Today’s advanced malware tools often comprise several different components, each with a different job description. These programs are more like Swiss army knives rather than individual tools, giving the attacker the ability to perform a number of different actions on a compromised system. One component that is often present in these attack toolkits is a keylogger, a highly specialized tool designed to record every keystroke made on the machine, giving the attacker the ability to steal huge amounts of sensitive information silently.
A keylogger is any piece of software or hardware that has the capability to intercept and record input from the keyboard of a compromised machine. The keylogger often has the ability to sit between the keyboard and the operating system and intercept all of the communications without the user’s knowledge. The keylogger can either store the recorded data locally on the compromised machine or, if it’s implemented as part of a larger attack toolkit with external communication capabilities, sent off to a remote PC controlled by the attacker. Although the term keylogger typically is used in relation to malicious tools, there are legitimate surveillance tools used by law enforcement agencies that have keylogging capabilities, as well.
Although there are a wide variety of keylogger variants, the two main categories are software-based and hardware-based keyloggers. The most commonly used kind of keylogger is a software-based tool, often installed as part of a larger piece of malware, such as a Trojan or rootkit. This is the easier of the two kinds of keyloggers to get onto a target machine, as it typically doesn’t require physical access to the machine. One common type of software keylogger has the ability to impersonate an API on the target machine’s operating system, which allows the keylogger to record each keystroke as it’s made. There also are kernel-level keyloggers, man-in-the-browser keyloggers and other more complex variants.
Hardware-based keyloggers are less common, as they are more difficult to implement on the target machine. Hardware keyloggers often require the attacker to have physical access to the target machine, either during the manufacturing process or after deployment. Some hardware variants can be installed during the manufacturing process, including BIOS-level keyloggers. A malicious insider could install such a keylogger at the factory level. Other hardware keyloggers can be implemented via USB flash drives or as a fake connector for the keyboard that sits between the keyboard cable and the PC. Hardware keyloggers, while more difficult to implement, can be more flexible for the attacker as they are OS-independent.
Method of Infection
Software keyloggers often are delivered along with larger pieces of malware. Target machines can be infected through a drive-by download attack from a malicious Web site that exploits an existing vulnerability on the PC and installs the malware. Keyloggers also are installed in some cases as part of a legitimate application download, either through the compromise of the download channel or through the insertion of the malware into the application itself. Hardware-based keyloggers typically are installed by an attacker who has physical access to the target machine.
Detection and Removal
Detection of malicious keyloggers can be difficult as the applications don’t typically behave like other malicious programs. They don’t look for valuable data on a target machine and send it to a command-and-control server, nor do they attempt to destroy data on the machine, as some malware does. Keyloggers are designed to remain quiet and undetected. Antimalware products can scan for, detect and remove known variants of keyloggers. However, custom keyloggers or keyloggers built for a specific attack can present a difficult challenge, as they won’t be recognized immediately as malicious software, depending upon their actions on the compromised machine. If a user suspects the presence of a keylogger on a machine, she can employ a number of techniques to circumvent the malware, specifically by booting the PC from a CD or USB drive, or by using a virtual, on-screen keyboard, which prevents the malware from receiving any input from the keyboard.