Saturday, 6 January 2018

Keyloggers, explanations and countermeasures

You probably already know what a keylogger is, and there is no shortage of definitions. That said, this article tries to give further, up-to-date explanations about keyloggers.

What is a keylogger?

It can be called "keylogger" in French and, as its name suggests, it is a program that accurately records the key sequences typed on the keyboard.
A keylogger counts as spyware because it usually runs in the background as an invisible, silent process while gathering very sensitive data. It can save the keystrokes to a "log" file, or send them to an e-mail address or to a remote server, via FTP for example.
90% of keyloggers or more target Windows systems, even though keyloggers exist for other operating systems such as Linux. A note to Mac and Linux users: yes, you are right on this point, you are less likely to catch one!
This is one of the best-known ways to hack an account, hence their high popularity. Languages using the Rapid Application Development (RAD) method have made such malicious programs easy to put together.
A keylogger can generally stay on a computer for a long time because the user cannot detect it (it is invisible). But even if the antivirus does not detect the malicious program, we will detect it with the help of this article!

Types of keyloggers

There are two types of keyloggers:
  • The software keylogger: the one we usually know, the spy program discussed in this article.
  • The hardware keylogger: a small physical device that can be bought for thirty euros online, but which is not easy to use because it must be physically installed on the target computer (usually connected between the keyboard and the PC, or built directly into the keyboard).
Note that keyloggers for smartphones also exist; they are software keyloggers.

How exactly do they work?

We will focus on the details of keyloggers running on Windows, although the principle remains the same for all.
Once executed, the keylogger generally begins by making sure that it is restarted automatically each time the system boots. This is a first indication of its presence.
Then, at each launch, it performs its functions. It uses Windows APIs to retrieve keyboard events.
It inserts a capture function into the Windows keyboard event chain. As a result, when a key is typed, Windows retrieves the message, initializes a structure containing the code of the key pressed and sends it to all the functions that "listen" for keyboard events.
This is not a threat in itself, because many applications need to receive keyboard events for entirely legitimate reasons, such as setting up keyboard shortcuts. This makes detection a problem for antivirus software.
Then a timer (counter) fires at regular intervals, for example to send an e-mail containing the recorded data. This gives us a second detection lead: it uses the network.
The message is passed on to the other functions that listen for keyboard events so as not to block the chain.
It continually repeats these steps until the system is shut down, and starts again seamlessly the next day.

What exactly do they recover?

The keylogger in the strict sense only retrieves the keystrokes typed on the keyboard. But today's keyloggers have become much more formidable.
We even distinguish the keylogger from monitoring software, which can recover a lot of data, whether audio, textual or visual.
For example, monitoring software can take screenshots, retrieve the contents of the clipboard dynamically, retrieve Skype conversations (and MSN at the time), both received AND sent, retrieve or block websites regardless of the browser, execute or delete other programs, etc. It's scary, isn't it?

These "professional" programs are, however, often paid and relatively expensive; they are also a lot less silent than a classic keylogger. The fact that they are created by specialized companies fortunately keeps them out of the hands of the general public. In addition, these programs generally tell the user that he will be monitored. And it is a user who is aware of, and accepts, the use of a keylogger or monitoring software on his computer that makes the action legal, and only in this case.

Limitations and countermeasures

Keyloggers seem very formidable, but fortunately all is not rosy for them either.
There are many languages, hence many different characters, and some require key combinations such as AltGr + e for "€".
The Windows functions for handling these multiple combinations correctly are a little old and become really difficult to use for a programmer who wants to record everything perfectly.
From there we have two possibilities: either the keylogger only records the main keys of the keyboard (hence the good practices), or the characters are initialized in an array, with a bit of fiddling, to get something acceptable.
Thus, you can even crash a keylogger without realizing it, for example by typing a combination that it does not handle.

A very effective tip for typing your credit card number or password safely:

Keyloggers record keystrokes in the order they are typed. If your number is 1234 and you write 34, then click at the beginning and type 12, you will get 1234 but the keylogger will record 3412.
There are also anti-keyloggers that "encrypt" the keystrokes before the keylogger has access to them. These programs are unfortunately heavy and little used. Among them is the well-known KeyScrambler.
Finally, my usual recommendations also apply to keyloggers: be careful when you launch a suspicious program. Regularly check the programs started at system startup.
Regarding network activity, I recommend the excellent TcpView, which displays what is happening, so that you can spot a message sent every x minutes and deduce a potentially suspicious program.
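
The "message sent every x minutes" check (the timer described under "How exactly do they work?" and the TcpView advice above), as an added example that is not part of the original article: it groups connections by process and remote endpoint and flags the pairs whose gaps are nearly constant. The log format, process names, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, "date time process remote", as one might note down from
# a connection monitor. Process names and addresses are made up.
SAMPLE_LOG = """\
2018-01-06 10:00:02 svchelper.exe 203.0.113.25:25
2018-01-06 10:03:41 firefox.exe 198.51.100.7:443
2018-01-06 10:05:01 svchelper.exe 203.0.113.25:25
2018-01-06 10:05:10 firefox.exe 198.51.100.7:443
2018-01-06 10:10:03 svchelper.exe 203.0.113.25:25
2018-01-06 10:14:57 firefox.exe 198.51.100.7:443
2018-01-06 10:15:02 svchelper.exe 203.0.113.25:25
2018-01-06 10:20:01 svchelper.exe 203.0.113.25:25
2018-01-06 10:31:30 firefox.exe 198.51.100.7:443
2018-01-06 10:12:00 updater.exe 192.0.2.10:443
"""

def parse(log):
    """Group connection times by (process, remote endpoint)."""
    seen = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        seen[(parts[2], parts[3])].append(stamp)
    return seen

def find_periodic(log, min_events=4, max_jitter=0.1):
    """Return (process, remote, mean gap in s) for near-constant intervals,
    i.e. stdev/mean of the gaps <= max_jitter over >= min_events connections."""
    flagged = []
    for (process, remote), times in parse(log).items():
        if len(times) < min_events:
            continue  # too few samples to call anything regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((process, remote, round(avg)))
    return flagged

if __name__ == "__main__":
    for process, remote, period in find_periodic(SAMPLE_LOG):
        print(f"{process} -> {remote}: about every {period} s")
```

A flagged pair is only a lead: legitimate updaters and mail clients also connect on a timer, so identify the process before drawing a conclusion.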
