What is a Keylogger, Types, and How to Detect a Keylogger Infection


What is a Keylogger?

Keyloggers, or keystroke loggers, are software programs or hardware devices that record every keystroke a user types. They are used mainly to steal credentials and other personal data for identity theft and account takeover. The captured data is either sent to the attacker over the network or stored locally for later retrieval. Keyloggers have evolved well beyond keystrokes, and modern ones can capture almost anything on the computer, from screenshots and clipboard contents to microphone audio.

Keyloggers are frighteningly easy to install; however, there are practical ways of protecting one's data from being captured by them.

Keyloggers are also sold openly for monitoring purposes. The owner of a machine may want a record of what happens on it in their absence, for example on a family computer or on company equipment. The keylogger is then installed to record everything and save it to an encrypted file on the computer. Whether this use is ethical, and whether it is legal, depends on consent and local law; that is entirely the user's responsibility.

Types of Keyloggers

Most software keyloggers arrive the same way other malware does: bundled with downloads from untrusted sources, attached to phishing e-mails, or carried on removable media such as USB flash drives or optical discs. They are essentially Trojans by nature: the logger is hidden inside, or installed alongside, a program the user chose to run.

Once installed, the program arranges to receive keystrokes from the operating system, typically by registering a keyboard hook or by polling the keyboard state through the OS API, and runs as a background process. It usually hides behind the name of a commonly used application, or injects itself into one, so that it does not stand out. The more sophisticated keyloggers are practically invisible on the infected machine.

Because keyloggers are highly configurable, the program is often set to start recording only on a trigger: a particular sequence of keystrokes, or, more commonly, the title of the active window (a banking site or a login dialog). The trigger limits the log to session data, such as user names and passwords, and keeps the log file small enough to go unnoticed.

Hardware keyloggers, on the other hand, are small inline adapters: the keyboard is plugged into one end of the device, while the other end is plugged into the keyboard's port (PS/2 or USB) on the computer. They need no software and are invisible to the operating system, so antivirus products cannot see them. The attacker later retrieves the device and reads out its memory to extract the recorded data; some models can also transmit the log wirelessly.

Detecting a Keylogger Infection

There is no single reliable sign that a machine has been infected with a keylogger. Poor performance is often cited as an indicator, but a keylogger does very little work (it only records key events), so it rarely uses noticeable CPU or memory. A sudden slowdown without any change to the machine points to some kind of malware in general, not specifically to a keylogger, and the absence of a slowdown proves nothing.

Since keyloggers are designed to be as inconspicuous as possible in the list of processes, an unusual process entry is not something to rely on. A better trail is the data leaving the machine: a logger that sends its captures away has to open a network connection, typically to a mail server (SMTP), an FTP site or a web server. That connection shows up in the output of netstat, in the host firewall log or in the network gateway's logs, not in the browser history. A process that has no business talking to the Internet but holds an established outbound connection deserves a closer look.
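As an added example (not part of the original article), the following Python script triages a `netstat -ano` snapshot the way the paragraph above suggests: it keeps only established TCP connections to addresses outside the local network and flags the ones that belong to a process not expected to use the Internet, or that go to a mail or FTP port. The netstat text, the PID-to-process mapping, the allowlist of network-using processes and the remote addresses are all constructed placeholders; on a real Windows machine you would feed it the actual output of `netstat -ano` and `tasklist`.

```python
"""Triage outbound connections from a netstat -ano snapshot.

Added example. Everything below is constructed: the netstat text, the
PID-to-process map, the allowlist and the remote addresses are placeholders.
On a real Windows host, paste in the output of `netstat -ano` and the
PID column of `tasklist` instead.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: processes on this workstation that are expected to reach the Internet.
KNOWN_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe", "teams.exe"}

# Ports keyloggers have classically used to mail or upload their logs (FTP, SMTP).
EXFIL_PORTS = {21, 25, 465, 587}

# Constructed netstat -ano output (Windows format: Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     2280
  TCP    192.168.1.10:49733     5.6.7.8:587            ESTABLISHED     4120
  TCP    192.168.1.10:49801     10.0.0.8:445           ESTABLISHED     4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    [::1]:49810            [::1]:135              ESTABLISHED     968
  UDP    0.0.0.0:5353           *:*                                    1308
"""

# Constructed PID -> image name map (what `tasklist` would give you).
PID_TO_PROCESS = {
    4: "System",
    968: "svchost.exe",
    1308: "chrome.exe",
    2280: "chrome.exe",
    4120: "winupdate.exe",   # placeholder name, not a real Windows component
}


@dataclass
class Finding:
    pid: int
    process: str
    remote_host: str
    remote_port: int
    reason: str


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each TCP/UDP line.

    UDP lines have no State column, so they get an empty state.
    """
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        yield proto, local, remote, state, int(pid)


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::1]:135' -> ('::1', 135); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def is_external(host):
    """True for routable addresses; False for private, loopback, link-local or '*'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback
                or addr.is_link_local or addr.is_unspecified)


def triage(netstat_text, pid_map, known=KNOWN_NETWORK_PROCESSES):
    """Return Findings for established connections that leave the local network
    from a process that is not expected to, or that go to a mail/FTP port."""
    findings = []
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host, port = split_endpoint(remote)
        if not is_external(host):
            continue
        process = pid_map.get(pid, "<unknown>")
        reasons = []
        if process.lower() not in known:
            reasons.append("process is not expected to use the Internet")
        if port in EXFIL_PORTS:
            reasons.append(f"remote port {port} is a typical mail/FTP upload channel")
        if reasons:
            findings.append(Finding(pid, process, host, port, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, PID_TO_PROCESS):
        print(f"PID {f.pid} ({f.process}) -> {f.remote_host}:{f.remote_port}: {f.reason}")
```

On the constructed sample only PID 4120 is reported: the browser's HTTPS connection is expected, the SMB connection stays inside the private network, and the loopback connection is ignored. The allowlist is the weak point of this check; a logger injected into a browser process would inherit that process's name, so treat a finding as a lead to confirm with the firewall or gateway logs, not as proof.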

Getting Rid of a Keylogger using an AntiSpyware Application

The simplest way to get rid of a keylogger is to run a reputable antivirus or antispyware application. It is important to keep the application's signature database up to date and to scan the machine periodically for infections.

There are a number of applications available, like SpywareBlaster or SpywareGuard. These are mainly blocking tools, which try to stop known spyware from being installed in the first place rather than cleaning it up afterwards. There are freeware scanners too, like Spybot S&D, which work slightly differently: Spybot scans the machine periodically for infections and gets rid of them after displaying a warning.

After installing an antimalware application, reboot the computer so that it can run a startup scan. It is a good idea to turn off System Restore at this point and delete all previously stored restore points. While it may be inconvenient, the restore points may contain copies of the malware, and a later restore would bring the program back; deleting them removes that chance. After the scan is finished, turn System Restore back on and create a fresh restore point of the clean machine.

Installing more than one antispyware application should not cause any problems; however, the case is entirely different with antivirus applications. Running two at the same time is counter-productive: their real-time scanners interfere with each other, which leaves gaps in the scan process and causes system instability. It is best to stick with one application at a time and keep it updated.

Analyzing Running Processes

For more advanced users, it is possible to look for a keylogger in the process list available in the Task Manager. However, keyloggers usually hide behind system-like names or inject themselves into legitimate processes, so a process cannot be identified with certainty from its name alone; the image path, the publisher's signature and the parent process are more telling.

There are tools available online, like those from Liutilities and Neuber. Both have products designed to analyse the running processes and sniff out a potential infection, and both publish a directory of the processes found on a typical system. A user can cross-check the running processes against the directory to find any suspicious ones, paying particular attention to a familiar system name running from an unusual folder. Once a process has been determined to be a keylogger, it can be terminated easily.

Terminating processes should not be undertaken lightly, as terminating the wrong one can adversely affect the system. A user needs to be completely sure a process is malicious before getting rid of it.

Once the process has been terminated, the infection must also be removed from the system, otherwise the autostart entry that launched it will bring it back on the next reboot. An antispyware application will usually remove both the file and its autostart entry.
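As an added example (not part of the original article, and not the Liutilities or Neuber tools), the following Python script performs the cross-check described in the last three paragraphs: it compares a process snapshot against a directory of known processes and the folder each one is expected to run from, flags unknown names as well as system names running from the wrong folder, and then links each suspect to the Run-key entry pointing at the same image, so that the persistence is removed together with the process. The known-process directory, the process snapshot and the Run-key entries are constructed placeholders; on a real Windows host the snapshot would come from `tasklist` or Process Explorer and the autostart entries from the Run keys or Sysinternals Autoruns.

```python
"""Cross-check a process snapshot against a directory of known processes and
tie each suspect to the autostart entry that would bring it back on reboot.

Added example. All data is constructed: the known-process directory, the
process snapshot and the Run-key entries are placeholders. On a real Windows
host the snapshot would come from `tasklist` or Process Explorer and the
autostart entries from the Run keys or Sysinternals Autoruns.
"""
from pathlib import PureWindowsPath

# Assumption: the directory maps a process name to the folder its image must live in.
KNOWN_PROCESSES = {
    "explorer.exe": r"C:\Windows",
    "svchost.exe": r"C:\Windows\System32",
    "csrss.exe": r"C:\Windows\System32",
    "chrome.exe": r"C:\Program Files\Google\Chrome\Application",
}

# Constructed snapshot: (pid, image name, full image path).
PROCESS_SNAPSHOT = [
    (968, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    (2280, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (3112, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),        # system name, wrong folder
    (4120, "winupdate.exe", r"C:\Users\alice\AppData\Local\Temp\winupdate.exe"),  # unknown name
]

# Constructed autostart entries: (registry key, value name, command line).
AUTOSTART = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows Update",
     r"C:\Users\alice\AppData\Local\Temp\winupdate.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "svchost",
     r"C:\Users\alice\AppData\Roaming\svchost.exe -s"),
]


def classify(name, path, known=KNOWN_PROCESSES):
    """Return None if the process looks normal, otherwise the reason it is suspect."""
    expected_dir = known.get(name.lower())
    if expected_dir is None:
        return "name is not in the known-process directory"
    actual_dir = PureWindowsPath(path).parent
    if actual_dir != PureWindowsPath(expected_dir):     # comparison is case-insensitive
        return f"system name but image runs from {actual_dir} instead of {expected_dir}"
    return None


def image_of(command):
    """Extract the executable path from a Run-key command line.

    Quoted paths are taken verbatim; for unquoted ones the tokens are joined
    until the first one ending in .exe, roughly the way CreateProcess resolves them.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]


def build_cleanup_plan(snapshot, autostart, known=KNOWN_PROCESSES):
    """For every suspect process, list the PID to terminate and the autostart
    entries pointing at the same image, so the persistence goes with the process."""
    plan = []
    for pid, name, path in snapshot:
        reason = classify(name, path, known)
        if reason is None:
            continue
        persistence = [(key, value) for key, value, cmd in autostart
                       if PureWindowsPath(image_of(cmd)) == PureWindowsPath(path)]
        plan.append({"pid": pid, "image": path, "reason": reason,
                     "delete_autostart": persistence})
    return plan


if __name__ == "__main__":
    for entry in build_cleanup_plan(PROCESS_SNAPSHOT, AUTOSTART):
        print(f"terminate PID {entry['pid']} ({entry['image']}): {entry['reason']}")
        for key, value in entry["delete_autostart"]:
            print(f"  then delete {key}\\{value}")
        if not entry["delete_autostart"]:
            print("  no Run-key entry found; check services, scheduled tasks and the Startup folder")
```

On the constructed data the plan names two processes: the second `svchost.exe`, because it runs from a user profile folder instead of System32, and `winupdate.exe`, because it is not in the directory at all, each paired with the Run-key value that launches it. The Run keys are only the most common persistence location; a suspect with no matching entry should be looked for among services, scheduled tasks and the Startup folder before it is declared clean.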

Other Removal Techniques

There are other, more drastic, measures that can get rid of keylogger programs; one sure-fire method is to wipe and reinstall the machine. This must be done by booting from installation media (a CD, DVD or USB stick). Since the infected operating system is not running at that point, the keylogger is not resident in memory and cannot protect itself, so formatting the disk removes it along with everything else. Formatting removes all the data from the computer, so this method is best left as a last resort, and it does nothing against a hardware keylogger.

Getting rid of a hardware keylogger is as simple as unplugging the device and plugging the keyboard directly back into its port (or replacing the keyboard, if the keyboard itself has been tampered with). The device can then be kept as evidence or destroyed so that none of the data is retrievable. Hardware keyloggers are not a common problem in homes, as they require manual installation and physical access to the machine; they are more of a concern on shared or public computers, where a periodic look behind the machine for an unfamiliar adapter between keyboard and port is a worthwhile habit.