to "P" when click is released. Boom! Take a screen-shot of the key now. This works fine.

This can be defeated by changing the keys after the mouse click. So if I press "p", it changes to "#" and then to "r". Character "r" is captured in the screen shot.

Replaced Keys 3
Fig 5: p changes to # on a mouse click and then to r

This can however make the end-user uncomfortable because each time the keys location will change and he will have to search for his password which will greatly help shoulder surfing. Hovering is a technique in which the keys will automatically be selected and entered into the password field when a mouse cursor is held over it for a few milliseconds. Again the time delay has to be such that it should cause neither user in-convenience nor aid shoulder surfing.

The fight continues

The fight will go on and on. New attack vectors target Win32 API calls made to access HTML document where virtual keyboard fails to protect your passwords. However this can be mitigated in combination with products from different vendors like Trusteer's Rapport, Juniper's "Secure Virtual Workspace" or by secured remote terminal sessions using citrix. But then this again adds to increased cost and security overheads. Not many banks will happily implement such solutions.

So should we as end users let the "Malman" get all our passwords. No. We can fight back by taking few precautions from our side in combination with few other trusted tools which can help us protect our passwords.

  • Regularly update your Operating System for any patches released.
  • Use latest anti-virus and anti-spywares engines. Regularly update with detection signatures and periodically scan your system
  • Also do scan for any rootkit present on your system with tools like Rootkit Revealer
  • Always use updated version of internet browsers with latest patches. Do not forget to regularly update the patches
  • Simple freeware tools like KeyScrambler Personal firefox add-on can add to the increased security
  • Keep yourself educated with different techniques used by Malman to steal passwords

At last

This is what-in-short you can do to secure your Bank accounts. I mainly focused on Virtual Keyboards and how their fight against keyloggers evolved. But there are many attack vectors like Phishing etc. on internet used to compromise Bank accounts. Both Bank and the end customers should fight side by side to defeat the Malman. Individually it is impossible to fight them back.

Tags: Technical