25

I was wondering exactly how powerful keyloggers can be?

For example, if someone wanted to access his bank account (which of course is through HTTPS), he would "enter" his password using a combination of

  1. type
  2. delete
  3. highlight-delete
  4. highlight-drag-drop
  5. cut (from another program, etc.)
  6. copy (from another program, etc.)

and basically, you know, funny ways to foil keyloggers. I'm not very adept with keylogger technology, and I was wondering: are these attempts strong enough?

Or rather, what percentage of keyloggers would be foiled by these attempts at masking the password?


Of course I understand it is more critical that we apply "Methods of mitigating threats from keyloggers", but in this case assume that the user has not managed to block the tunnel that sends the attacker the password.

Pacerier
  • The site asking for the password could only ask for certain character (what is the second, third, and eighth character?). – DanBeale Oct 02 '11 at 10:40
  • @DanBeale I'm not understanding you Dan – Pacerier Oct 02 '11 at 13:23
  • I think Dan means something like this: Say your password is 'moose'. The site could say "enter the third character of your password, then a 'z', then the fifth character, then a 'q' ..." The user would enter "ozeq..." and a keylogger would get mostly gibberish. (If you want to get crazy, it could even say "then enter the letter before the second character of your password".) – David Schwartz Oct 02 '11 at 22:05
  • @DanBeale And how'd you implement password hashing then? "abcdefghijklm" doesn't give the same hash as "bch". You could generate the hashes of "bch", "abc", ... when the password is registered, but that'd be highly insecure, because if you then have a column in your database named `firstSecondandEight_character_of_password`, a hacker only has to brute-force 3 characters to know the first, second, and eighth characters of the actual password. If your password were then only 8 characters long, he just has 5 left. – O'Niel Jul 02 '16 at 23:01
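The partial-password challenge DanBeale and David Schwartz describe, together with the storage concern O'Niel raises, as an added example that is not code from any of the posters. It assumes a hypothetical server-side key and stores one keyed tag per password position; `exposed_positions` shows how much of the password a keystroke log accumulates across logged logins.

```python
import hashlib
import hmac
import random
import string

# Constructed demo key (hypothetical). Keep a real one in a KMS/HSM, not beside
# the tags: with the key, each tag is guessable one character at a time, which
# is exactly the objection to storing per-subset hashes.
SERVER_KEY = b"demo-server-key-not-for-production"
_rng = random.SystemRandom()


def _tag(position: int, char: str) -> bytes:
    """Keyed tag for one (position, character) pair; position is 1-based."""
    return hmac.new(SERVER_KEY, f"{position}:{char}".encode(), hashlib.sha256).digest()


def enroll(password: str) -> list:
    """Store one keyed tag per position instead of the plaintext password."""
    return [_tag(i, c) for i, c in enumerate(password, start=1)]


def make_challenge(pw_len: int, k: int = 3) -> list:
    """Pick k distinct positions, each paired with a filler letter to type after it."""
    positions = sorted(_rng.sample(range(1, pw_len + 1), k))
    return [(p, _rng.choice(string.ascii_lowercase)) for p in positions]


def build_response(password: str, challenge: list) -> str:
    """What the user types: requested character, then filler, for each item."""
    return "".join(password[p - 1] + filler for p, filler in challenge)


def verify(tags: list, challenge: list, typed: str) -> bool:
    """Check each requested position against its tag; wrong length or filler fails."""
    if len(typed) != 2 * len(challenge):
        return False
    ok = True
    for (p, filler), i in zip(challenge, range(0, len(typed), 2)):
        # Compare every item so a mismatch does not short-circuit the loop.
        ok = hmac.compare_digest(_tag(p, typed[i]), tags[p - 1]) and typed[i + 1] == filler and ok
    return ok


def exposed_positions(challenges: list) -> set:
    """Positions a keystroke log reveals after observing these challenges' responses."""
    return {p for challenge in challenges for p, _ in challenge}
```

With a 5-character password, two logged logins asking for positions {3, 5} and {1, 2} already expose four of the five positions, so the scheme limits one login's leakage rather than preventing recovery over time.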

3 Answers

31

Malicious software that only logs keyboard strokes rarely exists in the wild. Most key loggers for graphical interfaces (e.g. Windows) are more sophisticated and log all user interaction including mouse, copy and paste events by hooking into the operating system.

Key loggers are normally a small subset of a rootkit that may also include the ability to act as a man-in-the-middle (MITM) and capture your credentials or session information without logging any key strokes.

The best way to foil key loggers is not to have them.

Ninefingers' answer on "Methods of mitigating threats from keyloggers" has good recommendations, e.g. monitor network traffic, use an intrusion prevention system (IPS) or intrusion detection system (IDS).

In addition I would add:

  • Avoid logging into websites/accounts using computers that you don't have control over, e.g. at work or at a friend's or parent's house.
  • Avoid installing software that is not from a reputable source. Use digital signatures and file hashes.
  • Be aware of what applications and services run on your computer. While rootkits do stealth themselves, making them hard to detect, knowing what should be running is definitely an advantage.
  • Use two-factor, specifically one-time-password (OTP), authentication to websites where possible. In the specific scenario of Internet banking, financial institutions often offer a token- or SMS-based service that provides a password or number that can only be used once.
  • Use protected mode browsing that disables browser plugins or scripts.
  • Use low-security accounts for normal activities.
  • Apply security updates.
  • Change passwords regularly.

And while this does not prevent key loggers, back up your files regularly. I say this because if you suspect that you have a rootkit, then you should wipe your installation and restore only the data you need.

Bernie White
  • Upvoted. The two-factor OTP authentication dot point is by far and away the most durable of the recommendations. About everything else relies on the same precautions as any malware. – LateralFractal Sep 14 '13 at 00:30
  • "Change password regularly" seems OK from a key logger threat point of view. From a password management point of view it is debatable, since regular changes will result in using simple passwords, unless a password manager is used. So it's a trade-off. – Dick99999 Jun 18 '14 at 09:27

15

I was wondering exactly how powerful keyloggers can be?

Extremely powerful. But the use of the term keylogger can be distracting, so let's explore what a keylogger is.

Back many decades ago, computers had very small hard drives and little RAM, but lots of various cables and assorted adapters. The keyboard was connected to the computer tower with a 5-pin connector known as an AT/XT connector, because they were designed for the IBM AT, IBM XT, and clones. An 11-bit message was sent from the keyboard to the computer. The Integrated Circuit (IC) used to read the keyboard codes was widely available. A hardware keyboard signal recorder was easily made. Graphics were poor, and a mouse would not become a standard input device until the IBM PS/2 four years later.

As computers evolved they became more powerful and had greater capacity for storage. What originally made hardware-based keyboard recorders attractive was that they provided an easy method for retrieval of the recorded information, as opposed to a floppy. When computers became networked machines (even if the network was made of analog phone modems), the network became a more attractive retrieval mechanism. Additionally, it was now possible to attack computers to which you had no physical access. This generation of keyloggers tended to be software trojans that looked specifically for passwords. They targeted AOL, Novell Netware, and other network access programs.

In the modern age, where computers are always on and always connected to a network, the keyloggers are more insidious. Now an attacker can simply watch what data you send on the network to look for unencrypted passwords. Keyloggers don't bother reading what the keyboard sends to the computer; instead they look for the final product sent from the machine. They are harder to find, as they may hide among any of several running processes on your machine. Take a look at all the processes running on your machine (including the threads, if you know how). The software to identify a password and record it may be very small.

But modern keyloggers are not limited to a few hundred or a few thousand bytes. They can send millions of bytes and record everything from account numbers to e-mail addresses to IP addresses and more. They can be adaptive and discover linked information, making the connection between a web address and a file used to store passwords. In fact, most malware does not limit itself to searching and transmitting user input. Keyloggers are more typically part of a fuller malware suite that includes a wide range of nastiness.

techraf
this.josh
5

Consider that the keylogger can simply wrap the UI component used by the browser to render the password input field. None of the tricks you have listed will prevent it from getting your password.

Michał Šrajer
  • I do know that these tricks won't foil the keyloggers that do these things, but my question was more: are or aren't most keyloggers *weak*, in the sense that these tricks would effectively make them useless? – Pacerier Oct 04 '11 at 07:20