Interesting Paper on Trojan Keyloggers

A team from University of Mannheim has published a case-study about trojan keyloggers and their dropzones. What I found particularly interesting is the analysis of configuration mechanisms: The two examined families of keyloggers (Limbo/Netshell and ZeuS/Zbot) both contact servers for updated configuration, whereas the ZeuS family is more advanced and even allows to take screenshots to defeat virtual keyboards.


[quote](…) The @ sign denotes websites for which a screenshot of 50×50 pixel around the mouse pointer should be taken at every left-click of the mouse. This capability is implemented to defeat visual keyboards, i.e., instead of entering the sensitive information via the keyboard, they can be entered via mouse clicks. This technique is used by different banks and defeats typical keyloggers. However, by taking a screenshot around the current position of the mouse, an attacker can also obtain these credentials. (…)[/quote]
The team was able to tap and analyse around 33 GB of data from the keylogger dropzones thanks to stupid server misconfigurations, containing more than 170.000 logins to email accounts, social networks and banking accounts.