
RE: Defeating Citibank Virtual Keyboard protection using screenshot method



On Wed, 9 May 2007, Jim Harrison wrote:
> Without getting into SMTP latency comparisons...
> 
> Perhaps I missed something, but where is the threat demonstrated sans
> code installation?
> I'm not trying to disparage anyone's work, but as you yourself pointed
> out, there is nothing demonstrated here that doesn't qualify as common
> malware.

We are all really in agreement.

> 
> -----Original Message-----
> From: Gadi Evron [mailto:ge@xxxxxxxxxxxx] 
> Sent: Wednesday, May 09, 2007 1:42 PM
> To: Jim Harrison
> Cc: Int3; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Defeating Citibank Virtual Keyboard protection using
> screenshot method
> 
> On Wed, 9 May 2007, Jim Harrison wrote:
> > Granted, it's an interesting methodology, but until you can demonstrate
> > circumvention of the CitiBank keylogger without installing code on the
> > victim host, a threat is not indicated and cannot be taken seriously.
> 
> Even though I was the first to point out this is old news for the malware
> scene in online/e fraud, I'd be the first to bow down before Int3 and say
> "thank you for sharing your work with us". Many don't.
> 
> But your point above:
> "without installing malware on the victim host"
> 
> Although true on some level, is bogus for the purpose of this work, as it
> being written makes an automatic assumption on working only after malware
> is installed.
> 
> Although you are right, in practice this is already a heavily abused
> technology, and..
> 'Getting malware on a system', who ever heard of such a ridiculous
> idea? :)
> 
>       Gadi.
> 
> > 
> > -----Original Message-----
> > From: Int3 [mailto:yashks@xxxxxxxxx] 
> > Sent: Wednesday, May 09, 2007 11:14 AM
> > To: Jim Harrison
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Re: Defeating Citibank Virtual Keyboard protection using
> > screenshot method
> > 
> >  
> > This is not malware, it will only help people to experiment and see the
> > result without writing one for themselves.
> >  
> > Regards,
> > Yash K.S
> >  
> > On 5/9/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote: 
> > 
> >     (copied here without permission)
> >     Step by Step Demo:
> >     
> >     - Download POC from http://tracingbug.com/downloads/citihook.zip and
> >     unzip to some directory
> >     - Launch citihook.exe, this will watch only
> >     https://www.online.citibank.co.in/ URL
> >     
> >     Effectively, "Let me install my malware on your machine to demonstrate
> >     how vulnerable it is."
> >     
> >     P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> >     The "problem" ceases to be a vulnerability at this point. 
> >     
> >     -----Original Message-----
> >     From: yashks@xxxxxxxxx [mailto:yashks@xxxxxxxxx]
> >     Sent: Monday, May 07, 2007 3:03 AM
> >     To: bugtraq@xxxxxxxxxxxxxxxxx
> >     Subject: Defeating Citibank Virtual Keyboard protection using screenshot
> >     method
> >     
> >     Severity: Critical
> >     
> >     Platforms Affected:
> >     
> >     Microsoft Corporation: Windows 98 Any version 
> >     Microsoft Corporation: Windows Me Any version
> >     Microsoft Corporation: Windows XP Any version
> >     Microsoft Corporation: Windows 2000 Any version
> >     Microsoft Corporation: Windows 2003 Any version
> >     Microsoft Corporation: Windows NT 4.0 Any version
> >     Citi-Bank: Citi-Bank Virtual Keyboard Any version
> >     
> >     Browsers:
> >     Microsoft Internet Explorer Any version
> >     Mozilla FireFox Any version
> >     Any browser that runs on the Win32 platform (with slight modification)
> >     
> >     Original URL: http://www.tracingbug.com/index.php/articles/view/23.html
> >     
> >     Regards,
> >     Yash K.S <yashks@xxxxxxxxx> | www.tracingbug.com
> >     
> >     All mail to and from this domain is GFI-scanned.