A keylogger, sometimes called a keystroke logger or system monitor, is a type of surveillance technology used to monitor and record each keystroke typed on a specific computer's keyboard. Keylogger software is also available for use on smartphones, such as Apple's iPhone and Android devices.
Keyloggers are often used as a spyware tool by cybercriminals to steal personally identifiable information (PII), login credentials and sensitive enterprise data. Keylogger recorders may also be used by employers to observe employees' computer activities, parents to supervise their children's internet usage, users to track possible unauthorized activity on their devices or law enforcement agencies to analyze incidents involving computer use. These uses are considered ethical or appropriate in varying degrees.
Types of keyloggers
A hardware-based keylogger is a small device that serves as a connector between the computer keyboard and the computer. The device is designed to resemble an ordinary keyboard PS/2 connector, part of the computer cabling or a USB adaptor, making it relatively easy for someone who wants to monitor a user's behavior to hide such a device.
Most workstation keyboards also plug into the back of the computer, keeping the connections out of the user's line of sight. A hardware keylogger may also come in the form of a module that is installed inside the keyboard itself. When the user types on the keyboard, the keylogger collects each keystroke and saves it as text in its own miniature hard drive, which may have a memory capacity of up to several gigabytes. The person who installed the keylogger must later return and physically remove the device in order to access the information that has been gathered. There are also wireless keylogger sniffers that can intercept and decrypt data packets being transferred between a wireless keyboard and its receiver.
A keylogging software program Bottom of Form does not require physical access to the user's computer for installation. It can be downloaded on purpose by someone who wants to monitor activity on a particular computer, or it can be malware downloaded unwittingly and executed as part of a rootkit or remote administration Trojan (RAT). The rootkit can launch and operate stealthily in order to evade manual detection or antivirus scans.
A common keylogger program typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file that does all the recording and an executable file that installs the DLL file and triggers it to work. The keylogger program records each keystroke the user types and uploads the information over the internet periodically to whoever installed the program. There are many other ways that keylogging software can be designed to monitor keystrokes, including hooking keyboard APIs to another application, malicious script injection or memory injection.
Some keylogging programs may include functionality for recording user data besides keystrokes, such as capturing anything that has been copied to the clipboard and taking screenshots of the user's screen or a single application.
Detection, prevention and removal
As there are various types of keyloggers that use different techniques, no single detection or removal method is considered the most effective.
Antikeylogger software is designed specifically to scan for software-based keyloggers, by comparing the files on a computer against a keylogger signature base or a checklist of common keylogger attributes. Using an antikeylogger can be more effective than using an antivirus or antispyware program, as the latter may identify a keylogger as a legitimate program instead of spyware.
Depending on the technique the antispyware application uses, it can possibly locate and disable keylogger software with lower privileges than it has. Use of a network monitor will ensure the user is notified each time an application tries to make a network connection, giving a security team the opportunity to stop any possible keylogger activity. Application whitelisting can also be used to allow only documented, authorized programs to run on a system.
While visual inspection can be used to identify hardware keyloggers, it is impractical and time-consuming to implement on a large scale. System cages that prevent access to or tampering with USB and PS/2 ports can be added to the user's desktop setup. Extra precautions include using a security token as part of two-factor authentication (2FA) to ensure an attacker cannot use a stolen password alone to log in to a user's account, or using an onscreen keyboard and voice-to-text software to circumvent using a physical keyboard.