Tuesday, January 12, 2016

What is a Keylogger ?

A Keylogger or Keystrokelogger is a small piece of hardware or software which is used to capture the actions of keys struck on the keyboard, often secretly. It is used to secretly monitor what a user is typing on the keyboard and thus is very popular to attackers. Attackers often use this in Trojans, especially Spyware.

How does a Keylogger monitor activities on the keyboard

Study says, there are a couple of techniques used to implement a Keylogger. These can be hardware based or software based.

Software Based Keyloggers :

A Keylogger may be implemented in software in a couple of ways.

  • The attacker can secretly make a malicious hypervisor which can run underneath the Operating System once the computer is infected by a malware. In that case, the computer effectively becomes a Virtual Machine and the Keylogger runs within the hypervisor.

  • Once a computer is infected by a malware, the malware can manage to get root access and the Keylogger may hide itself within the kernel level. In that case, whenever a keystroke passes through the kernel, the Keylogger acts as a kernel device driver and collects information about whatever is typed by the user.

  • The Keylogger software can hook keyboard APIs in the running application and whenever a user releases a keystroke the Keylogger is called and it collects information about keystrokes.

  • The Keylogger may monitor user activity of filling up a web form and whenever the form is submitted, the Keylogger may collect information on whatever is typed in the web form before submitting the web form in the web application.

  • Keyloggers may even monitor memory tables associated with web browser and associated system functions and collect information on keystrokes by altering the tables.

  • The Keylogger may capture network traffic associated with HTTP POST in a computer and collect information about information sent over HTTP POST. But, on using HTTPS this possibility becomes very less.

Hardware Based Keyloggers :

  • A hardware based Keylogger can modify the BIOS level firmware associated with keyboard events and record keystroke events when they are processed.

  • Sometimes the attackers get control over the physical computer and install a hardware circuit between the keyboard and the computer. These hardware devices normally are inline with the keyboard's cable connector. These devices secretly collect information about keystrokes of users.

  • A hardware based Keylogger can intercept the packets transferred between a wireless keyboard and its receiver and collect information about keystrokes.

  • Sometimes attackers use keyboard overlays to steal ATM PINs. They place this over the actual keyboard and whenever any key is typed, it collects information about it.

  • Attackers can use a small piece of hardware which can monitor the sounds made while typing the keyboard and analyze them to guess whatever is typed.

Countermeasures for Keyloggers

There are a couple of countermeasures that can safeguard us from Keyloggers.

  • Anti Keyloggers can be used to detect Keyloggers. They are piece of software that can detect Keyloggers by comparing files in the computer with that of common Keyloggers. Normally, these Anti Keyloggers have higher probability of detecting Keyloggers than normal anti-virus.

  • Rebooting a computer using LiveCD or Live USB is a possible countermeasure for Keyloggers.

  • Some anti-virus or anti-spyware programs are quite effective in detecting Keyloggers.

  • Network monitors can be used to protect against Keyloggers. They monitor network traffic and issues an alert whenever an application tries to make a network connection to a remote computer, and thus protecting from keystroke information getting transferred to the attacker.

  • Some browsers give the option of auto-filling of web forms. This can prevent Keyloggers as the user do not need to type information on the keyboard.

  • Some web applications like that of banks give the option of typing through on screen keyboards. This is a possible protection against Keyloggers. As it is safer to type through on screen keyboards.

  • Keystroke Interference Software is a piece of software which attempts to trick Keyloggers by introducing random keystroke information and thus making it much difficult for the attackers to extract meaningful information.

  • A user can be careful while typing sensitive passwords and use some non-technical methods to trick the Keyloggers. For example, if the password is 'secret', the user may type 'asdfk' and delete 'a', 'd', 'f' and 'k' using the backspace and then type the rest of the password using the same technique. This will make much difficult for the attackers to extract meaningful information.

    So, beware of various security vulnerabilities and stay safe, stay secured.

1 comment: