Keyloggers, which stealthily record users' keystrokes, are one of the major threats unleashed by hackers. Malicious actors use keyloggers to steal passwords, mainly for financial gain. The objective of this article is to help users understand the risks of keyloggers and to prevent them through detection and removal.
According to a study, the threats from keyloggers, the stealthily installed programs that record computer keystrokes to help steal personal information, grew 65 percent the previous year, marking a growing trend in hackers using malware for financial gain. As keylogging is a very effective method, hackers and fraudsters can launch hundreds of these attacks around the world in seconds, gathering sensitive data to conduct large-scale monetary transfers for their illegal activities. Keyloggers are largely distributed by organized cyber theft groups and are typically packaged with phishing emails or spyware.
What is a Keylogger?
A keylogger is a computer program that logs each keystroke a user types on a keyboard and saves this data into a file or transfers it via the Internet to a predetermined remote host. It can also capture screenshots of user activity, log passwords, record online chat conversations or take other actions in order to find out what a user is doing. A keylogger poses the most dangerous threat to user privacy.
A keylogger runs in the background, recording all of a user's keystrokes and hiding the log on the machine to be retrieved later. Once a keylogging program is activated, through a command from the hacker, it provides the hacker with personal data such as addresses, account numbers or passwords - basically any string of text a person enters.
Keylogger Threats
A keylogger software program is used to monitor and log each of the keys a user types on a computer keyboard. Whoever installed the program can view every key typed by the monitored user. Because these programs record every key pressed, the installer (a malicious user) can easily find user passwords and other information the user may not wish others to know. Keyloggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only. Unfortunately, keyloggers can also be embedded in spyware, allowing your information to be transmitted to an unknown third party.
Practically all keyloggers are very difficult to detect. They can violate user privacy for months or even years until the user notices them. During all this time a regular keylogger is able to find out everything about the user. Someone who controls a keylogger gets priceless information, including the monitored user's passwords, login names, credit card numbers, exact bank account details, contacts, interests, web browsing habits and much more. All this information can be used to steal the victim's valuable personal documents and money, or to use their name, address and other identity data for criminal offences.
Powering Identity Theft
One reason keyloggers are gaining attention among hackers is their potential use in identity theft. A sizable number of identity theft cases are the result of keyloggers that most people don't realize they have on their machines.
The rise in keylogging is part of the trend of creating worms, viruses, and malware for profit. For example, the Zotob worm attack was part of this trend. Zotob attacked major corporations by exploiting a vulnerability in Microsoft’s Windows operating system and signaled the rise of the “business worm,” or a type of malicious software that targets enterprises rather than home users.
This is part of a shift in which attacks are moving from notoriety to criminalization. Hackers want to create malware that they can leverage for identity theft and that benefits them financially. Keyloggers have, however, flown under the radar as consumers and businesses have had their resources diluted by the rise in the number of security threats.
Types of Keyloggers
Software keyloggers are programs designed to work on the target computer's operating system. From a technical perspective there are four categories:
* Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched, except that it effectively becomes a virtual machine. Blue Pill is an example of this type.
* Kernel based: This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware which makes them very powerful. A keylogger using this method can act as a keyboard driver for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.
* Hook based: Such keyloggers hook the keyboard using functionality provided by the operating system for applications to subscribe to keyboard events legitimately. The operating system notifies the keylogger each time a key is pressed and the keylogger simply records it.
* Passive methods: Here the keylogger uses operating system APIs such as GetAsyncKeyState(), GetForegroundWindow(), etc. to poll the state of the keyboard or to subscribe to keyboard events. These are the easiest to write, but where constant polling of each key is required, they can cause a noticeable increase in CPU usage and can miss the occasional key. A more recent example simply polls the BIOS for preboot authentication PINs that have not been cleared from memory.
* Form grabber based: Logs web form submissions by hooking the browser's onsubmit event handlers. This records form data before it is passed over the Internet and so bypasses HTTPS encryption.
Functional Aspects
A keylogger is a program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden on the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hope of finding passwords, or possibly other useful information that could be used to compromise the system or in a social engineering attack. For example, a keylogger will reveal the contents of all e-mail composed by the user. Keyloggers are commonly included in rootkits.
There are many approaches to capturing information about what you are doing. Some of the main functions of keyloggers are listed below:
* Logs each keystroke a user types on a computer’s keyboard.
* Some keyloggers capture screens rather than keystrokes, taking screenshots of user activity at predetermined time intervals or whenever the user types a character or clicks a mouse button.
* Tracks user activity by logging window titles, names of launched applications, exact time of certain event occurrence and other specific information.
* Monitors online activity by recording addresses of visited web sites, taken actions, entered keywords and other similar data.
* Records login names, details of various accounts, credit card numbers and passwords including those hidden by asterisks or blank space.
* Captures online chat conversations made in popular chat programs or instant messengers.
* Makes unauthorized copies of outgoing and incoming e-mail messages.
* Saves all collected information into a file on a hard disk, and then silently sends this file to a configurable e-mail address, uploads it to a predefined FTP server or transfers it through a background Internet connection to a remote host. Gathered data can be encrypted.
* Complicates its detection and removal by hiding active processes and concealing installed files. The uninstaller, if it exists, usually refuses to work unless the user supplies a password.
* Other keyloggers will secretly turn on video or audio recorders, and transmit what they capture over your internet connection.
Technical Features
A hook-based keylogger normally consists of two files: a DLL that does all the work and an EXE that loads the DLL and sets the hook. Both files must therefore be present in the same directory for the hooking process to run, which is worth remembering when inspecting a suspect machine.
Some keyloggers, once installed, are invoked at system boot via an entry in the registry. A fully functional keylogger has the following technical features:
* Stealth: invisible in process list.
* Includes a kernel keylogger driver that captures keystrokes even when the user is logged off (Windows XP).
* The program files and registry entries are hidden in Windows XP.
* Includes Remote Deployment wizard.
* Active window titles and process names logging.
* Keystroke / password logging.
* Regional keyboard support.
* Keylogging in NT/DOS based console windows.
* Launched applications list.
* Text snapshots of active applications.
* Visited Internet URL logger.
* Capture HTTP POST data (including logins/passwords).
* File and Folder creation/removal logging.
* Mouse activities.
* Workstation user and timestamp recording.
* Log file archiving, separate log files for each user.
* Log file secure encryption.
* Password authentication.
* Invisible operation.
* Native GUI session log presentation.
* Easy log file reports with Instant Viewer 2 Web interface.
* HTML and Text log file export.
* Automatic E-mail log file delivery.
Because a keylogger can involve dozens of files, and has complete stealth from the user as a primary goal, removing one manually can be a terrifying challenge for any computer user. Incorrect removal efforts can result in damage to the operating system, instability, inability to use the mouse or keyboard, or worse. Further, some keyloggers will survive manual efforts to remove them, re-installing themselves before the user even reboots.
Ways of Infection
Keyloggers differ from regular computer viruses. They do not spread by themselves and usually must be installed like any other software, with or without the user's consent. Of the following ways an unsolicited keystroke logging program can get into a system, the first two involve direct installation and the remaining two spread through the Internet.
- A legitimate keylogger can be manually installed by a system administrator or any other user who has sufficient privileges for software installation. A hacker can break into the system and set up their own keylogger. In both cases a privacy threat gets installed without the monitored user's knowledge and consent.
- Malicious keyloggers are often installed by other parasites such as viruses, trojans, backdoors or even spyware. They get into the system without the user's knowledge and affect everybody who uses the compromised computer. Such keyloggers do not have any uninstall function and can be controlled only by their authors or attackers.
- Keylogging can be perpetrated through emails known as phishing attacks. In these emails, users are lured into clicking on what seems like a harmless link. Once they do, a program is secretly downloaded onto their computers.
- The programs can also be spread if they are embedded in iPod files or picture files on major web sites. Hackers also use channels such as the Internet Relay Chat program and programs like trojans that give them backdoor access to systems, in order to gather and filter logged keystrokes.
Keyloggers mostly affect computers running the Microsoft Windows operating system. However, some less prevalent parasites can also be found on other popular platforms.
Preventing Keystroke Capture
Keyloggers are basically designed to capture what a user types on the keyboard. On the web application side, one method of avoiding keystroke capture is to use a virtual keyboard for entering the username and password. A virtual keyboard is analogous to a graphical keypad on which a user clicks the characters rather than typing them on the keyboard. This approach may not be practical for every user, for obvious reasons. However, it can still be useful for very sensitive applications. Note that even this approach is not completely secure, as some keyloggers are designed to capture a screenshot on every mouse click. The user's password can then still be recovered from the screenshots by reading off the character under each recorded click. To counter this, some virtual keyboards also allow the user to enter a character by hovering the mouse cursor over it for a few seconds, so the password can be entered without clicking the mouse button at all.
Another method of avoiding keystroke capture is to ask the user to enter only some characters of the password, chosen at random. For example, an application can ask the user to enter the 1st, 3rd and 5th (odd-placed) characters of the password and then, on the next login, the characters in the even places. However, this sequence has to change every time, or else anyone capturing the typed characters can easily reconstruct the original password; additionally, the application must support this approach. The disadvantage of this method is that over time the keylogger still captures all the characters of the password, and the malicious person can then crack it by simply trying different combinations.
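To make the trade-off in the partial-password scheme concrete, here is an added Python simulation (not part of the original article) that models the application issuing position challenges, the user answering them, and a keylogger accumulating the captured characters across logins; the password and login counts are constructed sample values.

```python
import random
from typing import Dict, List, Sequence

# Constructed sample password for the simulation; not a real credential.
SAMPLE_PASSWORD = "tr0ub4dor&3x"  # 12 characters


def issue_challenge(length: int, k: int, rng: random.Random) -> List[int]:
    """Application side: pick k distinct 0-based positions for this login."""
    return sorted(rng.sample(range(length), k))


def odd_even_challenge(length: int, login: int) -> List[int]:
    """The fixed scheme from the text: the 1st, 3rd, 5th ... characters on one
    login (0-based 0, 2, 4 ...), then the even-placed ones (1, 3, 5 ...)."""
    return list(range(login % 2, length, 2))


def answer_challenge(password: str, positions: Sequence[int]) -> str:
    """User side: the characters at the requested positions, in order."""
    return "".join(password[i] for i in positions)


def verify(password: str, positions: Sequence[int], typed: str) -> bool:
    """Application side: compare what was typed with the expected characters."""
    return typed == answer_challenge(password, positions)


def observe(known: Dict[int, str], positions: Sequence[int], typed: str) -> None:
    """Model of a logger that records the keystrokes and, via a screenshot or
    window-title capture, the positions the application asked for."""
    for pos, ch in zip(positions, typed):
        known[pos] = ch


def logins_until_exposed(password: str, k: int, seed: int, fixed: bool = False) -> int:
    """Count the logins an observer needs before every position is known."""
    rng = random.Random(seed)
    known: Dict[int, str] = {}
    n = len(password)
    logins = 0
    while len(known) < n:
        positions = odd_even_challenge(n, logins) if fixed else issue_challenge(n, k, rng)
        typed = answer_challenge(password, positions)  # the legitimate user answers
        assert verify(password, positions, typed)
        observe(known, positions, typed)
        logins += 1
    return logins


if __name__ == "__main__":
    print("fixed odd/even scheme:", logins_until_exposed(SAMPLE_PASSWORD, 6, 1, fixed=True))
    print("random 3-of-12 scheme:", logins_until_exposed(SAMPLE_PASSWORD, 3, 1))
```

With the fixed odd/even sequence the observer holds the whole password after two logins; with random positions it takes more logins but still finishes, which is why the text describes this method as a delay rather than a defence.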
How to Remove a Keylogger?
Most keyloggers work in the same manner as computer viruses and can therefore be found and removed with the help of effective antivirus products such as Symantec Norton AntiVirus, Kaspersky Anti-Virus, McAfee VirusScan, Panda Antivirus and AVG Anti-Virus. Some advanced spyware removers, which scan the system much as antivirus software does and have extensive parasite signature databases, can also detect and remove keyloggers and related components. Anti-spyware solutions such as Microsoft AntiSpyware Beta, Spyware Doctor, Ad-Aware SE and SpyHunter are known for their keylogger detection and removal capabilities.
In some cases even an antivirus or spyware remover can fail to get rid of a particular keylogger. One can search Internet resources for that specific keylogger, which often provide manual malware removal instructions. These instructions allow the user to manually delete all the files, directories, registry entries and other objects that belong to the parasite. However, manual removal requires fair system knowledge and can therefore be a difficult and tedious task for novices. Not all keyloggers (even if they track your personal information) are illegitimate or need to be removed immediately.
Usage of Keyloggers
In terms of usage, software keyloggers are divided into parasitic and legitimate applications. Malicious keyloggers are very similar to viruses and trojans and are used by hackers to violate user privacy. Legitimate keyloggers, also known as computer surveillance tools, are commercial products targeted mostly at parents, employers and teachers. They allow them to find out what children or employees are doing online.
However, even legal programs work without the monitored user's knowledge and consent. They can also be used by malicious persons and are therefore not classified as less harmful threats than the actual parasites. In legal terms, because of the potential threat posed by all kinds of keyloggers regardless of the intended use, all keylogging programs are illegal.
A Brief Conclusion
The objective of a keylogger is to get the coveted password. Keyloggers can capture keystrokes without you knowing it while advanced programs can even grab cookies and scrape the screen to get personal information.
Keyloggers are part of the continuous wave of security problems that some people don't even know how to detect. There are so many victims because so few know the risk or the early warning signs; you simply can't stop what you can't see. There needs to be greater education about the issue and how keyloggers operate. As a precautionary practice, it is always safe to install anti-keylogger software, which protects you from the damage keyloggers cause.
By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Software Security. He has an active interest in designing security algorithms for securing software. He can be reached at infosecurity@fanaticmedia.com