A keylogger is a hardware device or specialized software (driver, service, «daemon» or application), which tracks different user actions at the workstation or the server console. It tracks (depending on the settings and functionality of the keylogger) keystrokes of physical or virtual (
All keyloggers can be divided into three groups: two of them can be used legally. These are hardware (representing additional physical devices) and software (part of software complexes or separate applications). The third group is a purely spy equipment designed to secretly obtain information from highly secure systems and objects: acoustic keyloggers.
Let’s start with acoustic keyloggers.
An acoustic keylogger is usually a part of a hidden listening system. In fact, it is a miniature device that contains a powerful microphone, a large capacity information storage system (or equipment that transmits information by cable or wireless connection — radio channel/
Hardware keyloggers (first group) are usually connected between the PC and monitored device and represent small devices with their own memory or with a removable memory card (usually microSD cards are used). More advanced devices are equipped with wireless communication modules (Bluetooth or
A security administrator or system administrator who has access to such a keylogger always has the ability to replace the microSD card to save the information that the keylogger has collected in order to quickly investigate it. If the hardware keylogger is equipped with a wireless communication module, the information from it can be received online.
The advantages of this type of keyloggers are the following:
— installation and connection of a hardware keylogger of this type is not difficult, it can be performed even by a usual user;
— keylogger, although it is a hardware device, does not require additional power (power is provided by the PS/2 port or USB);
— if the keylogger writes information to the memory card, even a very small memory card (for example, 2 GB) will be able to store information about more than 2 billion bytes of keystrokes, which even in the case of using Unicode encoding is more than enough to record the user’s work throughout his life;
— checking the availability and performance of the keylogger is also not difficult;
— low price.
But along with the advantages, keyloggers of this type have significant disadvantages:
— the keylogger is installed openly, i.e. the user knows that the keylogger is installed on his workstation or server so the user will be more secretive in electronic communication compared to working without the keylogger;
— the user can remove the keylogger or remove the memory card, which will make saving keyboard input impossible. This disadvantage can be avoided by sealing the connectors and periodically checking the flow of information through the wireless module;
— these keyloggers have a very small possibility range. So, interception of mouse’s keystrokes and its cursor movements, and especially taking screenshots is hardly possible.
Thus, the use of such keyloggers can be recommended only for a
A very special case of using hardware keyloggers is their use in highly secure devices (laptops and keyboards). In this case, the hardware keylogger module is an integral part of the device itself and is located inside, and such a keylogger can be removed only by destroying the device (which, by the way, is not always possible, given the strength of the materials from which the device is made). Reading of information from such keyloggers is allowed only in special conditions; and usually — only with the use of the device itself, remote reading of information is impossible. Such devices are widely used by various governmental and private law enforcement agencies (mainly for outdoor work), or in industries, as part of technological complexes. Examples of such devices are shown in Fig.3–1 (specially protected notebook in metal case) and Fig.3–2 (specially protected keyboard, material of keys and case is also metal).
Given the extremely low distribution of such devices among ordinary users, system administrators and information security specialists, as well as a very narrow scope of their usage it should be noted that the use of hardware keyloggers in usual conditions is quite limited and they have an extremely narrow area of usage.
When people say keyloggers they usually mean the second group of keyloggers — software ones. This is not surprising: software keyloggers are the most widely used in the information environment.
As a unified classification scheme of
— identification by threat detection systems (antiviruses, vulnerability detectors): identifiable or unidentifiable (i.e. the keylogger signature is included in the database of the manufacturer of
— additional functionality: is the keylogger «classic», i.e. intercepts only keystrokes of the keyboard and mouse, or has additional functions, such as taking screenshots;
— keyboard keylogger type:
— program type: application module (library), driver, service, daemon (for *NIX type operating systems), part of the operating system, independent standalone application;
— permanent storage of intercepted information: local or remote storage (server etc.).
Since the software Keylogger is essentially a «spy» module, many users and system administrators believe that all vulnerability detectors and
However, this is hardly true. Most likely, keyloggers that are secretly present in the systems will never be determined in the following cases:
— keyloggers developed in the departments of governmental special services for special purposes.
— keyloggers that are part of specialized operating systems used in specially protected IT infrastructures of companies, governmental organizations and technological industries, as well as in defense systems. Here everything should be clear — in such systems Keylogger is a part of a comprehensive system of information security of the object, and not spyware. Moreover, as a rule, such keyloggers are parts of the operating system kernel and CAN NOT BE REMOVED from it without destroying the structure of the operating system and, accordingly, disrupting its performance;
— keyloggers designed to solve one particular task of stealing confidential information from a particular computer. This keylogger simply does not have time to get into the database of antivirus or spyware detector, because it quickly and secretly performs the task, and after then
— keyloggers built into corporate software products in the field of information security. Unfortunately, there are unpleasant exceptions to this rule — for example, the Keylogger, which is a part of the StaffCop Enterprise user monitoring software, is defined as a spyware threat by most of the available
In all other cases, based on heuristic analysis algorithms or based on application behavior analysis (for example, increasing the time interval between a key press and the application response to this press), the presence of a keylogger should be determined by an antivirus or spyware detector.
Classification of keyloggers by functions is quite simple. «Classic» keyloggers in terms of functionality actually works similar to hardware keyloggers installed between the
Classification of keyboard keyloggers by level (
The classification of keyloggers according to the location of the intercepted information is also obvious. The keylogger can store the intercepted information either locally (on the same computer, usually the storage location is a file on disk) or transfer it to the server. It should be noted that the most reasonable would be to combine both methods: if the server to which the keylogger sends information is available, the intercepted information is sent periodically, after a certain interval of time, if not — is stored locally.
In order to understand the classification of keyloggers depending on the type of program, you first need a small guide through the structure of the operating system. We will do this on the basis of the architecture of the