RE: Defeating Citibank Virtual Keyboard protection using screenshot method



Without getting into SMTP latency comparisons...

Perhaps I missed something, but where is the threat demonstrated sans
code installation?
I'm not trying to disparage anyone's work, but as you yourself pointed
out, there is nothing demonstrated here that doesn't qualify as common
malware.

-----Original Message-----
From: Gadi Evron [mailto:ge@xxxxxxxxxxxx]
Sent: Wednesday, May 09, 2007 1:42 PM
To: Jim Harrison
Cc: Int3; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Defeating Citibank Virtual Keyboard protection using
screenshot method

On Wed, 9 May 2007, Jim Harrison wrote:
Granted, it's an interesting methodology, but until you can demonstrate
circumvention of the CitiBank keylogger without installing code on the
victim host, a threat is not indicated and cannot be taken seriously.

Even though I was the first to point out this is old news for the malware
scene in online/e fraud, I'd be the first to bow down before Int3 and say
"thank you for sharing your work with us". Many don't.

But your point above:
"without installing malware on the victim host"

Although true on some level, is bogus for the purpose of this work, as it
being written makes an automatic assumption on working only after malware
is installed.

Although you are right, in practice this is already a heavily abused
technology, and..
'Getting malware on a system', who ever heard of such a ridiculous idea? :)

Gadi.


-----Original Message-----
From: Int3 [mailto:yashks@xxxxxxxxx]
Sent: Wednesday, May 09, 2007 11:14 AM
To: Jim Harrison
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Defeating Citibank Virtual Keyboard protection using
screenshot method


This is not malware, it will only help people to experiment and see the
result without writing one for themselves.

Regards,
Yash K.S

On 5/9/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

(copied here without permission)
Step by Step Demo:

- Download POC from http://tracingbug.com/downloads/citihook.zip and
unzip to some directory
- Launch citihook.exe, this will watch only
https://www.online.citibank.co.in/ URL

Effectively, "Let me install my malware on your machine to demonstrate
how vulnerable it is."

P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
The "problem" ceases to be a vulnerability at this point.

-----Original Message-----
From: yashks@xxxxxxxxx [mailto:yashks@xxxxxxxxx]
Sent: Monday, May 07, 2007 3:03 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Defeating Citibank Virtual Keyboard protection using
screenshot method

Severity: Critical

Platforms Affected:

Microsoft Corporation: Windows 98 Any version
Microsoft Corporation: Windows Me Any version
Microsoft Corporation: Windows XP Any version
Microsoft Corporation: Windows 2000 Any version
Microsoft Corporation: Windows 2003 Any version
Microsoft Corporation: Windows NT 4.0 Any version
Citi-Bank: Citi-Bank Virtual Keyboard Any version

Browsers:
Microsoft Internet Explorer Any version
Mozilla FireFox Any version
Any browser runs on Win32 platform ( With slight modification )

Original URL :
http://www.tracingbug.com/index.php/articles/view/23.html

Regards,
Yash K.S <yashks@xxxxxxxxx > | www.tracingbug.com

All mail to and from this domain is GFI-scanned.




