Wednesday, October 27, 2010

KeyScrambler: How keystroke encryption works to thwart keylogging threats

Thanks to the Internet, financial transactions and purchasing have never been easier. But that convenience comes at a cost: we have to divulge personal financial information. That becomes a problem if our banking credentials get into the wrong hands. One way that happens is through malware that employs keylogging applications. In fact, that’s what financial malware is all about. Type in your credit-card information, the keylogger records it, sends it to the attacker, and, well, you know the rest. Thankfully, there is an answer.

Fight back


There are two approaches that help thwart keylogging applications. Anti-malware programs by design will remove malware including keylogging apps. We all have our favorite anti-malware program. Just make sure it is effective against keylogging malcode.

Keystroke encryption is the second approach. It uses a different methodology. It doesn’t care whether a keylogging app is installed or not. The keystrokes are encrypted and all the keylogger records is gibberish.

I have tried several keystroke encryption programs and settled on KeyScrambler by QFX Software. Qian Wang developed KeyScrambler and is the President and CEO of QFX Software. Here are Qian Wang’s credentials:

“Qian has been a programmer since age 12 and has had experience working on cutting edge projects at both the M.I.T. Media Lab and the M.I.T. Laboratory for Computer Science. Qian holds a B.S. and a Master’s in Electrical Engineering and Computer Science from M.I.T.”

Questions about KeyScrambler
Before I ran my tests on KeyScrambler I wanted to understand it better. I contacted Qian Wang and he obliged me by answering the following questions:

Himanshu Kohli: Preventing keystrokes from being logged, stopping screen and clipboard captures, and keylogging software removal are some of the capabilities included in anti-keylogging programs. What features are included in KeyScrambler?

Qian Wang: KeyScrambler, as the name implies, focuses on preventing keystroke logging by encrypting the user’s keystrokes. At QFX Software, we are big believers in “Do one thing, and do it well”, so we are currently concentrating on providing the best possible protection for the users’ keystrokes.

Himanshu Kohli: The web site says, “KeyScrambler encrypts keystrokes at the keyboard driver level, deep in the operating system, to defeat existing and future keyloggers.” Could you go into more detail on how that is accomplished?

Qian Wang: To understand how KeyScrambler works, it helps to look briefly at how an operating system like Windows actually processes keystroke data. When you type on your keyboard, it looks like the keystrokes are directly sent to the application you’re working on. In reality, they have to go through quite a long path to get there.

The keystrokes first arrive at a hardware controller on the computer’s motherboard, which forwards them to the Windows kernel’s keyboard input stack. They are then processed by the windowing system’s input manager, which sends them to a queue belonging to the application window that currently has input focus.

The application then retrieves the keystrokes from the queue and interprets them according to its own context, and finally the user sees the result of the keys that are pressed. This is a simplified view of what happens, without considering such complex issues as inputting non-English languages.

Many places along this path, there are ways to intercept the keystroke data. Any of these points can be used to perform keylogging, which is why it’s such a thorny problem.
What KeyScrambler does is to try to get to the keystrokes as early as possible in the Windows kernel using our encryption module. That way, as they get passed along the different layers of the OS, it won’t matter if they get logged, because the keystrokes are completely indecipherable.
When these encrypted keystrokes finally arrive at the intended application, the decryption component of KeyScrambler goes to work and turns them back into the keys the user originally typed.
If you are familiar with how SSL/TLS work to encrypt network traffic, this is basically the same principle applied to your keystrokes. And because KeyScrambler isn’t focused on defeating any particular technique or scanning for any particular signature, it doesn’t matter if a keylogger is well-known or brand new.

Himanshu Kohli: As KeyScrambler’s developer, what do you feel makes it unique?

Qian Wang: As far as I’m aware, when we released KeyScrambler in 2006, it was the first widely available keystroke-encryption product on the market. So for a while we were unique simply by being first.

More importantly, KeyScrambler is a new approach in dealing with the problem of keylogging. What we did was to look at keyloggers specifically, find out what data they’re after, and how they worked to get it. Then we thought about how to protect the data instead. In a sense, KeyScrambler isn’t so much focused on anti-keylogging as it is on keystroke-data protection.
Another feature is the display of the live encrypted stream of keystrokes. I think all too often security software takes a “Trust us” stance and only bothers the users when something goes wrong. KeyScrambler tries to show both when and how it’s working.

Himanshu Kohli: We mentioned the two types of anti-keylogger applications used against software keyloggers. Why did you choose the encryption route?

Qian Wang: The “scan and remove” method is the traditional way. It’s the way most anti-malware programs work. The limitations of this approach, such as the length of time it takes to deal with new threats and the potential for false-positives are pretty well known.

Still, such software continues to be useful. In fact, we recommend it as a baseline even when you use KeyScrambler. Most of our users do have a general purpose “scan and remove” type product installed on their computers.

Having the same type of program specifically aimed at keyloggers doesn’t buy you anything new, and it’ll have the same limitations. KeyScrambler complements traditional defenses by providing an additional layer of security.

Himanshu Kohli: Many anti-keylogging apps also prevent screen captures. Is that something that might be included in KeyScrambler?

Qian Wang: Once we feel like we’ve perfected our keystroke-encryption system, we’ll take a close look at some of these other problems. We have some ideas already, but we try not to lose focus. We think the world doesn’t need another tool that promises to do everything, but doesn’t do any one thing particularly well.

Himanshu Kohli: I noticed KeyScrambler works with several password managers including RoboForm. Are there any plans to include the password manager LastPass?

Qian Wang: Since LastPass works as a browser add-on, it should already be supported if it’s used in a browser that’s supported by KeyScrambler. We will retest the latest LastPass version to see if anything has changed. It shouldn’t be a problem to add support for it if it now has a standalone component.

Himanshu Kohli: I wanted to make sure I asked you about hardware keyloggers and if KeyScrambler was able to defeat them.

Qian Wang: KeyScrambler currently does not defeat hardware keyloggers since it only starts working once the keystrokes have reached the Windows kernel. It’s something that we will address with a future version of KeyScrambler, although I think for the average user the threat from hardware keyloggers is much smaller than from software keyloggers.

Himanshu Kohli: I have written several articles about financial malware such as ZeuS and Carberp. A key element of their success is the ability to log keystrokes. Will KeyScrambler prevent that from happening?

Qian Wang: As you’ve noted in your articles, Zeus and Carberp are complex beasts with many variants. KeyScrambler should work as usual against variants that log keystrokes directly.
But, some variants steal information directly from an HTML form before it is submitted. Such attacks would fall outside KeyScrambler’s protection envelope at this time. One thing users can do, as I know you’ve suggested, is use a browser such as Google Chrome that has better handling of user data.
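The protection envelope described in the interview above can be modelled in a few lines. This is an added illustration, not code from QFX Software or from the interview: it walks a typed string through the stages named above and records what a tap at each stage would see. The stage names, the positions of the encrypt and decrypt steps, and the cipher (an HMAC-SHA256 keystream used as a stand-in) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Stages of the input path as the interview describes it, in order. The first
# and last entries are the two places the interview says fall outside coverage.
PATH = [
    "hardware (before kernel)",      # hardware keylogger position
    "kernel keyboard input stack",
    "windowing input manager",
    "application window queue",
    "application (HTML form)",       # form-grabbing position
]
ENCRYPT_BEFORE = 1   # assumed: encryption module runs on entry to the kernel stack
DECRYPT_BEFORE = 4   # assumed: decryption component runs inside the application


def keystream_byte(key: bytes, counter: int) -> int:
    """Stand-in cipher: HMAC-SHA256 as a PRF in counter mode (not the product's algorithm)."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()[0]


def trace(typed: str, protect: bool = True) -> dict:
    """Return what an observer tapping each stage would record for `typed`."""
    key = secrets.token_bytes(32)            # per-session key, constructed here
    seen = {stage: bytearray() for stage in PATH}
    for counter, ch in enumerate(typed.encode("ascii")):
        value = ch
        for index, stage in enumerate(PATH):
            if protect and index in (ENCRYPT_BEFORE, DECRYPT_BEFORE):
                value ^= keystream_byte(key, counter)   # XOR encrypts, then decrypts
            seen[stage].append(value)
    return {stage: bytes(data) for stage, data in seen.items()}


def exposed_stages(typed: str, protect: bool = True) -> list:
    """Stages where a tap recovers the typed text unchanged."""
    wanted = typed.encode("ascii")
    return [s for s, data in trace(typed, protect).items() if data == wanted]


if __name__ == "__main__":
    sample = "demo-card-0000"        # constructed test input, not real data
    for stage, data in trace(sample).items():
        print(f"{stage:30} {data!r}")
    print("exposed with protection:", exposed_stages(sample))
```

With protection on, only the first and last stages return the typed text, which matches the two gaps named in the interview: hardware keyloggers and form grabbing.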

Testing KeyScrambler

The first thing that concerned me was the amount of resources KeyScrambler would be using. The application is on all the time, yet it did not tax my computer as shown below:

One thing that makes KeyScrambler unique is the visual indicator of keystrokes being encrypted. If so desired, KeyScrambler displays the encryption process in real-time as shown in the screenshot below:


It would not be a good test if I trusted that encryption was indeed taking place. So I enlisted the help of an application called Anti-Keylogger Tester. The test software was written by Guillaume Kaddouch of FirewallLeakTester.com. The first slide shows how Anti-Keylogger Tester is able to capture my keystrokes:

The next slide is with KeyScrambler turned on and Anti-Keylogger is not registering any recognizable keystrokes:

I would be remiss if I did not mention that KeyScrambler comes in three flavors. It is important to check out this web page if interested. It will help you decide which version fits your needs.

Final thoughts


Life today is complicated. Being able to shop and bank online helps simplify that complexity. So when that’s in jeopardy, we need to fight back. Besides, we worked hard for our money and deserve to keep it.

The beauty of a program like KeyScrambler is: Once installed, that’s it. Forget about it and let KeyScrambler be another layer of protection in the fight against financial malware.

