Monday, October 22, 2007

KEY LOGGER - A Malicious Tool


Introduction:

Keyloggers are spy software used to record the keystrokes made on a victim's system. They are tools that enable an attacker to keep a record of the victim's activities.

Common type of Attacks

Once the keylogger is installed on the victim's computer, it can be used for the following malicious activities:

  • Accessing the content of confidential emails and documents.
  • Recording passwords, credit card numbers, accounts, IDs, etc.
  • Pilfering software programming code.
  • Finding out vital information regarding tender prices and future business plans.
  • Capturing screenshots.
  • Invading privacy.
  • Stealing passwords and other intellectual property.

Working

Keyloggers originally began as a tool for playing pranks on unsuspecting individuals, but they were soon put to a number of malicious purposes. The working is as follows:

1. The keylogger is installed on the target victim's system through deceit or disguise. Some of the popular methods of doing this are as follows:

i. E-mail: Sending the keylogger file as an attachment to an email addressed to the victim. The problem with this method is that, most often, the victim may not open the infected attachment.

ii. Auto-run CD-ROMs: Burning the keylogger onto a CD-ROM and then using the auto-run facility of the CD to automatically execute/install the keylogger the moment the CD is inserted into the tray.

iii. Instant Messenger: It is also possible to send the keylogger over an instant messenger, disguised so that it looks like a normal, legitimate file.

iv. Physical Access: Physical access to the victim's system gives the attacker an opportunity to install the server part of the keylogger manually.

v. EXE Binders: These binders are tools that allow the user to bind two .EXE files together into one file in such a way that the working of neither file is affected. So, the attacker binds or conceals the keylogger inside a legitimate .EXE file. The container .EXE file is usually chosen to be irresistible to the victim, such as a pornographic video or a greeting card. The keylogger is hidden inside this tempting file, and when the victim opens the combined file, while the pornography or greeting card is being shown on screen, the keylogger is being installed in the

2. The keylogger, once installed, works in the background of the victim's system and records all keystrokes or screenshots in a log file. The recorded information is then automatically mailed at regular intervals to a predefined email address set by the attacker.

3. It is also possible to configure an auto-destruct feature into a keylogger so that it automatically destroys itself at a predefined date and time, leaving little evidence behind.

Detection

The following are some of the most common techniques for detecting the presence of a keylogger on a victim's computer:

  • Suspicious open ports: This is difficult to detect, as the port opens only when the log file is mailed. This is the main difference between a keylogger and a Trojan: in the case of a Trojan, the port is open all the time.
  • Detection tools: Many tools allow a system administrator to detect keyloggers. Most anti-virus tools also look for keylogger installations.
  • Start-up files: A keylogger is most dangerous when it gets loaded into memory every time the victim's system boots. For this to happen, there has to be a reference to it in some start-up file.
  • System files: The two system files win.ini and system.ini have sections from which all programs that are referenced get executed.
  • Registry: There is another place to look for a keylogger program reference: programs that run at start-up are also referenced under a Registry key.
  • Monitoring outgoing traffic: What is most dangerous about a keylogger is that it covertly emails the logged keystrokes to the attacker's preset email address. Hence, by blocking all malicious outgoing email it is possible to guard against keyloggers. The administrator should look for illegitimate activity around the external mail servers, i.e. SMTP on port 25.
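
As an added illustration of the start-up file and system file checks above (not code from the original post or from the referenced book), the following Python parses win.ini and system.ini contents and lists every program they would start at boot; the file contents and the program name C:\Temp\svchost32.exe are constructed sample data, not taken from a real host.

```python
import configparser

# Constructed sample contents of win.ini and system.ini (not captured from a
# real host). The [windows] load= and run= keys and the [boot] shell= key are
# the places these two files can start a program at boot.
WIN_INI = """[windows]
load=
run=C:\\Temp\\svchost32.exe
[fonts]
Arial=arial.ttf
"""

SYSTEM_INI = """[boot]
shell=explorer.exe
"""


def parse_ini(text):
    # strict=False tolerates duplicate keys, which legacy .ini files often have
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return cfg


def startup_references(win_ini_text, system_ini_text):
    """Return (file, key, value) for every program these files start at boot.

    A non-empty load= or run= entry, or a shell= other than explorer.exe, is
    worth inspecting: ordinary software installs rarely use these keys.
    """
    findings = []
    win = parse_ini(win_ini_text)
    for key in ("load", "run"):
        value = win.get("windows", key, fallback="").strip()
        if value:
            findings.append(("win.ini", key, value))
    boot = parse_ini(system_ini_text)
    shell = boot.get("boot", "shell", fallback="explorer.exe").strip()
    if shell.lower() != "explorer.exe":
        findings.append(("system.ini", "shell", shell))
    return findings


if __name__ == "__main__":
    for finding in startup_references(WIN_INI, SYSTEM_INI):
        print("start-up reference in %s: %s=%s" % finding)
```

Run it against copies of the real files from a suspect machine and compare every listed path against what is actually installed there.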

Countermeasures

After a keylogger has been detected, the system administrator needs to remove it from the system. This can be done in the following manner:

  1. There are many keylogger/spyware removal tools that can be downloaded and used to remove the most common keyloggers. One should remove not only the keylogger but also the reference to it from the start-up files.
  2. Never accept or execute any files sent over mail, chat, etc.
  3. Because EXE binders allow an attacker to join two .EXE files, the harmful keylogger file may be embedded inside a normal, harmless .EXE file. This keylogger cannot be detected and only increases the file size by a certain number of bytes. Therefore, be careful and only download software from the Internet from the original developer's website.
  4. A more effective countermeasure against keylogger activity is installing a firewall on your computer to monitor and log all port traffic, especially SMTP port 25, the mail server port used to send log files to the attacker via mail. This enables you to detect and trace keylogger exploitation attempts.
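
The firewall-logging countermeasure above and the outgoing-traffic check in the Detection section can be applied offline to a saved log; the Python below is an added example, not code from the original post, that runs over constructed firewall log lines (the line format, the addresses and the approved relay 192.168.1.5 are all assumptions) and flags hosts that send mail on port 25 to anything other than that relay.

```python
import re
from collections import Counter

# Constructed firewall log lines (not from a real device). Assumed format:
# "<date> <time> ALLOW TCP <src ip>:<src port> -> <dst ip>:<dst port>"
FIREWALL_LOG = """\
2007-10-22 09:01:12 ALLOW TCP 192.168.1.20:3345 -> 192.168.1.5:25
2007-10-22 09:03:40 ALLOW TCP 192.168.1.37:4021 -> 203.0.113.9:25
2007-10-22 09:04:01 ALLOW TCP 192.168.1.37:4022 -> 198.51.100.4:80
2007-10-22 09:33:41 ALLOW TCP 192.168.1.37:4031 -> 203.0.113.9:25
2007-10-22 10:03:39 ALLOW TCP 192.168.1.37:4044 -> 203.0.113.9:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ALLOW TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def outbound_smtp(log_text, mail_relay):
    """Return (timestamp, src, dst) for each TCP/25 connection that bypasses the relay.

    Legitimate mail clients talk to the organisation's own relay; a keylogger
    mailing its log file typically connects straight to some outside server.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it rather than guess
        if m["dport"] == "25" and m["dst"] != mail_relay:
            hits.append((m["ts"], m["src"], m["dst"]))
    return hits


def repeat_offenders(hits, threshold=2):
    """Hosts seen contacting an unapproved SMTP server at least `threshold` times.

    A keylogger mails its log on a schedule, so the same source recurs.
    """
    counts = Counter(src for _, src, _ in hits)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = outbound_smtp(FIREWALL_LOG, mail_relay="192.168.1.5")
    for ts, src, dst in found:
        print("%s  %s -> %s:25 (not the mail relay)" % (ts, src, dst))
    print("repeat offenders:", repeat_offenders(found))
```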

Reference: Ankit Fadia's book on ethical hacking

YUSHAE'S TECHBUZZ