Friday, October 10, 2014
The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, wiring or the computer itself, intercepting input/ output, substituting the keyboard driver and finally, requesting information from the keyboard using standard documented methods.
Experience shows that the more complex the approach, the less likely it is to be used in common Trojan programs and the more likely it is to be used in specially designed Trojan programs which are designed to steal financial data from a specific company.
Keyloggers can be divided into two categories: keylogging devices and keylogging software.
Keyloggers which fall into the first category are usually small devices that can be fixed to the keyboard, or placed within a cable or the computer itself. The keylogging software category is made up of dedicated programs designed to track and log keystrokes.
The most common methods used to construct keylogging software are as follows:
- a system hook which intercepts notification that a key has been pressed
- a cyclical information keyboard request from the keyboard
- using a filter driver (requires specialized knowledge)
Recently, keyloggers that disguise their files to keep them from being found manually or by an antivirus program have become more numerous. These stealth techniques are called rootkit technologies. There are two main rootkit technologies used by keyloggers:
- masking in user mode;
- masking in kernel mode.
Zachary T. Brown