Feeds

back to article Your mouse may actually be a RAT in disguise

Security researchers have discovered a Trojan that attaches its malicious code to routines normally used only to control the inputs from mouse clicks. The tactic is designed to smuggle malicious code past automated threat analysis systems. During such procedures there's no user input and certainly no mouse moving and clicking. …

COMMENTS

This topic is closed for new posts.
Silver badge

It's clever.

But my first question, as with any malware, is why the OS would allow you to hook and execute code on mouse movement when running as a non-administrative user.

Because if we solve the problem of people not running with rights enough to do this as ordinary users, the malware is useless. And if the malware has access to do this kind of thing, there's several million other vectors it can use to ensure its code gets executed anyway. But, to be honest, if we did separate these privileges properly, most malware wouldn't be able to execute in the first place anyway.

Least-privilege principle. Users, and anything short of a signed device driver with user-verification, do not need to intercept mouse hooking messages.

2
5

Hooks on mouse movement are required for games, drawing programs or pretty much anything that does not use a native GUI interface, no? I mean, everything from a tooltip to determining where the mouse is with javascripts requires if not a hook, at least pooling from the device.

4
1
Gold badge
Meh

You are correct of course and installing it will almost certainly require admin privilege.

The problem is that we have largely moved away from the "running as admin" and "unauthorised privilege escalation" problems only to find a bit of a showstopper, the; "yes, of course I'll allow that Faceberk widget to install" and "of course I want a FREE!!11!!! antivirus scanner" ones.

Unfortunately, fixing those involves either killing users or going to an "install from the heavily policed app store only" model and fucking over the not-as-dumb-as-a-bag-of-hammers types as a side-effect.

The weakest link in any security system is the human aspect and some people are just irredeemably thick. I've yet to see an answer to this one that I like the look of.

13
0
Silver badge

Uhm

I'm pretty sure many games run on an event driven routine where mouse, keyup/keydown and joy events get pumped into a handler. I'm also pretty sure at least in SDL's case, that mouse events only happen when the mouse is inside the SDL window, and keyup/keydown events only happen when the SDL window is active.

So, no I don't see the need for a system wide hook on human interface devices in games.

2
2

@TeeCee

"The weakest link in any security system is the human aspect and some people are just irredeemably thick."

Reminds me of this topic:

http://www.theverge.com/2012/6/20/3098969/microsoft-researcher-nigerian-scammers-nigeria

1
0
Thumb Up

Re: Uhm

> "I'm pretty sure many games run on an event driven routine where mouse, keyup/keydown and joy events get pumped into a handler."

Correct. On windows they can now just use the classic windowing event loop, or use DirectInput (which is now almost the same, but polled). When done right theres no hooks...

0
0

Presumably, and as usual, the author forgets to say Windows malware and that *nix based OSes are not affected. Maybe, eventually, the world will catch on to how shit Windows really is.

5
10

Congratulations. You have made the point that everybody else makes every time there is a new type of malware announced. And, to be fair, I agree with you to a point. Perhaps what you should therefore do is come up with a solution that doesn't involve "Not using Windows" because we all know that is simply never going to happen and rather suggest something that can actually help?

6
3

The reason *nix based OSes don't have a problem...

...is because they are mainly set up and maintained by someone who knows what they are doing. The same as if the person setting up and maintaining a windows box knows what they are doing. Its secure and no crap gets installed on it.

Look at the average user. The one who will click yes on any popup box if their free download of pink pony screensaver asks for permissions.

That kind of person probably doesn't know (or care) how to install Linux on anything. They use whatever the box they bought came with

If Linux was the default operating system installed on all PCs, they would have the same idiots doing the same thing and giving the same permission to malware posing as freebies.

9
0
Silver badge
Boffin

Re: The reason *nix based OSes don't have a problem...

I actually disagree. There is more scope for this type of event handler to affect UNIX and Linux systems, at least as long as they run a GUI that uses X11.

Part of X11 allows a suitably written program with the correct permissions (and this is NOT superuser in this case, but the user's own credential set) to re-parent a window, or indeed to insert itself anywhere in the window hierarchy. As a result, all graphic and input events destined for a window go through said program before actually being sent to the application running the window.

This allows such things as all key-press events to be captured by said program, and mouse events to be used to trigger specific actions. This is by design, and is how an X11 Window Manager works, by inserting itself between the root window and all applications. This is also how programs like xscope work.

The credentials required are such things as Magic Cookies, which for systems where the client and server programs run on the same system are often stored in protected files in the user's home directory (there are other more sophisticated methods of protection [using such things as Kerberos and SSH tunnels with SSH agent], but cryptographically signed cookies are still the most common).

This means that if a user can be persuaded to run such a program on the machine with these credentials available, they are at risk of leaking significant amounts of information. There is no requirement to become a privileged user. This is why it is important on UNIX and Linux to keep a firm control of the programs that users are allowed to run. But this often comes down to being a social engineering attack, like so many other ways of bypassing security. If you can make a user run an arbitrary program, then all bets are off regarding the security of that user, regardless of which OS they are using.

Please note that unless the cookies are leaked, this mechanism will not allow one user on a multi-user system to access another user's session on the same machine. Not that this happens very much in these days of single user Linux systems.

I don't think that many people using UNIX or Linux nowadays actually understand the way that X11 authentication works any more, and that is why the icon.

4
0
Anonymous Coward

@ callam

never going to happen ?

What makes you say this? people only use windows because they choose to use windows. There is nothing that can not be done for normal office work that can not be done from a UX environment.

Office, emails, outlook

There are some rather large organisations as well as some entire countries that have rolled out linux as a desktop.

The only reason some may claim this is due to old fashioned business models that see Windows as a necessity

http://www.linuxit.com/blog/bid/226106/The-Death-of-Microsoft-Exchange-FLIP-BOOK?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+LinuxIT+%28LinuxIT+Blog%29

This is proof that its old fashioned views rather than what has been written

1
1
Anonymous Coward

Re: @ callam

Your right there is a lovely *nix version of "presence" where you can start typing an email, realise the person is online, right click fire up an IM, realise you need to start whiteboard and sharing desktops and then bang straight into a VC with 100 other people, many on mobiles and tablets; all seamlessly...I just can't think what it's called again...can you remind me?

0
1
Anonymous Coward

Re: @ callam

The thing is, these "old fashioned business models" are the ones still mostly being used by most western businesses. Pretending otherwise is simply denying reality. So we can hope everyone moves to linux desktops, and woohoo, the mouse hooking trojan is fixed!

Or we can come up with ways to fix it on windows, because there's fuck all chance of western businesses replacing windows as their desktop o/s anytime soon. For proof, see everybody who's made this argument over the last twenty years being proved so far wrong.

2
1
Silver badge

@AC 12:26

Cisco "presence" could very easily be ported to Linux or any UNIX. After all, it's available on MacOS X. All it would need is for Cisco to do the port.

The reason it is not available for Linux or UNIX is that they have decided not to do it (although I'll lay a bet on there being a skunk-works version for Linux somewhere within Cisco), rather than any technical reason.

This makes your comment rather spurious.

0
0
Silver badge

Re: @AC 12:26

In fact, looking into it, it may be possible to get Pidgin to talk to a "Prescence" server, because it look like it is based around the XMMP STANDARD.

0
0
Anonymous Coward

@ AC 1226

Your retarded.

0
0
Silver badge
Headmaster

Re: @ AC 1226 target at AC 15:45

Your retarded what?

2
0
Devil

Re: Re: @ AC 1226 target at AC 15:45

Re: @ AC 1226 target at AC 15:45

> Your retarded what?

"You're retarded" .. missing apostrophe ...

0
0
Silver badge

@dgharmon

Uh, yeah! That's what the Pedantic grammar nazi alert icon was for.

0
0
Unhappy

Re: @ callam

"people only use windows because they choose to use windows. "

People use windows because:

a) it comes on the box they've bought;

b) they can't afford a Mac;

c) they don't know about/are scared of/can't easily buy a Linux PC;

d) modern version of "noone ever got fired for buying IBM";

e) they want to use some software that only runs on Windows;

f) they are forced to use it by their employer;

g) better the devil they know/don't want to go outside comfort zone;

0
0

Re: @ callam

May I add in

h) They like it!

I use Linux on a daily basis and I have had to do more fiddling with Linux than I have ever had to with Windows. As for my wife, option g is appropriate. She can use it, but prefers not too. I know bashing Windows is a bit of a sport but it does have its advantages.

0
0

The weakest link is always going to be the user in these situations.

0
0
Coat

Upon seeing the headline I thought this was going to be an article on the amount of plague-causing bacteria found commonly on mice.

Hmmm, maybe mine is just dirtier than most...

2
0
Thumb Up

Nope - I also felt disappointed

I'd also guess Anti-Virus code is just going to have analyze mouse behavior from now on

0
0
jai
Silver badge

Dishonoured...

Anybody else playing Dishonoured at the moment and when they read the headline and the sub-headline thought this article was going to be about something totally different?

I felt myself clenching my left fist and about to look up for a suitable place, ready to blink to safety...

1
0
Bronze badge

Re: The reason *nix based OSes don't have a problem...

... is that no virus writer has yet figured out how to keep up with Gnome Version Hell.

1
0
This topic is closed for new posts.