Keylogger: what it is, why it is used, and how to protect yourself from it

What is a keylogger? What danger do keyloggers pose? Is it possible to use one yourself, and what does that entail?

General information

In the modern information world, security is a pressing issue. Among the whole variety of malicious programs, the keylogger stands apart. What is it? What dangers does it pose? How do you deal with it? Those who know English well have probably translated the name already and realized that this is about a keyboard recorder. That is exactly how the name translates: key logger. In the countries of the former USSR, though, they are officially known as keyloggers. What distinguishes them?

Once the program reaches a computer, it begins its espionage tasks without the user's knowledge, participation or consent. Ask "What is a keylogger?" and it turns out that many people have no idea what such a program is. The sad consequence is that many users simply underestimate the threat. They should not: the main goal of these programs is to steal the logins and passwords of user accounts, wallets and banking applications and send them to their creator.

How do they work?

Let's look at a small example. Suppose a person has a bank account holding a hundred thousand rubles, a fairly good sum. He periodically logs in to his online account with a login and password, and to enter them he has to use the keyboard. The keylogger records what was entered and where. An attacker who knows the login and password can then use the funds if no additional lines of defense, such as confirmation by phone, are in place. The keylogger acts as a relay that, at a certain moment, sends off all the collected information. Some of these programs can even recognize the input language and which browser element the person is interacting with. The ability to take screenshots rounds this out.

History of development

Keyloggers for Windows are not a new phenomenon. The first such programs were as old as MS-DOS. At that time they were ordinary keyboard interrupt handlers about 1 KB in size. Their main function has not changed since: they still primarily register keyboard input covertly, record the collected information and transmit it to their creator. The question may arise: "If they are so primitive, why don't the numerous anti-virus applications catch keyloggers?" After all, this is a simple program. Nevertheless, dealing with specialized applications is quite difficult. The point is that a keylogger is not a virus or a trojan, and finding it requires installing special extensions and modules. In addition, there are so many of these malicious programs that signature search, which is considered one of the most advanced protection solutions, is powerless against them.

Spread

How do they get onto users' computers? There are many distribution paths. Some keyloggers mail themselves to everyone in the address book; others are distributed under the guise of other programs or bundled with them as an add-on. Suppose a person downloads an unlicensed version of some application from a third-party site. He installs the main application, and the keylogger along with it. Or perhaps strange messages with attached files have arrived from friends? It is possible that a keylogger that spreads by mail sent them. On most services, opening the message itself poses no threat, since it is just text. The attachments, however, can be dangerous. When you notice such a situation, it is best to get rid of the potentially dangerous files. After all, a deleted keylogger is not dangerous and cannot harm anything.

Mail Distribution

This distribution path deserves particular attention. Sometimes messages arrive that appear to contain valuable information or something similar. The calculation is that a curious person will open the letter and download a file that supposedly contains "information" about "enterprise accounting", "account numbers, passwords and access logins" or simply "someone's nude photos". If the mailing targets a particular company, the message may even include the person's first and last name. Always be careful with any files!

Creation and use

After reading the above, someone might think: I would like a free keylogger of my own. Some will even go looking for one to download. First of all, it must be said that this is punishable under the Criminal Code. Besides, do not forget the old saying that free cheese is found only in a mousetrap. Anyone who follows this path should not be surprised if the "free keylogger" serves only its owner or even turns out to be a virus or trojan. The only more or less reliable way to get such a program is to write it yourself. But again, this is criminally punishable. So weigh the pros and cons before proceeding. What, then, should one aim for? What could the end result be?

Standard keyboard trap

This is the simplest type, based on one general principle of operation. The program inserts itself into the signal path between the moment a key is pressed and the moment the character appears on the screen. Hooks are widely used for this. In operating systems, a hook is a mechanism for intercepting system messages; it is installed with a special function that is part of the Win32 API. Of the available hook types, WH_KEYBOARD is used most often and WH_JOURNALRECORD somewhat less often. The peculiarity of the latter is that it does not require a separate dynamic library, so the malware spreads across the network more quickly. Hooks read all the information transmitted from the input hardware. This approach is quite effective, but it has several disadvantages. A separate dynamic library has to be created, and it is mapped into the address space of processes, which makes the keyboard recorder easier to identify. Defenders take advantage of this.
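The observation that a hook library shows up in the address space of many processes can be turned into a simple triage check. The following is an added example, not code from the original article: it assumes a per-process module listing has already been exported by some inventory tool, and the sample snapshot, the trusted directory list and the threshold of three processes are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Assumption: only these directories are treated as expected sources of shared DLLs.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def normalize(path):
    """Lower-case, unify separators and collapse '..' so lookalike paths compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def is_trusted(path):
    norm = normalize(path)
    return any(norm.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_widely_mapped(snapshot, min_processes=3):
    """Return {dll: [process, ...]} for untrusted DLLs mapped into many processes."""
    seen = defaultdict(set)
    for proc, modules in snapshot.items():
        for mod in modules:
            norm = normalize(mod)
            if norm.endswith(".dll") and not is_trusted(norm):
                seen[norm].add(proc)
    return {dll: sorted(p) for dll, p in seen.items() if len(p) >= min_processes}


# Constructed sample: process name -> paths of the modules loaded in it.
SNAPSHOT = {
    "notepad.exe": [r"C:\Windows\System32\user32.dll",
                    r"C:\Users\bob\AppData\Roaming\kbhelper.dll"],
    "chrome.exe": [r"C:\Windows\System32\user32.dll",
                   r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
                   r"c:\users\bob\appdata\roaming\KBHELPER.DLL"],
    "winword.exe": [r"C:\Windows\System32\user32.dll",
                    r"C:\Users\bob\AppData\Roaming\kbhelper.dll"],
    "explorer.exe": [r"C:\Windows\System32\..\System32\shell32.dll"],
}

if __name__ == "__main__":
    for dll, procs in find_widely_mapped(SNAPSHOT).items():
        print(f"review {dll}: mapped into {', '.join(procs)}")
```

A hit is only a lead for manual review: input method editors, accessibility tools and security products also load one library into many processes.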

Other methods

First, there is the primitive, even ridiculous, method of periodically polling the keyboard state. A process is started that checks 10-20 times per second whether certain keys have been pressed or released, and all changes are recorded. Building a keylogger on a driver is also popular. This is a fairly effective method with two implementations: developing your own filter or your own specialized software for an input device. Rootkits are popular too. They are implemented so as to intercept data as it passes between the keyboard and the controlling process. The most reliable, however, are hardware devices for reading the information, if only because detecting them by software is extremely difficult, literally impossible.

What about mobile platforms?

We have covered what a keylogger is and how keyloggers are created, but with personal computers in view. Besides PCs, however, there are also many different mobile platforms. What about them? Let's see how a keylogger for Android works. In general, the principle of operation is similar to the one described in this article, but there is no ordinary keyboard. So these programs target the virtual keyboard that appears when the user is about to enter something. As soon as information is entered, it is immediately passed to the program's creator. Because the security system on mobile platforms is weak, a keylogger for Android can work and spread successfully for a long time. Therefore, whenever you download an application, consider the permissions it is granted. If a book reader asks for access to the Internet, the keyboard and various administrative services of the mobile device, that is a reason to ask whether it is malicious. The same applies in full to applications in the official stores, because they are checked not manually but by automation, which is not perfect.
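The permission review described above can be automated against a decoded AndroidManifest.xml. This is an added example, not part of the original article: the book-reader manifest is constructed, and the rule (Internet access combined with a keyboard, accessibility or device-administrator component) is an assumed reading of the article's advice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Components guarded by these permissions give an app keyboard-level or admin-level reach.
BIND_CAPABILITIES = {
    "android.permission.BIND_INPUT_METHOD": "custom keyboard (sees typed text)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (observes UI and input)",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
}

# Constructed sample: a "book reader" that ships its own keyboard and an admin receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bookreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ReaderKeyboard"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Flag apps that combine network access with input or admin components."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            capability = BIND_CAPABILITIES.get(comp.get(ANDROID_NS + "permission"))
            if capability:
                findings.append((comp.get(ANDROID_NS + "name"), capability))
    internet = "android.permission.INTERNET" in requested
    return {
        "package": root.get("package"),
        "input_access": findings,
        "internet": internet,
        "review": bool(findings) and internet,  # can capture input and send it out
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "needs review" if report["review"] else "looks ordinary")
    for name, capability in report["input_access"]:
        print(f"  {name}: {capability}")
```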

Source: https://habr.com/ru/post/K9016/

