How do I detect keystroke loggers in a reliable way?

I've always had a problem typing my passwords in on computers I don't trust (think non-technical friends computers) and although I can usually avoid doing it, there are times when I still need to use them. My main concern is having my passwords stolen by a keystroke logger.

So my question is - is there a reliable way to detect keystroke loggers?

I know of hardware keystroke loggers like KeyGhost but I'm mostly interested in software based ones.

gacrux

Posted 2009-07-17T11:53:12.017

Reputation: 1 611

See also Reliable software keylogger detection? on Server Fault: http://serverfault.com/questions/39445/reliable-software-keylogger-detection

– Arjan – 2009-07-17T14:22:47.543

Answers

Following the change of emphasis of the title of the question to "How do I detect keystroke loggers in a reliable way?" much of my answer below is irrelevant. In short, I do not believe you can detect keystroke loggers in a reliable way. There are some ways to detect some of them, some countermeasures to limit their effectiveness and some ways to bypass them, and I discussed some of these in the rather dated answer below, but there is no reliable way to detect them. Have a read at the Wikipedia article on keylogging methods and countermeasures.

Not an easy problem.

Software keylogging

Bypassing software that picks up keycodes as keys are pressed and released can be done by using on-screen keyboards or cut and paste from screen-based data but that will not work with software working at lower levels (at some point the operating system has to feed the "simulated keypresses" to the application waiting for input).

The risk can be further reduced by using an operating system that is less likely to be a target for keylogging software attacks.

If this really matters and the hardware is clear of logging devices then booting a read-only copy of a known clean operating system (e.g. a checksummed live CD or DVD) is worth considering if the hardware/network owner permits this and the CD/DVD contains the applications you need and you know the setup parameters needed (passwords and data could be on an encrypted USB stick mounted, in a Unix-like system, to not allow file execution). Using your own hardware/software, following good security practices and rebuilding regularly from clean, trusted, checksummed media is another way forward.

The suggested mechanisms aim to reduce the risk of having keylogging software on the system. If a keylogger gets onto a system then a strong firewall policy may detect a keylogger attempting to send data back to its 'owner' over the network but that often assumes an onerous manual involvement in the firewall process (e.g. tuning the system to allow specific applications to use specific IP ports and addresses). Finally, as well as a keylogger on the system, some of what has been typed in may be visible if the data is transmitted over a network or the physical integrity of the filesystem is compromised. How these can be mitigated is beyond the scope of this question but must be included when considering application and system integrity. However, monitoring the network can show whether sensitive data is normally transmitted and also help to identify unexpected transmissions.

One-time passwords, changing passwords quickly if they might have been compromised, the use of keylogging software detectors (software that scans the PC looking for the signature of known keylogging software) are also amongst the possible countermeasures but all countermeasures have weaknesses.

Hardware and other keylogging

Whilst outside the immediate scope of your question these needs to be borne in mind. They include observation of network flows, devices connected between the keyboard and the PC, over-the-shoulder snooping, video cameras, acoustic or electromagnetic or vibration monitoring (e.g. see TEMPEST measures) or examination of RAM contents for information, if someone is interested enough in what you might be typing. Detection of these ranges from easy to impossible.

General

There is a helpful article on Wikipedia on keylogging methods and countermeasures that is well worth reading.

mas

Posted 2009-07-17T11:53:12.017

Reputation: 2 431

1Remember that it's easier to format your USB drive NTFS or ext2/3/4 rather than FAT32 - it might be slower, but it supports UNIX permissions properly - so you can set the default in FSTAB to be no-exec. – Lucas Jones – 2009-07-18T09:21:02.620

Thanks for the comprehensive answer, after understanding the issues my solution will be to use a pocket os (like SLAX). – gacrux – 2009-07-19T20:51:14.463

It's not an easy problem, as Wikipedia goes into, and "reliable" seems to be out of reach so far. Some people are giving it a shot, though (complete with language about "100% efficient and reliable", which makes me take everything they're saying with a large bag of salt).

chaos

Posted 2009-07-17T11:53:12.017

Reputation: 1 599

@chaos Get this anti-keylogger for *FREE!* It's a great price of only $9.99! – Mateen Ulhaq – 2011-08-28T19:25:35.033

3"Every successful test worked." – GalacticCowboy – 2009-07-17T14:19:11.417

2Sixty percent of the time, works every time! – chaos – 2009-07-17T14:22:54.283

One way to defeat keyloggers is to type in your password with some extra characters, then use your mouse to select the extra characters and delete them. Since the keylogger is just recording keypresses it'll get a non-functioning password out of it.

ale

Posted 2009-07-17T11:53:12.017

Reputation: 3 159

3Yeah, but your password is still in there, and someone looking over the keylogger's captured text probably wouldn't take too long to figure it out. But you could type the characters of your password in random order, though, and rearrange them with the mouse... and that's where interspersing some extra characters would be useful. – David Z – 2009-07-17T20:00:25.340

Don't type the characters in. Copy them from a browser or a text file, or from the character map (on Windows it's charmap.exe). Charmap will even let you queue up several characters, so you don't have to do it one by one... if you're sure no one is shoulder surfing you.

stone

Posted 2009-07-17T11:53:12.017

Reputation: 1 187

-1

For security, what I do is I have secure passwords of sometimes upwards of 70 characters. Then, if for example, it is on Windows setup, I will alternate between the fields of ENTRY and RE ENTRY.

On top of this, I will click or arrow backwards and insert characters (ie. I will never type my passwords sequentially [if I am concerned for security])

You could also type off screen, if you are worried about the key logging.

I use a combination of letters, numbers, and symbols and generally section them off into blocks. These blocks I then assign the number value of how many characters are contained in that block for purpose of implementing and keeping track of the previously mentioned method of clicking and arrowing as it can get confusing. Sorry if that isn't too clear, I will clarify section as needed.

So, lets say you section your password off into 16 components of varying (or consistent string lengths). I section those 16 components off into rows of 4 and implement from there. Also, when setting up passwords, I don't implement the order of those 4 rows the same way as I do in either password entry field. This is what I consider to be reliable security, and for any one to be able to deduce what your password is will take enormous amounts of effort, if possible at all.

upandouttherabbith0le

Posted 2009-07-17T11:53:12.017

Reputation: 5

-3

There are many ways in this. And many good guids on the subject. Wikipedia is one. Ehow has one.

This is my favorite guide.

http://cognitiveanomalies.com/simple-ways-in-detecting-key-loggers/

David Ward

Posted 2009-07-17T11:53:12.017

Reputation: 1

That link nowadays points to parked domain. – Axel Beckert – 2017-01-31T20:44:40.150

2Having a link is nice, but please include the most relevant details here! Thanks! – slhck – 2012-03-10T14:48:07.367