How easily are keyloggers foiled?

Malicious software that only logs keyboard strokes rarely exists in the wild. Most key loggers for graphical interfaces (e.g. Windows) are more sophisticated and log all user interaction, including mouse and copy-and-paste events, by hooking into the operating system.

Key loggers are normally a small subset of a rootkit that may also include the ability to act as a man-in-the-middle (MITM) and capture your credentials or session information without logging any key strokes.

The best way to foil key loggers is not to have them.

Ninefingers' answer on Methods of mitigating threats from keyloggers has good recommendations, e.g. monitor network traffic, use an intrusion prevention system (IPS) or intrusion detection system (IDS).

In addition, I would add:

  • Avoid logging into websites/accounts using computers that you don't have control over, e.g. at work, or at a friend's or parent's house.
  • Avoid installing software that is not from a reputable source. Use digital signatures and file hashes.
  • Be aware of what applications and services run on your computer. While rootkits do stealth themselves making them hard to detect, knowing what should be running is definitely an advantage.
  • Use two-factor authentication, specifically one-time-password (OTP) authentication, for websites where possible. In the specific scenario of Internet banking, financial institutions often offer a token- or SMS-based service that provides a password or number that can only be used once.
  • Use protected-mode browsing that disables browser plugins or scripts.
  • Use low security accounts for normal activities.
  • Apply security updates.
  • Change passwords regularly.

And while this does not prevent key loggers, back up your files regularly. I say this because if you suspect that you have a rootkit then you should wipe your installation and restore only the data you need.
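Two of the bullets in this answer lend themselves to a concrete illustration: checking a download against a published hash before installing it, and why a one-time password that a keylogger does capture is worthless to the attacker afterwards. The Python below is an added example, not code from the original answer or from any product it mentions. The OTP routine is the HMAC-based algorithm of RFC 4226 (the scheme hardware tokens typically implement; SMS codes work differently); the token secret is the RFC's published test secret, and the "installer" bytes and the "published" digest are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 64 * 1024) -> str:
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_published_hash(path: str, published_hex: str) -> bool:
    """Compare the file's digest with the digest the vendor published.

    hmac.compare_digest does not leak how many leading characters matched, and
    the published value is lower-cased because vendors print either case.
    """
    return hmac.compare_digest(sha256_file(path), published_hex.strip().lower())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then reduction to `digits` digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side check for a counter-based token.

    Once the code for counter c is accepted, every counter <= c is burnt, so a
    keylogger that recorded the code cannot replay it. `window` tolerates a
    token whose counter ran ahead because the button was pressed without a login.
    """

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # advance past the value just used
                return True
        return False


def demo_hash_check() -> bool:
    """Write a constructed 'installer' to a temp file and verify it against the
    digest we pretend the vendor published (computed here from the same bytes)."""
    payload = b"constructed installer contents, not a real binary\n"
    published = sha256_bytes(payload)
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        return matches_published_hash(path, published.upper())
    finally:
        os.remove(path)


def demo_replay() -> list:
    """Using the RFC 4226 test secret (constructed input): a captured OTP is
    accepted once, rejected when replayed, and the next code still works."""
    verifier = OtpVerifier(b"12345678901234567890")
    first = hotp(verifier.secret, 0)                    # what the user typed
    return [verifier.verify(first),                     # genuine login
            verifier.verify(first),                     # keylogger replay
            verifier.verify(hotp(verifier.secret, 1))]  # next token press


if __name__ == "__main__":
    print("hash check:", demo_hash_check())
    print("otp accept/replay/next:", demo_replay())
```

The hash check only helps if the published digest comes over a channel the attacker does not control (the vendor's signed release notes, not the same download mirror), which is why the answer pairs it with digital signatures. The replay demo is the point of the OTP bullet: the logged keystrokes are a real, valid code, yet the server refuses it the second time.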


I was wondering exactly how powerful can keyloggers be?

Extremely powerful. But the use of the term keylogger can be distracting, so let's explore what a keylogger is.

Back many decades ago computers had very small hard drives and little RAM, but lots of various cables and assorted adapters. The keyboard was connected to the computer tower with a 5-pin connector known as an AT/XT connector because they were designed for the IBM AT, IBM XT, and clones. An 11-bit message was sent from the keyboard to the computer. The Integrated Circuit (IC) used to read the keyboard codes was widely available. A hardware keyboard signal recorder was easily made. Graphics were poor, and a mouse would not become a standard input device until the IBM PS/2 four years later.

As computers evolved they became more powerful and had greater capacity for storage. What originally made hardware-based keyboard recorders attractive was that they provided an easy method for retrieval of the recorded information, as opposed to a floppy. When computers became networked machines (even if the network was made of analog phone modems) the network became a more attractive retrieval mechanism. Additionally, it was now possible to attack computers to which you had no physical access. This generation of keyloggers tended to be software trojans that looked specifically for passwords. They targeted AOL, Novell Netware, and other network access programs.

In the modern age, where computers are always on and always connected to a network, the keyloggers are more insidious. Now an attacker can simply watch what data you send on the network to look for unencrypted passwords. Keyloggers don't bother reading what the keyboard sends to the computer; instead they look for the final product sent from the machine. They are harder to find as they may hide among any of several running processes on your machine. Take a look at all the processes running on your machine (including the threads, if you know how). The software to identify a password and record it may be very small.

But modern keyloggers are not limited to a few hundred or few thousand bytes. They can send millions of bytes and record everything from account numbers to e-mail addresses to IP addresses and more. They can be adaptive and discover linked information, making the connection between a web address and a file used to store passwords. In fact most malware does not limit itself to searching and transmitting user input. Keyloggers are more typically part of a fuller malware suite that includes a wide range of nastiness.


Consider that the keylogger can simply wrap the UI component used by the browser to render the password input field. None of the tricks you have listed will prevent it from getting your password.
