Keyloggers are real, effective, and invisible, so anti-keylogger software needs to be in every security toolkit.
By James E. Gaskin
August 02, 2013
Often it seems we swim in a sea of malware every second we’re on a computer. Viruses, Trojans, and what may be the most insidious, keyloggers.
Surreptitious software that captures every keystroke at the keyboard level, keyloggers started out as hardware. Yes, an actual device that could be inserted between the plug on the keyboard and the matching plug on the computer. Back in the pre-Internet days, the hacker would have to gain physical access to the monitored system to install the keylogger device, then again on a regular basis to download the recorded keystrokes for interpretation.
Today, keylogging software is sold openly for purposes of monitoring children or employees, but the names give away their sneaky intent: SpyAgent, WebWatcher, Spector Pro, and eBlaster. Our favorite keylogger name? IamBigBrother. Interestingly, purchased keyloggers cost about double their anti-keylogging software opposites (around $60-$70 versus around $30-$40).
Most keyloggers invade systems through the typical malware infection vector like email attachments, tricky subject lines to get you to open media files (Your Favorite Hollywood Celebrity Naked!!!), hacked websites, and drive-by attacks. They usually hide as a rootkit, either masking in user mode or masking in kernel mode.
Internally, they trap keyboard presses by leveraging one of the following software hooks:
- WinAPI SetWindowsHook(Ex)
- WinAPI Get(Async)KeyState
These tools are generally written in C, although Visual Basic is sometimes used. Small and light on resource usage, the delay they add between keystroke and character appearance on the screen is but a tiny fraction of a second and therefore goes unnoticed.
When in place, a keylogger captures every username and password, every credit card and Social Security number, and every word typed into emails and documents. Imagine the hacker looking over your shoulder and copying down everything you do on your computer, and you understand why a keylogger may be the ultimate hacking tool. Anyone remember how a hacker put keylogger software in more than 14 Kinko’s locations in New York, and opened bank accounts with the stolen identities of more than 450 users?
The first line of defense is the same as against all malware: user training and protections against malicious downloaded files, program execution blocks at a system level, and regular sweeps that include rootkit cleaning. If these precautions are being skipped by clients, keylogging education may be the straw that breaks the back of malware denial. Probably not, but worth a shot.
Second, avoid using the physical keyboard for logging in to all online systems. Seriously, this is the best advice from multiple security experts. Hit Windows Key-U to open the Ease of Access Center (within Control Panel / Ease of Access) and choose “Start On-Screen Keyboard.” Typing by clicking with the mouse pointer on the on-screen keyboard bypasses the APIs used by keyloggers and therefore bypasses keylogging software. Chances of getting users to follow this suggestion? Zero, except for the one paranoid power user who will then demand a better on-screen keyboard.
The only real protection against keylogger software is anti-keylogger software. Dozens of companies offer software ranging from free to $100 (see list of five good options at the end of this article). For our testing, we used GuardedID from StrikeForce Technologies, available through the channel.
Following a typical install (download, license key including user information screen, license agreement, file location, reboot), the GuardedID software starts automatically. It loads several processes that encrypt the information between the keyboard and Windows operating system, so the keylogger only sees numbers (1, 2, 3, etc.) in ascending order over and over. Totally useless to a hacker.
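The design described above, where the normal keyboard-to-Windows path carries only a running count while the real keystrokes travel encrypted to the protected application, can be modelled in a few dozen lines. The following is an added illustration, not GuardedID's or StrikeForce's code: it assumes a filter sitting at the keyboard layer (KeystrokeEncryptor), a receiver inside the protected application (ProtectedApp) sharing a session key with it, and a HookingObserver standing in for whatever is attached to the standard input path. All three classes and the keystream construction (HMAC-SHA256 over the counter) are assumptions of this model.

```python
"""Model of keystroke encryption between the keyboard and the OS input path.

Added illustration (not the vendor's code). Assumes a keyboard-layer filter that
replaces each real keystroke on the standard input path with a running counter
and hands the real character, encrypted, to the protected application.
"""
import hashlib
import hmac


def _keystream(key: bytes, counter: int) -> bytes:
    # One keystream block per keystroke, bound to the keystroke's counter value.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()


class KeystrokeEncryptor:
    """Stands where a keyboard filter driver would: it sees the real key first."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.counter = 0

    def press(self, ch: str):
        """Return (value visible on the standard path, ciphertext for the app)."""
        self.counter += 1
        ks = _keystream(self.key, self.counter)
        ciphertext = bytes(b ^ k for b, k in zip(ch.encode("utf-8"), ks))
        visible = self.counter  # the standard path carries only 1, 2, 3, ...
        return visible, ciphertext


class ProtectedApp:
    """Receiver inside the application; shares the session key with the filter."""

    def __init__(self, session_key: bytes):
        self.key = session_key

    def receive(self, counter: int, ciphertext: bytes) -> str:
        ks = _keystream(self.key, counter)
        return bytes(b ^ k for b, k in zip(ciphertext, ks)).decode("utf-8")


class HookingObserver:
    """Stand-in for a hook on the standard input path; records what it can see."""

    def __init__(self):
        self.log = []

    def observe(self, visible: int) -> None:
        self.log.append(visible)


def type_text(text: str, session_key: bytes):
    """Type `text` through the model; return (what the app got, what the hook got)."""
    encryptor = KeystrokeEncryptor(session_key)
    app = ProtectedApp(session_key)
    hook = HookingObserver()
    received = []
    for ch in text:
        visible, ciphertext = encryptor.press(ch)
        hook.observe(visible)            # the hook only ever sees the counter
        received.append(app.receive(visible, ciphertext))
    return "".join(received), hook.log


if __name__ == "__main__":
    # Constructed sample input; the key would come from a per-session exchange.
    got, seen_by_hook = type_text("hunter2", b"constructed-session-key")
    print("application received:", got)
    print("hook on the input path saw:", seen_by_hook)
```

The model makes one limit of the approach visible: the observer still learns how many keys were pressed, so keystroke count (for example, password length) is not hidden, only content. It also assumes the session key is never exposed on the same path the hook watches, which is exactly what the untrusted-driver warning in the next paragraph is about.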
Different vendors use different displays, but GuardedID adds a toolbar icon to Internet Explorer and Firefox. When active and encrypting, the indicator light is green. When off, red. A warning appears when an untrusted driver has been found in the keyboard device stack.
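The untrusted-driver warning corresponds to a check an administrator can also run independently: list the filter drivers attached to the keyboard device class and compare them with an allowlist. The script below is an added example, not GuardedID's own check. It reads the UpperFilters and LowerFilters values under the keyboard class key (class GUID {4D36E96B-E325-11CE-BFC1-08002BE10318}) when run on Windows; elsewhere it falls back to a constructed sample list. The allowlist containing only kbdclass, the stock Windows keyboard class driver, is an assumed baseline and the placeholder name "kbdspy" in the sample is made up.

```python
"""List keyboard-class filter drivers and flag any not on an allowlist.

Added example (not the vendor's code). Registry path and class GUID are the
standard Windows keyboard device class; the allowlist is an assumed baseline.
"""
import sys

KEYBOARD_CLASS_KEY = (
    r"SYSTEM\CurrentControlSet\Control\Class"
    r"\{4D36E96B-E325-11CE-BFC1-08002BE10318}"
)
# Assumed baseline: kbdclass is the stock keyboard class driver. Fleets with
# legitimate vendor filters (touchpad, VM tools) must extend this set.
TRUSTED_FILTERS = frozenset({"kbdclass"})


def untrusted_filters(filters, trusted=TRUSTED_FILTERS):
    """Return the filter names that are not on the allowlist (case-insensitive)."""
    trusted_lower = {t.lower() for t in trusted}
    return [f.strip() for f in filters
            if f.strip() and f.strip().lower() not in trusted_lower]


def read_keyboard_filters():
    """Read the keyboard class filter stack from the registry; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEYBOARD_CLASS_KEY) as key:
        for value_name in ("UpperFilters", "LowerFilters"):
            try:
                data, _kind = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                continue  # value absent means no filters of that kind
            # REG_MULTI_SZ comes back as a list of strings; tolerate a plain string
            names.extend(data if isinstance(data, list) else [data])
    return names


def report(filters):
    """Build a short status line for the given filter stack."""
    bad = untrusted_filters(filters)
    if not bad:
        return "keyboard filter stack OK: " + ", ".join(filters)
    return "WARNING: untrusted keyboard filter driver(s): " + ", ".join(bad)


if __name__ == "__main__":
    stack = read_keyboard_filters()
    if stack is None:
        # Constructed sample for non-Windows hosts: stock driver plus a
        # made-up placeholder name standing in for an unexpected filter.
        stack = ["kbdclass", "kbdspy"]
    print(report(stack))
```

Run it from an elevated prompt on the endpoint being checked. An unexpected entry is a lead, not a verdict: look the driver file up, check its signature, and compare against what the same image shows on a known-clean build before treating it as a keylogger.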
In addition, the active text entry field background turns green (the color is configurable) to tell the user it’s safe to type. To stop clickjacking, the method of hiding a frame inside a legitimate site to gather keystrokes, GuardedID makes invisible frames and buttons visible and draws a red border around frames that come from a different website than the main page.
The admin screen shows far more information about Windows internals than a user will ever need. For resellers, status reports and log downloads will prove to clients that the anti-keylogger software is active and their keystrokes are protected.
Leading Anti-Keylogger Software Products
GuardedID from StrikeForce Technologies
DataGuard AntiKeylogger from MaxSecurity Lab
CoDefender from Encassa