The mystery of the black square

It’s not Malevich’s Black Square. This is what a screenshot taken by a suspicious application on a computer protected by Kaspersky Lab products looks like.

Hi folks!

Can you guess what this is? It’s not a vandalized version of Malevich’s Black Square.

That black box is — more or less — what a screenshot taken by a suspicious application on a computer protected by Kaspersky Lab products, for example, Kaspersky Total Security, looks like. Why?

Our products protect screenshots because cybercriminals — and other cyberlowlifes — are really interested in getting access to user accounts. The reasons vary (money, espionage, Herostratic delusions of grandeur, spying on spouses/competitors/enemies, etc.), and the intruders use different means, but the end they seek is always the same: access to user accounts.

But, you may be wondering, why does malware want to take screenshots? Sites and software products substitute dots for the characters used in a password, so what’s the point?

Actually, there are plenty of ways to get around those dots.

First, users often have the option to see the entered password (“show password” or some such). Second, many services always show the last few symbols of a password. Third, some services replace the password with dots only when the user proceeds to the next entry field.

Fourth, some services do not use masking dots at all, instead making the font size of the password field tiny — the idea is to make the password illegible to someone close by (unfortunately, that’s no deterrent to malware). Fifth, a variety of lifehacks and tools (like pwdcrack) let baddies turn off password-masking dots. All in all, the likelihood that a password will be shown on a screen is far from zero, and malware easily exploits that fact.

Incidentally, the likelihood of someone looking over your shoulder, or of security cameras taking a peek at your password, is negligible compared with the threat of it being read by malware using a screenshot.

Probably the most well-known banking Trojan, Zeus — as well as many of its clones — includes this function in its tool set. For example, one of those clones, named KINS, conducts an attack that takes screenshots not just when keys are pressed, but also when the mouse is clicked. That is, even if a virtual keyboard is used on a banking website for entering passwords or one-time codes, the malware can still work out the entered symbols.

It’s not just passwords, though. How about bank card details entered when buying something online? What about the security questions you’re asked for authentication or to recover access to a locked account? Personal information? Message contents? The list goes on and on.

Indeed, the humble screenshot is a major gateway to our private information and secrets; as such, protecting the information a screenshot can provide to outsiders is critical. Using functions such as Safe Money and Virtual Keyboard helps, of course, but not everyone uses them — even some who consider themselves security-conscious. And anyway, regular cybersecurity functions cannot guarantee total protection when cybervillains still have screenshotting in their arsenal. But we’re ready and waiting for them.

Most of our products include a patented technology that guards the API functions that allow applications to take screenshots. Thus, if an application is trying to take a screenshot, this is what happens:

  • The product works out which applications have windows open;
  • Based on data from various components and subsystems (for example, System Watcher and Safe Money), the product determines if these windows potentially contain confidential or personal data;
  • The product analyzes the trust rating of the applications that request access to the screen;
  • The product decides whether to allow screenshots. If not, screenshots will get the black-square treatment.
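The four steps above, modelled as an added sketch (this is not Kaspersky's code, and the product's real logic is not shown on this page). The threshold, the penalty, the rule that an application's own windows do not count against it, and all window and application names are assumptions made for illustration; the rating drop on a blocked request stands in for the rating behaviour described in the closing paragraph.

```python
from dataclasses import dataclass

TRUST_THRESHOLD = 70   # assumed cut-off; the page gives no numbers
RATING_PENALTY = 10    # assumed penalty for a blocked capture attempt

@dataclass
class Window:
    owner: str        # application that owns the window
    sensitive: bool   # verdict supplied by other components (step 2)
    pixels: list      # rows of ints standing in for window content

def render(windows):
    """Naive compositor: stack each window's rows top to bottom."""
    return [row[:] for w in windows for row in w.pixels]

def guarded_capture(requester, windows, trust):
    """Return (frame, allowed) for a screenshot request."""
    # Step 1: which windows are currently open?
    open_windows = [w for w in windows if w.pixels]
    # Step 2: which of them may hold confidential data and belong to
    # someone other than the requester (assumed rule)?
    exposed = [w for w in open_windows
               if w.sensitive and w.owner != requester]
    # Step 3: trust rating of the requesting application (unknown = 0).
    rating = trust.get(requester, 0)
    # Step 4: allow if nothing sensitive is exposed or the app is trusted.
    allowed = not exposed or rating >= TRUST_THRESHOLD
    frame = render(open_windows)
    if not allowed:
        # The black square: same dimensions, every pixel zeroed.
        frame = [[0] * len(row) for row in frame]
        # Unexplained interest in other windows lowers the rating.
        trust[requester] = max(0, rating - RATING_PENALTY)
    return frame, allowed

# Constructed sample data, not taken from any real system.
SAMPLE_WINDOWS = [
    Window("browser.exe", True, [[7, 7, 7], [7, 7, 7]]),   # banking page
    Window("notepad.exe", False, [[3, 3, 3]]),
]
SAMPLE_TRUST = {"screenshot_tool": 90, "unknown.exe": 20}

if __name__ == "__main__":
    ratings = dict(SAMPLE_TRUST)
    for app in ("screenshot_tool", "unknown.exe"):
        print(app, guarded_capture(app, SAMPLE_WINDOWS, ratings))
```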

And last but not least: a bonus!

The same technology that protects against malicious screenshotting is also helping detect previously unknown cyberattacks. Applications that suspiciously show an interest in other “windows,” seemingly without any real purpose, have their rating lowered, bringing them closer to being proactively detected by machine learning through KSN — or detected manually by an expert. That way, little by little, with a truly global effort plus highly trained cyberbrains, we all together lower the overall danger level of the Internet for the benefit of everyone.