About Keyloggers

SANS: What are keyloggers, and what exactly is keystroke monitoring? According to the "NSA Glossary of Terms Used in Security and Intrusion Detection", keystroke monitoring is "a specialized form of audit trail software, or a specially designed device, that records every keystroke by a user and every character of the response that the computer returns to the user". A keylogger (also referred to as keystroke monitoring software, a keystroke-logging program, an activity monitoring program, a keystroke recorder, snoopware, or simply spyware) is a small hidden program that records data such as keystrokes to a local or remote file (the log file).

Hacker: Keyloggers may be distributed and installed locally (e.g. from a floppy or CD, or over a local network), or they may be delivered remotely (e.g. via the Internet). A keylogger can be wrapped in a Trojan or virus and transmitted by email. More advanced keyloggers then email the recorded logs to the attacker silently, so the user never sees it happen. Recent viruses, for example, send email messages with infected attachments and also install a Trojan component containing spyware to steal information from the infected system.

Keylogging applications fall into two classes: commercial keyloggers that are freely downloadable on the Internet, and custom-built keyloggers that install themselves on a PC as part of a blended attack delivered through malicious code. Commercial keylogging applications often market themselves as a consumer solution for monitoring what a spouse or child is doing on the computer, online or offline. Although these applications are marketed for deliberate monitoring of commercial or home PC use, they can just as easily be used for malicious purposes inside an enterprise.

More recently, attackers have advanced the delivery of non-commercial, custom-built malicious keyloggers. In the JS.Scob outbreak, users infected their PCs simply by visiting compromised web sites, where malicious code was deposited onto their systems without their knowledge or consent. For example, when users visited the infected website of a banking institution, their user names, passwords and account numbers could be captured and transferred to the keylogger's host server.