Kaspersky's most recent product launch, Kaspersky Internet Security 2009, features a virtual keyboard: "a secure pop-up that enables logins, passwords, bank card details and other important personal information to be entered safely to prevent the theft of confidential information". It aims to protect users from keyloggers and, consequently, to provide a safer e-banking experience. More info:
"Full details have yet to be confirmed, but it is understood that the program will let users bring up the keyboard from which to enter login details for Web sites such as online banks that might be vulnerable. The on-screen keyboard will cache the keystrokes, protecting them from recording programs that would pick up physical keystrokes coming via the keyboard driver. It's not a new idea but Kaspersky is the first major security vendor to include such a feature in a standard Net security program."
Will keylogging evolve into clicklogging? Truth is, clicklogging, courtesy of malware, has been around since 2006.
Going mainstream with such a feature means the vendor has built enough confidence in its ability to provide a safer e-banking experience. However, it doesn't, at least not in its current form, and not with respect to the current threatscape, which has long forgotten what keylogging is, perhaps because of the two-factor authentication now in use: every decent banker malware out there takes advantage of form, session, and TAN grabbing, rendering SSL and two-factor authentication irrelevant.
Back in 2006, prior to an analysis released by Hispasec (the folks behind Virustotal.com) regarding a banker malware that was successfully defeating virtual keyboards, I made a comment that is still relevant two years later as far as virtual keyboards are concerned:
"Anything you type can be keylogged, but generating videos of possibly hundreds of infected users would have a negative effect on the malware author's productivity, which is good at least for now. Follow my thoughts: the majority of virtual keyboards have static window names, static positions, and the mouse tends to move over X and Y co-ordinates, therefore doing a little research on the most targeted bank sites would come up with a pattern, a pattern that should be randomized as much as possible. Trouble is, the majority of phishing attacks are still using the static image locations of the banks themselves, when this should have long been randomized as well. OPIE authentication, suspicious activity based on geotagging anomalies, and a transparent process for the customer -- please disturb me with an SMS every time money goes out -- remain underdeveloped for the time being."
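The "suspicious activity based on geotagging anomalies" idea from the comment above, as an added example that is not part of the original post: two logins by the same customer from places too far apart for the elapsed time are flagged as impossible travel. The log line format, the IP-to-coordinates lookup and the 900 km/h threshold are assumptions for the example; a real deployment would use a GeoIP database.

```python
# Added example (not from the original post): flag e-banking logins whose
# geolocation changes faster than a person could plausibly travel.
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner speed

# Constructed IP -> (lat, lon) lookup; stands in for a GeoIP database.
GEO = {
    "203.0.113.7": (42.70, 23.32),    # Sofia
    "198.51.100.9": (40.71, -74.01),  # New York
    "192.0.2.44": (42.65, 23.38),     # a few km from Sofia
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def parse_login(line):
    """Assumed log format: '<ISO timestamp> LOGIN user=<name> ip=<addr>'."""
    ts, _, user_field, ip_field = line.split()
    return datetime.fromisoformat(ts), user_field.split("=", 1)[1], ip_field.split("=", 1)[1]

def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, previous_ip, ip, km, hours) for every login that would have
    required moving faster than max_speed_kmh since that user's previous login."""
    last_seen = {}   # user -> (timestamp, ip) of the most recent login
    alerts = []
    for line in lines:
        ts, user, ip = parse_login(line)
        if user in last_seen:
            prev_ts, prev_ip = last_seen[user]
            km = haversine_km(GEO[prev_ip], GEO[ip])
            hours = (ts - prev_ts).total_seconds() / 3600.0
            # Zero or negative elapsed time with a location change is also impossible.
            if km > 0 and (hours <= 0 or km / hours > max_speed_kmh):
                alerts.append((user, prev_ip, ip, round(km), round(hours, 2)))
        last_seen[user] = (ts, ip)
    return alerts

# Constructed sample log: alice "moves" Sofia -> New York in 40 minutes; bob stays local.
SAMPLE_LOG = [
    "2008-07-01T09:00:00 LOGIN user=alice ip=203.0.113.7",
    "2008-07-01T09:40:00 LOGIN user=alice ip=198.51.100.9",
    "2008-07-01T10:00:00 LOGIN user=bob ip=203.0.113.7",
    "2008-07-01T12:00:00 LOGIN user=bob ip=192.0.2.44",
]
```

Running `find_impossible_travel(SAMPLE_LOG)` returns a single alert for alice; the same check can gate the "disturb me with an SMS" confirmation rather than blocking outright.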
A year later, a proof of concept for defeating Citibank's virtual keyboard was released online, and it worked even though Citibank's virtual keyboard displayed its keys in random positions. E-banking malware is anything but old-fashioned: instead of coming up with features that the developers behind the most popular crimeware kits merely think would work in a real-life situation, they have started developing specific modules tailored to the authentication and session handling of the most popular banks, on a per-country basis.
It will be very interesting to monitor developments on the keylogging front, especially now that an antivirus vendor is going mainstream with the feature. That is bound to attract a lot of malicious attention, since users will be logging in with it at many other places besides their bank accounts.