A keylogger (keyboard logger) is a keyboard recorder; a more accurate name would be keyboard spyware. It belongs to the classic class of spyware: programs that run on the user’s computer without the user’s consent or participation. The main purpose of keyloggers is to capture and transmit the logins and passwords of the user’s accounts, e-wallets, bank cards, etc.
Keyloggers are characterized by the ability to record the keys the user presses and then deliver the recorded data to a chosen destination. Modern keyloggers can relate keyboard input to the current window and input element. Many of them can also track the list of running applications, take a “photo” of the screen on a predetermined schedule or event, spy on the contents of the clipboard and covertly monitor the user.
All collected information is first stored on the hard drive in a log file (essentially a list of captured events) and then transmitted by e-mail or over HTTP/FTP. Some advanced keyloggers also use rootkit technologies to mask the traces of their presence in the system.
Antivirus software often does not treat a keylogger as a virus, because it does not replicate itself and does not behave like a Trojan; when a keylogger is caught, it is usually only thanks to a specially extended signature database and additional modules aimed specifically at it. Another problem is that the number of keyloggers is huge, they are not difficult to produce, and signature-based search is not effective against them.
How Do the Keyloggers Work
In general, they work by inserting themselves into the path a keystroke takes from the key press to the appearance of a character on the screen. The most common option is to install keyboard traps, i.e. hooks. In Windows, a hook intercepts system messages using a special Win32 API mechanism. Most keyloggers of this type use the WH_KEYBOARD hook; the WH_JOURNALRECORD hook can also be used. The difference is that WH_JOURNALRECORD does not require a separate dynamic-link library (DLL), which simplifies distribution of the malicious software over the network.
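A global WH_KEYBOARD hook needs its DLL mapped into every process that receives keyboard input, so one unsigned DLL from a user-writable directory suddenly appearing inside many unrelated processes is a footprint a defender can look for. The script below is an added example, not code from the article: it runs that check over constructed log records whose fields loosely follow a Sysmon “Image loaded” event (Event ID 7: Image, ImageLoaded, Signed); the paths, process names and timestamps are made up for the demonstration.

```python
"""Flag DLLs that behave like a global keyboard-hook module: unsigned,
located in a user-writable directory, and loaded into several distinct
processes within a short time window.

Added example. The log lines below are CONSTRUCTED for the demo and only
loosely mimic Sysmon Event ID 7 fields; no real paths or hashes are implied.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: UtcTime | Image (host process) | ImageLoaded | Signed
SAMPLE_LOG = r"""
2024-05-01T09:00:00Z|C:\Windows\explorer.exe|C:\Windows\System32\user32.dll|true
2024-05-01T09:00:01Z|C:\Program Files\Google\Chrome\chrome.exe|C:\Windows\System32\user32.dll|true
2024-05-01T09:00:02Z|C:\Windows\explorer.exe|C:\Users\alice\AppData\Roaming\kbdsvc\kbhook.dll|false
2024-05-01T09:00:05Z|C:\Program Files\Google\Chrome\chrome.exe|C:\Users\alice\AppData\Roaming\kbdsvc\kbhook.dll|false
2024-05-01T09:00:09Z|C:\Windows\System32\notepad.exe|C:\Users\alice\AppData\Roaming\kbdsvc\kbhook.dll|false
2024-05-01T09:00:20Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Users\alice\AppData\Roaming\kbdsvc\kbhook.dll|false
2024-05-01T09:00:31Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Users\alice\AppData\Roaming\kbdsvc\kbhook.dll|false
2024-05-01T09:01:00Z|C:\Users\alice\Downloads\setup.exe|C:\Users\alice\AppData\Local\Temp\setup_helper.dll|false
2024-05-01T09:05:00Z|C:\Windows\explorer.exe|C:\Users\alice\AppData\Local\Programs\Editor\plugin.dll|false
2024-05-01T09:15:00Z|C:\Windows\System32\notepad.exe|C:\Users\alice\AppData\Local\Programs\Editor\plugin.dll|false
2024-05-01T09:25:00Z|C:\Program Files\Google\Chrome\chrome.exe|C:\Users\alice\AppData\Local\Programs\Editor\plugin.dll|false
2024-05-01T09:35:00Z|C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Users\alice\AppData\Local\Programs\Editor\plugin.dll|false
"""

# A system DLL from C:\Windows\System32 loaded everywhere is normal; a DLL
# from a directory the user can write to is not. (Assumed prefix list.)
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")


def parse_events(text):
    """Turn the pipe-separated records into dicts with a datetime UtcTime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, loaded, signed = line.split("|")
        events.append({
            "UtcTime": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "Image": image.rsplit("\\", 1)[-1].lower(),   # keep the base name
            "ImageLoaded": loaded,
            "Signed": signed.lower() == "true",
        })
    return events


def find_hook_like_dlls(events, min_processes=4, window=timedelta(seconds=60)):
    """Return {dll_path: sorted host process names} for every DLL that is
    unsigned, lives under a user-writable prefix, and was loaded into at
    least `min_processes` distinct processes within any `window`-long span."""
    loads = defaultdict(list)            # dll path -> [(time, host process)]
    for ev in events:
        if ev["Signed"]:
            continue
        if not ev["ImageLoaded"].lower().startswith(USER_WRITABLE_PREFIXES):
            continue
        loads[ev["ImageLoaded"]].append((ev["UtcTime"], ev["Image"]))

    hits = {}
    for dll, entries in loads.items():
        entries.sort()
        # Slide a window over the time-ordered loads of this DLL.
        for i, (t0, _) in enumerate(entries):
            hosts = {proc for t, proc in entries[i:] if t - t0 <= window}
            if len(hosts) >= min_processes:
                hits[dll] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for dll, hosts in find_hook_like_dlls(parse_events(SAMPLE_LOG)).items():
        print(f"hook-like DLL {dll} loaded into: {', '.join(hosts)}")
```

Only kbhook.dll is flagged: user32.dll is signed, setup_helper.dll is loaded into a single process, and plugin.dll reaches four processes only when spread over half an hour, which the 60-second window ignores. Widening the window (the second call in the test) brings plugin.dll in as well, so the threshold and window are the knobs to tune; legitimate accessibility tools, input-method editors and some hotkey utilities also install global hooks, so a hit is a lead for triage, not a verdict.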
Interrogating the State of the Keyboard
A very simple method is to poll the state of the keyboard cyclically at high speed. No DLL needs to be injected into GUI processes (GUI: graphical user interface). The drawback of such keyloggers is that they must poll the keyboard state at a fairly high rate (10-20 polls per second).
Implementing the keylogger as a driver is more efficient than the methods described above. It can be done in at least two ways: write and install your own keyboard driver in place of the regular one, or install a filter driver. Keyboard traps (hooks) nevertheless make up the vast majority of all keyloggers.
A keylogger may be implemented in kernel mode, but it can also be done in user mode. In user mode, everything typed on the keyboard is tracked by intercepting the exchange between the csrss.exe process and the keyboard driver, or by monitoring the GetMessage and PeekMessage API functions. In such cases an on-screen keyboard, often considered a means of protection against keyloggers, does not help at all. Hardware keyloggers, unlike software spyware, cannot be detected by software.
How Are Keyloggers Transferred
In general, in the same way as any other malware.
They can get onto a computer:
● From an e-mail attachment;
● By being launched from a shared folder on a peer-to-peer network;
● Via a script on a web page that uses browser features to run a program automatically as soon as the user visits the page;
● Through already installed malware that downloads and installs more of its own kind.
Naturally, such programs can also be installed deliberately by a company’s security service, or by a partner who has you under close observation.
Types of Keyloggers
All keyloggers can be divided into three kinds: software keyloggers, hardware keyloggers, and acoustic keyloggers; the last are considered illegal and cannot be purchased legally.
Hardware keyloggers are rare compared with their software counterparts and much more expensive. They are attached to the cable that connects the keyboard to the PC or plugged in as a USB device and, depending on the type, log all keystrokes or take screenshots. They are far less discreet than software keyloggers and can be installed on the targeted device only with direct physical access to it. Their memory capacity is limited, and a user with some computer knowledge can easily spot them. At the same time, they are not detectable by antivirus software.
Acoustic keyloggers are the rarest kind and are mostly used by secret services, spies or reconnaissance teams. They are much bigger, and they work by recording the sound of keystrokes, which is later analyzed and interpreted as text. They come with their own pros and cons:
Pros:
● Cannot be detected by antivirus or antispyware software;
● Work at a distance;
● No physical access to the computer is required.
Cons:
● High price;
● Purchasing this equipment is not legal;
● Large size;
● The acoustic cryptanalysis system makes recognition errors;
● Not available for sale.
Software keyloggers are the most widespread kind. They are installed in the system as a piece of software and do the same as the types described above, but require a stable internet connection to be used.
It should be noted that keyloggers are quite an old type of spyware that appeared in the days of MS-DOS, when they were keyboard interrupt handlers about 1 kilobyte in size. Their functions have not changed much since then: the main task is still the covert recording of keyboard input, followed by saving the collected information to the hard disk or transmitting it over the network.
The majority of keyloggers that exist today are considered legal and are sold openly on the internet, since their creators cite many reasons for using them, for example:
● for parents: tracking children’s actions on the network and notifying the parents of attempts to open “18+” pages (parental control);
● for the security services of organizations: tracking inappropriate use of personal computers and their use during off-hours;
● for the security services of companies: tracking the typing of critical words and phrases that constitute a commercial secret of the company and whose disclosure can lead to material or other damage;
● for secret services and law enforcement agencies: analysis and investigation of incidents involving the use of personal computers.
Many of today’s keyloggers hide themselves in the system (they have rootkit functions), which greatly simplifies their deployment and subsequent use. This makes identifying keyloggers one of the priorities for antivirus companies.
In Kaspersky Lab’s malware classification, keyloggers are assigned to the special category Trojan-Spy (hidden spyware), which covers programs with keylogger functions. By Kaspersky Lab’s definition, these are programs that carry out electronic espionage.
Software keyloggers have their own disadvantages and advantages.
Disadvantage:
● Some keyloggers are listed in antivirus signature databases and are identified as malware, so they can be deleted while they are running.
Advantages:
● Wide choice;
● Technical support from the developer;
● Physical access to the computer is not required to install the keylogger and receive reports.
In order to keep track of what the children are doing in your absence or with whom your wife or husband communicates via the Internet, a software keylogger will be enough. In my opinion, this type of keylogger has more advantages than disadvantages, especially when you have the opportunity to install it (in some cases, to set up the antivirus to work with the keylogger) and to read the logs in a relaxed atmosphere when no one is at home.
Software for Finding and Removing Keyloggers
Of course, it would be impolite of us not to mention ways of dealing with these programs and of checking whether any of them are installed on your PC. Here is the whole arsenal that may be useful:
● Almost any antivirus product.
Most antivirus products can find keyloggers in one way or another, but it makes no sense to rely only on them because, as mentioned above, a keylogger is not quite a virus.
● Utilities that implement signature and heuristic search engines.
An example is the AVZ utility, which combines a signature scanner with a trap-based keylogger detection system;
● Specialized utilities and programs designed to detect keyloggers and block their work.
Such programs are the most effective for detecting and blocking keyloggers since, as a rule, they can block almost all types of them.
Among free semi-specialized solutions, it is worth looking at:
● Norman Malware Cleaner;
● Malwarebytes Antimalware.
Of course, there are more, but this set should be enough. As a last resort, as already mentioned, any reasonable antivirus will come in handy, since a free 30-day trial period is available from almost every vendor.
Ways of Protection
Since the main purpose of using keyloggers is to obtain confidential information (bank card numbers, passwords, etc.), the following methods of protecting against them are reasonable:
● Using one-time passwords/two-factor authentication;
● Use of proactive protection systems;
● The use of virtual keyboards;
● Using NoScript-type extensions in browsers.
The most secure form of protection will always be two-factor authentication, because it generates a second, one-time password that is always different, so it cannot simply be stolen and reused. Even if it is intercepted, the password remains valid for only one login attempt and will not provide any access to your sensitive data in the future.
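To make the one-time-password argument concrete, here is an added example that is not part of the original article: a minimal time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) generator and a verifier that records the highest counter it has already accepted. A code captured by a keylogger during a legitimate login is therefore rejected when replayed, and a code from an old time step is rejected as stale. The shared secret is the RFC test secret, and the scenario timestamps are chosen for the demonstration.

```python
"""One-time passwords versus keystroke capture: the same code is accepted
once and never again.  Added example; secret and timestamps are the RFC
test values / constructed, not from any real system."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time step."""
    return hotp(secret, int(at_time) // step, digits)


class OtpVerifier:
    """Server side.  Accepts the current step and `skew` neighbours to
    tolerate clock drift, but never a counter at or below the last one it
    accepted, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_accepted = -1                        # highest counter consumed

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted:          # replayed or stale step
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):    # constant-time compare
                self.last_accepted = counter
                return True
        return False


def keylogger_replay_scenario(secret: bytes, now: int) -> list:
    """Walk through one login followed by a replay of the captured code and
    a later attempt with a code that is two steps old.  Returns the list of
    verifier decisions in order."""
    server = OtpVerifier(secret)
    captured = totp(secret, now)                       # what a keylogger would see
    decisions = [
        server.verify(captured, now),                  # genuine login: accepted
        server.verify(captured, now + 5),              # replay seconds later: rejected
        server.verify(totp(secret, now + 30), now + 30),  # next step, fresh code: accepted
        server.verify(totp(secret, now - 60), now + 30),  # two-step-old code: rejected
    ]
    return decisions


if __name__ == "__main__":
    SECRET = b"12345678901234567890"                   # RFC 4226/6238 test secret
    print(keylogger_replay_scenario(SECRET, 1111111109))   # [True, False, True, False]
```

The verifier accepts the neighbouring time step on purpose (client clocks drift), which is exactly why it must also remember the last accepted counter: without that, the previous step’s code would stay replayable for up to 30 extra seconds. Real deployments additionally rate-limit attempts, because a six-digit code can be brute-forced if guesses are unlimited.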
Now let’s summarize everything that has been said:
● Although keylogger manufacturers position them as legal software, most keyloggers can be used to steal users’ personal information and to carry out economic and political espionage (although the latter is already in the realm of fiction);
● Currently, keyloggers, along with phishing and social engineering, are one of the main methods of electronic fraud;
● Companies operating in the field of computer security record a rapid increase in the number of malicious programs with keylogger functionality;
● There is a tendency to add rootkit technologies to software keyloggers in order to hide the keylogger’s files from both the user and the antivirus scanner;
● Detecting espionage carried out with keyloggers is possible only with specialized protection tools;
● To protect against keyloggers, you should use multi-level protection, from browser protection to antivirus software, virtual keyboards, etc.
As often happens, good intentions lead to bad consequences. Programs that were initially designed for parental control are now used to steal personal information and other kinds of sensitive data.
What originated as a simple keylogger can now record video of the desktop and even gain access to the computer’s webcam or the camera of any device it is installed on. Remember that even though such software can be installed without your consent, you are in charge of your own security, so you should always be aware of the ways to protect yourself against such malicious and threatening software.
Keyloggers may be able to deceive your antivirus software, but they will not be able to deceive you if you have enough knowledge.