Dark Reading

A trio of German software firms claims to have developed a password system that prevents Trojans and viruses from stealing passwords from a Windows machine.

The “Trojan-proof” virtual keyboard software, which was developed by Global IP Telecommunications, PMC Ciphers, and CyProtect AG, is available in a free beta version for download.

"This development can make input of PIN codes and transaction numbers for online banking completely safe in the near future," said C.B. Roellgen, creator of the password dialog and CTO of PMC Ciphers, in a statement.

It works like this: the software flashes a virtual keyboard onto the video display that flickers the characters on and off at high speeds, with the keys displayed in random locations on the screen rather than as a standard Qwerty keypad. As soon as the user types a character in his or her password on the virtual keyboard, that key is moved to another location on the keyboard.

In a demonstration of the technology, the simulated Trojan was only able capture “skin of the dialog window” and not the actual key characters making up the password code, according to the developers. And their high-powered Trojan simulator ate up about 11 percent to 15 percent of the machine’s CPU.

“A real Trojan horse must be programmed to consume less than one percent of CPU time in order not to be detectable by professionals,” the developers say in a video demonstration of the software.

Bernd Roellgen with PMC Ciphers and Global IP Telecommunications, says the developers wanted to fill in the gap of existing Trojan protection solutions. "We found that there wasn't a solution so far that was software-only," Roellgen said in an interview with Dark Reading. So that's the approach the developers took, he says.

But security expert Thierry Zoller, product manager and senior security engineer for n.runs AG, says that though he hasn’t tested the software, he doesn’t think it would be completely Trojan-proof. “The video shows that they use certain dithering tricks to foil screen cams to record what button has been pressed. This is nice, but surely not every way to find what keys have been pressed, not to mention there are DirectX-based screen recorders, which I doubt would not register these tricks,” he says.

This new virtual keyboard is not the first attempt at preventing password sniffing, either. “Attempts to prevent password sniffing have been appearing in various forms for years,” says Nate Lawson, principal with Root Labs. “There's no perfect solution to this problem. The best thing to do is vary the scheme occasionally, based on what attackers are doing and try to keep Trojan software off PCs in the first place.”

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.