57

A friend of mine just started a job at a security sensitive company. They've provided him with a laptop with Windows XP Professional installed. He's heard a rumor from other employees that the laptops may have key loggers installed. Is there any way for him to confirm or disprove this allegation? Will this be as simple as looking at the process tree or registry, or do these kinds of key loggers hide themselves better than that?

He does have administrator rights.

Plutor
  • 17
    Not all administrator rights are created equal. – this.josh Jan 27 '12 at 23:20
  • If his contract didn't state that his contract was secret in itself, what are the relevant clauses? What does it say about company-issued hardware? – Luc Apr 08 '13 at 12:12
  • 2
    Just keep writing 'i know your watching me' followed by some profanity/company secrets and anyone key logging you will get the attention raised! :P – NULLZ Apr 08 '13 at 23:36
  • 3
    Further, keep in mind that a key logger need not be software. Hardware key loggers exist. – derobert Apr 10 '13 at 02:25
  • 13
    I find these statements to be typically contradictory: `a security sensitive company` and `Windows XP Professional... He does have administrator rights`. – AviD Sep 12 '13 at 20:21
  • 2
    If the suggestion of @NULLZ doesn't work then try writing this: "As per our plan I've successfully been hired by the company XXX. A list of organizations secret and work flows is attached in the document...." – Omar Tariq Dec 16 '15 at 11:19
  • Assume that a Keylogger is installed. If the hardware is company property, I'd keep the use strictly business. – m4ck Jan 29 '12 at 03:03
  • @OmarTariq: I'm late, but this can be made real funny by creating a large gibberish binary file on another computer, transfer it to the target laptop and attach to your email, adding at the end "The encryption key was as we've agreed last month." That said, it's a creative way to find out whether there is a keylogger from the company, but not a way to keep the job! – user21820 Jul 21 '17 at 05:45

5 Answers

59

This would greatly depend on the implementation of the keylogger. Some enterprise-level products do include rootkits which make the keylogger nearly impossible to detect, unless you know the product in use and its configuration. For an example, check out Spector Pro*. Also, as syneticon-dj notes, it's possible they may instead be using a hardware keylogger which could be implemented in a way that cannot be easily detected by software.

If they've given your friend full admin rights on the box, they're either really confident in their monitoring and configuration control capabilities or they're fairly ignorant of the implications of giving such privileges to an end-user. Oftentimes, it's the latter. But, if you presume the former to be the case, then you should also presume there's some solid justification for their confidence.

Regardless, it's very likely that your friend has already signed (and thereby agreed to) an Acceptable Use Policy which includes a clause that relinquishes all rights to privacy on company-owned equipment. Further, any company worried about compliance in these matters will also have a Warning Banner on the system which reminds users at each log-in that they may be subject to monitoring on those systems.

Bottom line: Don't do anything on company equipment that you don't want them to see. Always presume that they are logging keystrokes, capturing screenshots (another common spyware feature), and monitoring network traffic with the possible inclusion of an SSL proxy. Keep business on business hardware, and personal stuff on personal hardware, and you should be fine.

 * Note: This is not an endorsement of Spector Pro. I have no affiliations with the company, nor have I used their product. This is simply given as an example of what sort of spyware tools are available to corporations.

Iszi
  • 11
    I wish I could +500 for your "bottom line" paragraph. – David Stratton Jan 27 '12 at 20:41
  • 3
    The SSL proxy may be installed in such a way that you **will not see any SSL certificate errors**. – this.josh Jan 27 '12 at 23:06
  • 1
    @DavidStratton If you really mean that, you can. Start a bounty on this question, then award it to Iszi. – Luc Apr 08 '13 at 12:05
  • @Luc good idea. – David Stratton Apr 08 '13 at 12:17
  • Great answer. I wonder isn't there a law that prohibits companies to do this? Or does that agreement already give the company the right to hack whatever we use? – jeff Oct 24 '15 at 22:31
  • 1
    @halilpazarlama The company can do whatever they want to ***their systems***. That's their right as property owners. If they wanted to do this to your personally-owned computer though, that would be a completely different discussion. But if you want to browse the Internet without worrying about your employer spying on you, don't use company equipment - that's not what it's for. – Iszi Nov 04 '15 at 21:18
32

Iszi gives you some very good advice in general - chances are if they're using monitoring software, they're confident in it.

Will this be as simple as looking at the process tree or registry, or do these kinds of key loggers hide themselves better than that?

Detecting keyloggers is as simple as looking in the right place (which may or may not be simple depending on your viewpoint). The problem is knowing what to look for and where. What follows is a non-exhaustive list of things you could do to check for keylogging modules.

Firstly, the obvious easy way to build a keylogger is to use DLL Injection which can be achieved a number of ways. Most of these will result in a DLL showing up as mapped to the process's address space. Take a look at this picture:

pyd process

What is the topmost entry in that list? It's a pyd, or python extension, file. I've been messing with python-implemented COM servers and as a result, the DLL is loaded into Windows Explorer's address space.

DLL Injection of the keylogging variety will load its DLL into all of the target address spaces - can't capture everything if you don't. So one thing to look out for would be strange DLLs you cannot attribute to products whose purpose you know. They'll show up in this list for all processes.

Of the techniques described on wikipedia, the only one that I've not seen is the CreateRemoteThread variety - I'm uncertain if the outcome would be to attach a thread to the image or execute a thread with a name DllMain. Thanks to process explorer, we can still see what threads are executing what:

Threads

Awesome, right? Well, they could well be named to coincide with the obvious user32.dll or some such. There's a number of experiments we could perform to work out if that's the case, if we so wanted. These are left as an exercise to the reader (don't you just hate it when people say that!).

So that covers user-mode-obvious-keylogger-mode. There are some less obvious places a keylogger could be embedded (but they'd unlikely be global ones). However, things get really exciting when you start talking about kernel level hooks. There's an excellent article by Mark R and Bryce Cogswell on this topic, although it needs updating with the following caveat:

  • 64-bit Windows kernels have a kernel-patch protection mechanism that periodically checks key points in the kernel for modification and shuts the system down if they're detected.

So, if you're running 32-bit Windows, you could still have some form of kernel level hooking installed and working; if you're using 64-bit it is much less likely - given KPP has been bypassed before and is constantly changing, I would bet on you being free of kernel hooks on x64 as Windows updates would crash the monitoring product system periodically. Software just doesn't sell on that basis.

What can you do versus a 32-bit hook? Lots of things:

  • Examine the drivers folder for entries that look suspicious/cannot be attributed.
  • Do the same thing, but offline, so that the driver can't prevent you from looking.
  • Configure a debug boot entry with bcdedit (bcdedit /copy {current} /d "Windows in debug mode", bcdedit /debug {id} ON after appropriate bcdedit /dbgsettings), hook up a firewire cable (really. Don't use serial. I discovered this using serial cables - firewire's much faster). Then, on your source machine, start kd and set a break point on module loading, then step through all the modules that load, making a note of them. Not much a driver can do to hide itself from you before its started. You might even proceed to examine it from here (g to continue, ctrl+c breaks at any point).

Of course, caveats here are that no Windows executables have been patched directly, or some such malfeasance that is beyond our ability to trivially detect.

That's directly looking at the system, but is no means a complete solution. If you believe the logging software is phoning home, a transparent proxy might help you identify where - i.e. you might be dialled in to vpn.mycompany.com but you might also see connections to monitorserver.mycompany.com.

As you can no doubt tell, a lot of the techniques available to you depend on two things:

  • Your pre-existing familiarity with your OS, or ability to quickly become familiar with what is out of place and
  • The ability and resource of the author to hide/disguise their modifications from you.

Short answer: there's no foolproof way to detect anything of the sort; there are however some places you can start looking for evidence.

Various disclaimers:

  • Investigating might be contrary to your AUP. It might also be illegal where you live.
  • If you try everything I suggest and turn up nothing, follow Iszi's advice, assume that any monitoring program is better than you are.
  • You are not likely to make any friends amongst IT Support and Sysadmins analysing their systems like this.
  • The security of your activity on the work laptop depends on more than just its OS - it also depends on all the hardware/software involved in the transit of that data. My point? If you're worried (not saying you are, just an example) that your employer is spying on you to determine whether you spend your day playing farmville, well, they don't need a keylogger to do that - if you're connected via their network they ought to be able to log your connections. SSL will hide the content, but not the source or destination.
  • In my experience, rumours of keyloggers usually turn out to be just that - rumours. However, that's based on my statistically invalid sample of one company where such a rumour existed, so, not to be relied on. Clearly, these products exist.
  • 3
    Excellent answer. Most suspected keyloggers are a myth. There are many other simpler ways to see what you are up to without logging every key stroke you make. Nice point that keyloggers may be hardware as well as software. See my answer [here](http://security.stackexchange.com/a/7850/2737) for a little history on keyloggers. – this.josh Jan 30 '12 at 04:10
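Two of the checks in the answer above can be scripted: the search for a DLL that is mapped into (nearly) every process but cannot be attributed to a known product, and the search for a process phoning home to a host you did not expect. The Python below is an added example, not code from the answer or from any monitoring product. It works on saved output of two commands that exist on XP Professional, `tasklist /M /FO CSV` and `netstat -ano`; the snapshots embedded in it are constructed for the example, and the names `kbhook.dll`, `monitorsvc.exe` and the addresses in them are hypothetical. It generalises the answer's "they'll show up in this list for all processes" to a coverage threshold, because a user-mode hook DLL never lands in native processes such as smss.exe that do not load user32.

```python
"""Added example: two scriptable checks for the rumour in the question.
1. Modules mapped into (nearly) every process that cannot be attributed
   to a known product -- the footprint of a DLL-injection hook.
2. Established TCP connections to hosts you did not expect -- "phoning home".
Input is the text of `tasklist /M /FO CSV` and `netstat -ano`; the samples
below are CONSTRUCTED, and kbhook.dll / monitorsvc.exe are hypothetical."""
import csv
import re
from collections import defaultdict

# Constructed sample in the shape of `tasklist /M /FO CSV` output.
TASKLIST_CSV = '''"Image Name","PID","Modules"
"smss.exe","368","ntdll.dll"
"csrss.exe","584","ntdll.dll,CSRSRV.dll,KERNEL32.dll,USER32.dll,kbhook.dll"
"winlogon.exe","608","ntdll.dll,KERNEL32.dll,USER32.dll,ADVAPI32.dll,kbhook.dll"
"explorer.exe","1240","ntdll.dll,KERNEL32.dll,USER32.dll,SHELL32.dll,kbhook.dll,pythoncom27.dll"
"notepad.exe","1788","ntdll.dll,KERNEL32.dll,USER32.dll,COMDLG32.dll,kbhook.dll"
"monitorsvc.exe","1900","ntdll.dll,KERNEL32.dll,WS2_32.dll,kbhook.dll"
'''

# Constructed sample in the shape of `netstat -ano` output.
NETSTAT_TEXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.1.2.33:1044         10.1.0.5:1723          ESTABLISHED     1100
  TCP    10.1.2.33:1051         10.1.0.7:443           ESTABLISHED     1240
  TCP    10.1.2.33:1062         10.1.0.21:443          ESTABLISHED     1900
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  UDP    0.0.0.0:500            *:*                                    820
'''

# Modules that are legitimately everywhere. Build this from a clean reference
# install at the same patch level, not from memory; this is only enough for
# the sample above.
KNOWN_SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
                     "gdi32.dll", "shell32.dll", "comdlg32.dll", "ws2_32.dll",
                     "csrsrv.dll"}

NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist_modules(text):
    """Return {pid: (image_name, {module names, lower-cased})}."""
    procs = {}
    for row in csv.DictReader(text.splitlines()):
        mods = {m.strip().lower() for m in row["Modules"].split(",") if m.strip()}
        procs[int(row["PID"])] = (row["Image Name"].lower(), mods)
    return procs


def find_ubiquitous_modules(tasklist_text, known=KNOWN_SYSTEM_DLLS, min_fraction=0.8):
    """Modules present in at least min_fraction of all processes and not on the
    known-good list, as [(module, [pids])], highest coverage first. A global
    hook has to sit in every process that receives input, so coverage is the
    signal; the threshold allows for native processes that never get hooked."""
    procs = parse_tasklist_modules(tasklist_text)
    coverage = defaultdict(list)
    for pid, (_, mods) in procs.items():
        for mod in mods:
            coverage[mod].append(pid)
    needed = min_fraction * len(procs)
    suspects = [(mod, sorted(pids)) for mod, pids in coverage.items()
                if len(pids) >= needed and mod not in known]
    return sorted(suspects, key=lambda item: -len(item[1]))


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) per connection row; UDP rows
    have no state column, hence the optional group in the regex."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield proto, local, remote, state or "", int(pid)


def find_unexpected_connections(netstat_text, tasklist_text, expected_hosts):
    """Established TCP connections whose remote host is not in expected_hosts
    (VPN gateway, proxy, mail server ...), as [(image, pid, remote)]. The PID
    is resolved through the tasklist snapshot; unknown PIDs come back as '<unknown>'."""
    procs = parse_tasklist_modules(tasklist_text)
    hits = []
    for proto, _, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host = remote.rsplit(":", 1)[0]
        if host not in expected_hosts:
            hits.append((procs.get(pid, ("<unknown>", set()))[0], pid, remote))
    return hits


if __name__ == "__main__":
    for mod, pids in find_ubiquitous_modules(TASKLIST_CSV):
        print("unattributed module in %d processes: %s %s" % (len(pids), mod, pids))
    for image, pid, remote in find_unexpected_connections(
            NETSTAT_TEXT, TASKLIST_CSV, {"10.1.0.5", "10.1.0.7"}):
        print("unexpected connection: %s (pid %d) -> %s" % (image, pid, remote))
```

On the sample data the first check flags `kbhook.dll` in five of the six processes (everything except smss.exe) and the second flags `monitorsvc.exe` talking to 10.1.0.21:443 while the VPN gateway and proxy are on the expected list. Both checks only find what is visible to `tasklist` and `netstat`; a rootkit that filters those APIs, or a hardware logger, defeats them, which is exactly the answer's caveat.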
19
  1. Create a GMail account with no 2-step authorization (not from your friend's laptop).
  2. Log in to the GMail web interface from your friend's laptop (type the username/password manually).
  3. Create a new mail with the subject "some reports from %companyname%", attach some dummy .docs and .pdfs, and type "dave123@another-company-in-your-field.com" in the "To:" field. Click "Send".
  4. Enable 2-step authorization and link it to your phone (not from your friend's laptop).
  5. Never log into that account from anywhere after that; just wait for an SMS confirming the keylogger :)
Evgeniy Chekan
  • @TildalWave sure, this will work only if a keylogger is installed and its owner tries to see what has been sent :) I'm pretty sure there is no way to prove that a system is keylogger-free, because there are just too many ways to stalk a laptop user. The best decision here is simply to use the company-provided laptop for company-related work only. – Evgeniy Chekan Apr 09 '13 at 08:49
  • 4
    Would gladly hear downvote reasoning. – Evgeniy Chekan Apr 09 '13 at 13:32
  • 4
    No idea for the downvote. I find this pretty inventive and interesting actually. Flawed like any other probing that can only prove it and not also successfully disprove it, but that should be self-understood to all that read this thread by now. I guess someone didn't get it. I deleted my first comment, I hope it didn't cause the downvote by being misunderstood as a suggestion your answer isn't helpful. That was certainly not my intention! I'll +1 to balance things, but that's obviously not a voting suggestion for others either, people should make their own minds about it. – TildalWave Apr 09 '13 at 17:52
  • Great idea. I'd additionally type an email on the potentially infected system saying, "Roger, about the $40000 that I owe you: I'm away from my password list right now, but I'll just give you my bank account's password, like before, and you do that complicated wire transfer thing you have to do; it's impossible for stupid, tech-disabled me. TODO : type in password here for Roger once I'm home (saved to Drafts)". Might expedite the process :-) – vijucat Sep 05 '16 at 01:26
0

Well, some keyloggers hide themselves very well; in fact, some might be like a rootkit. You should get a good antivirus program that can detect and root out rootkits, trojans and the like from the computer, and it should be scanned thoroughly from a CLEAN system; otherwise you might be booting up to a rootkit or other nasty things, which would make the scan appear to come out clean when in fact it isn't.

One good such program is the AVG Pro antivirus and antirootkit program, and there are a few others that claim to do well against rootkits and all other sorts of trojans, spyware, worms etc. A good investment if you don't like having someone watching over your shoulder all the time, or worse, catching a rather nasty "bug". So do a scan with something like AVG, from a CLEAN system. That should take care of any of those things I mentioned, and keep your antivirus / antirootkit software up to date as well.

  • 2
    Good advice but it may not be practical as the computer in question is company owned equipment. Company policy and IT guidelines may disallow some or all of the methods you suggest. – this.josh Jan 27 '12 at 23:08
  • +1 to @this.josh. Also, I've got a *really* hard time up-voting a post that has so many formatting issues. – Iszi Jan 29 '12 at 19:08
0

Basically, there is no way to detect this other than taking the system apart and comparing to a trusted implementation.

It has been proven to be theoretically impossible to create a program which would be able to analyze an arbitrary piece of code and determine if it is going to halt eventually or run forever given a particular input (halting problem), which in turn means a whole lot for scanners which are meant to determine if an arbitrary binary is going to put your machine in a particular undesirable state.

As a further complication, key loggers do not need to be software installed within your operating system - they might be a hardware component as well.

syneticon-dj
  • 2
    Actually, no, it hasn't. The proof of the halting problem being undecidable applies to *Turing* machines, not *finite-state* machines. Actual computers are closer to finite-state machines (they have finite memory). It's trivial in theory to answer "does this halt" for a finite-state machine; run it until it either halts (answer: yes) or a state is repeated (answer: no). States are finite, so that can't go on forever. A Turing machine could do that. A real computer, not so much. I'm not aware if there is a proof of no better algorithm than the naïve one. – derobert Jan 31 '12 at 20:46
  • More hardware keyloggers: http://amecisco.com/faq_hardwarekeylogger.htm#Q15 http://www.keelog.com/hardware_keyboard_logger2.html Undecidability is a bit of a red herring though. You might not be able to prove that a heuristic scanner is reliable on all possible inputs, but that doesn't make it useless. (Though a computer with access to a net connection it can send data to and query later might be closer to a Turing machine than a finite state machine for purposes of detecting repeated states before the heat death of the Universe.) – armb Apr 08 '13 at 13:30