Keyloggers Survey

Overview

A keylogger is a type of program that monitors and records keystrokes made on a keyboard. It can be used for both legitimate and malicious purposes. Keyloggers are more commonly associated with malicious activities, such as stealing sensitive information like passwords, credit card numbers, and personal identification numbers (PINs).

Types of Keyloggers

Hardware Keyloggers

Hardware keyloggers are physical devices designed to capture keystrokes by intercepting the signal between the keyboard and the computer. These devices can be categorized based on their installation method and operational level, offering varying degrees of stealth and complexity.

Inline Devices

Inline devices are perhaps the most straightforward type of hardware keylogger. They are physically inserted between the keyboard and the computer, directly intercepting the keystrokes as they travel from the keyboard to the computer's input port. These devices are usually small and designed to blend in with the existing hardware, making them difficult to detect through casual observation. Inline keyloggers capture the electrical signals sent by the keyboard, storing the intercepted data in internal memory.

Firmware Keyloggers

Firmware keyloggers take a more integrated approach by embedding the keylogging functionality within the hardware's firmware. These keyloggers can be installed in the keyboard's firmware or the computer's BIOS (Basic Input/Output System). Firmware keyloggers operate at a very low level within the system, often below the detection capabilities of most antivirus and anti-malware software. Because they are part of the hardware's firmware, these keyloggers can survive system formats, operating system reinstalls, and even some hardware replacements.

Wireless Keyloggers

Wireless keyloggers are designed to intercept keystrokes from wireless keyboards by capturing the radio frequency (RF) signals transmitted between the keyboard and its receiver. These keyloggers exploit vulnerabilities in the wireless communication protocols, allowing them to log keystrokes remotely without needing direct physical access to the target device. Wireless keyloggers are particularly effective at short distances, making them suitable for covert surveillance.

Software Keyloggers

Software keyloggers are programs designed to monitor and log keystrokes on a computer system. Unlike hardware keyloggers, they do not require physical access to the machine and can often be installed remotely through various methods. Software keyloggers can be categorized based on their operation level and method of capturing keystrokes.

Application Layer Keyloggers

Application layer keyloggers operate at the level of user applications, capturing keystrokes by interacting with the application programming interfaces (APIs) provided by the operating system. These keyloggers work by hooking into the keyboard APIs, allowing them to intercept keystrokes before they are processed by the application. These keyloggers are relatively easy to develop and deploy, making them a common choice for attackers. They can be integrated into seemingly benign software, such as freeware or shareware, that users download and install without realizing the hidden functionality.

Kernel-Based Keyloggers

Kernel-based keyloggers operate at a deeper level within the operating system's kernel. By running at this level, they can intercept keystrokes as they are processed by the kernel before reaching the application layer. This method allows kernel-based keyloggers to capture keystrokes more stealthily and effectively, as they are less likely to be detected by traditional antivirus or anti-malware software. These keyloggers can survive system reboots and even some forms of system maintenance, making them particularly persistent and dangerous.

Form Grabbing Keyloggers

Form grabbing keyloggers specialize in capturing data entered into web forms before it is submitted. These keyloggers are often embedded within the browser or browser extensions and intercept the data at the moment it is entered by the user. A browser-based form grabber can capture login credentials, credit card numbers, and other sensitive information typed into web forms. This type of keylogger is particularly effective for stealing information from online banking websites, e-commerce platforms, and other online services where users enter confidential data. Unlike other keyloggers, form grabbers do not rely on intercepting keystrokes but rather capture the complete form data, making them highly effective for specific types of data theft.

JavaScript Keyloggers

JavaScript keyloggers are embedded in web pages, often as part of malicious scripts injected into otherwise legitimate websites. These keyloggers use JavaScript event handlers to capture keystrokes entered into web forms or any part of the web page. When a user visits a compromised website, the JavaScript keylogger activates and begins recording keystrokes, which are then sent to the attacker’s server. This method of keylogging is particularly insidious because it does not require any software to be installed on the user's computer, relying instead on the web browser to execute the malicious script. JavaScript keyloggers are commonly used in phishing attacks where users are tricked into visiting a malicious website that appears legitimate.

Clipboard Keyloggers

Clipboard keyloggers monitor and capture data copied to the clipboard. When users copy and paste sensitive information, such as passwords or personal identification numbers (PINs), clipboard keyloggers can intercept this data. These keyloggers typically hook into the clipboard API provided by the operating system, allowing them to monitor clipboard activity and log any copied data. Clipboard logger applications are less common than other types of keyloggers but can be effective in capturing information that users consider secure enough to copy and paste, bypassing traditional keystroke logging.

Remote Access Tools (RATs)

Remote Access Tools (RATs) are a class of malware that provides attackers with remote control over a compromised system. Many RATs include keylogging as part of their functionality, allowing attackers to capture keystrokes remotely. RATs with built-in keylogging modules can record keystrokes and send the captured data to a remote server controlled by the attacker. These tools often come with a variety of features beyond keylogging, such as screen capture, file access, and remote command execution, making them versatile and dangerous.

Keylogger Execution Requirements

Hardware Keyloggers

Hardware keyloggers, being physical devices, necessitate certain conditions and resources to effectively capture and store keystroke data. Understanding these requirements is crucial for both deploying and detecting these types of keyloggers.

Physical Access

The primary requirement for installing a hardware keylogger is physical access to the target machine. This involves being able to insert a device between the keyboard and the computer or directly modifying the internal components of the hardware. Physical access could be obtained in various ways, such as during the manufacturing process, through social engineering tactics to gain entry to a workspace, or by exploiting moments when the target machine is left unattended. This necessity makes hardware keyloggers less practical for remote attackers but highly effective in environments where physical security is lax.

Power Source

Hardware keyloggers must be powered to function. Some draw power directly from the keyboard connection, which is the case for many USB and PS/2 keyloggers. These devices are designed to use the minimal power provided through the keyboard interface, making them self-sustaining as long as the keyboard is connected. Others might require an independent power source, especially more sophisticated devices like those embedded in the firmware. These can be battery-powered or designed to tap into the computer’s internal power supply. Ensuring a reliable power source is crucial for the keylogger to operate continuously without interruption.

Stealth Installation

For a hardware keylogger to be effective, it must be installed in a way that avoids detection by the user. This means the device needs to be discreet and often mimics the appearance of standard connectors or adapters. Installation must be done carefully to avoid raising suspicion, often necessitating some level of technical skill and knowledge of the hardware being targeted. Additionally, more advanced hardware keyloggers might use techniques to camouflage themselves within the existing hardware, such as embedding into the keyboard's circuitry or hiding within the computer case, making physical detection even more challenging.

Software Keyloggers

Software keyloggers, being digital in nature, require a set of specific conditions related to the software environment and system configuration of the target machine. These requirements influence how they are deployed, their operational efficiency, and their ability to remain undetected.

Administrative Privileges

Kernel-based keyloggers, which operate at the system kernel level, often require administrative privileges to install. This level of access allows the keylogger to interact with core system processes and intercept keystrokes before they reach higher-level applications. Achieving administrative privileges can be done through various means such as exploiting vulnerabilities, using privilege escalation techniques, or deceiving the user into granting such permissions, often through social engineering methods or phishing attacks.

Persistence Mechanisms

To ensure that the keylogger continues to operate even after system reboots, it employs various persistence mechanisms. These mechanisms can include modifying startup items so the keylogger runs automatically when the system boots, altering registry entries to embed itself into the system's startup routine, or embedding code within existing system files. Persistence is crucial for the long-term operation of the keylogger, as it ensures that the keylogging activity is continuous and does not require repeated reinstallation.

Remote Network Access

For remote keyloggers, network access is essential to transmit captured data to the attacker’s server. This requires the keylogger to have the capability to connect to the internet, often using standard network protocols such as HTTP, HTTPS, or FTP to send logs discreetly. Some keyloggers might use encrypted communication to avoid detection by network monitoring tools. Ensuring reliable and stealthy data transmission is critical for the effectiveness of remote keyloggers, as it enables the attacker to receive data without physically accessing the compromised machine.

Antivirus Evasion

Effective keyloggers must evade detection by antivirus and anti-malware software. This often involves using techniques like code obfuscation, encryption, and polymorphism, where the keylogger changes its code signature frequently to avoid detection. Advanced evasion techniques might also include manipulating the operating system’s security mechanisms and using trusted system processes to execute malicious actions, making it harder for security software to detect and remove them.

Browser Access

Form-grabbing and JavaScript keyloggers specifically target web browsers to capture data entered into web forms. These keyloggers require access to the browser environment, which can be achieved through exploiting browser vulnerabilities, manipulating browser extensions, or using cross-site scripting (XSS) attacks. By gaining control over the browser, these keyloggers can intercept data such as login credentials and credit card information entered by the user. Ensuring continued access to the browser and maintaining the ability to capture and transmit this data without detection is crucial for the success of these types of keyloggers.

Keylogger Indicators

Suspicious Processes and Services

One of the most direct technical indicators of a keylogger is the presence of suspicious processes and services running on the system. Services that start automatically on system boot can be particularly telling. An unfamiliar service with a vague or misleading name running on startup should be scrutinized, as keyloggers often configure themselves to launch automatically to ensure they begin logging as soon as the system is active. Advanced users can use tools such as Process Explorer or Autoruns to delve deeper into running processes and startup items, providing more detailed information that can help identify hidden threats.
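The kind of scrutiny described above can be scripted. The following is an added example, not part of the survey: it scores autostart entries with a few simple heuristics (unsigned binary, user-writable install path, a name that imitates a Windows component, missing metadata). The entries are constructed to resemble an export from a tool such as Autoruns, and the rules and thresholds are illustrative assumptions rather than any vendor's detection logic.

```python
"""Heuristic triage of autostart entries (services, Run keys, scheduled tasks).

Added example, not from the survey. The entries are constructed to resemble an
export from a tool such as Autoruns, and the scoring rules are illustrative
assumptions, not any vendor's detection logic.
"""

# User-writable locations from which a legitimate autostart service rarely runs;
# a binary dropped here needs no admin rights to be written (assumed list).
SUSPICIOUS_DIRS = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\users\public",
    r"\windows\temp",
)

# Spellings chosen to pass as Windows components at a glance (assumed list).
LOOKALIKE_NAMES = ("svch0st", "svchost32", "csrss_", "winlogin", "lsass_")


def score_entry(entry):
    """Return (score, reasons) for one autostart entry.

    Expected keys of the constructed layout: name, image_path, signed (bool),
    description.
    """
    reasons = []
    name = entry["name"].lower()
    path = entry["image_path"].lower()
    if not entry.get("signed", False):
        reasons.append("binary is not Authenticode-signed")
    if any(d in path for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a user-writable directory")
    if any(n in name or n in path for n in LOOKALIKE_NAMES):
        reasons.append("name mimics a Windows component")
    if not entry.get("description"):
        reasons.append("no description or company metadata")
    return len(reasons), reasons


def triage(entries, threshold=2):
    """Return [(name, reasons)] for entries scoring at or above threshold."""
    flagged = []
    for entry in entries:
        score, reasons = score_entry(entry)
        if score >= threshold:
            flagged.append((entry["name"], reasons))
    return flagged


# Constructed sample: two ordinary entries and one that looks like a dropped binary.
SAMPLE_ENTRIES = [
    {"name": "Windows Defender",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "signed": True, "description": "Antimalware Service Executable"},
    {"name": "Acme Updater",
     "image_path": r"C:\Program Files\Acme\AcmeUpdater.exe",
     "signed": True, "description": "Acme update service"},
    {"name": "svch0st",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\svch0st.exe",
     "signed": False, "description": ""},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES):
        print(f"{name}: {', '.join(reasons)}")
```

A single heuristic hit is rarely conclusive on its own (plenty of legitimate software is unsigned or lives in AppData), which is why the example requires two independent indicators before flagging an entry; in practice the flagged entries are then checked by hand or against a known-good baseline of the host.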

Keyboard and Input Device Monitoring

Keyloggers specifically target keyboard inputs, often hooking into keyboard APIs to capture keystrokes. This behavior can sometimes cause noticeable issues with input devices, such as lag, erratic behavior, or malfunctioning keyboards. Software attempting to hook into keyboard APIs can be detected through specialized tools designed to monitor these interactions. Tools like Microsoft's Spy++ or similar API monitoring software can be used to detect and log API hooks related to keyboard inputs. These tools can reveal which applications are attempting to intercept keyboard signals, providing valuable clues in identifying potential keyloggers.

File and Registry Changes

Keyloggers often make changes to system files and registry entries to integrate themselves into the operating system. Detecting these changes can be a strong indicator of their presence. Users can employ integrity checking tools that monitor specific files and registry keys for unauthorized changes. For example, the Windows built-in tool System File Checker (SFC) can help detect changes in protected system files. Similarly, registry monitoring tools can alert users to unexpected modifications in the registry, which may indicate keylogger activity.
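An integrity check of the kind mentioned above reduces to hashing a set of files once, storing the result, and diffing a later snapshot against it. The following added example (not from the survey, and unrelated to SFC's own mechanism) does that with SHA-256 over a directory tree and reports modified, added and removed files; the two snapshots at the bottom are constructed so the comparison can be exercised without touching the filesystem.

```python
"""Minimal file-integrity baseline and comparison.

Added example, not from the survey. It hashes a directory tree with SHA-256
and reports files that were modified, added or removed since a saved
baseline; a dropped or patched file in a monitored location shows up as
"added" or "modified".
"""
import hashlib
import json
import os


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Return {relative path: sha256} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make an unrelated file appear "unchanged".
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


# Constructed snapshots: the hashes are of short byte strings, standing in for
# real file contents. The "current" snapshot has one changed driver and one new DLL.
OLD_SNAPSHOT = {
    "drivers/example_kbd.sys": hashlib.sha256(b"driver v1").hexdigest(),
    "system32/notepad.exe": hashlib.sha256(b"notepad").hexdigest(),
}
NEW_SNAPSHOT = {
    "drivers/example_kbd.sys": hashlib.sha256(b"driver v2").hexdigest(),
    "system32/notepad.exe": hashlib.sha256(b"notepad").hexdigest(),
    "system32/svch0st.dll": hashlib.sha256(b"unexpected").hexdigest(),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        save_baseline(hash_tree(sys.argv[2]), "baseline.json")
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        print(json.dumps(compare(load_baseline("baseline.json"), hash_tree(sys.argv[2])), indent=2))
    else:
        print(json.dumps(compare(OLD_SNAPSHOT, NEW_SNAPSHOT), indent=2))
```

The baseline file itself must live somewhere the monitored software cannot alter (read-only media, a separate host, or a signed store), otherwise a keylogger with the privileges to patch system files can simply rewrite the expected hashes as well.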

Network Packet Analysis

Keyloggers that transmit captured data over the internet can be detected by analyzing the size and timing of network packets. Tools like Wireshark or tcpdump are used to capture and inspect network packets, looking for patterns that match the data transmission behavior of keyloggers. For instance, the Keystroke Recognition and Entropy Elimination Program (KREEP) is a technique that can identify keystrokes by analyzing packet sizes and timing, even if the data is encrypted. This method works by recognizing the specific patterns and intervals of packets generated by keystroke logging activities, differentiating them from normal traffic. By correlating these patterns with the times when keystrokes are made, security analysts can pinpoint potential keylogger activity.
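To make the size-and-timing idea concrete, here is an added example that is not from the survey and is not an implementation of KREEP: a deliberately simplified heuristic that groups packets into flows and flags a flow whose small packets arrive at human-typing intervals with human-like jitter, which separates it from both bulk transfers (large packets) and fixed-interval beacons (no jitter). The packet records are constructed, and every threshold is an assumption that would be tuned against real captures.

```python
"""Flag network flows whose packet timing resembles typed keystrokes.

Added example, not from the survey and not an implementation of KREEP. The
heuristic needs only packet sizes and timestamps, so it applies equally to
encrypted traffic. All thresholds are assumptions.
"""
from collections import defaultdict
from statistics import pstdev

SMALL_PAYLOAD = 64            # bytes: one keystroke plus protocol framing (assumed)
MIN_GAP, MAX_GAP = 0.05, 1.0  # seconds between consecutive keystrokes (assumed)
MIN_PACKETS = 8               # shorter runs are too noisy to judge
TYPING_RATIO = 0.8            # share of gaps that must fall in the typing range
MIN_JITTER = 0.02             # seconds; below this the interval is a timer, not a human


def group_flows(packets):
    """Group (timestamp, src, dst, size) records by (src, dst)."""
    flows = defaultdict(list)
    for ts, src, dst, size in packets:
        flows[(src, dst)].append((ts, size))
    return flows


def keystroke_like(flow):
    """True if the flow's small packets are spaced like human typing."""
    small = [ts for ts, size in sorted(flow) if size <= SMALL_PAYLOAD]
    if len(small) < MIN_PACKETS:
        return False
    gaps = [b - a for a, b in zip(small, small[1:])]
    in_range = sum(1 for g in gaps if MIN_GAP <= g <= MAX_GAP)
    # Most gaps in the human range, and irregular enough not to be a timer.
    return in_range / len(gaps) >= TYPING_RATIO and pstdev(gaps) >= MIN_JITTER


def find_keystroke_flows(packets):
    """Return sorted [(src, dst)] of flows flagged by keystroke_like."""
    return sorted(key for key, flow in group_flows(packets).items() if keystroke_like(flow))


# Constructed packet records (timestamp_s, src, dst, size_bytes) covering three
# flows: irregular small packets (typing-like), a 0.5 s beacon, and a bulk upload.
TYPING_TS = [0.00, 0.18, 0.31, 0.52, 0.61, 0.95, 1.10, 1.40, 1.52, 1.71]
SAMPLE_PACKETS = (
    [(ts, "10.0.0.5", "203.0.113.7", 41) for ts in TYPING_TS]
    + [(0.5 * i, "10.0.0.8", "203.0.113.9", 40) for i in range(10)]
    + [(2.0 + 0.001 * i, "10.0.0.5", "198.51.100.2", 1400) for i in range(10)]
)

if __name__ == "__main__":
    for src, dst in find_keystroke_flows(SAMPLE_PACKETS):
        print(f"keystroke-like timing: {src} -> {dst}")
```

In a real deployment the records would come from a capture tool such as tcpdump or Wireshark, and the flagged flows would be correlated with endpoint activity (was anyone typing on that host at those timestamps?) before treating them as keylogger exfiltration, since interactive protocols such as SSH produce the same pattern legitimately.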

Permissions and Application Analysis

A critical aspect of keylogger detection involves scrutinizing application permissions and behaviors. Many keyloggers, especially those integrated into seemingly legitimate applications, require specific permissions to operate effectively. By reviewing the permissions requested by applications, particularly those related to keyboard and input monitoring, internet access, and system settings, security analysts can identify potentially suspicious applications. For instance, a third-party keyboard application requesting extensive permissions beyond what is necessary for its functionality may be a red flag. Tools that specialize in permissions analysis can help automate this process, providing alerts when applications request or use permissions in a manner inconsistent with their stated purpose.
