Keylogger question

By gubar
Apr 25, 2011
Post New Reply
  1. Hi,

    just been helped clean my system after a keylog infection, posting this question in this general forum because I believe that one is for active help only.

    I found the infected file, and it held personal details (passwords etc), thankfully it was caught early.

    My question though is, how would this have been used? It was just a text file, not sure if another file was removed during cleaning. Would there have been an application on my computer which would have sent this information out? Or would the creator have tried to access my computer somehow?

    Thanks for any info,

  2. Zen

    Zen TechSpot Paladin Posts: 861   +45

    I know this information doesn't clearly tell you what the end result could be from a key-logger, but maybe the information may point you in the right direction, as to become more knowledgeable with it.

    Information Secured From

    Definition: A keylogger is a hardware device or a software program that records the real time activity of a computer user including the keyboard keys they press.

    Keyloggers are used in IT organizations to troubleshoot technical problems with computers and business networks. Keyloggers can also be used by a family (or business) to monitor the network usage of people without their direct knowledge. Finally, malicious individuals may use keyloggers on public computers to steal passwords or credit card information.

    Keylogger software is freely available on the Internet. These keyloggers allow not only keyboard keystrokes to be captured but also are often capable of collecting screen captures from the computer. Normal keylogging programs store their data on the local hard drive, but some are programmed to automatically transmit data over the network to a remote computer or Web server.

    Detecting the presence of a keylogger on a computer can be difficult. So-called anti-keylogging programs have been developed to thwart keylogging systems, and these are often effective when used properly.

    Trojan Virus Key-logger Information Secured From

    In its simplest form, a keylogger trojan is malicious, surreptitious software that monitors your keystrokes, logging them to a file and sending them off to remote attackers. Some keyloggers are sold as commercial software - the type a parent might use to record their children's online activities or a suspicious spouse might install to keep tabs on their partner.

    Keyloggers may record all keystrokes, or they may be sophisticated enough to monitor for specific activity - like opening a web browser pointing to your online banking site. When the desired behavior is observed, the keylogger goes into record mode, capturing your login username and password.

    Some sites attempt to thwart keyloggers by having the user respond to visual cues they must point to with their mouse instead of using their keyboard. However, some keylogger trojans also capture screenshots, thereby negating the effect of this strategy.

    Keyloggers and other forms of remote-access trojans tend to be the most determined malware, taking extra steps to stealth its presence, including through the use of rootkits.

    The best defense against keyloggers is prevention. One of the most common infection sources is peer-to-peer (P2P) filesharing networks, such as Kazaa, Morpheus, Gnutella, and dozens of others. Keyloggers are also commonly sent as email attachments and via links in instant messages that point to the infected file.

    Too often, people are lulled into a false sense of security, believing, for example, that if they simply switch to a different browser they will be safe from harm. It's simply not so simple. To stay safe means becoming proactively engaged in your own security.

    Hope this all helps, if not a little bit!
  3. SeshOrch

    SeshOrch TS Rookie

    How do i remove a keylogger from my PC
  4. mailpup

    mailpup TS Special Forces Posts: 6,964   +355

    You would have to post your question in the Virus and Malware Removal forum. However, before posting please read the "stickies" (permanent threads at the very top of the forum) and follow their directions.
  5. gubar

    gubar TS Enthusiast Topic Starter Posts: 105

    Hi Zen,

    I never realized you had posted this until I recieved instant notification relating to the next two posts - so I'd like to offer a very belated thanks! Very detailed and useful information.

    Thanks again,

  6. jobeard

    jobeard TS Ambassador Posts: 9,153   +598

    I didn't see reference to 'calling-home' so I'll offer this:

    Any file which contains the data captured is just data (also a very poor implementation).
    This would then need to be accesses by some remote command-control server to suck that data up to the intruder,
    OR wait for a new browser session to contact the intruders site.

    The hard to detect key-loggers would keep data in memory only and thus not disclose their presence via the file (regardless of the file name or location).

    They would also have a backdoor(ie: an ipaddress & port) to call-home and push the data collected.
    This is where your firewall *might* protect you, but that depends upon the controls in the FW and they very from vender to vender.
    Most all can control a destination+port number and some can allow programA to use that pair while restricting all other programs from doing so.

    The nightmare is a key-logger calling home on ports 80, 443 or 110
    (the first 2 are web server access ports and the latter is the common email reading port).
    As we all use these and the FW must open them, the sole stop-gap criteria is the application itself. If your browser is corrupted, then there's no way to stop the data from being pushed.

    Now guess the most common FW configuration - -
    • block all incoming, unbound data (ie no existing connection from/to the origin IP)
    • allow all outgoing new connections
  7. Neil010

    Neil010 TS Rookie Posts: 53

    I think you should also be aware for phishing attempts. They masquerade websites and steal sensitive information. For example, a phishing attack on Facebook would mean that when you enter the website, you will be redirected to another URL which will look exactly like Facebook and when you enter the password they can retrieve it. No one really notices the address and the attack pulls off easily without you knowing it. Newer techniques place a picture of the address of the website you assume you are in, in place of the phishing site's address bar.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...