Fighting Keyloggers

By Paladion

April 15, 2005

Internet usage is increasing by the day; so is the number of cyber crimes. Stealing sensitive information from naive users is a favourite with attackers. One method of stealing user passwords is with the help of keyloggers. Find out more about keyloggers and their prevention.

It is said that seventy percent of all attacks on the internet are application based. You fix all the vulnerabilities in the application. Are you still safe? The answer is no.

Attackers can still concentrate on client-side attacks. The simplest and most prevalent among them is stealing passwords, and the most common way of stealing passwords surreptitiously is with keyloggers. Keyloggers are applications that monitor a user's keystrokes. They exfiltrate what they record in several ways:

  • Send this information via email to the malicious user or
  • Upload it to some server on the internet controlled by the malicious user or
  • Store it as logs for future retrieval.

These logs can then be used to harvest email and online banking usernames and passwords from unsuspecting users, or to capture source code being developed in software firms. Keyloggers fall into three types: hardware keyloggers, hook-based keyloggers and kernel/driver keyloggers.

Keylogger Anatomy:

Keyloggers found on the internet can be bundled with any legitimate software and sent to any unsuspecting user. When the user installs that software, the keylogger is installed along with it. From then on it monitors all of the user's keystrokes and either stores the logs on the same system or sends them to the attacker via email or FTP. Here are some of the features we see in keyloggers today:

  1. Stealth Mode: In this mode no icon is present in the taskbar. Also there is no entry in the Task Manager and the keylogger is virtually hidden.
  2. Remote Installation: The keylogger can be bundled with other programs and sent by e-mail so that it installs on the remote PC in stealth mode. It then sends keystrokes, screenshots and the websites visited to the attacker by e-mail or via FTP.
  3. Smart Rename: This feature allows a user to rename all the keylogger’s executable files and registry entries.

Preventing Keystroke capture

Prevention from the application side: Keyloggers, both hardware and software, are designed to capture what a user types on the keyboard. On the web application side, one method of avoiding keystroke capture is to use a virtual keyboard for entering the username and password. A virtual keyboard is a graphical keypad on which the user clicks the characters instead of typing them. Even this feature is not fully secure, as some keyloggers are designed to capture a screenshot on every mouse click; the password can then be recovered by reading the screenshots and noting the character under each click. To counter this, virtual keyboards also offer a mode in which a character is entered by simply holding the mouse cursor over it for a few seconds (say 2 seconds), so the user can enter the password without clicking the mouse button at all.

Fig. 1. A virtual keyboard

Another method is to ask the user for only a randomly chosen subset of the password's characters. For example, an application can ask for the 1st, 3rd and 5th (odd-positioned) characters of the password at one login and the even-positioned characters at the next. This sequence has to change every time, or else anyone capturing the response can easily reconstruct the original password. The disadvantage of this method is that, over time, the keylogger still captures all the characters of the password, and the malicious person can easily crack it by trying different combinations.

The best solution, therefore, is to do away with traditional single-factor authentication and use two-factor authentication. One example of two-factor authentication is Entrust IdentityGuard: in addition to the usual username and password, users are issued a second, physical factor in the form of a card printed with an assortment of characters laid out in rows and columns. Whenever a user wants to log in, he first enters the username and password and then answers a random challenge based on the card in his possession, as shown:

Fig. 2. Two-factor authentication using Entrust IdentityGuard

Thus even if the keylogger captures the response to the random challenge, it is of no use the next time, because the challenge for the next login will be different.
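To make the two schemes concrete, here is an added simulation (not code from the Paladion article) of the partial-password challenge and of the IdentityGuard-style grid card, both as a server would verify them and as a keylogger would observe them. The password, card contents and cell names are constructed for the demo.

```python
"""Added example, not code from the Paladion article: simulations of the two
challenge/response logins described above, seen from the defender's side.
The password, card contents and cell names are constructed for the demo."""
import secrets
import string

_RNG = secrets.SystemRandom()  # challenges must be unpredictable, so use a CSPRNG

# Scheme 1: the server asks for a random subset of the password's characters.
def make_position_challenge(pw_len, count):
    """Pick `count` distinct 0-based positions; a fresh set for every login."""
    return sorted(_RNG.sample(range(pw_len), count))

def verify_positions(password, positions, typed):
    """Server-side check: the typed characters must match those positions."""
    return typed == "".join(password[i] for i in positions)

def recover_from_logs(logs, pw_len):
    """Attacker's view of scheme 1: each login leaks (positions, typed chars),
    positions from a screenshot and chars from the keystroke log.  Over enough
    logins the whole password is rebuilt; '?' marks positions not yet seen."""
    known = ["?"] * pw_len
    for positions, typed in logs:
        for i, ch in zip(positions, typed):
            known[i] = ch
    return "".join(known)

# Scheme 2: a printed grid card (IdentityGuard-style).  The server names random
# cells and the user answers with the characters printed in them.
ROWS, COLS = "ABCDE", range(1, 11)

def make_card():
    """Constructed 5x10 card: one random letter or digit per cell such as ('B', 7)."""
    alphabet = string.ascii_lowercase + string.digits
    return {(r, c): _RNG.choice(alphabet) for r in ROWS for c in COLS}

def make_grid_challenge(count=3):
    """Server picks `count` distinct cells for this login only."""
    return _RNG.sample([(r, c) for r in ROWS for c in COLS], count)

def verify_grid(card, challenge, response):
    """Server-side check against its own copy of the user's card."""
    return response == "".join(card[cell] for cell in challenge)

if __name__ == "__main__":
    password, logs = "s3cr3t!pw", []
    for _ in range(8):  # eight logins watched by a keylogger that also screenshots
        chal = make_position_challenge(len(password), 3)
        logs.append((chal, "".join(password[i] for i in chal)))
    print("scheme 1, reconstructed:", recover_from_logs(logs, len(password)))
    card, chal = make_card(), make_grid_challenge()
    captured = "".join(card[cell] for cell in chal)  # what the keylogger records
    print("scheme 2, genuine:", verify_grid(card, chal, captured),
          "| replayed on next challenge:", verify_grid(card, make_grid_challenge(), captured))
```

Running it a few times shows scheme 1's reconstruction filling in after a handful of logins, while a captured grid response almost never satisfies the following login's challenge.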

Prevention on the client side: The essence of any keylogger prevention exercise on the client side lies in educating users to avoid using the keyboard for entering sensitive information and to install only what is needed. Untrusted freeware from the internet must be avoided entirely. Additionally, anti-keyloggers can be used. Two types of anti-keylogging software are available.

  1. Signature-based anti-keyloggers - These identify a keylogger by the files or DLLs it installs and the registry entries it makes. Although signature-based anti-keyloggers successfully identify known keyloggers, they fail to identify any keylogger whose signature is not stored in their database.
  2. Hook-based anti-keyloggers - A hook process in Windows uses the function SetWindowsHookEx(), which is used to monitor the system for certain types of events, for instance a keypress or mouse click. Each hook procedure in the chain receives the event and passes it on to the next one, and this is how a hook keylogger gets to see every keypress or mouse click. Hook-based anti-keyloggers block this passing of control from one hook procedure to another, so the keylogging software generates no logs of the keystrokes. Although hook-based anti-keyloggers are better than signature-based ones, they are still incapable of stopping kernel-based keyloggers.

With the vast proliferation of the internet in recent years and its use in day-to-day life, there has been a growing list of malicious users trying to cash in by stealing information. The need of the hour, therefore, is to be aware of such practices and to exercise maximum caution while transacting on the internet.
