Kaspersky on Keyloggers

Kaspersky Lab released the first of a two-part report about keyloggers, which pose a considerable threat when they go undetected.

Keyloggers are increasingly used as a preferred method of gathering sensitive information. They're also growing in sophistication, with the ability to monitor Web site use and log keystrokes only when someone is visiting sites that interest whomever installed the keylogger.

According to Kaspersky's report, the Mydoom worm was unleashed on the public January 24, 2004. The worm installed a Trojan horse onto affected systems and, among other features, had built-in keylogging capabilities that stole credit card numbers and other sensitive information. Mydoom quickly escalated into one of the worst infections in Internet history. Several other historical instances offered in the report provide insight into the disastrous results of keylogger infiltration.

A report published by iDefense in November 2005 showed that in 2004, more than 3700 keyloggers were detected in various malware packages. That number nearly doubled in 2005 to well over 6000 keyloggers (in 2000 only 300 keyloggers were detected). A report published by Webroot in March 2007 revealed that of the companies it surveyed, 20 percent reported pharming and keylogger attacks.

Kaspersky's report points out that keyloggers can be constructed in a variety of ways: "[Recording keystrokes] can be achieved using video surveillance; a hardware bug in the keyboard, wiring, or the computer itself; intercepting input/output; substituting the keyboard driver or the filter driver in the keyboard stack; intercepting kernel functions by any means possible [such as] substituting addresses in system tables, splicing function code, etc.; intercepting DLL functions in user mode, and finally, requesting information from the keyboard using standard documented methods."

The report goes on to explain various techniques that can be used to protect against keyloggers. For example, the use of one-time passwords goes a long way in offering protection because even if intruders gather other sensitive information, they won't have access to the password generating device. The use of detection tools is also required to guard against software-based keylogger infiltration.

The first part of the article, "Keyloggers: How they work and how to detect them (Part 1)," is written by Nikolay Grebennikov at Kaspersky and is available in HTML format on the company's Web site. The company said that the second part will be posted in mid-April.