Lazybit

It's been a while since I interacted with a keylogger last time. Many years ago, I used a tool called HookDump to log all the keystrokes. It turned out to be a very efficient solution against frequent power surges. If there were problems with the power grid (this was a common phenomenon those days), I didn't lose anything, because the logs had it all. Another use of the program was "logging where there is no logging": I like to keep records of everything I do, whether it is instant messaging, or email, etc. If an application I use does not support logging - a keylogger is an elegant solution. A keylogger also helped me to retrieve several passwords I forgot, which was pretty cool. (Ok ok, I admit that a couple of friends checked their email on my computer, so I accidentally had their passwords too, but I never used them, really) :-)

But those days are long since gone.

• The state economy is better, there is no energy crisis, the chance to get into power trouble is minimal;
• I recently switched to a laptop anyway, so power problems are 100% out of the question;
• All the applications I use support a history mode, which dumps all the activity to a plain-text log file;
• There are great password management tools that solve the "forgotten password" type of problems;

This is what made keyloggers obsolete.

"Hold on buddy!" is the first thing that comes to your mind, isn't it so? And you're right!

Today keyloggers turned into a real problem. Sure, I found a peaceful use for such tools, but nowadays, they are much more popular among people with negative intentions, creating tens of thousands of victims all over the planet. This is why keyloggers can be extremely dangerous. Unlike phishing scams, keyloggers operate at a lower level, allowing the attacker to gather all your passwords and private details, not only those that you fill into the forms of a fake site. Because of that, each of us has to make sure that:

• Their computer is 100% keylogger-free;
• The chance of identity theft is minimized (or null);
• Or at least make sure that the attacker will have to spend a hell of a lot of time to actually find your password (in case you had to use a public computer);

The purpose of this story is to teach you how to achieve the previously stated objectives with your bare hands (i.e. without paying for expensive software that is supposed to do the dirty work for you).

Using the on screen keyboard

This is probably the easiest thing to do. Many people request a security-related application to have a built-in virtual keyboard to allow them to input passwords without using the keyboard. Only few people know that such an utility comes with Windows, OSK - On-screen keyboard.

It can be launched in an easy way:

1. Press Start\Run;
2. Type osk;
3. Press Enter;

Ta-da! If you've done things right, then this window will appear on the screen.

You can use your mouse to click on buttons, and the keystrokes will be reflected in the currently active application. Note that the on screen keyboard will not steal the focus of the current application, in other words, when you press a virtual key, the keystroke will be directed to the window you expect it to. Just give it a try and see how it works.

Another use for the on screen keyboard - it's an easy way to find out which special characters are available in the current keyboard layout, and which buttons you need to press in order to type those characters. Have you ever wondered how to print an umlaut using a standard keyboard? The same applies to French specific letters, Romanian ones, and so on.

The pros of using the on screen keyboard:

• Simple keyloggers are fooled;
• Can be used for typing passwords with non-standard characters in them;
• Can be used for typing passwords in a foreign language (have you tried to type in Russian on a keyboard that only has English labels on the buttons^?);
• You can impress your friends;

The cons of using the on screen keyboard:

• Mouse-clicking is usually slower than actual typing, so somebody who stands by you can see your password with ease (unless you're an expert mouse-clicker);
• Smart keyloggers will still get your password;
• It does not exist in all Windows versions (2000 and above only);
• Smart malware can be programmed to disable the on screen keyboard;

What makes a smart keylogger? Well, some of them have an option which writes the final content of the window to the log file. In other words, if a web-page has 5 fields, you fill them in (the keystrokes are logged, or logged not if you use the on screen keyboard), but as soon as you press the Submit button, the text in all those fields will be logged. This makes things a bit more complicated for the attacker, as he or she will have a lot of redundant data in the log. But hey, wouldn't you take your time to carefully read a 100 page log if you knew that somewhere in it is a key that will bring you a fortune?

Which is why we move on to the second method of "bare hands anti keylogging".

Mouse::highlight & overwrite + arrow keys

This method is pretty efficient, being able to trick simple and advanced keyloggers, it will also exert a greater psychological pressure on the attacker, getting him her frustrated very fast.

Here's how it works (click on the screenshot to watch the actual demo, it will open in a new window):

In the first line you see the real password, in the second line is the field in which the password is typed; the yellow tooltip will illustrate the current contents of the log.

As you can see, the keylogger will write a lot of characters to the log, even though those characters are not a part of the real password. Of course, the attacker cannot find out which characters are needed and which ones are redundant.

The pros of using the this kind of keylogger protection:

• Both, simple and advanced keyloggers are fooled;
• The logs cannot be processed automatically, requiring a human to actually read them and try to understand what is happening. An attacked gets frustrated very fast, so it is very possible that your password will remain unrevealed;
• Even if the log was read by a human and a password was obtained, it is very likely that it is an incorrect one. When somebody will try that password, access will be denied, making one conclude that you didn't know the right password yourself (thus the attacker will switch to the next victim);
• Does not require any additional utilities or system configurations;
• Works in any operating system, any application, any type of form, and so on;
• You can impress your friends;

The cons of using the this kind of keylogger protection:

• You can easily get confused, don't forget that in the real world, characters are masked with asterisks;
• It takes a lot of time before you are skilled enough to apply this technique;
• Smart keyloggers can make things easier for the attacker (but you can apply an alternative strategy to protect yourself better);

What makes a smart keylogger? As in the previous case, the keylogger might store the final contents of the field in a separate location, rendering all the wizardry useless. But this is still good news for you, because the logs will contain information which contradicts itself, thus the evil person will have to personally try each possible option. Of course, we live in the real world, where people are too lazy to do something. This tiny detail will always work for you. Keep in mind the fact that the attacker probably needs to read a tonn of other material in search of passwords and other private details; if there is a minor barrier, the person will switch to a different task (which appears to be easier).

Here is a small story that fits into the context:

Two tourists were spending their time in the wild, they noticed that a lion (that looked very hungry) was coming their way. One of the tourists quickly went to the car, found his sneakers and put them on.

Tourist#1: Why do you do that? The lion is still faster.
Tourist#2: I don't have to be faster than the lion, I only have to be faster than you!

In other words, there are millions of Internet users who are much easier targets than you are ;-)

Back to smart keyloggers. Some of them have the option to store data about the special keys that were pressed, such as Backspace, the Arrow keys, Delete, etc.

Assume that:

• @ = left arrow;
• # = home;
• ! = end;

In the previous example, we used shift+arrows to select a part of the text and then overwrite it. A smart keylogger will record the following text to the log:

anti@@keylogger#y!@@@@@@

If you take into account the notations, you can backtrace all the keypresses and obtain the actual text, which is

yankey

Certainly, 'yankey' looks pretty different from 'anti@@keylogger#y!@@@@@@'. One cannot obtain the real password just by looking at the log. Besides, the more complex your wizardry was, the greater is the chance that the attacker will do the reverse engineering incorrectly, obtaining a password such as 'antiyankey' or 'antikeylogger' :-)

The good news is that most attackers will choose not to record the special keys, because that would make the log grow much faster, making it more difficult to read. Just imagine how much redundant data a log will contain if a keylogger will write all the copy/paste operations! What about the zillions of key-presses on Ctrl, Shift and Alt in 3D-shooters...

The final trick is to use the mouse. In the previous example, '@@' means 'Backspace was pressed twice'. But what if you selected that part of the text with the mouse and typed over the highlighted text? The keylogger will not be able to reflect that action, making reverse engineering impossible. The only way to handle that is to write the coordinates of the mouse-pointer to the log whenever it moves, but even this will be useless, because screens have different resolutions, people use mouse pointers of different sizes, different applications use different fonts, etc. Finally, the attacker will need to manually read and reverse engineer (i.e. try to obtain the correct password by undoing your operations) a log that will grow to several hundred megabytes in a few hours - now that's a lot of fun! What else... How can such a log be sent via Internet without drawing a lot of attention? Your browsing speed will decrease, which will certainly make you take a look at the firewall and see what's going on.

Avoid keyloggers in the first place

This is the best solution.

• Don't click on all the links that are included in your emails;
• Do not execute attachments that are executable files (EXE, COM, SCR, etc);
• Do not break the previous rule, even if the email seems to be from a person you trust;
• Avoid downloading anything from sites that are open in pop-up windows (usually these sites are malicious, even though pop-up windows can be used for noble purposes too);
• Check all the files that come to your computer on a USB flash disk or a DVD (even if the person who brought the disk is a friend you trust);

The above list is incomplete, but these guidelines (if respected carefully) will certainly make you one of the fastest tourists on the Internet ;-)

Conclusions:

• Keylogger protection is not a complex process, you can protect yourself from keyloggers without paying anything;
• Your privacy is in your own hands, identity theft can be avoided if you apply one of the keylogger protection techniques described in this guide. Combining these techniques will bring better results;
• If you often need to log on to your accounts using public computers, and time is a significant constraint, and your passwords are very strong ones (ex: 'kpDp0o5;Z'), then password management tools might be a good idea. Otherwise you can use the protection strategies described in this story;

^ I do that every day :-)