The Truth About Keystroke Loggers

Programs that record data about users' activity on the Internet and send it to their developers are called spyware. Their effects range from pop-up advertisements to serious compromise of the OS, including theft of personal data, recording of pressed keys, installation of a "back door", etc. Spyware applications use up-to-date intrusion methods, also known as 'drive-by downloads'. Many users do not know that most spyware applications get onto their computers when they visit web pages, open archived files, or click on pop-ups that contain active elements such as ActiveX controls or Java applets. Spyware modules can also be bundled with graphic files and sometimes with drivers for new hardware.

Spy Methods
Spyware applications function in different ways, depending on the data they collect. Some collect data about the user's habits on the Internet for marketing purposes; others are more dangerous. In either case, spyware tries to tie the data it sends over the network to a unique identifier stored on the user's PC (a cookie, for example) or to a Globally Unique Identifier (GUID). The spyware then sends its logs to a remote user or to a server that collects the data. Usually this data includes the host name, IP address and GUID, as well as logins, passwords, etc.

Types of Keystroke Loggers
A keystroke logger is an application that records the keys the user presses and sends this information to a malicious user, either by e-mail or by sending the data directly to a server somewhere on the Internet.

Keystroke loggers have been around for a long time. However, their growing number requires renewed attention, because infecting a PC is so easy: all a user needs to do to become infected is to visit a certain web page.

There are three types of Keystroke Loggers:

- Hardware Keystroke Loggers
These are miniature devices placed between the keyboard and the PC. Because of their tiny size they can remain unnoticed for a long time; however, installing them requires physical access to the equipment. These devices can record hundreds of characters typed on the keyboard, including e-mail and banking data.
- Applications with an Intercepting Mechanism
This type uses the Windows API function SetWindowsHookEx to monitor the messages generated by pressed keys. Usually such a spyware application consists of an exe file that installs the interception hook and a dll file that handles recording of the data.
- Kernel/Driver Keystroke Loggers
This type of keystroke logger sits at the kernel level and receives data directly from the input device (the keyboard), replacing the core software that handles all key presses. Because the program runs at the kernel level, it cannot intercept autofilled passwords, since that information is passed at the application level.

Detecting and Removing Keystroke Loggers
In the way it acts and operates, a spyware application differs fundamentally from a virus or a worm. That is why many anti-virus programs treat it as an ordinary program: virus signatures differ from spyware signatures.

Firewalls are also helpless against spyware applications, because spyware is usually bundled with other programs, hidden in a graphic file, or disguised as ordinary web traffic on port 80.

That is why it is very important for users to make sure their OS has all the necessary updates. The best protection against infection (besides switching to a more secure OS, such as Mac OS X) is teaching users not to click on everything they come across on the network and to install only the software they really need. Users should be taught to avoid 'free' software and pop-ups. It is also important to make sure that firewall settings are correct and secure, and to have at least one program for detecting and removing spyware. Some examples of such programs are Microsoft Antispyware, Arovax Antispyware (http://www.arovaxantispyware.com) and Ad-Aware.

It should be noted that the spyware problem is closely connected with the Microsoft Internet Explorer browser. Using a more modern and functional browser such as Mozilla Firefox can practically free users from this problem. However, some web sites were developed to be used with Internet Explorer, so changing browsers may not satisfy all users' needs.

How to Prevent Recording of Pressed Keys
Keystroke loggers, both hardware and software, are designed to intercept the characters typed on a keyboard. Using a virtual keyboard to type the user name and password is a good way to prevent interception at the level of web applications. A virtual keyboard is a graphical representation of an ordinary keyboard; the user enters data by clicking with the mouse on the required characters. This solution will not suit all users, of course, but it can be used when working with important information or certain applications. It should also be noted that a virtual keyboard does not guarantee full security, because some keystroke loggers take a picture of the screen every time a mouse button is pressed. To avoid this, some virtual keyboards enter a character when the mouse cursor is pointed at it and held there for some time, so the user can enter information without pressing the mouse button.

Another way to avoid interception is for the program to ask for password characters in random positions. For example, the program can ask the user to enter the 1st, 3rd and 5th characters, and then the even-numbered ones. However, the order of entry must be different every time; otherwise the original password can be restored by somebody who constantly watches the entered information. The disadvantage of this method is that keystroke loggers record all characters, and a malicious user can obtain the password by "playing with" combinations of characters.

How to Counteract Keystroke Loggers
There are two types of applications that counteract keystroke loggers:

- Signature-based counteraction
These applications detect a keystroke logger by the files it installs and by the entries it adds to the registry. They fight known keystroke loggers well, but are helpless against programs that are not in their database.
- Interception-based counteraction
The interception (filtering) of Windows messages uses the same function, SetWindowsHookEx, that keystroke loggers use. It is normally used to observe certain events, but anti-interception applications prevent control from being handed over from one hook function to the next. As a result, nothing reaches the keystroke logger's logs. Although this method of counteraction is more effective than the first, it should be noted that it cannot fight kernel/driver keystroke loggers.
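As an added illustration (not code from the article or from Arovax), the following Python model of the Windows keyboard hook chain shows why interception-based counteraction works and why it depends on installation order: Windows runs hook procedures newest-first, and an event reaches the next hook only if the current one calls CallNextHookEx. The HookChain class, the logger and blocker procedures and the sample password "hunter2" are all constructed for the model; nothing here calls the real Windows API.

```python
# Constructed model of the Windows keyboard hook chain; not real Windows API code.
# Windows calls hook procedures newest-first, and a procedure that does not call
# CallNextHookEx stops the event from reaching the procedures installed before it.

class HookChain:
    """Stand-in for the chain that SetWindowsHookEx maintains for one hook type."""
    def __init__(self):
        self.procs = []
        self.application = []   # keys that finally reach the protected application

    def set_windows_hook_ex(self, proc):
        # The most recently installed hook goes to the front, as on Windows.
        self.procs.insert(0, proc)

    def dispatch(self, key):
        def call_hook(index):
            if index < len(self.procs):
                # The lambda plays the role of CallNextHookEx for this hook.
                self.procs[index](key, lambda: call_hook(index + 1))
            else:
                self.application.append(key)   # every hook passed the key on
        call_hook(0)

def make_logger():
    """Hook typical of a keystroke logger: record the key, then pass it on."""
    captured = []
    def logger_proc(key, call_next):
        captured.append(key)
        call_next()
    return logger_proc, captured

def make_blocker(chain):
    """Hook modelling an anti-keylogger: hand the key to the application itself
    (a simplification) and never call the next hook, so later hooks see nothing."""
    def blocker_proc(key, call_next):
        chain.application.append(key)
    return blocker_proc

def simulate(install_order, typed="hunter2"):
    """Install hooks in the given order ('logger' / 'blocker'), type a password and
    return (what the logger captured, what the application received)."""
    chain = HookChain()
    logger_proc, captured = make_logger()
    for name in install_order:
        chain.set_windows_hook_ex(logger_proc if name == "logger" else make_blocker(chain))
    for ch in typed:
        chain.dispatch(ch)
    return "".join(captured), "".join(chain.application)
```

When the blocker is installed after the logger, simulate(["logger", "blocker"]) returns ("", "hunter2"): the logger's log stays empty. When the logger is installed later it sits first in the chain and captures everything, which is why such protection is an ongoing arms race rather than a one-time fix.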

Conclusions
Because of the recent increase in the number of spyware applications, we can observe rapid growth in the number of web sites and malicious users that profit from installing keystroke loggers and stealing private data.

You have to be aware of the danger and be able to recognize it. The first step in the fight against spyware applications is using an alternative browser, for example Firefox or Opera. If for some reason this cannot be done, you should take the necessary measures to maintain preventive diagnostics and to detect and remove keystroke loggers from your PC using the latest anti-spyware software. It is also wise to use anti-spyware programs that detect and remove spyware applications in general.

Arovax Company (http://www.arovaxcompany.com), for example, offers a number of effective solutions to this problem. Its programs, Arovax Shield (http://www.arovaxshield.com) and Arovax Antispyware (http://www.arovaxantispyware.com), are developed to help users protect their computers.

Kira Foster is an expert on modern IT technologies and security software. She is also a Project Manager at Arovax Company (http://www.arovaxcompany.com), one of the leaders in the field of software development and PC protection. More articles by Kira Foster: http://www.arovax.blogspot.com, http://forum.arovaxcompany.com