All About Keyloggers
The all infamous keyloggers
Keystroke Logging ( Keylogging for short) is defined by Wikipedia as :
Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.[1] Keylogging can also be used to study human–computer interaction. Numerous keylogging methods exist: they range from hardware and software-based approaches to acoustic analysis.
What it actually pertains
In short it is to record every key you press on the keyboard. A search on google "Free Keylogger" would yield you with 2 Million+ results and most of the top download links are working and from trusted website.
Now you would ask as 'Shouldn't it be a crime selling /making/distribution of these softwares ?' For that the companies and makers do have a legit reason to make it and one of them being 'Parental Control' and then there are some reasons such as 'Lost Typing?'(where the author wishes to say that if you should install a keylogger because you could lose some data during power outage , if working on a text editor ... I mean Seriously ??? , here is the link, the backup battery power companies would salute the person with such an idea ) Also it isn't illegal to use it on yourself .However there are case like this ( where the creator did face consequences cause it had the sole purpose of being nefarious ).
Let me start with some of the basic features of modern keyloggers :
- Invisibility Cloak ( As in Harry Potter ;) ) : Not shown in Task Manager and in any menu entries ( and of course no desktop icon )
- Email: Email the logs to a predefined email address on a set interval of time or a particular time of day
- Auto Destruct : Deletes any trace of itself , without the victim ever knowing it existed
- Screen Capture : Capture screenshots
- Clipboard Monitoring : Monitor clipboard for changes
- Record Running Applications
- Persistence
- Remote Installation (Some paid versions do offer it)
Even thought of having this piece of software on your system would give goosebumps to many.Now there are many tutorials on installing and using these , anyone who has ever installed a software on Windows can do it pretty easily. We would be discussing the internals of what goes into making a good keylogger .
How is it done
Invisibility Cloak
The Desktop icons are quite easy to handle since they are the ones that are explicitly put by the software, so as to ease the use of their software , in case of keylogger , it just chooses not to put them.
Task Manager hiding or rather obfuscation using obscure names of the likes of system processes. Hiding from task manager is achieved using some of the techniques applied by rootkits , however it's beyond the scope of this article .
It is not that the email will come out of nowhere ( Did you really think so ;) ). At the time of installation you need to enter your email credentials , obviously you would create a fake mail just for this purpose , if I were you . This the part where my senses start piquing , don't you suspect some dark business going in the background , however save it for the last part 'The Consequences And Remediation'.
It works the same way as any email client like Thunderbird or MS Outlook would work. Every email provider has SMTP( Simple Mail Transfer Protocol ) server ( such as gmail or yahoo or yandex ) which runs on port 587 or any other given in their settings. The software connects to their server using your credentials and then sends the keylog file alongwith a subject if it could be configured into the keylogger i.e. to say if it had an option of setting the subject line of the email being sent . The receiver ( as specified in the options of your keylogger ) then checks the email on a web client ( a sophisticated way to refer to a web browser ;) ) or email client software ( as mentioned above ).
#Python code for sending mail through gmail server
#Similar is the usage for other email providers
#Import the module responsible for sending mail
import smtplib
# Specifying the from and to addresses
fromaddr = '[email protected]'
toaddrs = '[email protected]'
# Writing the message (this message will appear in the email)
msg = 'Enter you message here'
# Gmail Login
username = 'username'
password = 'password'
# Sending the mail
server = smtplib.SMTP('smtp.gmail.com:587')
#gmail requires tls
server.starttls()
server.login(username,password)
server.sendmail(fromaddr, toaddrs, msg)
server.quit()
However if you need to use this script you need to allow 'Less Secure Apps' in your gmail From Google Support :
" Since these apps and devices are easier to break into, blocking them helps keep your account safe. "
Just login to your gmail ,go to this link and allow above script to use your account.
Auto Destruct
Here comes the tricky part , some may say that how can one destroy itself without leaving a trail of itself. Now if you would have googled 'Boost your PC performance' you would've seen one of the solution would be to 'Clear the Temporary Files'. These files can be seen by executing '%TEMP%
' on the Run
command , which in turn can be opened either from the Start Menu ( yes it's there, it's just that you never needed this ) or by pressing Win Key + r
( go on give it a try ).
These files are automatically deleted by the OS on reboot. I hope you got the catch.
So one may ask what is it used for ?
A Windows temporary file is created under the following three circumstances : 1
- Windows Desktop applications, such as Write, and multiple document interface (MDI) applications, such as Excel, create temporary files to handle necessary user editing. Because a Desktop application cannot have multiple documents open at once, it must immediately create a temporary file that allows you to undo any editing. MDI applications create temporary files only when necessary (for related editing), rather than for every worksheet that is open.
- When you run an MS-DOS-based standard application with Windows/286, Windows/286 creates a temporary file (for example, ~PIFCHFA.TMP) so that it can swap to disk to make room for other applications to use memory.
- When you print from Windows or any Windows-based application with the spooler enabled, Windows creates temporary files on the hard disk. Windows spools the print job to the temporary file and then sends it to the appropriate printer as a background operation.
Note : Microsoft recommends that you have approximately 2 megabytes (MB) of free disk space available for the creation of temporary files.
Now suppose I create a batch file that when run deletes a file. Now combining the knowledge of above two things we can make the self destruct mechanism. First when the keylogger gets the auto destruct command it creates a bat file ( or something similar that could be executed ) , whose contents tell the OS to delete the files of the keylogger. After executing the bat file the main keylogger exits as you can't delete the files of a running software that are being used by the OS. The bat file in turn gets destructed on next boot.
Of course this one of the simplest ways among a myriad of methods (there can be some other mechanisms too , I don't know all that is to know).
Screen Capturing , Clipboard Monitoring and Recording Running Applications
These all can be done using the Windows API **(Application Programming Interface), it provides with methods such as:
if you would have programmed a windows application , you might have come across these methods.
Persistence
It is achieved by using the windows 'Startup Programs' mechanism (however only the non stealthy applications seem to be using this mechanism) or by using registry key.The following list of registry keys are accessed during system start in order of their use by the different windows components:[2]
1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2) HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation)
3) HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
4) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
6) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
7) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
8) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
9) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
10) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
11) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
12) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
13) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
14) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
15) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
16) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
17) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
18) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
21) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
22) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler(XP, NT, W2k only)
23) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
The software path mentioned in these keys are run during startup.So there is ample space for the malware to slip into one of these and remain persistent. You can check out the currently configured autorun softwares using 'Autoruns' a windows sysinternals tool.
Remote Installation
The keylogger produces an installer file with your options embedded into it.
There are many installer makers to name a few popular ones :
The Consequences And Remediation
Well as far as the consequences go it so a no brainer as to what happens if you give your mail credentials to someone even if you set up the mail just for the keylogger , still your mail may be used in phishing campaigns or for signing up for different online services. If it has a cloud storage linked to it then it can be used to store 'looted' info such as stolen credit card info and other stuff , just to name a few.
There can be no assurance that the keylogger you downloaded wouldn't be doing stuff apart from what it intended to do.Stuff like bitcoin mining or DDoS . However if it's a legit stuff bought from a legit company then it may be trusted. However the amount of data software send to their servers just to give 'Customized experience' is enormous , specially mobile apps , privacy is a myth.
Remediation
- Updated AntiVirus
- If possible scan the file on Virustotal.com , since the maximum file size limit is 128 MB , you can possibly copy its hash to check it in their database ,it is fast and would save you bandwidth.
- If all fail and it is necessary to login , suppose you are in a cyber cafe ( you could easily guess the scenario ) , use Virtual Keyboard also known as 'On Screen Keyboard'. It is pre bundled in windows and here is how to use it .Since there aren't any key presses so you can be safe from keyloggers.
Hope you learnt something new .
Disclaimer
Any actions and or activities related to the material contained within this website is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The author will not be held responsible in the event any criminal charges be brought against any individuals misusing the information on this website to break the law.
This site may contain links to materials that can be potentially damaging or dangerous.