Under the Spotlight: Keyloggers
Introduction
A keystroke logging system, or keylogger, is a tool that monitors and records keyboard events, such as a user typing a password or other valuable data. That data is later covertly transmitted to whoever installed the keylogger. Keyboard monitoring has legitimate uses, too, but in most cases the keylogger has been installed surreptitiously by an employer, parent or spouse to monitor someone else's activity. Online criminals use keyloggers to harvest log-in credentials from a victim's computer, aggregate the data at collection points such as attacker-controlled email accounts or web sites (often in encrypted form), and then use the stolen credentials for malicious purposes such as plundering the victim's online bank account.
Types of keyloggers
There are two classes of keyloggers: software keyloggers and hardware keyloggers.
Hardware keyloggers are physical devices attached to the keyboard at one end and to a computer port such as PS/2 or USB at the other. They intercept keystrokes and store them in on-board memory for later retrieval. They can also be built directly into a keyboard and sold as a single unit on underground web sites, so be wary if someone in your household or workplace suddenly replaces your keyboard for no apparent reason. Hardware keyloggers are hard to spot visually: you would have to inspect the keyboard connections or disassemble the keyboard altogether to find the chip that records your keystrokes, a demanding task for an average user. From the attacker's point of view, the benefit is that the device captures keystrokes from the moment the computer is powered on, so everything from BIOS entries to the password typed at log-on and during subsequent sessions might end up in the wrong hands. Because the device sits in the cable path, outside the operating system, it is essentially invisible to host-based security software, and this makes it a serious threat. The drawback is that the attacker needs physical access to the victim's computer to install the device, maintain it and retrieve the accumulated data.
The remainder of this article addresses the other class of keyloggers, the software programs that log keyboard strokes.
Software design
Software keyloggers are programs you are unlikely ever to see listed in the Control Panel's Add/Remove Programs. Most are installed without the user's knowledge or consent, and their mission is to transmit captured information to attacker-controlled destinations, working behind the scenes and spying on the target user.
Software keyloggers can also be divided into two distinct groups: kernel keyloggers and hook-based keyloggers.
Kernel keyloggers are the more elaborate pieces of malware, integrating directly into the Windows kernel, the core of the operating system. With that level of privilege they can monitor keyboard activity below any user-mode program, for example by installing their own keyboard filter driver, which makes recording keystrokes straightforward. Kernel keyloggers are stealthier and more evasive than user-mode ones and take significant effort to detect and eradicate. Examples include the “Klog” keylogger.
Hook-based keyloggers rely on hooks, a legitimate Windows mechanism (the SetWindowsHookEx API) that lets a program intercept messages such as keyboard events before they reach their destination window. By installing a keyboard hook, the keylogger receives a copy of every keystroke, including those typed into other applications. A legitimate program that uses the same approach is Punto Switcher, which automatically switches the keyboard layout based on the language the user is typing in.
Methods of propagation
Aside from someone with physical access to a computer intentionally installing a keylogger, the common propagation routes include:
- drive-by downloads that exploit vulnerabilities in browser software (predominantly through ActiveX controls and JavaScript);
- malicious spam and phishing attachments opened in email or an IM program;
- download and execution of malicious files from the Internet;
- malicious programs bundled with shareware and peer-to-peer content; and
- secondary downloads of a keylogger by malware already present on a compromised system.
Indication of infection
If a keylogger is well designed (as kernel-type keyloggers tend to be), chances are you will never see it operating on your system. Advanced keyloggers borrow rootkit functionality to hide from generic process-monitoring utilities; only specialized software such as rootkit detectors might reveal signs of their presence.
In the more typical case where the keylogger relies only on hooking to capture keyboard activity, its process should be visible in Windows Task Manager, although it may carry a name that mimics a legitimate system process. Investigate each suspicious process: check where its executable lives (a system-binary name running from a temporary or profile folder is a red flag), look at its publisher and digital signature, and look the name up with your Internet search engine. Such a search will shed plenty of light on the legitimacy of an unknown process.
Firewalls, too, display process-specific network activity, and if you are meticulous you can spot the culprit, because a keylogger has to send its log somewhere. Outpost Firewall, for instance, with its Log Viewer utility lets you review past network activity filtered by process, so it is easy to check what has been going on.
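The same triage can be scripted. The following is an added example, not code from the original article or from Outpost: it parses the output format of the Windows `netstat -ano` command, joins each outbound connection to the owning process's image path, and flags the combinations described above (a connection from a binary in a user-writable folder, or a system-binary name running outside System32). The netstat text and the PID-to-path table below are constructed sample data; on a real machine you would paste in the actual `netstat -ano` output and build the table from Task Manager or `Get-Process | Select-Object Id, Path`.

```python
"""Correlate per-process network activity with process image locations.

Added example, not part of the original article. The netstat listing and
the process table are constructed sample data in the shape of `netstat -ano`
and a PID -> image path mapping.
"""
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows format).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49711     93.184.216.34:443      ESTABLISHED     4120
  TCP    192.168.1.20:49712     203.0.113.7:587        ESTABLISHED     5432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:5353           *:*                                    2210
"""

# Constructed process table: PID -> full image path, as shown by Task Manager's
# "Open file location" or by `Get-Process | Select-Object Id, Path`.
PROCESS_SAMPLE = {
    4120: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    5432: r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    900: r"C:\Windows\System32\svchost.exe",
    2210: r"C:\Windows\System32\svchost.exe",
}

# Folders legitimately installed software seldom runs from but dropped malware often does.
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                "\\users\\public\\", "\\windows\\temp\\")
# Names malware likes to borrow from real system binaries.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "winlogon.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"

# proto, local, remote, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) tuples from netstat -ano text."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def is_outbound(remote, state):
    """True for a connection to a real peer (not a listening socket or wildcard)."""
    host = remote.rsplit(":", 1)[0]
    return host not in ("0.0.0.0", "*", "[::]") and state in ("ESTABLISHED", "SYN_SENT", "")


def triage(netstat_text, processes):
    """Return {pid: {"image", "remotes", "reasons"}} for processes worth a closer look."""
    remotes = defaultdict(list)
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if is_outbound(remote, state):
            remotes[pid].append(f"{proto} {remote} {state}".rstrip())

    findings = {}
    for pid, conns in remotes.items():
        image = processes.get(pid, "<unknown>")
        low = image.lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in low for d in SUSPECT_DIRS):
            reasons.append("image runs from a user-writable directory")
        if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIR):
            reasons.append("system binary name outside System32")
        if image == "<unknown>":
            reasons.append("PID not in process table")
        if reasons:
            findings[pid] = {"image": image, "remotes": conns, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, info in triage(NETSTAT_SAMPLE, PROCESS_SAMPLE).items():
        print(f"PID {pid}: {info['image']}")
        for conn in info["remotes"]:
            print(f"    {conn}")
        for reason in info["reasons"]:
            print(f"    -> {reason}")
```

In the sample, the Firefox connection is left alone while the `svchost.exe` talking to port 587 (SMTP submission, a typical way for a keylogger to mail its log) is flagged twice: it runs from the user's Temp folder and it borrows a system-binary name. Treat the output as a list of processes to investigate, not as a verdict.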
Disinfection and prevention
Preventing software keyloggers is a better approach than trying to remove them after infestation. Malware authors can easily modify a keylogger so that signature-based AV/antispyware no longer recognizes it; it is better to block the intrusion in real time than to repair the damage afterwards. Tools such as a HIPS (Host Intrusion Prevention System), which monitor program behavior and block unauthorized or non-compliant actions, can stop a keylogger as it tries to hook your keystrokes. Outpost Firewall Pro with its Anti-Leak module, the upcoming Outpost Security Suite Pro and other advanced security software monitor interaction between applications, ensuring a malicious program does not intercept input, content and other data belonging to legitimate programs.
A firewall alone cannot stop a keylogger from capturing keyboard data, but it can block the captured information from being transmitted to a remote attacker.
Practical safeguards
Here are a few practical tips on preventing keyloggers from stealing your information.
If you access the Internet from a public place such as an Internet café or airport kiosk, do not log in to sites that require your personal passwords. Fundamentally it is not safe: even if you log in without being observed, someone could later extract sensitive information from the browser cache or saved form data. If you absolutely must, the steps below reduce the risk of a simple keylogger capturing your password:
When entering your log-in information:
- Type the first part of your password, then
- click on an empty area of the web page and type a few random characters there. No text will appear, but a keylogger that records only the raw keystroke stream cannot tell which field each character went to; it simply logs the sequence of keys.
- Click back into the password field and continue entering the real characters.
- Repeat the procedure a few more times so that the real password cannot be picked out of the recorded stream. The screenshot below illustrates the sequence.

As a result your secret phrase {valid_password} would appear in the keylogger's record as something like {vjrfkrlfjajfkrfjlrhfjrhfihfjrefhdrfjkf_fjjkrjfpjfkrjfikafifjsrfjrfsjkjlwjkjrfklojdkfjrkdlfkdfd}, and the logged data is of little use. Be aware, however, that many keyloggers also record mouse clicks, the title of the active window or periodic screenshots, which lets the attacker separate the decoy keystrokes from the real ones, so treat this trick as an obstacle for the attacker rather than a guarantee.
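To make the limits of the decoy-typing trick concrete, the following is an added example (not code from the original article): it simulates a session in which the user alternates between the password field and an empty area of the page, and compares what the page receives with what two kinds of logger record. The keystroke session, the password and the decoy characters are all constructed for the illustration.

```python
"""Model what a keylogger records when a password is typed with decoy keystrokes.

Added example, not from the original article. The session below is
constructed: it is the tip above, with the user typing part of the password,
clicking an empty area of the page and typing junk, then returning to the
password field. A logger that keeps only the raw key stream is confused; a
logger that also notes focus changes (mouse clicks, active control) is not.
"""

# Constructed keystroke sequence: (control that has focus, characters typed).
# Each focus change corresponds to the user clicking somewhere with the mouse.
SESSION = [
    ("password field", "corr"),
    ("page body", "vjrfkrl"),
    ("password field", "ect"),
    ("page body", "fjajfkr"),
    ("password field", "horse"),
]


def form_receives(session, field="password field"):
    """What the web page's password field actually gets: keys typed while it has focus."""
    return "".join(chars for target, chars in session if target == field)


def raw_stream_logger(session):
    """A naive keylogger: records every keystroke with no focus context."""
    return "".join(chars for _target, chars in session)


def focus_aware_logger(session):
    """A logger that also records which control is active when typing resumes."""
    return [f"[focus: {target}] {chars}" for target, chars in session]


def recover_from_focus_log(log, field="password field"):
    """Attacker-side reconstruction: keep only the runs typed into the password field."""
    prefix = f"[focus: {field}] "
    return "".join(entry[len(prefix):] for entry in log if entry.startswith(prefix))


if __name__ == "__main__":
    print("page receives:      ", form_receives(SESSION))
    print("raw stream logger:  ", raw_stream_logger(SESSION))
    print("focus-aware logger: ", focus_aware_logger(SESSION))
    print("recovered password: ", recover_from_focus_log(focus_aware_logger(SESSION)))
```

The raw stream never contains the password as a contiguous string, which is the effect the tip relies on. The focus-aware log, which is no more than what a keylogger that records mouse clicks or the active control already produces, yields the password back in one line, so the trick only helps against the simplest loggers.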
Use an on-screen keyboard instead of typing on your hardware keyboard
You can use a virtual (on-screen) keyboard, such as the On-Screen Keyboard built into Windows (osk.exe), to enter characters with the mouse instead of the hardware keyboard. This defeats hardware keyloggers and hooks that only see keyboard input; a keylogger that captures mouse clicks or screenshots can still recover what you entered.
Conclusion
Keyloggers are dangerous and nasty pieces of malware. However, if you are informed, use your computer sensibly, and keep good antivirus and behavioral monitoring software up to date, you can significantly lessen, if not eliminate, their impact.