The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, wiring or the computer itself, intercepting input/ output, substituting the keyboard driver and finally, requesting information from the keyboard using standard documented methods.
Experience shows that the more complex the approach, the less likely it is to be used in common Trojan programs and the more likely it is to be used in specially designed Trojan programs which are designed to steal financial data from a specific company.
Keyloggers can be divided into two categories: keylogging devices and keylogging software.
Keyloggers which fall into the first category are usually small devices that can be fixed to the keyboard, or placed within a cable or the computer itself. The keylogging software category is made up of dedicated programs designed to track and log keystrokes.
The most common methods used to construct keylogging software are as follows:
I will provide a more detailed explanation of the different ways keyloggers are constructed in the part 4 of this series). But first, here are some statistics.
A rough breakdown of the different types of keyloggers is shown in the pie chart below:
Recently, keyloggers that disguise their files to keep them from being found manually or by an antivirus program have become more numerous. These stealth techniques are called rootkit technologies. There are two main rootkit technologies used by keyloggers:
A rough breakdown of the techniques used by keyloggers to mask their activity is shown in the pie chart below:
Zachary T. Brown