0

Is it possible to defeat software keyloggers?

I remember reading long ago about programs run from a USB which will defeat keyloggers.

The software works (if I remember correctly) by intercepting keyboard events to the system, and randomly replacing your keystrokes with random keys, and then counteracting the randomness with a backspace or copy and paste type algorithm.

Does this kind of software exist, and is it reliable? I'm sure a dedicated attacker could read his/her logs, but for use in a library or other public location this approach could seemingly work.

Rubber Duck
  • Obviously this won't help against hardware level keyloggers! – Rubber Duck Sep 13 '13 at 19:38
  • It's pure hogwash. If the browser (or whatever you're typing a password into) can reconstruct the password, so can the keylogger. (Except hardware keyloggers, in fact: this kind of scrambling can help against hardware keyloggers, assuming that what you type isn't the password but scrambles into it.) In fact, many keyloggers cut the middleman and grab the passwords directly from the browser (which depending on the techniques used may require fewer privileges than hooking into the keyboard event queue). – Gilles 'SO- stop being evil' Sep 13 '13 at 20:09

2 Answers

1

The generic issue with such countermeasures is that they defeat only some keyloggers, and are themselves defeated by the next generation of keyloggers. In this case, it would be easy for a keylogger to take into account the backspace events (the keylogger sees all keyboard events, so it sees backspaces) to rebuild the actual password. In fact existing keyloggers should already do that, because human users use the backspace key occasionally, too!

Another generic issue with an anti-keylogger software is that it is software. A software keylogger, in order to enact its malevolent functionality, must intercept keypress events, and this requires privileged access to the operating system, at least administrator-level. An evil piece of code which obtains such access will not necessarily stop there; it may also scan for the launch of known anti-keylogger software and deactivate it. Malware and viruses do that in general, against anti-malware and anti-virus software.

An additional reason why a keylogger would block out your envisioned anti-keylogger software is that keylogger writers generally dislike competition -- if they find other keyloggers from their fellow keylogger writers, they promptly kick them out. Your anti-keylogger software, from the outside, really looks like a keylogger, since it intercepts keypress events; it is then likely to be deactivated by another keylogger which just wants the monopoly of key logging.

Therefore, if software such as you describe exists at all, then it cannot be considered as reliable. It might enjoy some partial success against a few keyloggers, but this won't last.

Tom Leek
0

About the only consistent protection - other than all the usual precautions about protecting your computer from malware - is a hardware two-factor authentication dongle (à la SecurID).

This way if a software or hardware keylogger exists, your security has collapsed into one-factor authentication instead of zero-factor authentication.

The equivalent of a hardware dongle can be created by having a seeded pRNG on a mobile device, for example the Battle.Net authenticator. This assumes the malware is only on one of your computing devices - not both.

In either case, this protection from keyloggers is website-specific (or single sign-on equivalents) as the two-factor authentication needs to be recognised on the server-side.

Protecting the decryption of assets residing on the same device as the malware is impossible without some seriously compartmentalised hardware modules, or a weak malware infection to begin with.

LateralFractal
  • Preferably a decentralised two-factor authentication provider, as centralised providers can and [have](http://securology.blogspot.com.au/2011/03/rsa-securid-breach-initial-reactions.html) been breached before. I just can't think of any off-hand. – LateralFractal Sep 13 '13 at 23:11