Information Security Asked by cppiscool on October 28, 2021
I came across a suspicious website called keylog.me (you can already tell from the name).
I was as curious as heck to find out what it does, so I got on a VM (Fedora Linux which I reinstalled later) and went to it but the VM crashed.
So then I went on it again with NoScript and there was a script embedded in an image (though, I couldn’t see what it was because the first time the VM crashed and this time I had NoScript). Only after did I find out that keyloggers can be installed through webpage scripts (I was using firefox on the VM).
Also, I found out that a keylogger may be able to escape (and of course I had internet enabled) a VM. So now I’m concerned about my data, thinking that I’m being keylogged right now typing this question (and more sensitive data).
Currently, my OS is Ubuntu, but I have Windows 10 on a separate partition which as we all know is nothing in comparison to Linux systems in terms of security and I have sensitive data there too.
If there is a keylogger tracking me how can I get rid of it and can website keyloggers escape a VM?
It's tricky.
If you were just browsing a website in the VM then you're reasonably safe.
If it managed to trick you into running a separate executable, then there is a chance that it could infect your host or other PCs on your network, if the VM wasn't properly isolated. (Using the same login credentials on the VM as on the host is the biggest no-no; using bridged networking increases the possible targets but by itself isn't usually an issue.) Having said this, it'd have to be a keylogger that included a viral component; these probably do exist but the chances you'd run into one accidentally are fairly slim. Especially across different OS types.
Another loophole that's easily overlooked however is that some VM software will automatically share your clipboard between host and guest; this means that a keylogger in the VM could potentially steal passwords or other important info if you happen to copy them while the VM is running. (This can occur without you noticing, eg. if you are using a password manager app that happens to use the clipboard to enter passwords.) Having said this, many VM systems will disable this by default (as it's a known vulnerability), so unless you've enabled it then you may be safe. (And a good password manager app shouldn't be using the clipboard in the first place.)
Answered by Miral on October 28, 2021
There may be many ways to get rid of keyloggers. For that, you have to work on its detection.
Wireshark can help in detection, but depending on the usage pattern of the PC, it can be difficult to determine which traffic is harmless and which is malicious.
This is what I would do if I suspect a keylogger transmitting data:
If you can, put Wireshark on a 2nd PC and use a Hub/SPAN Port to capture the suspicious PC's data. If you can't, you might have to go with installing Wirehark on the actual client's PC which has some drawbacks but sometimes can't be helped. Start the client's PC and let Wireshark capture the data coming and going to its network card.
Close as many programs that use the network as you can, to make sure that there is as little valid network traffic created as possible.
Open a text editor and start typing. Now if there's a keylogger it should at some point start to send out the captured data. You should see that as communications coming from the PC that have no other reason to be there. You can filter on that by using something like ip.src==X.X.X.X
where X.X.X.X
is the PC's IP address. This way you see everything that goes out. If there is something that you have no explanation for, you can filter on this communication bidirectionally. For example, by using the Follow TCP stream
filter (if it is, in fact, a TCP session). Then you need to determine what is happening and if this is, in fact, a keylogger.
You may have to monitor the PC for a while because not all keyloggers send their data out right away. If you have a Wireshark on a 2nd PC you can try to shut down the suspicious PC and see if there is a transmission right before the keylogger is terminated.
Once you detect the keylogger then you can remove that.
Answered by GrooT on October 28, 2021
TL,DR: Don't be worried, you are probably safe.
Usually malware cannot escape the VM onto the host OS. There are exceptions, as some malware are designed specifically to break from the VM into the host, but those are very, very few and usually are seen on targeted attacks, not on a public internet site.
Cross-OS malware infection are even rarer. Malware infecting your Ubuntu installation and jumping to Windows are plausible but mostly theoretical. A malware that escapes Firefox sandbox, infects the guest OS, escapes the VM, infects the host, discovers other OS installation and infects it too? No, I don't believe such thing would be available on a public facing site. It would be a weapon so powerful that nobody would admit to have it, even less go using it left and right.
Answered by ThoriumBR on October 28, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP