Keyloggers

Overview

A keylogger (also written KeyLogger, Key Logger or Keystroke Logger) is a program that runs in the background and records every keystroke.  The captured keystrokes are either stored in a hidden file on the machine for later retrieval, or sent straight to the attacker.  The attacker then searches them for passwords, or for other information that could be used to compromise the system or to support a social engineering attack.  For example, a keylogger reveals the contents of every e-mail the user composes.  Keylogging components are commonly included in rootkits and RATs (remote administration trojans).

 

A hook-based keylogger on Windows normally consists of two files: a DLL that does all the work, and an EXE that loads the DLL and installs the keyboard hook.  The split is forced by the operating system: the procedure for a system-wide keyboard hook must live in a DLL, because Windows maps that DLL into every process that receives keyboard input.  Therefore, when such a logger is deployed on a system, both files must be present, and the loader expects to find the DLL in its own directory.  Not every keylogger follows this layout: some poll the keyboard state from a single executable, and the kernel-driver loggers described below sit underneath the hook mechanism altogether, so the absence of an EXE/DLL pair proves nothing.
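The two-file layout suggests a concrete check. The following PowerShell script is an added example and is not part of the original page or of any product it mentions: it walks the two classic Run keys (the autorun location a loader is most often started from, an assumption here), and for every autorun executable lists the DLLs sitting beside it together with how many running processes have that DLL mapped. Because a system-wide hook DLL ends up in every process that receives keyboard input, a DLL from an odd directory that shows up in many unrelated processes is the thing to look at.

```powershell
# Added example, not from the original page. Looks for the EXE-plus-DLL layout of a
# hook-based keylogger: an autorun entry whose executable sits next to a DLL, and a
# count of how many running processes have that DLL mapped. Run elevated for the
# fullest view; processes whose module list cannot be read are skipped.

# Assumption: only the two classic Run keys are checked. RunOnce, services, Winlogon
# and the other autostart locations are left out of this example.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Map: lower-cased full path of a loaded module -> names of the processes holding it.
$loaded = @{}
foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
    foreach ($mod in $modules) {
        if (-not $mod.FileName) { continue }
        $path = $mod.FileName.ToLowerInvariant()
        if (-not $loaded.ContainsKey($path)) { $loaded[$path] = @() }
        $loaded[$path] += $proc.ProcessName
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not autorun values
        $cmd = [string]$prop.Value
        # Reduce the command line to its executable: a quoted path, or else the first token.
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe
        foreach ($dll in Get-ChildItem -LiteralPath $dir -Filter '*.dll' -ErrorAction SilentlyContinue) {
            $hosts = $loaded[$dll.FullName.ToLowerInvariant()]
            if ($null -eq $hosts) { $hosts = @() }
            [pscustomobject]@{
                AutorunKey   = $key
                ValueName    = $prop.Name
                Executable   = $exe
                DllBeside    = $dll.Name
                ProcessCount = @($hosts).Count
                Processes    = (@($hosts) | Sort-Object -Unique) -join ', '
            }
        }
    }
}
```

The output needs a human reader: plenty of legitimate software ships an EXE beside its DLLs, and shell extensions also appear in many processes, so the script narrows the field rather than naming a pest. Two limits worth knowing: a 32-bit hook DLL is only mapped into 32-bit processes, and a logger that hides its files or registry entries, as the ProBot feature list below claims to do, will not show up in a walk of the Run keys at all.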

 

There are other approaches to capturing what a user is doing.

 

*   Some products, such as Spector and PC Spy, capture screens rather than keystrokes. As a result, they are not detected by KeyPatrol (which performs generic keylogger detection), but they are detected by PestPatrol, PestPatrolCL and PPMemCheck. Some products (such as Win-Spy) capture both keystrokes and screens.

*   Other products secretly turn on video or audio recording and transmit what they capture over your Internet connection.

*   Consider what ISpyNow can do:

    *   Internet Conversation Logging - Log both sides of all chat conversations for AOL/ICQ/MSN/AIM Instant Messengers, and view them in real time, as they are happening!

    *   Window Activity Logging - Capture information on every window interacted with.

    *   Application Activity Logging - Track every application/executable that was executed and interacted with.

    *   Clipboard Activity Logging - Capture every text and image item that was sent to the clipboard on the remote machine.

    *   Keystroke Monitoring - Track all keystrokes pressed [including hidden system keys!] and which windows they were pressed in. Keystrokes can also be passed through a formatter for easy viewing/exporting.

    *   Website Activity Logging - Log all websites that were accessed on the remote machine.

 

A keylogger might be as simple as an EXE and a DLL placed on a machine and started at boot via a registry entry.  Or it might be as sophisticated as the ProBot Activity Monitor, which boasts these features:

 

*   Stealth: invisible in process list

*   Includes kernel keylogger driver that captures keystrokes even when user is logged off (Windows 2000 / XP)

*   ProBot program files and registry entries are hidden (Windows 2000 / XP)

*   Includes Remote Deployment wizard

*   Active window titles and process names logging

*   Keystroke / password logging

*   Regional keyboard support

*   Keylogging in NT console windows

*   Launched applications list

*   Text snapshots of active applications

*   Visited Internet URL logger

*   Capture HTTP POST data (including logins/passwords)

*   File and Folder creation/removal logging

*   Mouse activities

*   Workstation user and timestamp recording

*   Log file archiving, separate log files for each user

*   Log file secure encryption

*   Password authentication

*   Invisible operation

*   Native GUI session log presentation

*   Easy log file reports with Instant Viewer 2 Web interface

*   HTML and Text log file export

*   Automatic E-mail log file delivery

*   Easy setup & uninstall wizards

*   Support for Windows (R) 95/98/ME and Windows (R) NT/2000/XP

 

Because a keylogger can involve dozens of files, and has complete stealth from the user as a primary goal, removing one manually can be a daunting challenge for any computer user.  Incorrect removal can damage the operating system, cause instability, leave the mouse or keyboard unusable, or worse. Further, some keyloggers survive manual removal attempts, re-installing themselves before the user even reboots (see W32.Badtrans.B@mm Worm).

 

Are keyloggers illegal?  The answer varies from one jurisdiction to another.   In December 2001, a US federal court ruled that the FBI did not need a special wiretap order to place a keystroke logging device on a suspect's computer.   The judge also allowed the FBI to keep the details of the device secret, citing national security concerns.  The defendant in the case, Nicodemo Scarfo Jr., had used encryption to protect a file on his computer; the FBI used the keystroke logging device to capture Scarfo's password and gain access to the file.

Uses of a Keylogger

Privacy advocates may find no valid use for a keylogger, and those whose keystrokes are surreptitiously logged may be angered by the invasion of privacy.  But administrators in some organizations, and some parents, may see benefits.  Here are the benefits of keylogging as suggested by the documentation for the ProBot Activity Monitor:

 

*   You suspect that someone is using your computer without your permission. Use ProBot to find out!

*   You are a parent and your children use the Internet. You could use ProBot to make sure they are using the Internet appropriately and safely.

*   You are a business with many computers and you want to ensure that your employees are not misusing company property. ProBot will let you know!

*   You are a system administrator and you would like to track down unauthorized PC usage by hostile individuals.

*   You wish to retrieve lost information (in case of power loss, etc.).

*   Gather statistical information, e.g. the time a person spends surfing the Internet or playing games.