12 Things You Should Know About Keyloggers
Fact 1
A keylogger is a software or hardware that records user activities—such as keystrokes, mouse movements, and clicks.
Fact 2
The main concept and goal of keyloggers is to capture the signals from keystrokes to their display on the screen. This can be achieved through various methods, such as hardware “bugs” on the keyboard itself, in the cable, or in the computer system unit; video surveillance; intercepting input/output requests; intercepting the system’s keyboard driver; filtering drivers in the keyboard stack; intercepting kernel functions by any means (modifying system tables, function code splicing, etc.); intercepting DLL functions in user mode; and finally, by using typical methods of querying the keyboard.
However, practice shows that the more complex the method, the less likely it is to be used by widespread trojan malware. Instead, these sophisticated techniques are more likely to be employed by targeted trojans aiming to steal corporate, personal, financial, and confidential information.
Fact 3
Types of Information That Can Be Controlled
- Keystrokes
- Mouse movements and clicks
- Dates and times of activity
Additionally, it can periodically take screenshots (and sometimes screen recordings) and copy data from the clipboard.
Fact 4
By Type
Keyloggers belong to a group of software products that control user activities on a PC. Initially, this type of software was only used to log keystrokes, including system keys, into special log files, which were later reviewed by the person who installed the program. These log files could be sent to network drives, FTP servers on the internet, via email, etc.
Today’s software products, while retaining this name, perform many additional functions—intercepting window data, mouse clicks, clipboard content, taking screenshots of active windows, saving records of all received and sent emails, monitoring file activity, working with the system registry, recording tasks sent to printers, intercepting audio and video from webcams and microphones connected to the PC, etc.
Hardware keyloggers are miniature devices that can be installed between the keyboard and the computer or inside the keyboard itself. They record all keystrokes made on the keyboard. The recording process is completely invisible to the end user. Hardware keyloggers do not require the installation of any applications on the computer to successfully intercept all keystrokes. When a hardware keylogger is installed, it does not matter whether the computer is turned on or off.
Fact 5
Work Time and Power Requirements
These devices can work indefinitely because they do not require an additional power source. The internal non-volatile memory of these devices can store up to 200,000 keystrokes with Unicode support.
These devices can be made in any form, so even an expert may sometimes be unable to detect their presence during an information audit.
Types of Keyloggers by Installation Location
Keyloggers are divided into internal and external based on where they are installed.
Acoustic Keyloggers
Acoustic keyloggers are the first type of hardware device that records the sounds created by the user pressing keys on the keyboard. They then analyze these sounds and convert them into text format.
By Log File Storage Location
- Hard disk
- Memory
- Registry
- Local network
- Remote server
- Cloud-based platforms
One of the most popular programs for keylogging is the Spyrix keylogger.
Fact 6
Log File Sending Methods
- FTP or HTTP (on the internet or local network)
- Various wireless connections (radio bands, infrared, Bluetooth, WiFi, and other variations in close proximity or advanced systems overcoming air gaps and physical isolation for data leakage)
Fact 7
By Usage Method
The method of using keyloggers (including both hardware and software products, keyloggers as a module) can distinguish between security control and security breaches.
Unauthorized Use: Keylogger installation (including hardware or software products with a keylogger as a module) without the knowledge of the automated system owner (security administrator) or the specific PC owner.
Unauthorized keyloggers (hardware or software) are called spyware or spy tools.
Unauthorized use is generally associated with illegal activities. Typically, illegally installed spyware is configured and obtained to not display any messages and does not create windows on the screen during installation. It also has the ability to include built-in resource delivery and remote installation configuration modules on user-prepared executable files. This means that installation can occur without direct physical access to the user’s PC, and usually does not require system administrator privileges.
Authorized Use: Keylogger installation (including hardware or software products with a keylogger as a module) with the knowledge of the automated system owner (security administrator) or the specific PC owner.
Generally, legally installed software requires physical access to the user’s PC and administrator privileges for configuration and installation.
Fact 8
By Including Signature Bases
Signatures of known keyloggers are included in the signature bases of well-known anti-spyware and antivirus software developers.
Unknown keyloggers, which do not have their own signature base, are often not included for various reasons:
- Keyloggers (modules) developed by government agencies for protection.
- Keyloggers (modules) created by developers of various closed-source operating systems and included in the system kernel.
- Keyloggers developed as limited editions for specific purposes, such as stealing important information from users’ PCs (e.g., using professional scam software). This spyware might involve slight modifications to the open-source keylogger code obtained from the internet, allowing the keylogger’s signature to be altered during compilation.
- Commercial keyloggers, especially those included in enterprise software modules, are rarely added to the signature bases of well-known anti-spyware and antivirus software developers. This results in situations where full-featured versions of software, published for fraudulent purposes on the internet, are converted into spyware that is not detected by anti-spyware and antivirus software.
- Keylogger modules included in virus applications intercept keystrokes on the user’s computer. Before the virus code signature data is included in virus databases, these modules remain undetected. An example is a well-known virus that caused significant trouble recently, which included a keystroke interception module and sent the received data over the internet.
Purpose of Use
Fact 9
Authorized Use of Keyloggers (including hardware and software products, keyloggers as a module) allows the owner of the automated system (security administrator) or a specific PC to:
- Identify input of critical words and phrases, which, if transferred to third parties, could lead to property loss.
- Gain access to information on the computer in case login credentials are lost for any reason (e.g., employee illness, deliberate actions by staff, etc.).
- Identify (and locate) all attempts to search for passwords.
- Control the use of the computer during idle time and find out what was typed on the keyboard during that period.
- Investigate computer incidents.
- Conduct scientific research to determine the accuracy, efficiency, and adequacy of staff responses to external impacts.
- Recover important information after a computer system failure.
Using keylogger modules allows commercial software developers to:
- Create rapid word search systems (electronic dictionaries, electronic translators).
- Develop applications for quickly searching names, organizations, addresses (electronic phone books).
Unauthorized Use of Keyloggers (including hardware and software products, keyloggers as a module) enables fraudsters to:
- Intercept information input by users via the keyboard.
- Gain unauthorized access to login information for various systems, including banking and client-type systems.
- Gain unauthorized access to user data protected by encryption systems—password phrases.
- Gain unauthorized access to credit card information.
Keylogging Principles
Fact 10
Standard Keyboard Traps
Generally, there are numerous variations of keylogger implementations; however, they all work on the common principle of intercepting the signal chain from keystrokes to their display on the screen. The most common implementation variant is the keyboard trap keylogger. The keyboard hook reads hardware input information from the system queue in the csrss.exe system process.
This method gained particular popularity because a filter hook allows the interception of absolutely all keystrokes as hooks control all system flows. Additionally, creating such spyware does not require any special knowledge beyond Visual C++ or Delphi and Win32API. However, this method requires creating a DLL dynamic library.
Periodic Keyboard State Querying
A primitive method involves high-speed polling of the keyboard state. This method does not require the execution of DLLs in the GUI process; as a result, the spyware is less noticeable.
The downside of this type of keylogger is the need for high-speed periodic keyboard state querying, at least 10-20 queries per second. This method is used by several commercial products.
Driver-Based Keylogging
This method is more effective compared to the ones mentioned above. There are at least two implementation variants for this method—creating and installing one’s own keyboard driver instead of the standard driver, or installing a filter driver. This method (like traps) is a keystroke tracking method.
Fact 11
Rootkit Spies
These can be implemented in both user mode and kernel mode. In user mode, keystroke tracking can be implemented by intercepting the csrss.exe process, by the keyboard driver, or using API functions such as GetMessage and PeekMessage. In many cases, even on-screen keyboards, which are usually considered invulnerable to any keylogging software, are not protected from rootkit keylogging software.
Hardware Keyloggers
Fact 12
Searching for Keyloggers on Your Home Computer
It is sufficient to ensure there is no keylogger software installed. However, in corporate environments, especially on computers used for banking transactions, electronic trading, and tasks involving handling confidential documents, there is a risk of using hardware keystroke interceptors.
Examining the Main Channels of Information Leakage via Hardware Keyloggers
1. Hardware Tabs in the Keyboard
Any keyboard typically has several cavities sufficient to place a small circuit board. The device can be powered and data transmitted directly by connecting to the keyboard controller’s printed circuit board. Hardware tabs can be installed manually or through industrial methods.
Solution: Open the keyboard and check for the presence of foreign electronic components. Seal the keyboard with stickers to prevent unauthorized access after inspection.
2. Reading Data from the Keyboard Cable by Non-Contact Methods
This method uses non-contact sensors to read data. Installation of such a device does not require opening gaps in the keyboard cable or installing any equipment. Non-contact hardware keyloggers need to be self-powered and are typically more complex than those connected directly. These devices might look like detachable noise filters on cables.
Solution: Non-contact readers are most effective when sensors are placed close to the keyboard cable (or even better—on the cable itself). Therefore, when inspecting the workplace, ensure there are no unidentified objects near or directly on the keyboard cable.
3. Device Installation in Cable Gaps
This type of keylogger is the most common as it is easy to install and detect. Hardware keyloggers are small devices inserted into the PS/2 or USB port of a computer, with the keyboard plugged into the keylogger. Installing such a device requires no special skills and can be done without shutting down the computer, especially if the keylogger is connected to a USB keyboard.
Hardware keyloggers may look like noise filters or adapters. These devices use input circuits to filter out noise and protect against overvoltage, with a microcontroller for storing collected information in low-power flash memory. Flash memory capacities vary from 32 KB to several megabytes; typically, they range from 128 KB to 2 MB.
Solution: Regularly check the workplace for unauthorized devices in the keyboard line gaps. Secure the keyboard plug with a sticker that breaks if the plug is removed from the socket.
4. Hardware Tabs Inside the System Unit
Referring to the principle of operation, this type of spyware is no different from devices of types 1 and 3 but is located inside the system unit. It can only be installed through specialized means and requires opening the unit’s casing.
Solution: Seal the system unit with stickers. Before sealing, check the contents of the system unit to ensure there are no external devices (the typical connection place is the motherboard parallel to the keyboard socket).
5. Information Reading Based on Acoustic and Electromagnetic Emissions Analysis
Catching the electromagnetic emissions of a keyboard over a distance is difficult (though theoretically possible), but catching the noise is much easier. Sometimes, during a phone conversation, you can clearly hear the interlocutor typing on the keyboard. Security research shows that each key produces a specific sound when pressed, allowing for key identification. The most notable work in this field was conducted by scientists at the University of California, Berkeley, who concluded that 60-96% of typed characters can be identified from common audio recordings.
Even without specialized analysis software, it is possible to detect the number of characters and the presence of repeated characters in a typed password.
Solution: The primary way to prevent information leakage through acoustic signal analysis is continuous, systematic staff training.