Windows 7 Forums

Windows 7: Form-grabbing rootkit sold on underground forums


22 May 2013   #1
A Guy

Form-grabbing rootkit sold on underground forums

Quote:
There is seemingly no end to the automated tools that aspiring cyber crooks can buy on underground forums.

The latest of these, discovered by Webroot's Dancho Danchev, is "Private Grabber", a commercial rootkit that can "grab" any form of communication transmitted over SSL, but is usually mostly aimed at stealing login credentials.

A Guy

23 May 2013   #2
Cr00zng

Once you have a rootkit on the target machine, why would one need this tool for 75 bucks? A free keylogger will capture the UID/PWD for any login...
23 May 2013   #3
Dallas 7

Quote: Originally Posted by A Guy
There is seemingly no end to the automated tools that aspiring cyber crooks can buy on underground forums.

The latest of these, discovered by Webroot's Dancho Danchev, is "Private Grabber", a commercial rootkit that can "grab" any form of communication transmitted over SSL, but is usually mostly aimed at stealing login credentials.

Just read that article, that's scary.
24 May 2013   #4
bobafetthotmail

Quote: Originally Posted by Cr00zng
Once you have a rootkit on the target machine, why would one need this tool for 75 bucks? A free keylogger will capture the UID/PWD for any login...
Maybe for cases where you are not using the keyboard to log in. Either using a key remapper or an onscreen keyboard embedded in the site you are logging into. Or something weirder, like the "unite at least 3 points" kind of optional password of Android phones (that is a breeze to implement in a site).
24 May 2013   #5
Cr00zng

Quote: Originally Posted by bobafetthotmail
Maybe for cases where you are not using the keyboard to log in. Either using a key remapper or an onscreen keyboard embedded in the site you are logging into. Or something weirder, like the "unite at least 3 points" kind of optional password of Android phones (that is a breeze to implement in a site).
Good point... Hardware/software-based keyloggers cannot log virtual keyboard entries. One could also add a CAPTCHA to the login process, which would make this form grabber useless for automated login with the stolen credentials.

The form grabber isn't really an SSL exploit as stated by the tester, and his statement is misleading to say the least. Quote:
Quote:
In this post, I'll profile a recently advertised commercial 'form grabbing' rootkit, that's capable of "grabbing" virtually any form of communication transmitted over SSL
In actuality, the form grabber is a client exploit that grabs the UID/PWD prior to their being submitted over the SSL channel for authentication. The more damaging component isn't really the form grabber; it is the rootkit that enables this tool to capture authentication credentials and display them in a nice GUI interface. Presumably aimed at script kiddies and the like, who hate searching through text logs...

The "'grabbing' virtually any form of communication transmitted over SSL" part of the sentence is false and suggests that anything submitted over an SSL transfer is captured. Anything, as long as it is UID/PWD...

Commercial DLP (Data Loss Prevention) solutions do the same via desktop agents. These agents can monitor/block the content of any encrypted communication, including SSL, SSH, PGP, etc., based on the desktop agent's content policy. The difference is price (huge) and performance; a desktop agent policy of monitor/block everything brings the desktop to a screeching halt...