Problem solve Get help with specific problems with your technologies, process and projects.

How to detect keyloggers

In this expert response, Michael Cobb explains how to detect the many rootkits available to today's attackers.

What are the signs that a keystroke logger is on my computer, and if I find one, how can I confirm that I've gotten rid of it?

Having devices and/or software that captures all of your keystrokes and sends them to a malicious third party is a pretty terrifying concept. It's important to keep in mind, however, that there are different types of keyloggers available to attackers. Hardware-based keyloggers, for example, attach between the keyboard and the USB or serial port on the back of a computer. These can be easily detected by tracing the cable from your keyboard to your computer and seeing if there is anything between them.

Software keyloggers, though, can be far more difficult to detect and remove. After all, they are rarely named "evil keylogger.exe" when installed. Often malware, like keyloggers, have names that are similar to other normal processes like svchost.exe, making it difficult to distinguish between a safe process and a malicious one.

I recommend becoming familiar with tools that are generally used for detecting rootkits. Many of the tricks that rootkits use to hide on computers are also used by keyloggers, and keyloggers are often incorporated into various rootkits.

Tools like IceSword, FileMon and F-Secure plc's Backlight utility are great for seeing the internal workings of a system. I would also recommend keeping your antivirus product up to date, since many of the AV vendors have signatures for common keyloggers.

To verify that the malicious code is gone, monitor the network traffic to and from your system with a tool like Wireshark to ensure that the system is not communicating with the attacker.

This was last published in March 2009

Dig Deeper on Malware, virus, Trojan and spyware protection and removal