Security Response

IME-Aware infostealer discovered

Created: 18 Aug 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:57:45 GMT
Masaki Suenaga

Traditional key loggers capture keystrokes, or the parameters of WM_CHAR window messages. A key logger is usually good enough to decipher what the user typed if the language is English, French, Russian, Arabic, Thai and so on. However, people in China, Japan, and Korea routinely have to input thousands of different characters (Chinese characters, Hiragana and Katakana, and Hangeul) while the PC has only 100 keys on the keyboard. That is why input method editors (IMEs) exist for these languages.

In order to input one special character through an IME, we need to type between one and six keys. Basically, we type the reading of the string (or the component parts of a Hangeul syllable in Korean) to obtain the converted string. But one reading can correspond to several candidate converted strings, so the user ultimately has to choose the one intended. This final string is called the “result string” of the IME. Another IME-related technique is described in a recently published paper, “IME as a Possible Keylogger”.

For an attacker who wants to “wiretap” Chinese, Japanese and Korean input, it is more efficient to capture the result strings of the IME than the raw keystrokes. This methodology has been discussed theoretically in the past, but it has now been seen in the wild with Infostealer.Corepias. This Trojan captures IME result strings and sends them back to the attacker. Technically, an application that can handle IME-related messages and APIs is called “IME-aware”. Infostealer.Corepias, seemingly made in Korea, appears to be the first IME-aware infostealer seen in the wild, with the exception of some Trojan horses that forcefully cancel IME input.
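To make the difference between the two observation points concrete, here is a small toy model, added to this post and not code from Symantec or from the Trojan: a three-entry conversion table and an IME that, like real ones, moves the last chosen candidate to the front of the list. A WM_CHAR-style logger sees only the letters, spaces and candidate digits; an IME-aware observer sees the committed result strings. The readings, candidates and key conventions (space commits the first candidate, a digit the n-th) are all constructed for the example.

```python
"""Toy model: keystroke log versus IME result strings.

Constructed example. The conversion table is tiny and the key conventions
are invented; real IMEs have large, user-trained dictionaries, which is
exactly why the keystroke log alone is ambiguous.
"""
from itertools import product

# Constructed toy conversion table: romaji reading -> candidates in default order.
DEFAULT_CANDIDATES = {
    "kami": ["神", "紙", "髪"],
    "hashi": ["橋", "箸", "端"],
    "ame": ["雨", "飴"],
}


class ToyIME:
    """Letters build a reading; ' ' commits the first candidate and a digit
    1-9 commits the n-th. The committed candidate then moves to the front
    for that reading (the IME 'learns'), so the mapping from keys to result
    string depends on state a keystroke logger cannot see."""

    def __init__(self, table=DEFAULT_CANDIDATES):
        self.table = {r: list(c) for r, c in table.items()}  # private copy
        self.reading = ""
        self.results = []  # committed result strings, one per conversion

    def feed(self, key):
        if key.isalpha():
            self.reading += key.lower()
            return
        if key == " " or key.isdigit():
            cands = self.table.get(self.reading)
            if cands is None:
                raise ValueError(f"no conversion for reading {self.reading!r}")
            idx = 0 if key == " " else int(key) - 1
            if not 0 <= idx < len(cands):
                raise ValueError(f"no candidate {key} for {self.reading!r}")
            chosen = cands.pop(idx)
            cands.insert(0, chosen)  # learning: most recent choice goes first
            self.results.append(chosen)
            self.reading = ""
            return
        raise ValueError(f"unsupported key {key!r}")


def replay(keystrokes, table=DEFAULT_CANDIDATES):
    """Type one session through the toy IME.

    Returns (what a keystroke logger records, what an IME-aware observer
    records). The first element is just the raw key sequence."""
    ime = ToyIME(table)
    for k in keystrokes:
        ime.feed(k)
    return keystrokes, ime.results


def texts_consistent_with_log(log, table=DEFAULT_CANDIDATES):
    """All committed texts that the keystroke log could have produced when
    the IME's learned candidate order is unknown to the observer."""
    segments = []
    reading = ""
    for k in log:
        if k.isalpha():
            reading += k.lower()
        else:  # a commit key ends the current reading
            segments.append(table[reading])
            reading = ""
    return {"".join(choice) for choice in product(*segments)}


if __name__ == "__main__":
    log, results = replay("kami kami2kami ")
    print("logger saw   :", repr(log))
    print("IME committed:", "".join(results))
    print("texts the logger cannot distinguish:",
          len(texts_consistent_with_log(log)))
```

With the session `kami kami2kami ` the keystroke logger records fifteen plain keys and is left with 27 possible texts; the IME-aware observer gets the exact committed text. The gap only grows with a real dictionary and a real user history, which is the precision the post refers to.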

Using this method, an attacker can learn what has been input into an IME document with great precision. If the document in question contains classified information, the resulting theft could be very damaging to a company or a military unit. To decrease the risk, users should build a list of critical words in advance on a different PC, input the sentences without the critical words, and finally copy and paste the words from the list into the document (choosing the insertion positions as randomly as possible). It is also a good idea to take your time when building an IME document on a single PC so that mistakes, and the corrections that would reveal them, are kept to a minimum. These techniques are effective even in non-IME languages, as long as you ensure the pasted characters are not recorded in some other way.