The designed bot can harvest email addresses from files stored on the local disc and from email accounts. In the former case, the bot's effectiveness depends on the security policies of the underlying operating system, which may or may not grant access to files stored on the local discs. However, such security policies are not frequently set, as they can lead to unnecessary blockage of legitimate programs. As such, harvesting email addresses from files stored on the local discs in most cases goes undetected unless some other bot detection mechanism detects the bot and removes it from the system. In the latter case, the bot's effectiveness depends on whether the underlying keylogger succeeds in capturing keystrokes and deducing email authentication data from them while neither being detected by anti-spyware software packages nor showing up in system programs such as the task manager. It also depends upon the user's consent, as the user may or may not permit XOAuth authentication to the bot.
Myriad contemporary malware detection techniques are available [12], [26], among which signature-based and behaviour-based detection techniques are the two standard keylogger detection techniques. While the signature-based technique detects only known keyloggers, behaviour-based techniques can also detect unknown keyloggers. Keyloggers use some hooking technique (system-wide or thread-specific) to intercept events such as key presses before they reach their intended application. The hooking uses some API of the underlying operating system to intercept function calls or messages passed between software components. To devise an anti-keylogger, an anti-hook technique [27] detects suspicious processes or files that use hooks by scanning all the processes, static executables, Dynamic Link Libraries, etc. However, besides being prone to false positives, such an anti-keylogger may also not detect all types of keylogging activity. Another technique to detect keylogging is HoneyID [28], wherein bogus events are generated by the anti-keylogging programme to trap the processes that respond to these fake events. This technique offers the advantage of detecting unknown keyloggers, at a higher cost. Also, the Dendritic Cell Algorithm [29], which uses the correlation between different behaviours such as keylogging, file access, and network communication, is an efficient technique to detect keyloggers, as it has a very low false alarm rate. These features are incorporated in many anti-spyware utilities that can detect keylogging. The Spearman's Rank Correlation algorithm monitors and correlates system activities such as keylogging, file access, and outgoing traffic by executing different API functions to detect the presence of bot software [30]. However, this algorithm may fail if the bot performs its activities in random time slots.
Use of antivirus, anti-malware, and anti-spyware software that implements one or more of the techniques mentioned above may help to mitigate the threats posed by the designed email address harvesting bot, as such software can warn the user about background keylogging. It may also prevent the bot from being installed or run, and may remove it from the system if it is already installed. Also, a virtual keyboard can be used to enter sensitive data such as email addresses and passwords, and could be made the default method for accepting user input while filling in passwords.
Access granted to the bot (a third-party application) to read email and private data stored in emails through the XOAuth authentication mechanism can be controlled through user awareness, which can make users more attentive to the risks of granting such permissions. When logging in to apps using OpenID provided by email service providers such as Gmail, Yahoo, etc., users should pay attention to the permissions being granted. Users can also disable the XOAuth authentication mechanisms of their email accounts when not required. Although XOAuth authentication mechanisms are helpful in many situations, their careless use can be hazardous, especially for novice users. Therefore, stricter instructions and CAPTCHA tests could be included in the XOAuth authentication process.
Users should always purchase or download software from widespread and trusted sources, and avoid downloading software they do not need or software from unknown and untrusted sources. Cracks, keygens, and activators of trusted software obtained from untrusted sources should be avoided at all costs, as there is a high chance that such software contains viruses and spyware.
Being careful and monitoring their computers can sometimes help users detect and remove such malware. In addition, users should regularly check the monitoring tools provided by the operating system to look for suspicious-looking processes.
Exploitation, installation, and communication with the command-and-control unit are the three primary stages in the life cycle of a bot. The first stage is the exploitation stage, wherein vulnerable systems are identified and targeted through various communication channels such as email, removable media, websites, viruses, or any other socially engineered technique. At this stage, mitigation is possible by keeping systems up-to-date with recent patch releases and by maintaining a robust defence against socially engineered techniques, which cannot be ensured for all systems and users. In the second stage, a bot is installed on the system. Bot masters code bot programs for different operating systems and environments, ensuring appropriate versions for each release of the current operating system and periodically changing the disguised user interface and application of the bot. Antimalware software running on a system may prevent the bot from being installed and executed on that system. However, its efficiency depends on the underlying techniques and database used to detect malware by signature, behaviour, reputation, etc. As a general rule, antivirus and other malware detection and removal tools must be frequently updated with new signatures and databases to keep them current. If the first two stages fail and the bot finds its way onto a system, it establishes communication with the command-and-control unit. In this stage, anomaly detection mechanisms may be used to detect a bot; however, depending on its implementation, it may be challenging to differentiate bot traffic from the traffic of a legitimate application.
Bot and botnet detection is an active area of research, with the lead taken through the Honeynet project [32] and later through traffic analysis [33]. The various detection techniques can be classified as signature-based [34], anomaly-based [35], host-based [36] and network-based [37]. Signature-based techniques are useful for known bots, and anomaly-based techniques analyse network traffic to detect irregularities but cannot inspect encrypted channels. In host-based techniques, hosts are scanned to identify bot programs based on their behaviour and other characteristics, while network-based techniques monitor network traffic. Other classifications of technical and non-technical bot mitigation techniques at the application layer have been presented and compared [38].
Multiple network security tools are currently available for capturing, visualising, analysing and detecting network traffic [39]. A traffic analysis of the designed bot was conducted to check for possible irregular behaviour and subsequent detection. Figure 6 shows a Wireshark window displaying the posting of email addresses to the command-and-control unit alongside other communication over the Internet; the analysis did not report any irregular behaviour, and accordingly the antivirus and anti-malware software installed on the test machine did not detect the bot's communication with the command-and-control unit. Implementing SSL/TLS completely encrypts the communication between the bot and the command-and-control unit, which renders tools based on network analysis useless because they cannot decrypt and analyse the communication data.
During the testing of the bot on systems installed with some anti-spyware/anti-virus software, the underlying keylogger of the bot remained undetected on some of the tested systems despite up-to-date definitions of the installed anti-virus/anti-spyware software. Figure 7 shows the detection of the designed bot's keylogging activity on a system with anti-spyware software installed.
Despite having an active anti-keylogger, there are certain situations, such as cybercafés, Government Offices, academic institutions, etc., where such tools will deliberately not be installed, and keylogging is mischievously facilitated. In such situations, users may conceal their password from being logged by changing focus from password fields in forms to another area while keying in their passwords [31] or by using virtual keyboards whenever provided. In addition, some operating systems also offer built-in virtual keyboards which can be used to type sensitive information instead of typing directly from the keyboard.
To make detecting the keylogger difficult, the bot was reprogrammed to use different hooking methods to intercept key presses before reaching their intended application. Using different system-wide and thread-specific methods for keylogging made keylogging challenging to detect by anti-spyware software. Platform-dependent native code through Java's native interface was leveraged to create low-level system-wide hooks and deliver those events to the bot application. Anti-spyware software, including those which detected the keylogging activity of the designed bot, could not detect the reprogrammed bot that used a different hooking technique for keylogging.
The bot was further tested with many popular anti-virus and anti-spyware software. Because the Java implementation of the bot works on top of the JVM, which is trusted software, most of the security tools did not report its malicious activities. A few tools, however, reported Java.exe trying to log keyboard activity.
A. A Mitigation Tool for the Designed Bot
A security tool written in the Java programming language has been developed and tested to mitigate the designed bot. The tool checks for the presence of Java security policies on the user's machine by looking for the “.java.policy” file in the user's home directory. The tool also tries to create and delete a test file and to listen to mouse and keyboard events, with proper exception handling, to check whether or not such Java security policies have been enforced. If the Java security policies do not deny the tool permission to perform the test activities, or if the “.java.policy” file is not found, it lets the user create the “.java.policy” file automatically in the user's home directory, thereby withdrawing the File and AWT Events permissions. The security tool uses the following algorithm to check for the policies:
BEGIN
    SET dir = getHomeDirectory()
    IF fileExists(dir + "/.java.policy") THEN
        SET policyFileExists = true
        policyFileLabel.setColor(color.green)
    ELSE
        SET policyFileExists = false
        policyFileLabel.setColor(color.red)
    END IF
    TRY
        createFile(dir + "/test.file")
        writeToFile(dir + "/test.file", "Sample Text")
        deleteFile(dir + "/test.file")
        SET fileSystemAccess = true
        filePermissionsLabel.setColor(color.red)
    END TRY
    CATCH Exception
        SET fileSystemAccess = false
        filePermissionsLabel.setColor(color.green)
    END CATCH
    TRY
        SET str = readKeyboardInput()
        SET keyLoggingEnabled = true
        keyloggerLabel.setColor(color.red)
    END TRY
    CATCH Exception
        SET keyLoggingEnabled = false
        keyloggerLabel.setColor(color.green)
    END CATCH
END
Figures 9 and 10 respectively show the screenshots of the designed tool before and after installing the security policy.
The following algorithm creates the Java policy file to prevent keylogging and other activities by Java-based applications. It runs after the previous algorithm, which has already set the required variables:
BEGIN
    SET policyFile = dir + "/.java.policy"
    IF policyFileExists = false THEN
        createFile(policyFile)
    END IF
    openFileForWriting(policyFile)
    writeLine("grant {")
    writeLine("};")
    closeFile()
END
In the above algorithm, all permissions are revoked, even when a Java policy file already exists. However, a more advanced algorithm could be designed to revoke permissions for file access and keyboard events only, allowing other Java applications to function correctly.
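A compact Java rendering of the two algorithms above, added here as an example and not the paper's own tool: it probes the effective policy through the installed SecurityManager rather than by trial file writes, and can write the same empty-grant “.java.policy”. A “.java.policy” file is only enforced when the JVM is launched with `-Djava.security.manager` (the SecurityManager has been deprecated for removal since JDK 17), and the class name and `--install` flag are assumptions.

```java
import java.awt.AWTPermission;
import java.io.FilePermission;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.util.List;

public class JavaPolicyCheck {
    // True only if an installed SecurityManager rejects p. Without one (the default for a
    // plain "java" launch) no policy file is consulted, so every probe reports "granted".
    static boolean isDenied(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return false;
        try {
            sm.checkPermission(p);
            return false;                  // granted by the effective policy
        } catch (SecurityException e) {
            return true;                   // withdrawn by the effective policy
        }
    }

    // The paper's second algorithm: an empty grant block withdraws every permission.
    static void writeEmptyGrantPolicy(Path policy) throws IOException {
        Files.write(policy, List.of("grant {", "};"));
    }

    public static void main(String[] args) throws IOException {
        System.out.println("SecurityManager active: " + (System.getSecurityManager() != null));
        try {
            // Same file the paper's tool inspects; the default policy provider reads it via
            // policy.url.2=file:${user.home}/.java.policy in the JDK's java.security file.
            Path home = Path.of(System.getProperty("user.home"));
            Path policy = home.resolve(".java.policy");
            System.out.println("policy file present   : " + Files.exists(policy));
            // The paper's two probes: a test-file write, and keyboard-event listening, which
            // Toolkit.addAWTEventListener (what a Java keylogger uses) checks as listenToAllAWTEvents.
            System.out.println("file write denied     : "
                    + isDenied(new FilePermission(home.resolve("test.file").toString(), "write")));
            System.out.println("AWT listen denied     : "
                    + isDenied(new AWTPermission("listenToAllAWTEvents")));
            if (args.length > 0 && args[0].equals("--install")) writeEmptyGrantPolicy(policy);
        } catch (SecurityException e) {
            // Reached once the empty-grant policy is enforced: even PropertyPermission "user.home"
            // is gone, so this tool, like every other Java program, is locked out (the side effect the text notes).
            System.out.println("policy denies basic access: " + e.getMessage());
        }
    }
}
```

Run it once without a SecurityManager to see that nothing is denied regardless of the policy file, then with `java -Djava.security.manager JavaPolicyCheck` to see the installed policy take effect.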