
I am concerned about keyloggers being installed on my system and transmitting sensitive data out of our network.

Is there a common method that such malware uses to send its collection back to the hacker? For instance, do they generally contact a server directly and separately, or utilize an existing connection through a web browser or other benign program?

Assuming that prevention methods (anti-malware programs) are in place but have failed to stop a malicious installation, what further steps can be taken to prevent data from being transmitted?

One thought I had is to install a firewall such as ZoneAlarm to warn of any new connection attempts, but if the keylogger uses an existing trusted connection that would be of little value.

Paul S.
  • Try a virtual keyboard and also an anti-screen capture tool. What the KeyLogger can't get, the screen-capture module of a malware will try to get. The only drawback is that you become vulnerable to shoulder surfing, aka someone looking at your password when you punch it in on screen. Simple remedy - type half the password and punch the rest. That way no one gets the whole thing. – FirstName LastName Feb 05 '13 at 10:24

6 Answers


Is there a common method that such malware uses to send its collection back to the hacker? For instance, do they generally contact a server directly and separately, or utilize an existing connection through a web browser or other benign program?

Not with any consistency there isn't. Here's a range of methods Mr Hacker could use:

  • Listen, a-la simple shell script. Basically this method relies upon the attacker probing for then connecting to the port in question. Fairly naive and easy to mitigate - only allow outbound connections, ever. Do this in spite of NAT as IPv6 will make those NAT defences disappear.
  • Outbound connection by a component of the malware. These actually break down into further sections:

    • To some odd port number, like dodgy.site.example:1337. Clearly, you should be blocking outbound connections to ports you don't need, but in the context of a home environment this might not be practical.
    • Via email. Either to a known smtp relay, dedicated smtp relay or directly (MX lookup + straight to the mailbox). In any case, do NOT allow traffic out on port 25 or even 587. Identify either a local trusted relay or a remote one and only allow connections on port 25/587 outbound to that machine. Enforce TLS and authenticated login.
    • Looking like a legitimate protocol, e.g. I've connected to https://dodgysite.example but I'm not talking that protocol. SPI/deep packet inspection may find these sorts of things, or it may not.
    • Actually being a legitimate protocol. Does an HTTP POST look suspicious to you? Me neither, but given I just want to get data somewhere, CGI will handle collection nicely and HTTP POST is probably allowed everywhere. Would make an ideal data submission vector.

In both of the above two cases, an authenticated proxy server might help, simply because it reduces the chance of an outbound connection as not all malware is capable of detecting or using proxies.

Several improvements can be made on these from the malware perspective.

  • Hooking another application and executing any of the outbound/inbound connections in the context of that process.
  • Using a rootkit to simply refuse to allow local (as in on the system) scanning software to even know the outbound connection exists.

What is the solution?

Well, probably the best way is to keep your computer clean in the first place. Prevention is absolutely better than cure, especially in the case of a kernel level infection. However, knowing you have a problem is clearly important too, so:

  • Intrusion detection systems.
  • Monitor logs for suspicious activity. Firewall logs, operating system logs etc. See IDS, but do it yourself too.

That's about it. If all the ports you don't need are turned off and you're passing all connections you want through proxies or reasonably scanning them, the best you can do is reactive defence in this case.

From a personal perspective, I am very much interested in Mandatory Access Control. I honestly think a lot of benefit can be derived from designating specific resources an application requires and I say that as a programmer as it helps define specifications. If you're using a platform capable of some level of MAC you might be interested in investigating it. I've also recently answered a question on Sandboxie which looks like an excellent piece of kit for Windows.

  • Thank you for the detailed response. Lots of good info in there. – Paul S. May 20 '11 at 15:34
  • Ninfingers - please see this question where I refer to a statement of yours in this answer: http://security.stackexchange.com/questions/7821/is-ipv6-with-nat-less-secure-than-ipv4 – Martin Oct 03 '11 at 08:13

Unfortunately the answer to the first part of your question is that there are a range of techniques keyloggers use to communicate out, and these include utilising existing connections such as http, so unless you have a firewall which works on a whitelist you will find it very difficult to prevent.

Some keyloggers do not connect out at all, but require local access by the attacker to pick up the logged data - a separate problem, but again - not detectable by a firewall.

You really want your antimalware tool to be up to date, and to use safe practices when accessing the internet, as keyloggers are hard to detect otherwise.

Rory Alsop
  • Thank you. Fortunately due to my location, a local access exploit is not of great concern. Unfortunately, something is still weird with my PC and 7 frequently-updated antimalware packages have failed to locate it. – Paul S. May 20 '11 at 15:33
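As an added example (not code from either answer above), the following Python script applies the egress rules the top answer lays out - outbound only, SMTP only to one trusted relay, web traffic only via the authenticated proxy, every other outbound port flagged - and the firewall allowlist approach Rory Alsop's answer mentions, over a handful of constructed firewall log lines. The addresses, the relay, the proxy and the key=value log layout are all assumptions made for the example. Note what it cannot do: the case the top answer singles out, where the keylogger's upload is an ordinary HTTP POST through the proxy, looks exactly like allowed traffic here and has to be chased in the proxy logs instead.

```python
"""Egress-policy check over firewall log lines (added example; data is constructed)."""
import ipaddress
from dataclasses import dataclass

# Assumed network layout for this example: placeholders, not a real site.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_RELAY = ipaddress.ip_address("10.0.0.25")  # the only host allowed on 25/587
WEB_PROXY = ipaddress.ip_address("10.0.0.8")       # authenticated proxy on 3128; no direct 80/443
SMTP_PORTS = {25, 587}
WEB_PORTS = {80, 443}

# Constructed log lines in a simplified iptables-like key=value layout.
# "OUT"/"IN" is the direction relative to the monitored workstation 10.0.0.51.
SAMPLE_LOG = """\
2011-05-20T10:01:02 OUT SRC=10.0.0.51 DST=10.0.0.8 PROTO=TCP DPT=3128
2011-05-20T10:01:05 OUT SRC=10.0.0.51 DST=198.51.100.7 PROTO=TCP DPT=1337
2011-05-20T10:01:09 OUT SRC=10.0.0.51 DST=10.0.0.25 PROTO=TCP DPT=587
2011-05-20T10:01:11 OUT SRC=10.0.0.51 DST=203.0.113.9 PROTO=TCP DPT=25
2011-05-20T10:01:15 IN SRC=192.0.2.44 DST=10.0.0.51 PROTO=TCP DPT=4444
2011-05-20T10:01:20 OUT SRC=10.0.0.51 DST=203.0.113.9 PROTO=TCP DPT=443
"""


@dataclass(frozen=True)
class Event:
    ts: str
    direction: str  # "IN" or "OUT"
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Turn one 'ts DIR KEY=VAL ...' log line into an Event."""
    ts, direction, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(ts, direction, kv["SRC"], kv["DST"], kv["PROTO"], int(kv["DPT"]))


def classify(ev):
    """Return ("allow" | "alert", reason) for one event under the egress policy."""
    dst = ipaddress.ip_address(ev.dst)
    if ev.direction == "IN":
        # A malware "listener" needs an inbound connection; the policy never allows one.
        return "alert", "inbound connection to a workstation (listener?)"
    if ev.dport in SMTP_PORTS:
        if dst == TRUSTED_RELAY:
            return "allow", "mail via the trusted relay"
        return "alert", f"direct SMTP to {ev.dst}:{ev.dport} bypasses relay {TRUSTED_RELAY}"
    if dst in INTERNAL_NET:
        # Internal destinations, including the proxy on 3128, are expected.
        return "allow", "internal destination"
    if ev.dport in WEB_PORTS:
        return "alert", f"web traffic to {ev.dst}:{ev.dport} bypasses proxy {WEB_PROXY}"
    return "alert", f"unexpected outbound port {ev.dport} to {ev.dst}"


def audit(log_text):
    """Return [(Event, reason)] for every line the policy would alert on."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            verdict, reason = classify(ev)
            if verdict == "alert":
                findings.append((ev, reason))
    return findings


if __name__ == "__main__":
    for ev, reason in audit(SAMPLE_LOG):
        print(f"{ev.ts} {ev.direction:<3} {ev.src} -> {ev.dst}:{ev.dport}  {reason}")
```

Run against the constructed log it flags four of the six lines: the odd port 1337, direct SMTP to an external host, the inbound connection to the workstation, and HTTPS that did not go through the proxy. The proxy connection and the mail to the trusted relay pass, which is exactly why the proxy's own logs remain part of the job.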

Schneier's Password Safe comes with a virtual keyboard where instead of typing you click on the letters you want. This is more of security through obscurity because you are assuming the attacker isn't monitoring these actions. Really the problem is that you have been hacked and you need to remove the malware with an anti-virus.

rook
  • Antivirus would likely not solve this problem. More general anti-malware would have a (slightly) better chance... – AviD May 31 '11 at 12:15
  • @AviD♦ I disagree. If anything AVs err on the side of picking up too much, such as detecting NetCat as a virus, which is really annoying because it's such a useful "network Swiss army knife"; in fact it's too useful and that's why AVs pick it up. – rook May 31 '11 at 18:47

There is a book on this topic written by one of the top security leaders, Richard Bejtlich: How to detect data leaving your network - it's not an easy problem, and it really depends on your risk assessment. There are almost infinite possible ways someone can send data out, from a simple HTTP GET request, a direct connection, a reverse connection, to piggybacking on other connections and using covert channels.

The book is titled Extrusion Detection: Security Monitoring for Internal Intrusions

john

If you can't help but get infected, you can always just install KeyScrambler.

This is again, security through obscurity. It obviously cannot stop hardware keyloggers.

Chad Baxter

It may be more paranoia than anything, but I always do this before using any computer: check all the incoming and outgoing connections and the services running, from the terminal. If there is anything funny going on, you can start investigating it!

Legolas
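The check this answer describes is only useful if you know what "normal" looks like, so here is an added example (not from the answer) that diffs a socket snapshot against a known-good baseline. The snapshot is constructed in the column layout of `ss -tunap` on Linux; the host names, ports, PIDs and process names are placeholders for the example, and the baseline is something you would build from a clean machine yourself.

```python
"""Diff a socket snapshot against a known-good baseline (added example; constructed data)."""
import re

# Constructed snapshot in the column layout of `ss -tunap`; not real output.
SNAPSHOT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   ESTAB  0      0      10.0.0.51:49210    10.0.0.8:3128     users:(("firefox",pid=2210,fd=41))
tcp   ESTAB  0      0      10.0.0.51:49377    198.51.100.7:1337 users:(("helper",pid=3011,fd=5))
tcp   LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("helper",pid=3011,fd=4))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=640,fd=6))
"""

# Known-good baseline recorded from a clean machine (assumed for the example):
# (process name, socket state, local port for listeners / peer host:port for connections).
BASELINE = {
    ("sshd", "LISTEN", "22"),
    ("firefox", "ESTAB", "10.0.0.8:3128"),
    ("dhclient", "UNCONN", "68"),
}

# Pulls the process name and pid out of ss's users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_snapshot(text):
    """Return [(name, pid, state, port-or-peer)] for every socket line in the snapshot."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 7:
            continue
        _netid, state, _rq, _sq, local, peer, proc = cols[:7]
        m = PROC_RE.search(proc)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        # For listeners/unconnected sockets the local port matters; otherwise the peer.
        key = local.rsplit(":", 1)[1] if state in ("LISTEN", "UNCONN") else peer
        entries.append((name, pid, state, key))
    return entries


def deviations(text, baseline=BASELINE):
    """Sockets in the snapshot that are not explained by the baseline."""
    return [e for e in parse_snapshot(text) if (e[0], e[2], e[3]) not in baseline]


if __name__ == "__main__":
    for name, pid, state, key in deviations(SNAPSHOT):
        print(f"unexpected: {name} (pid {pid}) {state} {key}")
```

On the constructed snapshot the two `helper` sockets stand out: an established connection to an outside host on port 1337 and a new listener on 4444, which is the kind of thing the top answer's "listen" and "odd port" categories describe. Everything in the baseline is silent, so the output stays short enough to actually read each time.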