Detection For Keylogger Spyware Attacks


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Malware is software that steals information from a computer or damages it; its types include keyloggers, spyware, adware, rootkits and others. In short, it is a program intentionally developed to harm or exploit people's computers, especially those connected to the Internet [23]. What makes such programs more hazardous is that they reinstall themselves even after they have been removed, and they are difficult to clean because they hide deep within Windows [24]. Providing efficient security solutions against these attacks has therefore become crucial. A keylogger spyware is a distinct kind of malware attack that combines two malware programs in a single script. In this paper we propose a client and server honeypot based detection technique for keylogger spyware attacks. We have created two honeypots, a Client Honeypot and a Server Honeypot. The Client Honeypot, deployed at the client's end, monitors the malicious activities occurring in the infected client system and reports them to the Server Honeypot. The Server Honeypot maintains a database in which the information sent by the Client Honeypot is recorded. The malicious activity (i.e. an email being sent every two minutes) can then be detected easily in an inspection process, and the recorded information can further be used to prevent the attack. The paper is organized as follows: Section II discusses related work; Section III covers the related terminology; Section IV defines the problem, followed by the methodology in Section V; Section VI presents the proposed algorithms for keylogger spyware detection; Section VII concludes the work and Section VIII describes future work.

II. LITERATURE SURVEY

In paper [1] the authors proposed a framework for the detection and prevention of keylogger spyware attacks; it is capable of defending against such attacks, which use a combination of malwares. Paper [2] focused on honeypot and honeynet technology, which provides new and powerful means for network security; the system was optimized to improve the honeypot's target coverage, integrity, detection rate and safety. Experiments show that the improved honeypot system achieves higher detection rates and higher safety, and it collects attack information while providing effective protection for a graduates' employment information system. In paper [3] the authors present an agent-based honeynet framework for protecting servers in a campus network. In this framework, agents remove malicious processes and executable files on servers infected by zero-day attacks as soon as the honeynet detects them. The proposed framework provides a novel defense mechanism that protects servers effectively from new types of Internet worms without the use of signatures. Paper [4] presents an intrusion detection module based on honeypot technology which utilizes an IP traceback technique. By using mobile agents, the module has the capability of distributed detection and response; the whole detection module can be extended conveniently and configured dynamically and flexibly. By using honeypot technology, the module traces the intrusion as far as possible towards its source. In [5] the authors provide an integrated framework for malware collection and analysis using both server honeypots and client honeypots. The main objective was to analyze the malware collected from the honeypots. Honeypots can be classified as server honeypots and client honeypots. Server honeypots, which give us knowledge of server-side attacks, are passive honeypots.
Client honeypots give us deep knowledge of client-side attacks; therefore they are also called active honeypots or honeyclients. The proposed integrated framework for malware collection and analysis has five components: URL data source, Honeypot controller, Central Database, Analysis Server and Management Server. It was observed that conventional server honeypots suffer from lack of exposure, risk of detection, high resource demands and the need for administrative supervision, whereas client honeypots risk generating false positive and false negative alerts and have slow performance. In [6] the authors propose an Intelligent Intrusion Detection System, based on a specific AI approach, for unknown malware attacks. The techniques investigated include neural networks and fuzzy logic with network profiling, which uses simple data mining techniques to process the network data. A hybrid system is introduced that combines anomaly, misuse and host-based detection. An attack classification method is proposed for computer network security: attacks are classified by vulnerability, i.e. attack propagation skills and attack intentions, and the classification results are arranged accordingly. In [7] the authors aim to discover frequent new sequential attack patterns of malware. The paper proposes a data mining algorithm, the PrefixSpan method, which is used to analyze malware footprints and detects frequent sequential attack patterns with high accuracy. PrefixSpan is an algorithm for efficient mining of sequential patterns in a huge dataset; it does not require candidate generation and its memory consumption is much smaller. The analysis shows that the attacks are performed through multiple sequential attack patterns within a short amount of time.
In paper [8] an improved intrusion detection system is designed based on an analysis of traditional IDSs; it combines the advantages of honeypot data capture techniques with two-layer detection. The system can detect not only intruders from outside but also abusers within the system, and provides complete, controllable, reliable and proactive protection for computers and networks. To address the shortcomings of traditional intrusion detection systems (IDS) in detecting complex and unknown attacks, a distributed intrusion detection system based on honeypots was proposed in paper [9]. In [10] the authors describe a new generation of malware attacks on VoIP infrastructures and services; if strong security measures are not deployed, these malwares pose a real threat to deployed VoIP architectures. The proposed bot architecture is a stack of different protocols that provides the bot with an application interface to use them. The SIP stack is responsible for sending and receiving, constructing and parsing SIP messages. The RTP stack is responsible for coding and decoding, compressing and expanding, encapsulating and demultiplexing media flows. Other stacks can be supported as well, e.g. the STUN protocol, which is useful to bypass NAT. The communication agent allows the bot to exchange information and commands with the attacker. Most known botnets use IRC (Internet Relay Chat, RFC 1459) or peer-to-peer (P2P) networks for their command and control architecture. The introduced "VoIP bots" support a wide set of attacks ranging from spam over Internet telephony (SPIT) to distributed denial of service (DDoS), and they were tested against several VoIP platforms. In [11] the authors discuss some problems of existing honeypot-based anti-phishing solutions (e.g. the gap between spamtraps and phoneytokens, and online verification of phoneytokens).
Spamtraps are used only as a tool to detect phishing emails (i.e., the URLs of phishing sites included in the phishing emails), and submissions of phoneytokens are triggered only after a phishing site is confirmed (often by a human inspector). A framework is provided which overcomes these problems by transforming the real e-banking system itself into a honeypot equipped with honeytokens, and a phishing detector is used which can automatically detect suspicious phishing attempts. In paper [12] the authors propose a worm detection and defense system named bot-honeynet which combines the best features of honeynets, anomaly detection and botnets. The combination of a honeynet and an anomaly detection system offers a trade-off between false positive and false negative rates. Bot-honeynet is designed not only to detect worm attacks but also to defend against malicious worms. The authors conclude from simulation that a P2P-based benign worm defends against malicious worms with high efficiency and outperforms a traditional benign worm even if it is released later; it thus gives security researchers more time to prepare benign worms. Paper [13], on the basis of research on honeypot technology and in view of the many problems in current traditional security resource applications, applies honeypot technology to network security defense and presents a honeypot-based distributed intrusion prevention model. The experimental results show that the program can successfully remedy the deficiencies of the existing monitoring system and improve the performance of the safety defense systems. In paper [14] the authors propose a new architecture composed of distributed cooperative agents to reduce the false alarm ratio of intrusion detection systems (IDS), as a twofold contribution.
The paper describes the architecture of the proposed system, gives a theoretical analysis of the agents' behavior and explains its possible extensions. Data collection related to Internet threats has become an important concern for security researchers and network administrators. Huge amounts of raw threat data can rapidly overwhelm the people in charge of analyzing such data sets, so a systematic analysis procedure is needed to extract useful information from large traffic data sets. The authors of paper [15] therefore describe an analysis framework specifically developed to gain insights into honeynet data. The forensic procedure used aims at finding, within an attack data set, groups of network traces sharing various kinds of similar patterns. A flexible clustering tool is designed that can be applied in a systematic way to different feature vectors characterizing the attacks; the authors further illustrate the application of their method by analyzing one specific aspect of the honeynet data, i.e. the time series of the attacks. In [16] the authors discuss whether it is possible to enter data so as to confuse spyware assumed to be running on the machine in question. They add that password security can be improved by biometric-based and graphical authentication; however, the availability and cost of biometric authentication are considerable problems. They present an alternative image-based user authentication that is resistant to keylogger spyware. In paper [17] the authors present a signature analysis and extraction system for web services. A similar existing tool was able to help administrators generate precise signatures of various attacks on HTTP, SMTP, FTP, etc. This work addresses the important issue of intrusion attack analysis and precise signature extraction for web services, and the developed system is able to alert the system administrator about attack patterns on the web services.
It allows the administrator to determine the number of attacks made on different services using different transport protocols. The presented system is helpful in analyzing attacks and should be useful in extracting good-quality signatures from honeypot data logs, traffic analyzer logs and Utilsnoop data for web services. In paper [18] the authors discuss their experience in analyzing the benefits of honeynets for intrusion detection. The purpose of their work is to examine how to integrate multiple intrusion detection sensors and honeynets in order to minimize the number of incorrect alarms. They present a framework for designing honeynet-based projects for network security analysis, together with an example of the framework. In [19] the authors propose a hybrid and adaptable honeypot-based approach that improves the currently deployed IDSs for protecting networks from intruders. The main idea is to deploy low-interaction honeypots that act as emulators of services and operating systems and have them direct malicious traffic to high-interaction honeypots, where hackers engage with real services. This setup permits recording and analyzing the intruder's activities, and on the basis of the obtained results the administrator can take actions toward protecting the network. In paper [20] the authors propose a distributed intrusion detection framework based on autonomous and mobile agents, using the mobile agent platform "aglets". An aglet (agile applet) is a small application program or applet with the capability to serve as a mobile agent of services in a computer network. In paper [21], to meet network security requirements, the SISH model (Study of Intrusion Signature based on Honeypot) is proposed; it takes advantage of honeypot technology to collect the activities of attackers on the honeypot.
According to the information returned from the honeypot and the data captured on the network, one can reproduce the attack as an attack tree. Having classified the attack information of the attacked objects, one can create the signature of the intrusion data in the same class by the LCS (Longest Common Substring) algorithm. The new signatures are used to enrich the signature database of the IDS, making up for the deficiencies of IDSs and perfecting the defense system. In paper [22] the authors developed J-Honeypot, a Java-based network deception tool with web-based monitoring and rule-based intrusion detection capability. They interfaced it with an SQL database, developed a rich set of logging functionalities, and provided a convenient GUI for users to visualize the results.

III. RELATED TERMINOLOGY

Malware is among the biggest threats on the Internet. It can hijack the browser, redirect search attempts, serve up nasty pop-up ads and track the web sites visited. Malware programs make the computer slow and unstable, which is unbearable for the user, besides causing other damage. Malware can infect computers in many ways. Some malware programs, such as those that generate pop-up ads, are used to earn revenue from the ads. The majority of malware needs to be installed by the user. It is very difficult to get rid of malware because it tends to multiply once installed.

Some related terminologies are discussed as follows:

A. Malwares

Malware is classified into various categories, including adware, spyware, hijackers, toolbars and dialers.

1) Spyware: Spyware programs spy on confidential information and send it to a specified system. Some spyware has the task of sending URL information, or may send the information you type in Internet Explorer or the names of the files you download. Some can search the hard drive and report back which programs you have installed; the contents of your e-mail address book can be stolen and then sold to spammers. Any other useful information about you, such as your name, browser history, login names and passwords, credit card numbers, phone number and address, can easily be stolen [1][24].

2) Keylogger: A keylogger or keystroke logger is a software program or hardware device used to monitor the keys typed on the keyboard. Its presence goes undetected, as it runs in the background and does not appear in the list of running programs in the Task Manager or Control Panel. It can be used to obtain very secret information, such as the username and password you enter when logging on to your online bank account [1][24].

B. Honeypot

A honeypot, or honeypot system, is an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into, but limit the intruder from gaining access to the entire network. If a honeypot is successful, the intruder will have no idea that they are being tricked and monitored. A collection of honeypots forms a network, which is called a honeynet.

1) Use of Honeypot: A honeypot is a network that is intentionally left with common vulnerabilities that a hacker would use to break into the entire network or some attached computers. There are two reasons why people use honeypots:

The first reason is for research to see what types of exploits hackers are currently trying to use.

The second reason is for the system administrator of a network or computer to see how hackers are targeting the network, so that the administrator knows which security measures need to be focused on in order to better protect the network or computer. The system administrator can also identify the potential attackers of their more important computers.

By studying the activities of hackers, designers can build more secure systems that are potentially invulnerable to future hackers.

2) Working of Honeypot: Most honeypots are installed inside firewalls so that they can be controlled better, though it is possible to install them outside firewalls. A firewall for a honeypot works the opposite way to a normal firewall: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.

Fig. 1. Implementation Scenario of Honeypots in Network

Malware attacks become far more dangerous when malwares are used in combination. In this work we have designed an attack scenario for keylogger spyware, a combination of a keylogger and a spyware program. The keylogger script stores every keystroke into a file and generates a log file; the spy script then emails this log file to the address specified by the designer.

IV. PROBLEM DEFINITION

Hackers use malware to breach the security of a system, and when they succeed it causes a lot of trouble for security experts. Malware can be of many types, i.e. keylogger, spyware, rootkit, etc., and they can further be used in combination, i.e. a keylogger spyware as a single program. In this paper we propose a technique for the detection of keylogger spyware attacks. The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client end, where it detects the malicious activity performed by the keylogger spyware, if present. This information is reported to the Honeypot server, where a database is maintained with all the entries of the malicious activities taking place at the client end; each entry contains the timestamp, the IP address of the client and the process ID of the email-sending process. The honeypot-based technique is capable of detecting this kind of attack.

V. METHODOLOGY

The methodology of the proposed work is divided into two sections: the keylogger spyware attack, and client-server honeypot based detection.

A. Keylogger Spyware Attack

We have designed an attack scenario for a keylogger spyware attack on a user's system, as shown in figure 1. There are two users accessing various services via the Internet, i.e. online banking, email, etc. A malicious server hosting the keylogger spyware gets it into the system disguised as application software: it appears to the user as some useful application which he needs, leading him to download it. Once the downloaded program is installed, it starts capturing every keystroke. A log entry is generated for each keystroke (in the spylog file).

The spy script included within the installed malicious software emails this log file to the hacker's specified email address.

Fig. 2. Keylogger Spyware Attack

The red arrows in figure 1 show the entry of the keylogger spyware program into the user's system.

Fig. 3. Transfer (emailing) of confidential information from user’s system

Figure 3 shows the automatic email process performed by the spyware script, indicated by the blue arrows in figure 3. As the end users are not aware of the malicious program functioning within their system, they continue using their online banking account, email account, etc. through their systems, which leads to the theft of their credentials (i.e. through the spylog shown in figure 5). This process of sending the keystroke information, in the form of the spylog, to the hacker's email address occurs periodically, i.e. after every 1 minute. The credentials and confidential information lost can be misused.

Fig. 4. Email sent by Mohammad Wazid to [email protected]

Mohammad Wazid, a system user, sends an email to [email protected] at 3:14 pm, as shown in figure 5.

Fig. 5. Snapshot of spylog file received at [email protected]

The keylogger spyware generated a log file (spylog), as shown in figure 5, with an entry for each keystroke. The information contained in the generated log file includes the user's important credentials; for Mohammad Wazid the username can be read as wazidkec2005 and the password as hnic@050124.

Fig. 6. Snapshot of spylog file received at [email protected]

Figure 6 shows the message typed by the user Mohammad Wazid which was sent to [email protected]. The typed message was:

Hello,

We have a meeting at 4.00 PM

Regards,

Wazid

So the entire message can also be leaked.

Fig. 7. Spyware logs file received at hacker’s email account

Figure 7 shows the snapshot of the email received at the hacker's specified address, i.e. [email protected]. The spylogs shown in figures 5 and 6 were received at this email id at 3:14 and 3:15 PM respectively.

B. Client-Server Honeypot Based Detection

The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client's end, where it detects the malicious activity performed by the keylogger spyware, if present. This information is reported to the Honeypot server, where a database is maintained with all the entries of the malicious activities taking place at the client's end.

We have deployed the Client Honeypot in the user's system. The Client Honeypot monitors the malicious activities of the keylogger spyware and reports them to the Server Honeypot. Each report contains the timestamp, the IP address of the client's system and the process ID of the email-sending process.

Fig. 8. Deployment of Honeypot client

Figure 8 shows the keylogger spyware monitoring process performed by the deployed Client Honeypot. The black arrows show the entry of the keylogger spyware into the user's system, which has the Client Honeypot program installed.

Fig. 9. Communication between Client Honeypot and Server Honeypot

Figure 9 shows the communication between the Client Honeypot and the Server Honeypot. The information sent by the Client Honeypot is entered in the database maintained at the Server Honeypot. This database is further used in the inspection process for malicious programs.

Fig. 10. Entries in the maintained database at Server Honeypot

Figure 10 shows a snapshot of the database containing the information sent by the honeypot client to the honeypot server. The database has three columns: Timestamp, IP address and Process ID of the email-sending process.

VI. PROPOSED ALGORITHMS

For the proposed technique we have designed the following algorithms:

A. Keylogger Spyware Algorithm [1]

Keylogger_Algorithm ( ) { /* Algorithm for keystroke capturing */
    while (true) {
        OPEN ( )
        GET ( )
        Append the time to the log file.
        LISTEN ( )
        Enter the activity into the log file as soon as the valid status of a particular key press or mouse click is observed.
        CLOSE ( )
        APPEND ( )
    }
}

Spyware_Algorithm ( ) { /* Algorithm for emailing */
    while (true) {
        Keylogger_Algorithm ( )
        SLEEP ( )
        GET_NAME ( )
        Select that log file.
        ATTACH_AND_EMAIL ( )
        KILL ( )
        Keylogger_Algorithm ( )
    }
}

B. Client Honeypot Algorithm

Honeypot_Client_Algorithm ( )
// TCP processes are those processes that use the TCP protocol at the transport layer of the layered network architecture
// APPL_SMTP processes are those processes that use the SMTP protocol at the application layer
// BUFFER is a buffer of PIDs that can be implemented using the BufferedReader class of Java at the Client Honeypot
// sleep(2): go into sleep mode for 2 seconds
1. Get the PIDs of all the TCP processes by using the command netstat -o -p.
2. Store the PIDs of the APPL_SMTP processes in BUFFER.
3. If the result of step 2 is NULL then
       sleep(2)
       GOTO step 1
   otherwise
       GOTO step 4
4. Using a TCP socket, establish the connection with the honeypot server.
5. Send the BUFFER content with the timestamp and the client's IP address to the honeypot server.
6. Close the connection and GOTO step 1.
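The following Python is an added example, not the paper's own code, of steps 1 to 5 of the Client Honeypot algorithm. It assumes the Windows output format of `netstat -o -p TCP` (a constructed listing is embedded) and that APPL_SMTP processes are those with a foreign endpoint on port 25, 465 or 587; the report dictionary is the record the client would send to the Server Honeypot.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Remote ports that a mail-sending (APPL_SMTP) process would connect to (assumption).
SMTP_PORTS = {25, 465, 587}

# Constructed sample of Windows `netstat -o -p TCP` output (made up for this
# example, not captured from a real host); the PID is the last column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49731     203.0.113.5:25         ESTABLISHED     4120
  TCP    192.168.1.10:49732     203.0.113.9:443        ESTABLISHED     2288
  TCP    192.168.1.10:49733     203.0.113.5:587        SYN_SENT        4120
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1776
"""

# One connection line: proto, local endpoint, foreign endpoint, state, PID.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def remote_port(endpoint: str) -> Optional[int]:
    """Port of an endpoint such as '203.0.113.5:25' or '[::1]:25'; None if absent."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def smtp_pids(netstat_output: str) -> set:
    """Steps 1-2: PIDs of TCP processes whose foreign endpoint is an SMTP port.
    Listening sockets are skipped: a local mail server is not an outbound sender."""
    pids = set()
    for line in netstat_output.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group("state") == "LISTENING":
            continue
        if remote_port(match.group("remote")) in SMTP_PORTS:
            pids.add(int(match.group("pid")))
    return pids


def build_report(netstat_output: str, client_ip: str,
                 now: Optional[datetime] = None) -> Optional[dict]:
    """Steps 3-5: None when BUFFER is empty (the client would sleep(2) and
    rescan); otherwise the record to send to the Server Honeypot."""
    pids = smtp_pids(netstat_output)
    if not pids:
        return None
    now = now or datetime.now(timezone.utc)
    return {"timestamp": now.isoformat(), "ip": client_ip, "pids": sorted(pids)}
```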

C. Server Honeypot Algorithm

Honeypot_Server_Algorithm ( )
// BUFFER is a buffer of PIDs that can be implemented using the BufferedReader class of Java at the Client Honeypot
1. Open a TCP connection with the Client Honeypot.
2. Get the BUFFER content from the client, with the timestamp and IP address.
3. Maintain the LOG information at the honeypot server and insert BUFFER || timestamp || IP address into this LOG.
4. Close the connection with the Client Honeypot.
5. GOTO step 1.

D. Keylogger Spyware Inspection Algorithm

Keylogger_Spyware_Inspection_Algorithm ( )
// detected_IP_address is the IP address of the client's system stored in the database maintained at the Server Honeypot
// detected_PID is the process ID of the email-sending process stored in the database maintained at the Server Honeypot
// time_stamp is the time when the email was sent from the user's system
if detected_IP_address and detected_PID are the same after every nT time_stamp value then
    keylogger spyware is present in the user's system
otherwise
    the system is safe
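As an added example (not the paper's code), the following Python applies the inspection rule to the Server Honeypot database: rows are grouped by (IP address, PID) and a group is flagged when its emails recur after every period T, within a tolerance. The rows are constructed, and the period, tolerance and minimum number of repeats are assumed parameters; the group_by_pid switch covers the case where the mail-sending process is respawned each cycle and so gets a fresh PID.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Server Honeypot database rows (Timestamp, IP address, PID of the
# email-sending process); made up for this example, not the paper's figure 10.
SAMPLE_DB = [
    ("2017-11-02 15:14:00", "192.168.1.10", 4120),
    ("2017-11-02 15:15:00", "192.168.1.10", 4120),
    ("2017-11-02 15:16:01", "192.168.1.10", 4120),
    ("2017-11-02 15:16:40", "192.168.1.10", 2288),  # the user's mail client, one send
    ("2017-11-02 15:17:00", "192.168.1.10", 4120),
    ("2017-11-02 15:14:30", "192.168.1.22", 3100),  # legitimate, irregular sends
    ("2017-11-02 15:40:12", "192.168.1.22", 3100),
    ("2017-11-02 16:02:45", "192.168.1.22", 3100),
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def periodic_gaps(times, period: timedelta, tolerance: timedelta) -> int:
    """Number of consecutive sends spaced period +/- tolerance apart."""
    times = sorted(times)
    return sum(
        1 for a, b in zip(times, times[1:]) if abs((b - a) - period) <= tolerance
    )


def inspect(rows, period=timedelta(minutes=1), tolerance=timedelta(seconds=5),
            min_repeats: int = 3, group_by_pid: bool = True):
    """The paper's rule: the same IP address (and PID) reappears after every
    nT timestamp values. Returns the flagged (ip, pid) or (ip,) keys, sorted.
    min_repeats sends means min_repeats - 1 periodic gaps; an unrelated send
    in between only costs one gap, so a single legitimate email does not hide
    the pattern."""
    by_key = defaultdict(list)
    for ts, ip, pid in rows:
        key = (ip, pid) if group_by_pid else (ip,)
        by_key[key].append(parse_ts(ts))
    return sorted(
        key for key, times in by_key.items()
        if periodic_gaps(times, period, tolerance) >= min_repeats - 1
    )
```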

VII. CONCLUSION

The discussed attack scenario is very threatening as it combines two malwares, i.e. a keylogger and spyware. It can steal credentials, and any confidential information typed can be leaked, so the detection and prevention of this attack has become very crucial. In this paper we have designed a technique making use of two kinds of honeypots, i.e. Client and Server Honeypots. The Client Honeypot, deployed at the client's end, monitors the malicious activity going on and reports it to the Server Honeypot. The database maintained can be inspected by the administrator to carry out the further process of prevention.

VIII. FUTURE WORK

The detection of the keylogger spyware attack is covered in this paper. Future work includes the prevention of the keylogger spyware attack using the information sent by the Client Honeypot to the Server Honeypot.
