This content is retired.
While this research note is still accessible, its content and links are not currently being maintained by our research team. The information contained in this article is not guaranteed to be either current or free of dead links.
Keylogging Threats Put Data at Risk
Publication Date: September 27, 2005
Of all the types of malware permeating the Internet, none is more damaging than the keylogger, which steals data as it’s being typed on a user’s keyboard. New keylogger variants are emerging that are more dangerous than previous iterations. In fact, one in three PCs carry keyloggers and/or Trojans. Protect the enterprise by implementing quick and effective anti-keylogging countermeasures.
What Is Keylogging?
A keylogger is a small program unwittingly downloaded as spyware to a user’s PC or deliberately installed by a hacker on unsecured corporate networks. Typically classified as a Trojan horse, keyloggers consist of .dll and .exe files that record every keystroke made on the infected machine’s keyboard. This action allows hackers to steal usernames and passwords as they’re being typed.
Keylogging on the Rise
Although the keylogger has been around for a few years now, identity theft rings are adopting it in increasing numbers as a valuable tool for committing financial fraud. For instance, security company Sunbelt Software recently discovered a server that contained large numbers of logins, passwords, credit card numbers, bank account numbers, and other information, all of which were confirmed as being stolen by a new variant of keylogger.
Named Srv.SSA-KeyLogger, the new keylogger specifically targets data from users’ Internet sessions, including usernames and passwords from online banking sessions, eBay, PayPal, and other applications utilizing HTML-based forms to gather information. Other malicious keylogger characteristics include:
- Hijacking the Windows clipboard.
- Disabling the Windows firewall and some third-party firewalls.
- Evading detection by any firewall the keylogger doesn’t disable.
- Remaining hidden from the Task Manager.
Keyloggers are distributed through a wide variety of methods, including phishing, spam, "toxic" blogs, known Web browser vulnerability exploits, and other techniques. Even worse, instances of keylogger infection are rising dramatically. In February 2005, Webroot Software and ISP EarthLink announced that one in three PCs carry keyloggers and/or Trojans, a 230% increase over the previous quarter.
Action Plan
- Detect instances of keylogging. While Ad-Aware and Spybot are useful tools for detecting spyware in general, tests have shown they are not as effective at finding keyloggers. In addition to these two software programs, also deploy PestPatrol, Spy Sweeper, or SpyCop to corporate desktops, which perform more thorough scans for finding surveillance malware.
- Lock down Internet Explorer. The Srv.SSA-KeyLogger discovered by Sunbelt Software steals information from IE’s Protected Storage, which stores usernames and passwords for the enabled-by-default AutoComplete feature. Although the recorded information residing in AutoComplete is encrypted, the encryption is easily broken by freely available utilities.
  - To disable AutoComplete in IE, select Tools > Internet Options > Content > AutoComplete > uncheck "Usernames and passwords on forms."
  - Mozilla Firefox does not use Protected Storage, so it should be immune from this particular keylogger.
- Use two-factor authentication where applicable. Logins to mission-critical applications should use a second form of authentication in addition to username and password. While smart cards are effective, they may be cost-prohibitive to small- and mid-sized enterprises (SMEs). However, dual-factor authentication software such as Entrust IdentityGuard prompts users to also enter an assortment of characters in a row/column format printed on a card. The user must successfully complete a random challenge to demonstrate that they are in possession of the appropriate card. Even if the hacker captures the response to the challenge via keylogging, it will be useless in later attempts, as the challenge for the next login will change.
- Employ virtual keyboards on the server side. Virtual keyboards – the likes of which can be found in PrivacyKeyboard – should be used by IT administrators to log in to critical databases and other server-based applications. Virtual keyboards are a display on the computer screen whereby the administrator enters login information by using the mouse to click on the appropriate characters, thus bypassing the physical keyboard altogether. Since some keyloggers can also capture screenshots, use a virtual keyboard that allows users to enter a character by hovering the cursor over a letter or number for a few seconds.
- Block data from leaving the network. Enforce anti-keylogging rules, such as implicit ingress/egress router filters and implicit IP-MAC filtering. Egress filtering on firewall ports is also essential.
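The grid-card challenge described in the two-factor item above, as an added example that is not part of the original note and not Entrust IdentityGuard's code: a constructed server issues random cell coordinates, checks the typed digits against the user's card, and retires each challenge once answered, so a response captured by a keylogger does not work at the next login. The card layout (5x5 cells, one digit each) and the class and function names are assumptions for illustration.

```python
"""Constructed illustration of a grid-card second factor (not a vendor's code)."""
import hmac
import secrets

ROWS = "ABCDE"
COLS = "12345"
CELLS = [r + c for r in ROWS for c in COLS]   # "A1" .. "E5", 25 cells


def make_card():
    """Issue a card: one random digit per cell (assumed card format)."""
    return {cell: str(secrets.randbelow(10)) for cell in CELLS}


def answer(card, challenge):
    """What the card holder types for a challenge; also what a keylogger captures."""
    return "".join(card[cell] for cell in challenge)


class GridCardServer:
    """Holds each user's card and at most one outstanding challenge per user."""

    def __init__(self):
        self.cards = {}
        self.pending = {}

    def enroll(self, user, card):
        self.cards[user] = card

    def issue_challenge(self, user, cells=3):
        """Pick distinct random cells; any earlier unanswered challenge is dropped."""
        challenge = tuple(secrets.SystemRandom().sample(CELLS, cells))
        self.pending[user] = challenge
        return challenge

    def verify(self, user, response):
        """Accept only the answer to the outstanding challenge, then retire it."""
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False   # nothing outstanding: a replay or an out-of-order attempt
        expected = answer(self.cards[user], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    server = GridCardServer()
    card = make_card()
    server.enroll("alice", card)
    first = server.issue_challenge("alice")
    typed = answer(card, first)                  # keylogger records this string
    print("first login:", server.verify("alice", typed))
    server.issue_challenge("alice")              # new login, new cells
    # The captured string is rejected unless the new cells happen to hold the same digits.
    print("replayed keystrokes:", server.verify("alice", typed))
```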
Bottom Line
Keylogging is a stealthy and effective weapon in the hacker’s arsenal, but it can be mitigated with the right security tools and procedures.