On Wed, 9 May 2007, Jim Harrison wrote:
> Without getting into SMTP latency comparisons...
>
> Perhaps I missed something, but where is the threat demonstrated sans
> code installation?
> I'm not trying to disparage anyone's work, but as you yourself pointed
> out, there is nothing demonstrated here that doesn't qualify as common
> malware.

We are all really in agreement.

> -----Original Message-----
> From: Gadi Evron [mailto:ge@xxxxxxxxxxxx]
> Sent: Wednesday, May 09, 2007 1:42 PM
> To: Jim Harrison
> Cc: Int3; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: RE: Defeating Citibank Virtual Keyboard protection using
> screenshot method
>
> On Wed, 9 May 2007, Jim Harrison wrote:
> > Granted, it's an interesting methodology, but until you can demonstrate
> > circumvention of the CitiBank keylogger without installing code on the
> > victim host, a threat is not indicated and cannot be taken seriously.
>
> Even though I was the first to point out this is old news for the malware
> scene in online/e fraud, I'd be the first to bow down before Int3 and say
> "thank you for sharing your work with us". Many don't.
>
> But your point above:
> "without installing malware on the victim host"
>
> Although true on some level, is bogus for the purpose of this work, as it
> being written makes an automatic assumption on working only after malware
> is installed.
>
> Although you are right, in practice this is already a heavily abused
> technology, and..
> 'Getting malware on a system', who ever heard of such a ridiculous
> idea? :)
>
> Gadi.
>
> > -----Original Message-----
> > From: Int3 [mailto:yashks@xxxxxxxxx]
> > Sent: Wednesday, May 09, 2007 11:14 AM
> > To: Jim Harrison
> > Cc: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Re: Defeating Citibank Virtual Keyboard protection using
> > screenshot method
> >
> > This is not malware, it will only help people to experiment and see the
> > result without writing one for themselves.
> >
> > Regards,
> > Yash K.S
> >
> > On 5/9/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
> >
> > (copied here without permission)
> > Step by Step Demo:
> >
> > - Download POC from http://tracingbug.com/downloads/citihook.zip and
> >   unzip to some directory
> > - Launch citihook.exe, this will watch only
> >   https://www.online.citibank.co.in/ URL
> >
> > Effectively, "Let me install my malware on your machine to demonstrate
> > how vulnerable it is."
> >
> > P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> > The "problem" ceases to be a vulnerability at this point.
> >
> > -----Original Message-----
> > From: yashks@xxxxxxxxx [mailto:yashks@xxxxxxxxx]
> > Sent: Monday, May 07, 2007 3:03 AM
> > To: bugtraq@xxxxxxxxxxxxxxxxx
> > Subject: Defeating Citibank Virtual Keyboard protection using
> > screenshot method
> >
> > Severity: Critical
> >
> > Platforms Affected:
> >
> > Microsoft Corporation: Windows 98 Any version
> > Microsoft Corporation: Windows Me Any version
> > Microsoft Corporation: Windows XP Any version
> > Microsoft Corporation: Windows 2000 Any version
> > Microsoft Corporation: Windows 2003 Any version
> > Microsoft Corporation: Windows NT 4.0 Any version
> > Citi-Bank: Citi-Bank Virtual Keyboard Any version
> >
> > Browsers:
> > Microsoft Internet Explorer Any version
> > Mozilla FireFox Any version
> > Any browser runs on Win32 platform ( With slight modification )
> >
> > Original URL :
> > http://www.tracingbug.com/index.php/articles/view/23.html
> >
> > Regards,
> > Yash K.S <yashks@xxxxxxxxx> | www.tracingbug.com
> >
> > All mail to and from this domain is GFI-scanned.