The mystery of the black square.

Hi folks!

Can you guess what this is?

No – it’s not Malevich’s Black Square. Nor is it a rhetorical clickbait question.

Actually, if you look closely – if your screen shows it big enough – you’ll see something that’ll give you a clue, but you still might not get it…

Ok; the answer is: it is (minus the watermark) what a screenshot taken by a suspicious application on a computer protected by, for example, KTS, looks like. But how? Why?…

Cyber-criminals, cyber-military, cyber-miscreants and other cyber-lowlifes… all of them are REALLY interested in getting access to user accounts. They each have their own reasons (money, espionage, Herostratic delusions of grandeur, spying on spouses/competitors/enemies, etc.), and there are different means applied, but the end they seek is always the same: they want to obtain access to the user accounts.

But, you may be wondering why malware wants to take screenshots – given the fact that sites and software products substitute dots for the letters, numerals and/or symbols used in a password.

Actually, those dots can be gotten around – very easily in plenty of ways…

First, often a user is given the option to see the entered password (‘show password’ or some such). Second, many services show the last few symbols of a password for better service usability. Third, some services only replace the password with dots when the user proceeds to the next entry field after pressing enter. Fourth, sometimes the font size of the password is tiny – ‘so someone close by won’t be able to read it’! Fifth, there are different lifehacks and tools (like pwdcrack) that allow baddies to turn off password-masking dots. In short, the likelihood that a password will not be shown on a screen is far from zero, and malware easily exploits that fact.

Incidentally, the threat posed by the possibility of someone looking over your shoulder, or of security cameras taking a peek at your password, is negligible when compared to the threat of it being read by malware via a screenshot.

Taking screenshots is one function of what is probably the most well-known banking Trojan, Zeus; also of its many clones – for example KINS, which conducts an attack that takes screenshots when the mouse is clicked (not just when keys are hit). That is, even if a virtual keyboard is used on a banking website for entering passwords or one-time codes, the malware can still work out the entered symbols.

But it’s not only passwords that are of interest to the bad guys.

How about bank card details entered when buying something online? What about the security questions you’re asked for authentication or to recover access to a locked account? Personal details? Contents of messaging? The list goes on and on. Indeed, it is the indispensable screen that’s the main gateway to our private information and secrets; as such, it’s the one place that most needs to be kept away from the prying eyes of bad guys via screenshots. There are ways to protect it, using functions like Safe Money and/or Virtual Keyboard, but they’re not used by everyone – even the more security-conscious. And anyway, though these functions help, they’re no guarantee of total protection. For the cyber-villains still have screenshotting in their arsenal. But we’re ready and waiting for them with a solution against just that…

Most of our products have a patented technology that guards the API functions that allow applications to take screenshots. Thus, if an application is trying to take a screenshot, this is what happens:

  • The product works out which applications have their own windows on the screen;
  • Based on data from different components and subsystems (for example System Watcher and Safe Money), the product determines if these windows contain confidential/personal data;
  • The product analyses the trust rating of the applications that get access to the screen;
  • The product takes a decision on whether to block screenshot-taking ability or not. Put another way: black square or no black square.

And last but not least: there’s a bonus!

This technology that protects against malicious screenshotting helps uncover previously unknown cyberattacks. Applications that suspiciously show an interest in other ‘windows’ without a real purpose have their rating lowered, and they edge closer to being proactively detected by machine learning via KSN or manually by an expert. That way, little by little, with a truly global effort plus highly-trained cyber-brains, we all together lower the overall danger level of the internet for the benefit of everyone. Hurray! Cheers to that.

Comments


    I tried to take a screenshot (Win key+PrtScr) of an online banking session protected by KTS Safe Money and all it gave is a black screen and it works. I’ll keep using KTS for all of my family members’ PCs and me and my friend will consider Kaspersky Small Office Security for our small business.

    Of all the AV programs I’ve tried, Kaspersky figured out how to balance security, performance and low false positives.
