In-Depth
Keyloggers: The Most Dangerous Security Risk in Your Enterprise
How keyloggers work and spread, why anti-virus applications won't stop them, and how you can protect your enterprise.
By George Waller
Keyloggers are on the rise and they are no match for even the most security-conscious organizations. Just look at some of the names done in by a tiny chunk of code in the last 12 months: RSA, Lockheed Martin, Epsilon, Oakridge Nuclear Weapons Lab, Sony, Iranian Nuclear Program and Linked-In to name just a few. Keyloggers have been around for a long time, but today they may be the most dangerous threat an enterprise faces.
What is a Keylogger?
A keylogger is a piece of malicious software, usually called "spyware" or "malware," that records every keystroke you make on a keyboard. Keyloggers can be installed without your knowledge or consent when you visit a Web site or read an e-mail, install a program, or perform other activities. Once installed, the keylogger records all your keystrokes, and then e-mails the information and other data to the computer hacker.
How Keyloggers are Constructed
The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor. This can be achieved using video surveillance: a hardware bug in the keyboard, wiring or the computer itself; intercepting input/output; substituting the keyboard driver; using a filter driver in the keyboard stack; intercepting kernel functions by any means possible (substituting addresses in system tables, splicing function code, etc.); intercepting DLL functions in user mode, and requesting information from the keyboard using standard documented methods.
Keyloggers can be divided into two categories: keylogging devices and keylogging software. Keyloggers that fall into the first category are usually small devices that can be fixed to the keyboard or placed within a cable or the computer itself. The keylogging software category is made up of dedicated programs designed to track and log keystrokes.
The most common methods used to construct keylogging software are:
- A system hook that intercepts notification that a key has been pressed (installed using WinAPI SetWindowsHook for messages sent by the window procedure). This hook is most often written in C.
- A cyclical information keyboard request from the keyboard (using WinAPI Get(Async)KeyState or GetKeyboardState. This software is most often written in Visual Basic, sometimes in Borland Delphi.
- Using a filter driver. This requires specialized knowledge and is typically written in C.
Recently, keyloggers that disguise their files to keep them from being found manually or by an antivirus program have become more numerous. These stealth techniques are called rootkit technologies. There are two main rootkit technologies used by keyloggers: masking in user mode and masking in kernel mode.
How Keyloggers Spread
Keyloggers spread in much the same way that other malicious programs do. Keyloggers are often hidden inside what appears to be legitimate applications, graphics, music files, or downloaded pictures. Identity thieves and hackers get you to unwittingly download their malicious software through an e-mail or instant message that "makes sense." The world–renowned Australian Computer Emergency Response Team (ausCert), has published a report showing that 80 percent of all keyloggers are not detectable by anti-virus software, anti-spyware software, or firewalls.
Identity thieves have also been known to portray themselves as kids on popular teen sites and share infected files. Listed below are just some of the creative ways in which Identity thieves have been known to distribute their keyloggers:
- MP3 music files
- E-mail attachments
- Clicking on deceptive pop–ups
- P2P networks
- AVI files (i.e., "YouTube" or other videos)
- A legitimate Web site link, picture, or story that was malfaced
- Downloaded games or any other PC tools or programs
- Faked malicious Web sites that impersonate popular sites (sites such as Google, eBay, Amazon, Yahoo, banks) or anti-virus programs
Why Your Anti-Virus Program Doesn't Stop Keyloggers
Anti-virus programs are reactive programs. They can only stop and detect against "known" and already "catalogued" viruses; they cannot protect you against a brand new virus that has just been written. Most anti-virus software requires a frequently updated database of threats. As new virus programs are released, anti-virus developers discover and evaluate them, making "signatures" or "definitions" that allow their software to detect and remove the virus.
This update process can take anywhere from several months up to a full year for your anti-virus manufacturer to build a "fix" for a single virus. It is estimated that there are currently millions of new viruses introduced on the Internet every month. It is an impossible task to immediately identify a new virus and protect against it. Many recent lab tests have shown that anti-virus is only about 25 percent effective in stopping keyloggers.
How to Keep Confidential Information Safe from Keyloggers
There are few ways that enterprises can protect themselves. One way is to prevent employees from installing downloaded software. Obviously, this isn't always practical. Regardless, some level of employee training is always helpful. Teaching employees about malware and keyloggers may prevent some level of identity theft, espionage, or data breach, but it's hardly foolproof. There's a clicker in every crowd.
Filtering and detection is pointless because hackers will always find ways to avoid detection, so the focus should be on how to keep your data from getting to the cybercriminals. You can set egress filters to prevent the data from being "sent back" to hackers, but these techniques have also been easily avoided by the bad guys.
Encryption has always been considered as the most secure way to protect data, which is true here. The most successful way to protect your keystrokes is by installing "anti-keylogging keystroke encryption software" in addition to your existing anti-virus software. Keystroke encryption secures everything you type, in real time, at the point of origin (when you type on the keyboard), making your keystrokes invisible to any undetected keyloggers that are hiding on your computer.
George Waller is the EVP and co-founder of StrikeForce Technologies, Inc., the creator and key patent holder for two-factor, out-of-band authentication as well as an anti-keylogging keystroke encryption technology (patent pending). Their software protects over four million individuals and businesses in over 100 countries from identity theft and data breaches. You can contact the author at gwaller@strikeforcetech.com.