Keylogger Defense and Removal

How Keyboards Work

To understand keyloggers, we need to understand how keyboards work. Briefly, a keyboard is a matrix of circuits which communicates character codes to a keyboard driver in your computer, as shown in Figure 1 (Olzak, 2008, p.2).

When you press a key, the circuit location in the matrix is translated to a code in the keyboard processor and placed into the keyboard buffer. From the buffer, the keyboard codes are sent to the keyboard controller. The keyboard controller, interfacing with the operating system, passes keyboard data to waiting applications. This is a very simple explanation, but it serves our purposes.

Types of Keyloggers

What is a keylogger? The most common type of keylogger consists of a piece of malware installed and managed by a rootkit. Please refer to Figure 2 (Olzak, 2008, p. 4).

Figure 2: Software Keylogger

A typical software keylogger replaces operating system kernel components. As keyboard codes move from the keyboard controller to the operating system, the keylogger captures all keyboard entry before passing it on to the target application.

Because criminals want keyloggers to remain undetected, even by anti-virus (AV) software, they bury this privacy-stripping software in a way that prevents user view or AV detection of anything out of the ordinary.

Another type of keylogger uses an actual piece of hardware. Depending on approach, a special circuit might be inserted into the keyboard (Figure 3 (BitForensics)) or a device placed between the keyboard and the computer keyboard interface (Figure 4 (Keelogger)).

Figure 3: Compromised Keyboard

Figure 4: Keystroke Logging

The success of hardware keyloggers depends on access. Software keyloggers are easily installed and collected data removed, even without physical access to the target computer. However, AV software is getting better all the time at detecting them. This is the main advantage of hardware keyloggers.

Hardware keyloggers are virtually undetectable with software, but an attacker must have physical access to the target computer for implementation and data collection. Yes, there are researchers who claim there are ways to detect hardware keystroke loggers. I don’t disagree. However, these methods are impractical and unavailable for general use.

Keylogger Defense

How do you get rid of a keylogger? Well, that depends.

Software Keyloggers

Anti-spyware software capable of detecting software keyloggers (usually as rootkits) is readily available. However, removing rootkits is never assured. Applications like keyloggers tend to have the ability to reinstall themselves. The only real way to clean a rootkit/keylogger infected computer is to wipe the hard drive and start over.

Free and fee-based keylogger detection applications include:

These applications can usually tell you if there is a keylogger or other rootkit implementation on your computer, but there is no perfect keylogger remover. The best way to kill keyloggers is to stop them before they get a chance to take up residence on your system. The recommendations in my recent article, Trojan Defense: Configuring Your SOHO or Personal Infrastructure, will serve to protect your computer from Trojans and other rootkit-based applications that really, really want your personal information.
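One concrete check a defender can run on a Linux host is to ask which processes currently hold a keyboard event device open, since a user-space keylogger has to read the keyboard from somewhere. This is an added example, not code from the original article; it assumes a Linux-style /proc layout and builds its own constructed sample tree so it can be exercised without a real infection:

```python
"""Defensive check: which processes hold a keyboard input device open?

On Linux, every open file descriptor of every process is exposed as a
symlink under /proc/<pid>/fd.  A user-space keylogger usually reads raw
key events from /dev/input/event*, so scanning those links reveals every
current reader.  Anything other than the display server or input daemon
you expect deserves a closer look.  proc_root is a parameter so the scan
can also run over a constructed tree (see build_sample_proc).
"""
import os
import re
import tempfile

# evdev character devices that deliver raw key events.
INPUT_DEV_RE = re.compile(r"^/dev/input/event\d+$")

def process_cmdline(proc_root, pid):
    """Return the process command line, or '' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
            return f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return ""

def find_input_readers(proc_root="/proc"):
    """Map pid -> {'cmdline', 'devices'} for processes with an input event
    device open.  Unreadable or already-exited processes are skipped."""
    readers = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied, or the process has gone away
            continue
        devices = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if INPUT_DEV_RE.match(target):
                devices.add(target)
        if devices:
            readers[pid] = {"cmdline": process_cmdline(proc_root, pid),
                            "devices": sorted(devices)}
    return readers

def build_sample_proc():
    """Constructed /proc look-alike for a dry run: pid 4242 holds event3
    open, pid 17 only has a terminal, and 'self' is a non-pid entry."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for pid, links, cmd in (("4242", {"0": "/dev/null", "5": "/dev/input/event3"},
                             b"/home/user/.cache/helper\0--quiet\0"),
                            ("17", {"1": "/dev/pts/0"}, b"bash\0")):
        os.makedirs(os.path.join(root, pid, "fd"))
        for fd, target in links.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(cmd)
    os.makedirs(os.path.join(root, "self"))
    return root

if __name__ == "__main__":  # run against the live system (root sees all pids)
    for pid, info in find_input_readers().items():
        print(pid, info["cmdline"], ", ".join(info["devices"]))
```

A kernel-level rootkit keylogger of the kind described above hooks below this layer and will not appear in the list, which is why the advice to stop them before installation still holds.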

Hardware or Locally Installed Keyloggers

No matter how well you use technology to protect against remote attacks, allowing unauthorized physical access to your computer or network trumps all technical controls. If an attacker can sit at your keyboard, they can install any software they like. Most password authentication methods will not keep them out. They can also install, and later recover, a hardware keylogger that is undetectable by keylogger detection software. For information about effective physical security, see Physical Security Controls.

The only way to detect and remove hardware keyloggers is to periodically check your keyboard interface for “extra” components. Also, if a new keyboard mysteriously shows up on your desk, be wary until you confirm it was left by someone you trust.

The Final Word

As with all malware, the best way to deal with keyloggers is to keep them off your computer in the first place. For more information about how keyloggers work, including acoustic keyloggers, see Keystroke Logging.