-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just lightly scratching the surface, KeyScrambler.sys is signed by GlobalSign; strings reveals nothing interesting other than that OpenSSL 0.9.8a is used.

elazar

On Thu, 09 Dec 2010 09:26:49 -0500 Gary Baribault <g...@baribault.net> wrote:
>Call me paranoid, but that sure would be a good way to spread a key logger!
>
>Gary B
>
>
>On 12/09/2010 07:25 AM, Christian Sciberras wrote:
>> Dave,
>>
>> That's ok. Glad to have helped out :)
>>
>> Cheers,
>> Chris.
>>
>>
>> On Thu, Dec 9, 2010 at 1:07 PM, mrx <m...@propergander.org.uk <mailto:m...@propergander.org.uk>> wrote:
>>
>> On 09/12/2010 10:26, Christian Sciberras wrote:
>> >> I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.
>> >> I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.
>> > Alternatively, you can just decompress the XPI (it's in fact a zip) and inspect the js files and/or decompress any binaries.
>> > I suppose they are distributing some form of driver, so you'd find IDA/ollydbg useful.
>> >
>> > Chris.
>>
>> I extracted the files (various .js files and an exe) from the xpi.
>> The .js files version check and create an instance of keyscrambler.sys with the current firefox window passed to it as an argument.
>>
>> I also extracted the contents of the executable, setup.exe.
>> Setup.exe contained various dll's and one sys file. I presumed this sys file, keyscrambler.sys, is the driver and main component of this addon.
>> To confirm, I monitored the running of setup.exe.
>>
>> My presumption was correct: keyscrambler.sys is installed in the system32 folder and is registered as an autostarting service, although it is hidden from the services pane in computer management.
>>
>> This is where my "skills" bottom out. ASM is something I have not yet got my head around.
>> I have a clue, but that's about all I do have... in time ;-)
>>
>> Thanks for your advice and input
>> regards
>> Dave
>>
>>
>> > On Thu, Dec 9, 2010 at 11:23 AM, mrx <m...@propergander.org.uk <mailto:m...@propergander.org.uk>> wrote:
>>
>> > On 08/12/2010 11:30, Tim Gurney wrote:
>> >>>> Hi
>> >>>>
>> >>>> This seems to contradict itself somewhat. A plugin to firefox should have no way to encrypt things at a driver level within the kernel; that would require installing separate software at the root level. A plugin should not be able to do this and I would be VERY worried and surprised if it could, as it would mean bypassing the security of the OS.
>>
>> > I tried installing this plugin to Firefox 3.6.12 in a virtualbox XP32(SP3) environment and it is incompatible.
>> > I may wait for an update to the plugin and analyse its behaviour, providing my curiosity doesn't wane in the meantime.
>>
>> > I am not a professional; I do this kind of research as a hobby and for educational purposes, when I have some free time.
>>
>>
>> >>>> Also, if the driver is encrypting the key strokes and the plugin is decrypting, what about all the keystrokes that are not in firefox, like email, word processing, programming? There is nothing to decrypt these, so you would end up only ever being able to use firefox on the machine and nothing else ever again.
>>
>> > The devs do state that it only encrypts keystrokes in Firefox and not other applications, although they do sell a version that supposedly works "in over 160 browsers and applications".
>>
>> >>>>
>> >>>> Personally I would not touch this with a barge pole and I would do a lot more digging and checking into this.
>>
>> > Yes, I am sceptical of claims, hence the post to this list.
>>
>>
>> >>>> regards
>> >>>>
>> >>>> Tim
>>
>>
>> > Thanks for your input
>> > Dave.
>>
>>
>> >>>>
>> >>>> On 08/12/10 11:12, mrx wrote:
>> >>>>> Hi list,
>> >>>>
>> >>>>> Is anyone familiar with the firefox addon KeyScrambler? According to the developers this encrypts keystrokes.
>> >>>>
>> >>>>> Quote:
>> >>>>> "How KeyScrambler Works:
>> >>>>> When you type on your keyboard, the keys travel along a path within the operating system before it arrives at your browser. Keyloggers plant themselves along this path and observe and record your keystrokes. The collected information is then sent to the criminals who will use it to steal from you.
>> >>>>
>> >>>>> KeyScrambler defeats keyloggers by encrypting your keystrokes at the keyboard driver level, deep within the operating system. When the encrypted keystrokes reach your browser, KeyScrambler then decrypts them so you see exactly the keys you've typed. Keyloggers can only record the encrypted keys, which are completely indecipherable."
>> >>>>
>> >>>>> Can this be trusted? As in trusted I mean not bypassed.
>> >>>>
>> >>>>> Input from the professionals on this list would be much appreciated.
>> >>>>
>> >>>>> Thank you
>> >>>>> regards
>> >>>>> Dave
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> Full-Disclosure - We believe in it.
>> >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAk0BLvQACgkQi04xwClgpZjORgP+NtHSIZnh3/JTmaAVrEqjQs+x+6k2
3xd8jjSmIE3H61m4pWiMTxqe5gGod4DlqdwlIUjSMvmLsFastAuQeCrNF7QATr0tr6xo
xL+JsEmn0IWP08RFJ5mgbb1EoYT2goVU/HRWQMJ19dJI0CDQAiXO2vSX+2qtSxjZ9ShP
sNsXXiM=
=7lCB
-----END PGP SIGNATURE-----
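A first triage pass of the kind Chris and Dave describe above (unzip the XPI, separate the scripts from any bundled native binaries, run strings over the binaries to spot things like a bundled crypto library version) as an added Python example. This is not code from the thread, from the list, or from KeyScrambler's vendor. The archive it inspects is constructed inline and is not the real add-on: the file names, the "OpenSSL 0.9.8a" string and the short list of Firefox-era JS APIs it flags as native-code bridges are illustrative assumptions. Binaries are recognised by the PE header (MZ stub plus the PE\0\0 signature at e_lfanew), not by file extension, so a driver or installer renamed to look like an image is still caught.

```python
"""Offline triage of a Firefox XPI (which is a zip archive).

Added example for the KeyScrambler thread; not the add-on's own code.
The sample XPI below is CONSTRUCTED for the demo and is not the real
add-on. The JS API list is a heuristic, not an authoritative set.
"""
from __future__ import annotations

import hashlib
import io
import re
import struct
import zipfile

# Firefox (XUL-era) JS APIs through which add-on script can reach native
# code, files or processes. Heuristic and incomplete (assumption).
NATIVE_BRIDGE_APIS = ("Components.classes", "nsIProcess", "ctypes.open", "nsILocalFile")


def is_pe(data: bytes) -> bool:
    """True if data is a PE image: 'MZ' stub and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def scan_script(text: str) -> list[str]:
    """Names from NATIVE_BRIDGE_APIS that appear in a script, sorted."""
    return sorted({api for api in NATIVE_BRIDGE_APIS if api in text})


def triage_xpi(xpi_bytes: bytes) -> dict:
    """Inventory an XPI: hash and string-dump PE binaries, flag scripts that touch native bridges."""
    report: dict = {"scripts": {}, "binaries": {}, "other": []}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if is_pe(data):  # classify by magic, never by extension
                report["binaries"][info.filename] = {
                    "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "strings": extract_strings(data),
                }
            elif info.filename.lower().endswith((".js", ".jsm")):
                report["scripts"][info.filename] = scan_script(data.decode("utf-8", "replace"))
            else:
                report["other"].append(info.filename)
    return report


def _fake_pe(payload: bytes) -> bytes:
    """Minimal bytes that satisfy is_pe(): MZ stub, e_lfanew = 0x40, PE signature, then payload."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + payload


def build_sample_xpi() -> bytes:
    """CONSTRUCTED sample archive for the demo; contents are made up, not the real add-on."""
    main_js = (
        'var cls = Components.classes["@example.invalid/scrambler;1"];\n'
        "var svc = cls.getService();\n"
        "svc.attach(window);\n"
    )
    installer = _fake_pe(b"\0" * 16 + b"OpenSSL 0.9.8a 11 Oct 2005\0" + b"keyscrambler.sys\0" + b"\x01\x02ab\0")
    disguised = _fake_pe(b"\0" * 8 + b"not-really-an-image\0")  # PE hidden behind a .png name
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/content/main.js", main_js)
        zf.writestr("bin/setup.exe", installer)
        zf.writestr("skin/icon.png", disguised)
    return buf.getvalue()


if __name__ == "__main__":
    rep = triage_xpi(build_sample_xpi())
    for name, details in rep["binaries"].items():
        print(f"[PE] {name} {details['size']}B sha256={details['sha256'][:16]}...")
        for s in details["strings"]:
            print("      ", s)
    for name, apis in rep["scripts"].items():
        print(f"[JS] {name} native bridges: {apis or 'none'}")
    print("[--] other:", rep["other"])
```

This stops at inventory: it tells you which files are native code, what readable strings they carry and which scripts can reach out of the sandbox, which is where Dave stopped too. What a .sys actually does still needs a disassembler as Chris suggests, and the Authenticode signature elazar mentions is not checked here; on Windows, signtool verify /pa or Sysinternals sigcheck does that.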