
Mouse Underlaying: New keylogger technique - superbigkoi
http://eudl.eu/doi/10.4108/eai.15-10-2018.155740
======
yolo1
If I have code exec on your everyday system, it's game over. There are very
few viable defenses without a complete architecture overhaul which would
probably remove too much usable functionality to be a viable option anyway.
It's just game over.

~~~
rficcaglia
There are viable defenses. There was similar work at three letter agencies
back in the 2001 - 2004 time frame and defenses were interactive, i.e. flood the
mouse or other logger with real enough looking data or use steganography.

Could the defenses be hooked? Sure. But there were defenses against that ...

In the end since most passwords are 123456 it was decided that these solutions
were like building Fort Knox but having the key to the front door under the
mat. Attackers follow the path of least resistance.

Maybe times have changed with MFA use...nah!

~~~
yolo1
What?

No, if you create rock-solid keylogging preventions I'll just scrape Chrome
temporary files instead lol.

~~~
nsomaru
Could you elaborate what you're talking about? Stealing passwords/sensitive
info from Chrome temporary files?

How can one mitigate this threat?

~~~
jrockway
I mean, this is why things like "secure elements" and "trusted platform
modules" exist.

You have a piece of hardware that stores encrypted data, and it can't be
accessed until that hardware is convinced that the operator is requesting the
access. The simplest example is a U2F key. It will not even sign an
authentication request for a website until it detects that a human operator
has asked it to do so (by touching it while flashing). That prevents malware
from authenticating on your behalf. (You can still be tricked into
authenticating, though, and then the malware will just steal the cookie you
got. That is why things like secure boot exist; if the hardware verifies the
OS and the OS verifies the hardware, then you can be reasonably sure that
security protections are in place and that random software downloaded from the
Internet can't interact with secure areas of your hardware. Modulo bugs in the
OS, which is hardly a guarantee given how complex they are these days.)

------
flipp3r
TLDR from the document "The keylogger generates a small transparent window
which is always under the mouse pointer requesting focus. Hence, local
listeners are capable of capturing the entire user input (keystrokes and mouse
clicks). In the following, this keylogger window closes while the captured
user input is imitated.".

At first sight, this looks quite silly.

~~~
pas
It has a lot of drawbacks that make it easily noticeable that something is
not right. (Browser autocompletion not working, for example.) Though it's an
interesting concept.

~~~
pjc50
I don't see why it would interfere with autocompletion - the keystrokes are
passed onto the browser, after all.

Interfering with focus might be more noticeable, although Windows 10 has made
this much less obvious than it used to be.

It does rather drive home the extent to which the "desktop" model is at odds
with the user being able to run multiple mutually hostile applications from
different sources. And sometimes the ability to read and inject keyboard input
is legitimate.

~~~
alanbernstein
There is at least one password manager autocomplete system that works by
examining the title of the current active window, so if that's not the
browser, it will fail.

~~~
zwp
But presumably the transparent keylogger window must know which is the
supposedly-active window (in order to be able to pass on keystrokes to it), so
the transparent window could emulate the supposedly-active window's title?

------
godojo
Would argue that UI Redressing is the general problem (mostly present on the
web, but can also be done on native as this paper suggests). Good BH
presentation:
[https://www.blackhat.com/docs/asia-14/materials/Niemietz/Asi...](https://www.blackhat.com/docs/asia-14/materials/Niemietz/Asia-14-Niemietz-UI-Redressing-Attacks-On-Android-Devices-Revisited.pdf)

------
logfromblammo
I wonder how the attack would handle touch input. A touch event could happen
anywhere on the screen, not just at the pixel under the mouse pointer.

I think I'd try using a window that is equal to the screen size, hide it, take
a screenshot, and unhide it with the screenshot image displayed.

~~~
TeMPOraL
Or just make the window 100% transparent. AFAIK all mainstream OSes on all
mainstream platforms support transparent windows.

~~~
logfromblammo
The paper mentioned there was a problem with using 0% opacity. The moving
pixel window was therefore set to the lowest possible nonzero opacity.
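The TLDR above and this opacity detail together give a defender a fairly specific signature: a pixel-sized window, set to the lowest nonzero opacity rather than fully transparent, that keeps landing under the pointer and takes keyboard focus away from the application the user is actually typing into. The following is an added example (not code from the paper or from anyone in this thread) of a host-side heuristic that looks for that combination in a series of window-state snapshots. The snapshot fields, the thresholds and the sample session are all constructed assumptions standing in for what a monitoring agent would collect from the window manager.

```python
"""Heuristic detector for a 'mouse underlaying' style input-capturing window.

Added example, not from the paper or the thread. Input is a constructed list
of window-state snapshots of the kind an endpoint agent could poll from the
window manager; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds (assumptions; tune for the environment being monitored)
MAX_AREA_PX = 256          # e.g. 16x16 pixels; anything larger is not "pixel-sized"
MAX_ALPHA = 8              # near-invisible on a 0..255 layered-window opacity scale
MIN_DISTINCT_CURSOR = 3    # must sit under the cursor at several different screen spots
MIN_RATIO = 0.8            # fraction of samples that must show each property


@dataclass(frozen=True)
class WindowSnapshot:
    t: float            # seconds since the start of the sampling session
    hwnd: int           # opaque window id (constructed)
    x: int              # top-left corner of the window rectangle, screen pixels
    y: int
    w: int
    h: int
    alpha: int          # 0..255 opacity of the window
    focused: bool       # whether this window held keyboard focus at time t
    cursor: tuple       # (cx, cy) pointer position at time t


def cursor_inside(s: WindowSnapshot) -> bool:
    """True if the pointer position recorded in the snapshot lies inside the window."""
    cx, cy = s.cursor
    return s.x <= cx < s.x + s.w and s.y <= cy < s.y + s.h


def score_window(samples) -> dict:
    """Per-property ratios for one window's samples (plus a pointer-tracking count)."""
    n = len(samples)
    return {
        "tiny": sum(s.w * s.h <= MAX_AREA_PX for s in samples) / n,
        # faint: nearly, but not fully, transparent (0% opacity is what the paper avoided)
        "faint": sum(0 < s.alpha <= MAX_ALPHA for s in samples) / n,
        "under_cursor": sum(cursor_inside(s) for s in samples) / n,
        "focused": sum(s.focused for s in samples) / n,
        # a static overlay can contain the cursor once; one that follows it
        # contains it at many different pointer positions
        "distinct_cursor_positions": len({s.cursor for s in samples if cursor_inside(s)}),
    }


def flag_suspicious(snapshots, min_samples: int = 5) -> list:
    """Return the window ids whose samples match the underlaying signature."""
    by_hwnd = defaultdict(list)
    for s in snapshots:
        by_hwnd[s.hwnd].append(s)
    flagged = []
    for hwnd, samples in by_hwnd.items():
        if len(samples) < min_samples:
            continue  # not enough evidence yet
        sc = score_window(samples)
        if (sc["tiny"] >= MIN_RATIO and sc["faint"] >= MIN_RATIO
                and sc["under_cursor"] >= MIN_RATIO and sc["focused"] >= MIN_RATIO
                and sc["distinct_cursor_positions"] >= MIN_DISTINCT_CURSOR):
            flagged.append(hwnd)
    return sorted(flagged)


# Constructed sample session: the pointer moves across a 1920x1080 screen while
# four windows are polled. Ids 1001-1004 are made up.
CURSOR_PATH = [(100, 100), (400, 250), (800, 600), (820, 610), (300, 900)]


def make_sample_session() -> list:
    session = []
    for t, (cx, cy) in enumerate(CURSOR_PATH):
        cur = (cx, cy)
        # 1001: full-screen browser; it no longer holds focus because 1004 took it
        session.append(WindowSnapshot(t, 1001, 0, 0, 1920, 1080, 255, False, cur))
        # 1002: opaque 16x16 tray icon in the corner, never under the pointer
        session.append(WindowSnapshot(t, 1002, 1800, 1050, 16, 16, 255, False, cur))
        # 1003: legitimate tiny, faint, but static overlay that does not track the pointer
        session.append(WindowSnapshot(t, 1003, 500, 500, 4, 4, 1, False, cur))
        # 1004: 4x4 window at minimum nonzero opacity, re-centred on the pointer, focused
        session.append(WindowSnapshot(t, 1004, cx - 2, cy - 2, 4, 4, 1, True, cur))
    return session


if __name__ == "__main__":
    print("suspicious windows:", flag_suspicious(make_sample_session()))
```

The distinct-cursor-position count is what separates a real pointer-following window from a small static overlay that the cursor merely passed over, and the focus ratio is what separates it from a cosmetic overlay that never takes input. On a real host the same logic would be fed from whatever window enumeration and opacity query the platform exposes; the false-positive risk from tooltips and cursor-attached accessibility aids is why each property is scored as a ratio over several samples rather than matched on a single poll.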

------
forapurpose
OT: The European Union Data Library publishes the paper, and the webpage is in
English. English is the international language of many domains, including
business and science. However,

1. The UK is exiting the EU, leaving no members with English as their first
language (unless I am overlooking someone).

2. AFAIK, English became the international language because of the cultural
predominance of the U.S. and the consequences of the former British empire.
The U.S.'s cultural impact seems to have greatly receded since 2016, and its
relative power had already greatly receded since the end of WWII, when it
produced half the world's economic output. The British Empire is a distant
memory.

3. Some EU members, such as France, have long pushed back against English's
dominance.

Will the EU continue to use English, officially and unofficially? To the same
degree as today? If not, what will they use? I realize some of the answer is
impossible to predict, but some is EU policy. Is there any discussion of it?

~~~
Tsiklon
The Republic of Ireland has two official languages: Irish and English.

Irish is the first national language as it is both culturally important and
distinctive - though English is the dominant language with 93% of all people
in the country speaking it fluently or as their only language.

~~~
lucian1900
There's also Malta.

