How can a web browser intercept ctrl-alt-del?

2

So, I got a support call from someone who was browsing the web with Chrome, and got a popup message that their computer had been infected by a virus. It was a fairly standard "scare you into giving us your credit-card number" scam, and had locked up the browser so the user couldn't do anything, even exit it. Normally, I'd walk the user through using Ctrl-Alt-Del to kill the browser, then re-start it without any open tabs, but this time, the popup code managed to lock that out as well.

I thought the idea behind that key sequence was that it can't be intercepted by any user-level program (e.g. a web browser). How did this scam get around it?

Mark

Posted 2017-09-22T21:44:39.070

Reputation: 1 304

1

It is not possible to block CTRL-ALT-DEL, but it is possible to alter what is offered on the secure desktop. CTRL-ALT-Escape would have displayed the task manager. The kernel combo in question cannot be blocked. – Ramhound – 2017-09-22T23:26:08.457

2

Sounds like the computer was locked up for other reasons. – Appleoddity – 2017-09-22T23:52:37.983

What steps did you take to confirm the CAD sequence was locked out? – I say Reinstate Monica – 2017-09-23T13:54:05.163

Answers

4

It can't.*

The Ctrl+Alt+Del sequence (a.k.a. Secure Attention Sequence) can only be "heard" by the Windows kernel. Therefore, to disable or otherwise change how Windows responds to the SAS requires kernel-level privileges, which code running in the browser does not have.

Here are some other possible explanations (i.e. guesses) as to what happened:

  • The user misunderstood and didn't press the correct combination of keys

  • The computer became hard-locked and could not process any instructions. In the future you can test for this by doing things like (in order of reliability):

    • Tap the Num Lock key and observe if the indicator light on the keyboard toggles on/off. This won't happen on a locked up PC.

    • Ping the computer. A locked up machine cannot generate an ICMP reply (exception might be a system with NIC offloading capabilities).

    • Disconnect/reconnect a USB device and listen for the corresponding audio notification that such action occurred.

  • The web page was running code that maxed out the CPU, making the system slow to respond. Still, repeated attempts at the SAS sequence should eventually work. Also, the browser should detect the condition and offer to end the script.

Bottom line: User-mode code (the browser and code run by web pages) cannot change the behavior of the system's response to the Secure Attention Sequence.


*I'm excluding the possibility of a kernel exploit in this answer.

I say Reinstate Monica

Posted 2017-09-22T21:44:39.070

Reputation: 21 477
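As an added example (not from the question or the answer above), a read-only PowerShell triage script a helpdesk could run on the affected machine after it has been recovered. It reports the policy registry values that legitimately change what the secure desktop and Task Manager offer (the only supported mechanism that comes close to what the user observed, and one that needs admin rights or Group Policy, not browser code), and lists the browser processes with the most accumulated CPU time for the "script maxed out the CPU" hypothesis. It assumes Windows PowerShell 5 or later, Chrome as the browser, and that the listed registry values are absent unless a policy set them.

```powershell
# Added triage example, not code from the original post.
# Run in an elevated PowerShell session on the user's machine after recovery.

# 1. Policy values that alter the SAS / secure-desktop experience.
#    DisableTaskMgr removes Task Manager from the Ctrl+Alt+Del screen;
#    DisableCAD and SoftwareSASGeneration are the logon/SAS policies.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableCAD' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'SoftwareSASGeneration' }
)

Write-Host "== Secure desktop / SAS policy values =="
foreach ($check in $policyChecks) {
    # -ErrorAction SilentlyContinue: a missing key or value means "not set".
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "{0}\{1}: not set (default behaviour)" -f $check.Path, $check.Name
    } else {
        # DisableTaskMgr = 1 would explain a "missing" Task Manager; a browser cannot set it.
        "{0}\{1} = {2}" -f $check.Path, $check.Name, $item.($check.Name)
    }
}

# 2. Browser processes by accumulated CPU seconds (the CPU property is total
#    processor time since process start, so a runaway tab shows a large value
#    relative to its siblings). Chrome runs one process per tab/renderer.
Write-Host "`n== Chrome processes by CPU time =="
Get-Process -Name chrome -ErrorAction SilentlyContinue |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 5 -Property Id, @{ Name = 'CPUSeconds'; Expression = { [math]::Round($_.CPU, 1) } },
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB, 1) } } |
    Format-Table -AutoSize
```

If every policy value reports "not set" and no renderer stands out, the answer's remaining explanations (wrong key combination or a genuinely hung machine) are the ones left to check with the Num Lock, ping and USB tests it describes.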