0

According to this article, keyloggers usually make use of the FTP ports and email ports:

http://rbmikrotik.blogspot.com/2011/07/how-to-block-port-frequently-keylogger.html

My question is, can a keylogger software make use of other ports within the network so that it sends the information to the attacker?

Matthew

2 Answers

8

A keylogger can use literally any form of communication to send its data back to the attacker.

Common methods:

  • FTP upload
  • Email
  • IRC
  • HTTP POST
  • Connect-back (i.e. attacker connects to a service listening on your machine)
  • P2P network (e.g. Gnutella or BitTorrent)
  • Custom protocol running over TCP or UDP, directly to the attacker.

Note that any of these services can be set up on any port, since the standard port is just for ease-of-use. As such, you might find an IRC server operating on port 50321 rather than 6667, or an FTP server operating on port 80 rather than 21.

Polynomial
  • I was thinking of creating a program which monitors the standard FTP and email ports and notifies the user in case large amounts of information are being sent without his consent (there is possibly a keylogger). I guess my approach is almost impossible if the keylogger can use any port. What do you think Polynomial? – Matthew Mar 25 '13 at 22:09
  • Typically it won't be large amounts of data. Keyloggers can have a fair amount of intelligence built in to search for data of interest. – Rory Alsop Mar 25 '13 at 22:17
  • @RoryAlsop Thank you for your response. My approach combines an on-screen keyboard controlled by mouse-hovering (to protect against basic keyloggers) and a program which checks the ports to see if the keylogger is sending screenshots. I thought that the act of sending screenshots requires some amount of bandwidth; however, I haven't gone into the details. What do you think Rory? – Matthew Mar 25 '13 at 22:19
  • I think it's a poor heuristic. Just advise the user to keep up to date on OS and software updates, run an AV, and not click dodgy stuff. – Polynomial Mar 25 '13 at 22:35
  • One even used calls to a fake DNS to pass traffic. Hey, everything needs DNS to function. Ooh, look, open firewall ports on 53. – Fiasco Labs Mar 25 '13 at 23:23
2

Yes, certainly. A keylogger doesn't necessarily need to access any port at all. It can easily log to disk, or if it's a hardware keylogger, to its own storage without ever using network access at all. If it does transmit data across the network, it could use any port it chooses. The most likely candidates are 80 and 443, as those are most likely to be unblocked and potentially un-inspected.

Xander
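Both answers make the same point from the defender's side: the destination port tells you nothing reliable about the protocol, so a monitor keyed on "the FTP port" or "the email port" is looking at the wrong thing. The script below is an added example, not code from the thread or from any of its participants. It classifies outbound connections by the first bytes the client sends (a few illustrative payload signatures for TLS, HTTP, IRC, FTP and SMTP) and flags two situations Polynomial's answer describes: a recognised protocol on an unregistered high port (the IRC-on-50321 case) and a protocol that does not match the port it is using (the FTP-on-80 case). The flow records are constructed for the example; the signature set is deliberately small and is an assumption about what a minimal classifier would look for, not a complete protocol fingerprint library.

```python
import re
from typing import Optional

# Protocol a defender would expect on a well-known destination port.
EXPECTED_BY_PORT = {21: "ftp", 25: "smtp", 80: "http", 443: "tls", 6667: "irc"}

# Illustrative client-side payload signatures (first bytes sent). This is an
# assumption for the example; production analysers carry far larger sets.
SIGNATURES = [
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]")),                   # TLS handshake record header
    ("http", re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("irc",  re.compile(rb"^(PASS [^\r\n]*\r\n)?NICK [^\r\n]*\r\n")),  # IRC client registration
    ("ftp",  re.compile(rb"^USER [^\r\n]*\r\nPASS ")),                 # FTP login sequence
    ("smtp", re.compile(rb"^(EHLO|HELO) ")),
]

# Constructed outbound flow records: (source host, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("ws01", 443,   b"\x16\x03\x01\x00\xc8\x01\x00"),                      # TLS on 443, as expected
    ("ws01", 50321, b"NICK kl_ws01\r\nUSER kl 0 * :x\r\n"),                 # IRC on a high port
    ("ws02", 80,    b"USER upload\r\nPASS hunter2\r\n"),                    # FTP login on port 80
    ("ws02", 80,    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"), # plain HTTP POST on 80
    ("ws03", 21,    b"USER backup\r\nPASS backup\r\n"),                     # FTP where FTP belongs
]


def classify_payload(payload: bytes) -> str:
    """Name the application protocol from the client's opening bytes, ignoring the port."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return "unknown"


def inspect_flow(src: str, dst_port: int, payload: bytes) -> Optional[dict]:
    """Return a finding when the observed protocol disagrees with the port, else None."""
    proto = classify_payload(payload)
    expected = EXPECTED_BY_PORT.get(dst_port)
    if expected is None:
        # Unregistered port: only worth reporting if we actually recognised the protocol.
        if proto == "unknown":
            return None
        return {"src": src, "port": dst_port, "protocol": proto,
                "reason": "recognised protocol on unregistered port"}
    if proto != "unknown" and proto != expected:
        return {"src": src, "port": dst_port, "protocol": proto,
                "reason": f"{proto} traffic on a port reserved for {expected}"}
    return None


def audit(flows) -> list:
    """Run inspect_flow over every record and collect the non-empty findings."""
    findings = []
    for src, port, payload in flows:
        finding = inspect_flow(src, port, payload)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['src']} -> port {f['port']}: {f['reason']}")
```

Running it reports the IRC session on port 50321 and the FTP login on port 80, and says nothing about the HTTP POST on port 80. That silence is the limit Polynomial's and Xander's answers both point at: a keylogger that simply speaks HTTP or TLS to 80 or 443 looks like every other client on the network, so payload classification narrows the blind spot of port-based monitoring without removing it.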