In my last post I gave a brief introduction to what a keylogger is. In summary, a keylogger is a piece of hardware or software that records your keystrokes (usually without your permission). This post is going to look explicitly at software keyloggers.
In this post I'm also not going to cover any of the free keylogger software available out there, for three reasons:
- Most of it is old.
- Most of it is very clunky.
- It's easily detected by antivirus.
Instead I'm going to focus on keylogger code.
What is a Software Keylogger?
A software keylogger is different from the hardware keyloggers we covered here. Software keyloggers perform essentially the same function as hardware keyloggers, in that they log keystrokes; however, whereas hardware keyloggers require a dedicated device, software keyloggers only need to be written to run on a victim's operating system. Software keyloggers also usually have more features built in than hardware keyloggers. For example, it's quite common for software keyloggers to also take screenshots, or in some cases even record video, at periodic intervals and send them back to a remote server; this would be quite difficult to do with a hardware keylogger.
As fields like virtualisation and, more recently, containerisation have advanced over the last decade, software keyloggers have grown in both complexity and functionality. There are now kinds of keyloggers which run explicitly from virtual machines, or which can detect when they have infected a virtual machine and act accordingly.
Keyloggers are actually quite easy to find on the internet. A quick Google search provides a goldmine of information you can use to create your own keylogger. Most of these examples are in Python or C++; here are a few of the best ones:
GitHub is an absolute treasure trove for keyloggers. I have listed a few examples below, but it's also good to look at botnet or trojan code to see how they do keylogging, as in some cases they might have a more efficient system than some of the ones below:
A few months ago I modified a C++ keylogger and installed it on a virtual machine. Here's some sample output:
In a nutshell, once started, all keys are logged to a file in C:\WINDOWS called KeyboardServices.txt. Getting the whole thing running, from looking at some code samples and chopping and changing some bits, took an hour.
I'm still fixing up some issues where it logs special characters as "Unknown Character". It makes deciphering text that little bit easier, but it could get in the way if you're trying to sniff passwords and all the special characters are coming up as "Unknown Character".
If I ever set up GitHub I'll be sure to upload it and make a reference to it here.
Protecting Yourself from Software Keyloggers
Just like protecting yourself from hardware keyloggers, many of the same rules and tips apply, but I have included a few extra here:
- Always check any computer you are using for any strange peripheral devices.
- Make sure you thoroughly check any PCs or devices you purchase online to make sure you haven't received any "bonus extras".
- Regularly audit your PC for peripheral devices.
- Use air-gapped machines for any business or sensitive admin tasks.
- If you have to use a machine whose level of security you don't trust, enter sensitive information out of order, using the mouse cursor to reposition the caret.
- Use a key scrambler program.
- Use antivirus regularly; most antivirus products detect keyloggers quite easily.
- Use additional anti-malware / keylogger detection software.
- Periodically audit system locations for any suspicious files. The keylogger I wrote stores the keystrokes in the Windows folder; many others may do the same or similar.
- Use a password manager app to avoid keying in your password repeatedly.
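As an added example (not code from the post), here is a small Python audit in the spirit of the "audit system locations" tip above: it compares the top level of a Windows directory against a constructed known-good baseline and flags recently modified log-like files such as the KeyboardServices.txt drop file described earlier. The baseline file names and the log-like extensions are assumptions for the example, and the sample directory is constructed in a temp folder so it runs offline.

```python
import tempfile
import time
from pathlib import Path

# Constructed allowlist of file names normally present in the root of the
# Windows directory (assumption for this example; a real audit would snapshot
# a freshly installed, known-clean machine and keep that list read-only).
KNOWN_FILES = {"explorer.exe", "notepad.exe", "regedit.exe", "win.ini", "system.ini"}

# Extensions a keystroke drop file is likely to use (assumption).
LOG_LIKE = {".txt", ".log", ".dat"}


def audit_system_dir(path, known=KNOWN_FILES, recent_hours=24, now=None):
    """Return sorted (filename, reason) pairs for top-level files in `path`
    that are outside the baseline or look like a log written recently."""
    now = time.time() if now is None else now
    findings = []
    for entry in Path(path).iterdir():
        if not entry.is_file():
            continue
        reasons = []
        if entry.name.lower() not in known:
            reasons.append("not in known-good baseline")
        # A live keystroke log is rewritten constantly, so a fresh mtime on a
        # text-like file in a system folder is worth a second look.
        age = now - entry.stat().st_mtime
        if entry.suffix.lower() in LOG_LIKE and age < recent_hours * 3600:
            reasons.append(f"log-like file modified in last {recent_hours}h")
        if reasons:
            findings.append((entry.name, "; ".join(reasons)))
    return sorted(findings)


def make_sample_dir():
    """Constructed sample layout for offline testing: two baseline files plus a
    keystroke log named like the one described in the post."""
    base = Path(tempfile.mkdtemp()) / "WINDOWS"
    base.mkdir()
    for name in ("explorer.exe", "win.ini"):
        (base / name).write_bytes(b"\x00")
    (base / "KeyboardServices.txt").write_text("hello wor[Unknown Character]ld\n")
    return base


if __name__ == "__main__":
    for name, why in audit_system_dir(make_sample_dir()):
        print(f"{name}: {why}")
```

On a real machine you would point audit_system_dir at the Windows folder and keep the baseline somewhere the audited machine cannot rewrite.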
As always, please let me know if you found this article useful or if you didn't. Don't forget to like this post or leave a comment below to let me know another area you would be interested in reading about. Thanks for your continued support! Until next time!
In my last post, which you can read here, I used a tool called Veil to bypass the antivirus on a test machine and create a backdoor from which I could remotely issue commands to that machine. Unfortunately, many people will add this incident to their list of reasons why antivirus doesn't provide any value anymore; some will even argue that antivirus never added any value in the first place and that we should boycott the use of antivirus, or at the very least distance ourselves from it. I am not one of those people.
The misconceptions: Where they come from
To uneducated users, antivirus is marketed and sold as a silver-bullet solution to any computer security issue; as sad as I am to say it, this is not true. Antivirus is only one piece of a security solution. Unfortunately nobody ever told the antivirus marketing departments, because they keep publishing ads like the one below, which do nothing to erase the misconception end users have developed about antivirus:
One of the problems the industry has, which is evident in the video above, is that due to the highly technical nature of how viruses and antivirus solutions work, there is an over-reliance on metaphors to convey "how it works". While most complex fields have this problem too, they are not marketed anything like antivirus is. What these metaphors do is create a perception that antivirus is omnipotent at eliminating security threats; after some experience and research, users find out that this is not the case, and a select few start to condemn antivirus as vapourware.
How it is sold: Antivirus
Bruce Schneier has spoken about trust-based versus fear-based selling within information security. He proposes that the information security business should aim to sell products and services based on trust rather than fear; while some companies do sell goods and services on trust, there is still an overwhelmingly high proportion of organisations which sell their products on fear.
I don't want to pin the blame on organisations for using fear-based selling. Recent events make it impossible to sell products on a trust basis, but these same events make it very easy to sell to users based on fear. It's likely that these same events will have a major, measurable impact for years to come.
In any case, I believe we should look at promoting and educating the public about the more integrated and interesting information security picture. By this I mean the range of security tools and how they work; some examples are listed below (please note, however, that some of these are enterprise tools and there's a good chance you won't need them on your personal devices):
- Mail filters
- Parental controls
- Identity management systems
- Privileged identity management systems
- Container-based isolation
- Rootkit protection
- Secure coding
- Memory protection
- Hardware protection
- Application architecture
- Regular updates and bug fixes
- Good old-fashioned suspicion and common sense
Why we shouldn't boycott antivirus and why it still matters: Antivirus
Why shouldn't we boycott antivirus? Two simple reasons. Reason one: it actually helps us. While new malware is being created at an astounding rate, antivirus firms are also working on signature-based and behaviour-based techniques to identify the new malware out there so that they can incorporate that into their products. While the odds are stacked against them, they are continually working on improving their products for you, their customer.
While this does sound a little reactive rather than proactive, most antivirus products will detect hundreds of thousands of threats. Even though there is an unknown, yet considerably larger, amount of malware out there, why would you not let antivirus take care of the threats it does know about for you?
A lot of the colleagues I have worked with prefer to use virtual machines to run suspicious programs and files, as opposed to antivirus. While this is a good practice, it's also good to do this with antivirus, because there is a range of sophisticated malware out there which can detect whether it's being run on a virtual machine or a physical machine and respond accordingly. This malware is called blue pill malware, aptly named after the sequence in The Matrix where Morpheus offers Neo the blue pill (accepting the illusion) or the red pill (facing the hard truth).
Blue pill malware is just one example, but ultimately what I would like readers to take away from this post is that antivirus is just one tool for fighting cyber criminals, just as firewalls are another, and sandboxing and containers are another. We should use all of these tools (or as many as possible) in unison to fend off cyber threats. As I mentioned earlier, antivirus is useful, but it is being marketed as the tool for everything, not just one tool in an extremely large set of tools. This marketing decision does take away from antivirus, as its inflated potency is unable to live up to reality, and this makes people understandably upset.
Reason two: we shouldn't boycott antivirus or the industry because of how much the AV industry contributes to InfoSec in general. Look at how much the antivirus industry gives back to InfoSec; below is a breakdown of some of the many contributions the AV industry has made, either directly or indirectly, to InfoSec:
- First off, small improvements are being reintegrated into the antivirus analysis process by researchers every day (i.e. every enhancement these companies make to their internal processes and procedures helps you).
- The industry hires a lot of talented and smart people to attempt to solve some of the bigger and more threatening issues in the industry. Much of this is done through research papers published by researchers working on these problems for antivirus companies.
- In addition to research papers, antivirus companies and threat researchers are, as part of their work, developing products and solutions to other security problems; many of these are passed on to you, the customer, where appropriate.
- Antivirus firms are often the only ones looking into assisting dissidents who have been infected by advanced or undetected malware, which may have been created and sent to them by nation states. In today's world this is not something that tech companies are going out of their way to do; in many cases they may be working against their own governments.
- Antivirus companies have lent resources and people to help break down cybercrime rings. Symantec has been extensively referenced in a number of academic papers and articles where a combination of law enforcement personnel and academics have infiltrated and taken down botnets. You can read one here, from just two days ago.
I rewrote this post a number of times because I felt important information was missing. While I still feel that to some degree, I feel this version of the post best articulates why antivirus is still useful and can provide you with a measurable level of protection for your devices. I would like to stress that antivirus is not a silver bullet for security issues, but I think that in the future, as we get closer to a silver bullet, the antivirus products you use and the work done by AV companies will be a big part of it.
As always, please let me know if you found this article useful or if you didn't; leave a comment below to let me know another area you would be interested in reading posts about.