Going by the most basic definition, keyloggers capture the keystrokes typed on your keyboard. Typically, a software keylogger saves these keystrokes in a file and may periodically send it to the owner of the program.
How do keyloggers work?
A keylogger captures all the keystrokes typed through the keyboard by hooking itself to the application programming interface (API). It saves the data in a file, including information like usernames and passwords, credit card details, websites visited, applications opened, screenshots, and so on. Depending on the features available, keyloggers can encrypt the data and upload it on an FTP or HTTP site or email it to a cyber miscreant, who could simply read that file, log into your account and change the password or misuse bank accounts and credit cards.
Modes of attack
Technically, the keylogger is only a piece of code that logs keystrokes, and could be a part or only a feature of a Trojan horse or malware. Malware can intrude your computer in various ways, some of which are listed below:
• Installing it manually on a personal or public computer.
• Visiting a malicious website, which may cause your computer to download and install malware/trojan/keylogger.
• Removable media/USB drive worms.
• Malicious software installed through peer-to-peer networks.
• Worms that use network vulnerabilities to move around.
• Keylogger binded with a genuine program.
Software commonly known as a binder could attach a keylogger to a genuine program. For instance, someone could bind the keylogger to a genuine executable such as a 'game', and ask you to try the new 'exciting' software. When the user executes the game, it runs the keylogger as well. Even though the game is genuine, it would harm your computer by covertly installing malware. Software cracking programs like key generators are a good 'game' example—these are frequently binded with malware.
Security against keyloggers
It is difficult to manually detect keyloggers, since they are very stealthy and almost impossible to find for a novice computer user. Detecting a keylogger requires good knowledge of how malicious code works (out of scope for this tip). An antivirus is incompetent at providing foolproof security against keyloggers. An antivirus works on the basis of known signatures; hence, if the new keylogger signature is unknown, the antivirus will not report it.
Nevertheless, an updated antivirus gives you a fair amount of protection against previously known and latest threats. Hence, it is recommended that you regularly update your antivirus software. In case you suspect a file to be malicious, and your antivirus fails to detect it, you can submit it to an online malware scanner like virustotal.com.
Tighten your defences
Implementing the following practices will ensure protection against keylogger attacks:
• Do not login to your sensitive accounts from a shared computer.
• Make sure you login from a computer, such as your personal or office that no one else uses.
• Keep your personal computer safe so that no one installs anything without your permission.
• You can use an on screen keyboard for entering your password, since it uses mouse clicks and not keystrokes. This feature is used by most banking sites today.
• Always set up account recovery details like Forgot Password, security questions and answers carefully, so that if ever the account gets lost, you are able to recover it. It is the easiest and most powerful way of recovering a hacked account.
Apart from the aforementioned defences, you could also learn and start using Linux to protect against keyloggers due to the following reasons:
• Keylogger attacks can be easily performed on Windows. Also, writing a keylogger for Windows is not very difficult.
• A novice computer user is likely to use Windows.
• Since majority of the computer users worldwide use Windows, the wrongdoers make malicious tools targeting Windows to reach a wider market.
• Installing keyloggers for Linux is not an easy task (without root access, that is).
About the author: Aditya Lad is a B.Tech graduate in Electrical Engineering from IIT Roorkee. Computer security is among his areas of interest. Currently Lad works as a software developer in a Bangalore-based software firm, and has been part of the null Bangalore chapter (www.null.com). He can be contacted on firstname.lastname@example.org.
This was first published in February 2011