What is a Keylogger?
A keylogger is a software or hardware tool used for keystroke logging, the practice of secretly recording every key struck on a keyboard. Usually, the person being monitored is not aware of it. A keylogger logs all the keystrokes in a file, and it can then upload this file to a predetermined server.
There are many types of keyloggers out there, and they can be used for different purposes. Although the keylogger was not initially meant to be a cybercrime tool, it did not take long for cybercriminals to apply keylogging in their daily activities, too.
Software vs. Hardware
The complexity of describing a keylogger lies in the fact that there are multiple types of keyloggers out there, and they could be classified based on several different variables. The most common classification is based on design. As such, there are software-based and hardware-based keyloggers.
Software keyloggers essentially are programs that get installed on a target computer. Depending on the classification, these applications may be further divided into programs that make use of a hooking mechanism and kernel or driver-based keyloggers.
The former will usually enter the computer as an executable file that launches the hook function. It is a legitimate Windows function, also known as SetWindowsHookEx, and it is used to monitor your system for specific types of events. In other words, if a third-party application makes use of this system messaging mechanism, it can monitor your system and process the messages sent before they actually reach the appropriate target procedure. The difference between the hooking function-based and the kernel-based keyloggers is that the latter have root access, and they can be virtually undetectable. In a sense, kernel-based keyloggers can be considered rootkits that can acquire illegal access to the hardware.
Hardware keyloggers, on the other hand, do not depend on any program or application to function because they work at a hardware level. That would be a specific device that records all the communication between your computer and your keyboard. Regular hardware keyloggers are placed somewhere in between the keyboard and computer, while there are also such hardware keylogger types as wireless keylogger sniffers, firmware, and keyboard overlays.
Legal vs. Illegal
Those who deal with malware on a daily basis are used to the malicious description of a keylogger, but the term itself is not malicious. It is only a program that is supposed to monitor someone’s activity. Therefore, there are both legal and illegal aspects of this software.
Legal keylogging programs might be used by employers to track the online activities of their employees in order to make sure that they do their job properly. Also, computer users may track their system activity via such programs in case their computers are used by third parties. What’s more, a keylogger may be a tool of parental control, enabling parents to track their children’s Internet activity. For the most part, these programs are supposed to ensure security in one way or the other. However, the thin ethical line between safety monitoring and downright spying makes keylogging a delicate subject.
The illegal use of keyloggers involves various types of cybercrimes. A keylogger can be used as a part of a trojan or a rootkit for data collection. Seeing how a keylogger can record all the keyboard input data, cybercriminals can intercept PIN codes, passwords, logins, email addresses, and other sensitive information without any difficulty. Such a practice is highly dangerous on both the individual and the corporate level, and that is why computer security experts advise users to perform regular system scans with security applications.
Keylogger Processes – Source: Researchgate.net
Examples of Keylogger Use in Cybercrime
There are many malicious infections that employ keyloggers, but to name just a few, perhaps we could start with the Predator Pain Keylogger that includes Browser, File, FTP, and Messenger stealers in its setup. This keylogger usually attacks online gamers, stealing passwords and usernames from Minecraft, Steam, and World of Warcraft users. According to extensive research, the program is usually distributed via infected USB flash drives or P2P websites.
A far more common type of infection that uses keylogging is a trojan. In this case, we could mention the Haxdoor Trojan. This malicious banking trojan appeared in 2006, and it was distributed via spam email messages that looked like legitimate notifications from a bank. This backdoor trojan with rootkit capabilities would collect banking usernames, passwords, credit card information, login details, and other financial information. With this data, the people behind this infection could steal millions of dollars from unsuspecting users.
Another good example of a trojan that employed keylogging is the notorious Zeus Trojan or Trojan.Zbot that was first discovered in 2010. The goal of this infection is to steal confidential information from the affected computer. Zeus Trojan usually spreads around via spam tools and drive-by downloads. Email messages that distribute this infection usually look like they have been sent from MySpace, Microsoft, Facebook, or any other reliable platform. Users are urged to click a link in the message, and once they do that, they get infected with the trojan. According to various security reports, the Zeus Trojan usually targets banking information, but it can be easily customized to steal other data as well.
Keylogger Distribution Method
Aside from the cases when keyloggers are installed legally for company security, parental control, or other justifiable purposes, the malicious infections with the keylogging function spread just like any other malware program out there. The distribution methods can be mainly grouped into four categories:
- spam email
- browser vulnerability exploit
- malicious program
- installer file on a P2P network
In the case of spam email, users get infected with keyloggers when they open the file attached to the message or click the embedded link. Browser vulnerability exploit refers to a method of malware distribution when the program download is launched automatically once the user visits the infected page. By “malicious program” in the third distribution method, we mean a situation when a keylogger is downloaded to your system by a malicious application that has already been running on your PC. Usually, trojans are able to connect to the Internet behind your back and download more unwanted programs. Finally, a keylogger may also enter your computer when you open its installer file on a P2P network. With this, we can see that when it comes to avoiding this type of threat, a lot depends on the users themselves.
How to Avoid Malicious Keyloggers?
The most efficient way to protect yourself from this and other types of infections is by installing a licensed anti-malware application. If your computer security tool is up-to-date, it will have all of the currently detected keyloggers in its definition database, and it will be able to intercept them immediately.
Users should also consider using one-time passwords, two-factor authentication, and virtual keyboards when they need to enter sensitive data. You should especially consider it when you use a third-party or a public computer. When it comes to keyloggers, it is not so much your computer that you should be worried about, but your personal information!
How Can You Detect Keyloggers? Check for Keyloggers with SpyHunter!
SpyHunter is a powerful malware remediation and protection tool designed to help provide users with in-depth system security analysis, detection and removal of a wide range of threats like Keyloggers as well as a one-on-one tech support service.
There are currently 105 articles listed on keyloggers.
| Name | Threat Level | Detection Count | Date |
|---|---|---|---|
| 'Taxve Inc.' Email Virus | | | September 3, 2021 |
| 123Keylogger | 80 % (High) | 4 | December 7, 2007 |
| 404 Keylogger | | | November 25, 2019 |
| AceSpy | 60 % (Medium) | 0 | September 2, 2008 |
| Actual Spy | | | December 11, 2008 |
| ACXInstall | 70 % (High) | 2 | August 21, 2007 |
| AGM65s Keylog trojan | | | March 27, 2006 |
| Aobo Keylogger | | | September 14, 2020 |
| Application.Actual_Keylogger | | | August 5, 2010 |
| Application.Family_Keylogger | 80 % (High) | 1 | March 28, 2011 |
| Application.WinSpy_Stealth_Monitor | | | August 12, 2010 |
| Application.WinSpy_Stealth_Monitor Virus | | | June 21, 2011 |
| Ardamax Keylogger | 80 % (High) | 0 | August 27, 2008 |
| BlazingTools Perfect Keylogger | 80 % (High) | 13 | November 28, 2019 |
| Boolosoft Keylogger | 80 % (High) | 0 | September 28, 2007 |
| CheaterChecker | 10 % (Normal) | 1,733 | August 24, 2007 |
| Cyber Snoop | | | August 4, 2009 |
| Enfiltrator Black Box | 50 % (Medium) | 0 | April 12, 2012 |
| Fade.exe | | | May 15, 2015 |
| FamilyKeyLogger | 80 % (High) | 223 | March 29, 2005 |
| Force Keylogger | | | October 2, 2007 |
| FreeKeylogger | 80 % (High) | 461 | September 7, 2007 |
| Gen.Variant.MSILKrypt | | | March 2, 2011 |
| Generic Keylogger.ai | 90 % (High) | 2,642 | April 1, 2011 |
| Generic.dx!nug | | | March 25, 2011 |