Keyloggers: what do we know about them?

A keylogger is a hardware device or a specialized piece of software (a driver, service, «daemon» or application) that tracks user actions at a workstation or server console. Depending on its settings and functionality, it records keystrokes on a physical or virtual (on-screen) keyboard, mouse button clicks, mouse pointer movements and so on. This describes a «classic» keylogger; many keyloggers, both hardware and especially software, have additional functions such as taking screenshots of the user's monitor, saving the contents of the clipboard and even recording video of the user's screen.

All keyloggers can be divided into three groups, two of which can be used legally: hardware keyloggers (separate physical devices) and software keyloggers (part of a software suite or a standalone application). The third group is purely spy equipment designed to covertly obtain information from highly secure systems and sites: acoustic keyloggers.

Let’s start with acoustic keyloggers.

An acoustic keylogger is usually part of a covert listening system. It is a miniature device containing a powerful microphone, a large-capacity storage system (or equipment that transmits the captured data over a cable or wireless link: radio channel, Wi-Fi or Bluetooth), and software that classifies the captured sound as speech, music or keystrokes. Acoustic keyloggers are narrowly specialized: they distinguish the DTMF tones produced by pressing phone buttons or the on-screen keys of a smartphone and restore the sequence in which they were pressed. In this way an acoustic keylogger can reconstruct the text typed on a phone or smartphone and pass it outside the protected perimeter. An example of a spy device containing an acoustic keylogger is shown in Fig. 1.

Fig. 1: Spy device containing an acoustic keylogger

Hardware keyloggers (the first group) are usually connected between the PC and the monitored device. They are small devices with their own memory or a removable memory card (usually microSD). More advanced models are equipped with wireless communication modules (Bluetooth or Wi-Fi) and can not only store the intercepted keystrokes but also transfer them over the network to a file storage or to the workstations of security administrators. Fig. 2.1 shows examples of such devices; Fig. 2.2 shows one connected to a USB keyboard.

Fig. 2.1: Hardware keyloggers for PS/2 and USB keyboards. Fig. 2.2: USB keyboard connected via a hardware keylogger

A security administrator or system administrator with access to such a keylogger can always swap the microSD card to retrieve the information the keylogger has collected and examine it promptly. If the hardware keylogger has a wireless module, the information can be received from it online.

The advantages of this type of keylogger are the following:
— installing and connecting a hardware keylogger is easy; even an ordinary user can do it;
— although it is a hardware device, it needs no additional power supply (it is powered by the PS/2 or USB port);
— if the keylogger writes to a memory card, even a very small card (for example, 2 GB) can store more than 2 billion bytes of keystrokes, which, even with Unicode encoding, is more than enough to record a user's work for a lifetime;
— checking that the keylogger is present and working is also easy;
— low price.

Along with these advantages, keyloggers of this type have significant disadvantages:
— the keylogger is installed openly, i.e. the user knows it is attached to his workstation or server, so he will be more guarded in electronic communication than he would be without it;
— the user can unplug the keylogger or remove its memory card, after which keyboard input is no longer recorded. This can be countered by sealing the connectors and periodically checking that data keeps arriving through the wireless module;
— the range of capabilities is very narrow: intercepting mouse clicks and cursor movements, and especially taking screenshots, is practically impossible.

Thus, such keyloggers can be recommended only for short-term monitoring in small organizations: centralized management of them is clearly impossible, even when they have wireless modules.

A very special case is the use of hardware keyloggers in highly secure devices (laptops and keyboards). Here the keylogger module is an integral part of the device, located inside it, and can be removed only by destroying the device (which, incidentally, is not always possible given the strength of the materials it is made from). Reading information from such a keylogger is permitted only under special conditions and usually only with the device itself; remote reading is impossible. Such devices are widely used by governmental and private law enforcement agencies (mainly for field work) and in industry as part of technological complexes. Examples are shown in Fig. 3-1 (a specially protected notebook in a metal case) and Fig. 3-2 (a specially protected keyboard whose keys and case are also metal).

Fig. 3-1: Specially protected laptop in a metal case with a built-in hardware keylogger. Fig. 3-2: Specially protected keyboard in a metal case with a trackball (a mouse-type pointing device) and a built-in hardware keylogger

Given how rarely such devices are encountered by ordinary users, system administrators and information security specialists, and how narrow their scope of use is, the use of hardware keyloggers in everyday conditions is quite limited.

When people say «keyloggers» they usually mean the second group, software keyloggers. This is not surprising: software keyloggers are by far the most widespread.

Since specialists have not yet developed a unified classification scheme for keyloggers, we classify all software keyloggers by the following criteria:
— identification by threat detection systems (antiviruses, vulnerability detectors): identifiable or unidentifiable, i.e. whether the keylogger's signature is in the database of the anti-spyware vendor;
— additional functionality: is the keylogger «classic», i.e. does it intercept only keyboard and mouse input, or does it have additional functions such as taking screenshots;
— keyboard capture level: high-level (intercepting only the text entered into the application) or low-level (intercepting key presses including control keys, for example the modifier keys Ctrl, Alt and Shift);
— program type: application module (library), driver, service, daemon (on *NIX type operating systems), part of the operating system, or an independent standalone application;
— permanent storage of the intercepted information: local or remote (a server etc.).

Since a software keylogger is essentially a «spy» module, many users and system administrators believe that every vulnerability detector and anti-virus program is simply obliged to at least detect the presence of any such module in the operating system and applications, and ideally to remove it.

However, this is hardly true. Most likely, keyloggers secretly present in a system will never be detected in the following cases:
— keyloggers developed for special purposes in the departments of governmental special services;
— keyloggers that are part of specialized operating systems used in specially protected IT infrastructures of companies, governmental organizations and technological industries, as well as in defense systems. Here everything should be clear: in such systems the keylogger is part of the site's comprehensive information security system, not spyware. Moreover, as a rule, such keyloggers are part of the operating system kernel and CAN NOT BE REMOVED from it without destroying the structure of the operating system and, accordingly, disrupting its operation;
— keyloggers designed for a single task: stealing confidential information from one particular computer. Such a keylogger simply never gets into the antivirus or spyware detector's database, because it quickly and covertly performs its task and then self-destructs. This is perhaps the most dangerous kind of keylogger use, given that one can be created very easily by modifying source code that is readily found on the Internet, sometimes even as a training example;
— keyloggers built into corporate information security products. Unfortunately, there are unpleasant exceptions to this rule: for example, the keylogger that is part of the StaffCop Enterprise user monitoring software is flagged as a spyware threat by most available anti-viruses. Fortunately, there is a way around this limitation: you can add an exclusion for StaffCop by its threat name or by the name of the StaffCop process/program file.

In all other cases, an antivirus or spyware detector should be able to detect the presence of a keylogger, either through heuristic analysis algorithms or through analysis of application behavior (for example, an increased interval between a key press and the application's response to it).
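The timing heuristic mentioned above, as an added detection example (not code from the original article or from StaffCop): the latency samples are constructed, and the baseline window and thresholds are assumptions chosen for the demo.

```python
# Added example (not from the original article): the timing heuristic the
# text mentions, as a detector run over constructed keystroke-latency
# samples. Each sample is the delay in ms between a key press and the
# application's response. A baseline is learned from a clean window with
# robust statistics (median and MAD) so that one slow outlier does not
# skew it; an alert is raised only when latency stays elevated for
# several consecutive samples, which is what an extra stage in the input
# path produces, unlike a single slow frame.
from statistics import median


def robust_baseline(samples):
    """Return (median, scaled MAD) of the clean samples."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples) * 1.4826  # ~sigma for normal data
    return med, max(mad, 0.5)  # floor so constant data does not give a zero spread


def detect_elevated_latency(samples, baseline, k=4.0, min_run=5):
    """Index where a run of min_run samples above median + k*MAD starts,
    or None if the stream looks normal."""
    med, mad = baseline
    threshold = med + k * mad
    run_start, run = None, 0
    for i, x in enumerate(samples):
        if x > threshold:
            if run == 0:
                run_start = i
            run += 1
            if run >= min_run:
                return run_start
        else:
            run = 0
    return None


# Constructed samples (ms). Clean window: ~8-12 ms with one harmless 40 ms spike.
CLEAN = [9, 10, 8, 11, 9, 40, 10, 9, 11, 10, 8, 9, 10, 11, 9]
# Live stream: normal, one isolated spike, then sustained 36-44 ms from index 8.
LIVE = [10, 9, 11, 8, 10, 38, 9, 10, 36, 41, 39, 44, 37, 40, 42]

if __name__ == "__main__":
    base = robust_baseline(CLEAN)
    print("baseline median / MAD:", base)
    print("clean stream alert:", detect_elevated_latency(CLEAN, base))  # None
    print("live stream alert at index:", detect_elevated_latency(LIVE, base))  # 8
```

The persistence requirement (min_run) is what separates a hooked input path from an ordinary stall; tune k and min_run against real measurements before relying on it.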

Classification of keyloggers by function is quite simple. In terms of functionality, a «classic» keylogger works much like a hardware keylogger installed between the USB port of the system unit and the external keyboard: its task is to collect the user's keystrokes and save them. Keyloggers with advanced functionality have additional features: for example, they can save a log of the user's work as screenshots, from which the security administrator or system administrator can determine what the user was doing in a given period of time and in which applications text was entered. However, we should not forget that if an attacker uses the advanced functionality of a keylogger, the damage increases significantly.

Classification of keyboard keyloggers by level (high-level or low-level) is also quite simple and obvious. A high-level keylogger records only the text the user enters into the application, i.e. only the result of the user's work is saved. A low-level keylogger saves more: the sequence of actions that produced that result, i.e. the presses of function, control and modifier keys such as Ctrl, Alt and Shift.
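To make the difference between the two levels concrete, here is an added example (not code from the original article) that replays one constructed typing session twice: once as the text a high-level keylogger would record, once as the key sequence a low-level keylogger would record. The key names and the partial Shift map are assumptions for the demo.

```python
# Added example (not from the original article): what a high-level and a
# low-level keylogger each record for the same constructed typing session,
# given as (key, pressed) pairs in the order a low-level hook would see them.
# High-level keeps only the final text; low-level also keeps edits and Ctrl+A.
MODIFIERS = {"LShift", "RShift", "LCtrl", "RCtrl"}
SHIFTED = {"1": "!", "-": "_"}  # partial Shift map, enough for the demo

def replay_high_level(events):
    """Text delivered to the application: what a high-level keylogger records."""
    buf, held = [], set()
    for key, pressed in events:
        if key in MODIFIERS:
            (held.add if pressed else held.discard)(key)
            continue
        if not pressed or held & {"LCtrl", "RCtrl"}:
            continue  # releases and Ctrl shortcuts produce no text
        if key == "Backspace":
            del buf[-1:]  # safe on an empty buffer
        elif key == "Enter":
            buf.append("\n")
        elif len(key) == 1:
            shifted = bool(held & {"LShift", "RShift"})
            buf.append(SHIFTED.get(key, key.upper()) if shifted else key)
    return "".join(buf)

def replay_low_level(events):
    """Every press with its active modifiers: what a low-level keylogger records."""
    out, held = [], set()
    for key, pressed in events:
        if key in MODIFIERS:
            (held.add if pressed else held.discard)(key)
        elif pressed:
            mods = "+".join(sorted(m[1:] for m in held))  # "Ctrl", "Shift"
            out.append(f"{mods}+{key}" if mods else key)
    return out

def tap(key):
    return [(key, True), (key, False)]

# Constructed session: "Password!" typed with a corrected typo, Enter, then Ctrl+A.
SESSION = (
    [("LShift", True)] + tap("p") + [("LShift", False)]
    + tap("a") + tap("s") + tap("s") + tap("x") + tap("Backspace")
    + tap("w") + tap("o") + tap("r") + tap("d")
    + [("LShift", True)] + tap("1") + [("LShift", False)] + tap("Enter")
    + [("LCtrl", True)] + tap("a") + [("LCtrl", False)]
)

if __name__ == "__main__":
    print(repr(replay_high_level(SESSION)), replay_low_level(SESSION))
```

The low-level record exposes the typo, the Backspace and the Ctrl+A shortcut, none of which survive in the high-level text; that is why a low-level log is both more informative for an administrator and more damaging in an attacker's hands.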

The classification of keyloggers by where the intercepted information is stored is also obvious. The keylogger can store the intercepted information locally (on the same computer, usually in a file on disk) or transfer it to a server. It should be noted that the most reasonable approach is to combine both methods: if the server to which the keylogger sends information is reachable, the intercepted information is sent periodically, after a certain interval; if not, it is stored locally.

In order to understand the classification of keyloggers by program type, you first need a short guide to the structure of the operating system. We will base it on the architecture of 32-bit Microsoft Windows, as this architecture has become the foundation of modern operating systems, both 64-bit and 32-bit. Unfortunately, it is a very common misconception that 32-bit systems are a thing of the past: in fact, 32-bit systems are widely used as control systems for technological objects (machines, alarm control systems etc.), because under limited resources 32-bit systems work much faster than 64-bit ones. Microsoft understands this well: even the latest Windows for end users, Windows 10, keeps a 32-bit version, and the version of Windows 10 for the «Internet of things», Windows 10 IoT, was originally developed as 32-bit; only «by numerous user demands» was a 64-bit version released, and the 32-bit version of Windows 10 IoT was not withdrawn from delivery.