It's been a while since I last interacted with a keylogger. Many years ago, I used a tool called HookDump to log all the keystrokes. It turned out to be a very efficient solution against frequent power surges. If there were problems with the power grid (this was a common phenomenon in those days), I didn't lose anything, because the logs had it all. Another use of the program was "logging where there is no logging": I like to keep records of everything I do, whether it is instant messaging, or email, etc. If an application I use does not support logging, a keylogger is an elegant solution. A keylogger also helped me to retrieve several passwords I forgot, which was pretty cool. (Ok ok, I admit that a couple of friends checked their email on my computer, so I accidentally had their passwords too, but I never used them, really) :-)
But those days are long since gone.
- The state economy is better, there is no energy crisis, the chance to get into power trouble is minimal;
- I recently switched to a laptop anyway, so power problems are 100% out of the question;
- All the applications I use support a history mode, which dumps all the activity to a plain-text log file;
- There are great password management tools that solve the "forgotten password" type of problems;
This is what made keyloggers obsolete.
"Hold on buddy!" is the first thing that comes to your mind, isn't it so? And you're right!
Today keyloggers have turned into a real problem. Sure, I found a peaceful use for such tools, but nowadays they are much more popular among people with negative intentions, creating tens of thousands of victims all over the planet. This is why keyloggers can be extremely dangerous. Unlike phishing scams, keyloggers operate at a lower level, allowing the attacker to gather all your passwords and private details, not only those that you fill into the forms of a fake site. Because of that, each of us has to make sure that:
- Their computer is 100% keylogger-free;
- The chance of identity theft is minimized (or null);
- Or at least make sure that the attacker will have to spend a hell of a lot of time to actually find your password (in case you had to use a public computer);
The purpose of this story is to teach you how to achieve the previously stated objectives with your bare hands (i.e. without paying for expensive software that is supposed to do the dirty work for you).
Using the on screen keyboard
This is probably the easiest thing to do. Many people ask for security-related applications to have a built-in virtual keyboard so that they can enter passwords without using the physical keyboard. Only a few people know that such a utility comes with Windows: OSK, the On-Screen Keyboard.
It can be launched in an easy way:
- Press Start\Run;
- Type osk;
- Press Enter;
Ta-da! If you've done things right, then this window will appear on the screen.
You can use your mouse to click on buttons, and the keystrokes will be reflected in the currently active application. Note that the on screen keyboard will not steal the focus of the current application, in other words, when you press a virtual key, the keystroke will be directed to the window you expect it to. Just give it a try and see how it works.
Another use for the on screen keyboard: it's an easy way to find out which special characters are available in the current keyboard layout, and which buttons you need to press in order to type those characters. Have you ever wondered how to type an umlaut using a standard keyboard? The same applies to French-specific letters, Romanian ones, and so on.
The pros of using the on screen keyboard:
- Simple keyloggers are fooled;
- Can be used for typing passwords with non-standard characters in them;
- Can be used for typing passwords in a foreign language (have you tried to type in Russian on a keyboard that only has English labels on the buttons^?);
- You can impress your friends;
The cons of using the on screen keyboard:
- Mouse-clicking is usually slower than actual typing, so somebody who stands by you can see your password with ease (unless you're an expert mouse-clicker);
- Smart keyloggers will still get your password;
- It does not exist in all Windows versions (2000 and above only);
- Smart malware can be programmed to disable the on screen keyboard;
What makes a smart keylogger? Well, some of them have an option which writes the final content of the window to the log file. In other words, if a web page has 5 fields and you fill them in (the keystrokes are logged, or not logged if you use the on screen keyboard), then as soon as you press the Submit button, the text in all those fields will be logged. This makes things a bit more complicated for the attacker, as he or she will have a lot of redundant data in the log. But hey, wouldn't you take your time to carefully read a 100 page log if you knew that somewhere in it is a key that will bring you a fortune?
Which is why we move on to the second method of "bare hands anti keylogging".
Mouse::highlight & overwrite + arrow keys
This method is pretty efficient, being able to trick both simple and advanced keyloggers. It will also exert greater psychological pressure on the attacker, getting him or her frustrated very fast.
Here's how it works, as shown in the demo:
In the first line you see the real password, in the second line is the field in which the password is typed; the yellow tooltip will illustrate the current contents of the log.
As you can see, the keylogger will write a lot of characters to the log, even though those characters are not a part of the real password. Of course, the attacker cannot find out which characters are needed and which ones are redundant.
The pros of using this kind of keylogger protection:
- Both simple and advanced keyloggers are fooled;
- The logs cannot be processed automatically, requiring a human to actually read them and try to understand what is happening. An attacker gets frustrated very fast, so it is very possible that your password will remain unrevealed;
- Even if the log was read by a human and a password was obtained, it is very likely that it is an incorrect one. When somebody tries that password, access will be denied, making one conclude that you didn't know the right password yourself (thus the attacker will switch to the next victim);
- Does not require any additional utilities or system configurations;
- Works in any operating system, any application, any type of form, and so on;
- You can impress your friends;
The cons of using this kind of keylogger protection:
- You can easily get confused; don't forget that in the real world, characters are masked with asterisks;
- It takes a lot of time before you are skilled enough to apply this technique;
- Smart keyloggers can make things easier for the attacker (but you can apply an alternative strategy to protect yourself better);
What makes a smart keylogger? As in the previous case, the keylogger might store the final contents of the field in a separate location, rendering all the wizardry useless. But this is still good news for you, because the logs will contain information which contradicts itself, thus the evil person will have to personally try each possible option. Of course, we live in the real world, where people are too lazy to do something. This tiny detail will always work for you. Keep in mind the fact that the attacker probably needs to read a ton of other material in search of passwords and other private details; if there is a minor barrier, the person will switch to a different task (which appears to be easier).
Here is a small story that fits into the context:
Two tourists were spending their time in the wild, they noticed that a lion (that looked very hungry) was coming their way. One of the tourists quickly went to the car, found his sneakers and put them on.
Tourist#1: Why do you do that? The lion is still faster.
Tourist#2: I don't have to be faster than the lion, I only have to be faster than you!
In other words, there are millions of Internet users who are much easier targets than you are ;-)
Back to smart keyloggers. Some of them have the option to store data about the special keys that were pressed, such as Backspace, the Arrow keys, Delete, etc.
- @ = left arrow;
- # = home;
- ! = end;
In the previous example, we used shift+arrows to select a part of the text and then overwrite it. A smart keylogger will record the following text to the log:
If you take into account the notations, you can backtrace all the keypresses and obtain the actual text, which is
Certainly, 'yankey' looks pretty different from 'anti@@keylogger#y!@@@@@@'. One cannot obtain the real password just by looking at the log. Besides, the more complex your wizardry was, the greater is the chance that the attacker will do the reverse engineering incorrectly, obtaining a password such as 'antiyankey' or 'antikeylogger' :-)
The good news is that most attackers will choose not to record the special keys, because that would make the log grow much faster, making it more difficult to read. Just imagine how much redundant data a log will contain if a keylogger writes all the copy/paste operations! What about the zillions of key-presses on Ctrl, Shift and Alt in 3D-shooters...
The final trick is to use the mouse. In the previous example, '@@' means 'Backspace was pressed twice'. But what if you selected that part of the text with the mouse and typed over the highlighted text? The keylogger will not be able to reflect that action, making reverse engineering impossible. The only way to handle that is to write the coordinates of the mouse-pointer to the log whenever it moves, but even this will be useless, because screens have different resolutions, people use mouse pointers of different sizes, different applications use different fonts, etc. Finally, the attacker will need to manually read and reverse engineer (i.e. try to obtain the correct password by undoing your operations) a log that will grow to several hundred megabytes in a few hours - now that's a lot of fun! What else... How can such a log be sent via the Internet without drawing a lot of attention? Your browsing speed will decrease, which will certainly make you take a look at the firewall and see what's going on.
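The backtracing described above, as an added example that is not part of the original article: a short Python replay of the quoted log string into a text buffer, to see what the special-key markers give away and what a mouse selection hides. The helper names and the event format are hypothetical; '@' is read as Backspace, as the text says of '@@', and for comparison as the left arrow listed in the legend.

```python
# Added illustration (not from the original article): replay a key log written
# in the article's marker notation into a text buffer.
BACKSPACE, LEFT, HOME, END = "backspace", "left", "home", "end"

# The logged string quoted in the article.
LOG = "anti@@keylogger#y!@@@@@@"
# Two readings of '@': Backspace (as the text says of '@@') and the legend's
# left arrow. Treating them as alternative legends is this example's assumption.
AS_BACKSPACE = {"@": BACKSPACE, "#": HOME, "!": END}
AS_LEFT = {"@": LEFT, "#": HOME, "!": END}


def replay(log, legend):
    """Apply a logged key stream to an empty field; return the final text."""
    buf, cursor = [], 0
    for ch in log:
        action = legend.get(ch)
        if action is None:              # ordinary character: insert at cursor
            buf.insert(cursor, ch)
            cursor += 1
        elif action == BACKSPACE:       # delete the character left of cursor
            if cursor > 0:
                cursor -= 1
                del buf[cursor]
        elif action == LEFT:
            cursor = max(0, cursor - 1)
        elif action == HOME:
            cursor = 0
        elif action == END:
            cursor = len(buf)
        else:
            raise ValueError(f"unknown action {action!r}")
    return "".join(buf)


def field_and_key_log(events):
    """Simulate a field edited by keyboard and mouse.

    events: ("type", text) or ("mouse_select", start, end). Returns the real
    field contents and what a key-only log would hold (mouse leaves no trace).
    """
    buf, cursor, selection, log = [], 0, None, []
    for event in events:
        if event[0] == "mouse_select":
            selection = (event[1], event[2])
        elif event[0] == "type":
            for ch in event[1]:
                if selection is not None:   # typing replaces the selection
                    start, end = selection
                    del buf[start:end]
                    cursor, selection = start, None
                buf.insert(cursor, ch)
                cursor += 1
                log.append(ch)
        else:
            raise ValueError(f"unknown event {event[0]!r}")
    return "".join(buf), "".join(log)


# Constructed sample: type "anti", mouse-select "ti", then type "keylogger".
MOUSE_EVENTS = [("type", "anti"), ("mouse_select", 2, 4), ("type", "keylogger")]

if __name__ == "__main__":
    print("'@' as Backspace :", replay(LOG, AS_BACKSPACE))
    print("'@' as left arrow:", replay(LOG, AS_LEFT))
    field, key_log = field_and_key_log(MOUSE_EVENTS)
    print("real field:", field, "| key-only log replays to:", replay(key_log, {}))
```

Reading '@' as Backspace reproduces 'yankey', while the left-arrow reading yields a different string, so a misread legend gives a wrong password. In the mouse case the key-only log replays to 'antikeylogger' although the field holds 'ankeylogger'.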
Avoid keyloggers in the first place
This is the best solution.
- Don't click on all the links that are included in your emails;
- Do not execute attachments that are executable files (EXE, COM, SCR, etc);
- Do not break the previous rule, even if the email seems to be from a person you trust;
- Avoid downloading anything from sites that are open in pop-up windows (usually these sites are malicious, even though pop-up windows can be used for noble purposes too);
- Check all the files that come to your computer on a USB flash disk or a DVD (even if the person who brought the disk is a friend you trust);
The above list is incomplete, but these guidelines (if respected carefully) will certainly make you one of the fastest tourists on the Internet ;-)
- Keylogger protection is not a complex process, you can protect yourself from keyloggers without paying anything;
- Your privacy is in your own hands, identity theft can be avoided if you apply one of the keylogger protection techniques described in this guide. Combining these techniques will bring better results;
- If you often need to log on to your accounts using public computers, and time is a significant constraint, and your passwords are very strong ones (ex: 'kpDp0o5;Z'), then password management tools might be a good idea. Otherwise you can use the protection strategies described in this story;
^ I do that every day :-)
Comment from: Kevin Fitzsimmons [Visitor]
Hi Alex, thanks very much - this is very helpful. (I couldn't see your demo, however - kept getting a Gateway Timeout, but I think I get the idea.) I was recently the victim of card fraud. I don't know whether this happened at an ATM, or whether my computer has been compromised, despite my many anti-spyware utilities. I thought of using Windows On-Screen Keyboard, but you state that this is not foolproof. Can you suggest an on-screen keyboard that would offer a better level of protection? Best regards, Kevin.
Kevin, thank you for the feedback, I updated the link, so the demo should work properly. Take a look at it and test yourself (i.e. make sure you've grasped the concept).
It is also important that you read the other story about keyloggers: http://www.lazybit.com/index.php/a/2007/03/01/keylogger_virtual_keyboard_vmware
It explains why Windows' on-screen keyboard is not effective; it turns out that even a dumb keylogger will 'see' what you type with it. The article also shows that using a virtual machine is not going to do the trick either.
I do not know which on screen keyboard is safe to use, but researching this is in my plans.
Comment from: i dont know my name [Visitor]
Umm, yeah, first of all, my friend searched the internet to download a keylogger (he wanted to see how it worked), and he found one, downloaded it, and he got a log. Then he noticed that when they sign into something, when they say something it says, let's say my username for some game is thegamer127, then usually when you type the pass it would go ******** but when they talk it shows their name like thegamer127 and their pass with it like thegamer127-password, so when they say something it shows both user and pass, so the only way to prevent a keylogger is to not say crap.
Interesting article. I am developing a free anti-keylogging utility which tries to fool keyloggers using 2 methods - firstly to inject a load of fake keystrokes into the Windows buffers, and secondly by trying to jam other processes that have installed keyboard hooks. It defeats at least 2 keyloggers completely, but I'm still trying to find a way to beat the KGB keylogger.
If anyone would like to help with the project, either with the Delphi coding or by testing against other keyloggers please contact me using the details on my web site.
I suspect the fake keystrokes can break some functionality in other programs; for example, an IM client that sets my status to "away" by watching the keyboard activity.
As for preventing hooks - what about legit applications that want to set up a hotkey for an action?
Comment from: me [Visitor]
I use an onscreen keyboard for keylogger protection; it's Neo's SafeKeys 2008. It's free. http://www.aplin.com.au. It's pretty good; I've tried it against a couple of keyloggers, and it seems to protect entries really well.
Great suggestions. But where do I find a one-in-all complete antikeylogging/spyware package and for free, that is powerful enough to keep government and the like agencies out. Not a criminal, just appreciate my privacy too much. Freedom, independence, and privacy are very important to me. How does one protect oneself from spyware that takes screenshots with every mouse click? An on-screen keyboard does not necessarily protect against that. I read somewhere that one can hover for several seconds over an on-screen key, but I fail to understand how that provides protection if the screen shot happens at the mouse click... But thanks for the great idea. I enjoyed the one person who was developing a program that injects large amounts of typing into the log files. That was great. I plan to check that out. Thanks. WK
Incidentally, I have read that there are some on-screen keyboards that do indeed also protect against spyware capturing clicked keys. When I find that again I will post it here. Also I am as of yet unclear on whether spyware, even if no keys are logged or keylogs are sent to the spyer, can indeed capture the ******* characters out of password fields at the moment the form is sent to the server on the other end, say your bank or email provider. I came across some form-protector, but don't recall off hand what they do and do not provide. Hence my search for an all in one solution. For a good one I might be willing to invest... Thanks again. WK
Comment from: Jose [Visitor]
Wow, I never thought about that! I'll have to do some more research.
Comment from: THomas [Visitor]
Or use keyscrambler.
google it up
Comment from: mobile phone [Visitor]
I haven't thought of a keylogger program like that, where you were recovering stuff you lost, or figuring out what you were searching. Personally, I never found much use for it, as I tended to have a ton of passwords saved in a notepad document, hahaha.
Onscreen keyboards look cool, but I think until you have some sort of touch screen implemented on the computer monitor, it's simply just going to be too slow for me.
Update: It's been a while (see above), but I thought I ought to mention this. Currently running a Windows 7 Home Edition machine. Pulled up the on-screen keyboard, this time for ergonomic reasons and not for anything private. Got a popup warning from an old no longer supported security program I was running in the background and which I had set at a high detection level, warning me that I had just opened an application that may (note it said "may") use a keylogging function. Just thought folks should know... So I guess even with changed times, scramblers as discussed above and separate on screen keyboard programs NOT from Windows may still be the best solution. I have to admit I begin to wonder a bit if privacy is truly attainable on the net, but I feel people have the right to as much privacy as possible. Not saying that in favor of illegal things, of course, while at the same time I continue to have questions in my mind about how far eavesdropping can be taken beyond national or international security when so much information goes through such vast central locations. Here in The Netherlands public transportation is now almost completely computerized. One can almost not go anywhere without registering every move. And one is not much more private using cars either. This is great for organized burglars who have one good computer guy who can hack those databases and see patterns of target groups all in one location. I understand efficiency and marketing considerations, but how does one measure the true price paid for all that and who pays that price? I am not sure where legal and ethical ought to meet or where one should override the other, or vice versa. But in any case I was amused about the on-screen keyboard data collection warning and remembered this online discussion and thought I ought to bring that up...
Has anyone had any new or even better ideas than had been discussed here before?
Anyways, I intend to continue to fight for maximum privacy, as in email for example, and otherwise. I am amazed at what all CCleaner finds, and then what I find in addition when I go into the areas CCleaner finds stuff in using the command prompt. All kinds of additional logs are there, only about half of which I have some understanding of their necessity (which I find questionable but I have to research it further). Cheers, WK
Hey, thanks for returning and sharing your thoughts.
I've been to the Netherlands and I was really impressed by the public transport system, and especially the trip planner in ns.nl.
At the time I was there, I remember I could buy tickets printed on paper. I could use a pre-paid debit card, purchased with cash - so technically, one wouldn't know it was me who bought that ticket and took that ride.
But I agree, the general trend is convenience vs privacy. Since you're in The Netherlands, you can always take a bike :-)
Other places are not as bike friendly, for example Moldova (where we're located) - we have no dedicated bike lanes, car drivers don't respect those who were brave enough to get on a bike.. Cycling is not a very attractive option, unfortunately.
Times change and... it might get a bit crazy, but what the heck, here we go - if this trend continues, we will keep sacrificing privacy for convenience, the 'big brother' will always know where we are. BUT,
if you think about it from a different perspective, maybe society will become so interconnected that we will eventually behave like a single organism with a single mind.
- The buggers in "Ender's game" or
- The cloud from "The black cloud" by Fred Hoyle.
The point is that if you can read my thoughts and I can read yours - is it still meaningful to see us as different individuals?
Maybe this is how the "privacy question" will be addressed in the very distant future.
Back to the subject, you mentioned that security program. It is probably monitoring the processes that set up 'hooks', the on-screen keyboard uses that method. So yeah, naturally it will throw a warning. It doesn't mean the program is malicious, but it could be. So... one should always rely on common sense before listening to what a program says (-:
Ok you are right in that the public transport system is a very interesting one here, especially compared to many other countries in the world, even many western ones. With a country this small, that makes this easier. And yes of course I have benefited from it greatly in going to and from work. On the other hand, traveling to work/schooling within Amsterdam took me longer on public transport or bicycle than someone I know who travels to work in another city pretty far out. However they are expanding the metro at great risk and expense which is a controversial issue here, but certainly a respectable effort from an engineering point of view.
Those times of paper tickets are completely gone now. You have to check in and out with a magnetic or radio signal response card. If you forget they grab four Euros from your saldo, regardless of how quickly you check in again on the next bus. This is especially nasty for the elderly for example, who may be more forgetful at times although I have lost that amount several times in a row with this system. I estimate I lose between 100 and 200 Euros per year that way. One can fill in a form and add a printout that can be made on some of the purchasing machines and get the money back if the story checks out, but that's a lot of paperwork I don't have the energy for.
All this does not mean, however, that programming is all bad. You are right about that, in those cases where computer programming is put to good use in this system, connections can improve greatly above what they are already. So yes I should continue to be aware of my blessings, thanks for that insight.
I completely disagree with Fred Hoyle, by the way, but let's not get into that.
Biking is definitely an option that I use a lot, yes. Within cities it remains a decent option, if the city is not too large. Some distances within Amsterdam are pretty far but still doable if you have an hour and a half. But Rotterdam for example is more spread out, I am not sure one could do everything on bike there.
I worry, though, about cameras with facial recognition. All digital, likely to all end up on people's computers, which are connected to the internet, etc. So that leaves you still a bit vulnerable even on a bicycle. I am an amateur photographer and doubt that I would ever want one of those. Plus they are too expensive anyways. I like old fashioned thrift store type simple film SLR's. My favorite is a simple NIKON FE. Not even a spot meter but that is ok by me. I can do everything manually.
You are right about not jumping to conclusions about every warning against keylogging. In this particular case, since it was the Windows on screen keyboard, I suspect the warning was dead-on. But I still wonder if I got a separate on screen keyboard software program, how would that protect against screen loggers that take screen shots as soon as you open that program. Anyways, I am not an ICT specialist or I would probably be communicating and doing things very differently, it's the down side of being an "end user." I worked tech support before, but that's only first line and it does not make me a programmer at all. As to reading thoughts and individualism, I go along but only to a point, and only if it enhances mutual understanding. As a species we would need to elevate our collective humanity considerably for that to be truly beneficial and to avoid the tremendous potential dangers I see with that, and that is not looking back all that far either.... As to further advantages, I hope not... We don't experience good without pain if the contrast is erased. But that's a philosophical question and perhaps indeed very much long term future which we may not be able to foresee, if we even survive that long, and it's not a computer tech subject like for this post, but interesting and thought provoking. It does remind me of Michio Kaku's type 1 civilization. Is that the only answer? Would it need to be mutually exclusive or can we have both?
Thanks for your reply, always nice to connect with intellect that leaves me thinking. I MUST go to sleep, recovering from a couple illnesses. Thanks again for the discussion. I appreciate your insights.