
Thread: Anti-Keyloggers

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    500

    Anti-Keyloggers

    We run Windows 2000 Server and Windows XP. Are the anti-keyloggers around the web effective? My boss is suddenly very concerned that passwords might be logged on our servers. I'm not convinced that an anti-keylogger would be effective at all, considering how keyloggers make their way onto systems (i.e. physical access, virus, spyware). Is there such an (automated) application that is somewhat effective? I know nothing can be 100%, but some security is better than none sometimes, and this is where we are leaning. Or would something like TeaTimer with SpyBot be better...? Any suggestions/reviews of software or any good input on this topic would be appreciated.

    Thanks in advance.
    Ron Paul: Hope for America
    http://www.ronpaul2008.com/

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Not sure of your setup, but I would have thought that a keylogger on your client would be the danger?

    After all, you don't normally log directly into the server via a console, do you? I would have thought it more normal to enter the data into the client, then submit that data to the server for authentication.


  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Tripwire is pretty good at tracking additions and changes to a file system. It keeps an encrypted database of the MD5 hashes of the files that it's watching and compares them to the current MD5 of the files on the system, and can email you an alert if it finds something has been added/changed.

    Of course it helps if the system is clean to begin with.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
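The file-integrity approach described in the post above, as an added example that is not code from the thread or from Tripwire itself: it builds a baseline of file hashes under a directory, protects the stored baseline with an HMAC (standing in for Tripwire's encrypted database, so that a baseline edited by an intruder is noticed), and reports files added, removed or changed since the baseline was taken. It uses SHA-256 rather than the MD5 the post mentions; the directory layout, file names and the demo key are constructed for the example.

```python
"""Tripwire-style file integrity check (added example, not from the thread)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Stream the file through the hash so large files are not read into memory."""
    h = hashlib.new(algorithm)
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its hash, size and mode."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode,
            }
    return baseline


def canonical(baseline):
    """Deterministic JSON encoding so the HMAC is stable across runs."""
    return json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(baseline, key):
    """HMAC over the canonical baseline; the key must be kept off the monitored host."""
    return hmac.new(key, canonical(baseline), hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, signature):
    return hmac.compare_digest(sign_baseline(baseline, key), signature)


def compare(baseline, current):
    """Return added/removed/changed relative paths, like a Tripwire report."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kbdclass.sys").write_bytes(b"original driver bytes")
        (root / "config.ini").write_text("[settings]\nok=1\n")
        baseline = build_baseline(root)
        key = b"constructed-demo-key"  # constructed; real deployments keep this off-box
        signature = sign_baseline(baseline, key)

        # Simulated compromise: driver replaced, an extra module dropped, a file deleted.
        (root / "system32" / "kbdclass.sys").write_bytes(b"tampered driver bytes")
        (root / "system32" / "keyhook.dll").write_bytes(b"new module")
        (root / "config.ini").unlink()

        assert verify_baseline(baseline, key, signature)  # the stored baseline is intact
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a scheduled job that rebuilds the baseline, verifies the stored signature first, and mails the `compare` result when any list is non-empty; this answers the question raised later in the thread about interval versus continuous monitoring, since a scheme like this only sees changes between two runs.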

  4. #4
    Banned
    Join Date
    Jul 2005
    Posts
    511
    At http://www.thinkgeek.com/ there used to be a hardware-based keylogger that no software would be able to deal with. It was something you could plug in between the keyboard and the computer, perhaps an inch in length. No need to install any drivers either. It had 64 MB (128 MB) of RAM in it, just like any flash disk, and it recorded every keystroke. It's not available there anymore, though.
    There is no good protection against these hardware-based keyloggers except for common sense and a bit of paranoia.

    Software-based anti-keyloggers can work in two ways. They can either check the system for keylogging software, like anti-virus or anti-spyware software does. Or they examine the keyhook chain of your system and check every process that is hooked into this chain. But there are some applications that have valid reasons to hook into the keyboard-hook system.

    A keylogger might also work on a much lower level, like in the keyboard driver itself. If the keylogging functionality is part of the keyboard driver itself, there isn't much that can be done about that by any piece of software. Dell, for example, has been accused of doing such a thing on some of the systems they have sold. These systems came with some additional software that supposedly is used to support additional keyboard functionality for their keyboards, but which also seems to do a bit more. Other hardware vendors might do similar things to keep an eye on their customers.

    Still, keyloggers will have to send their information to someone who is interested in this information. So they either need physical access to the computer or you will notice some suspicious traffic on the network. These are the things to be aware of. Dare to be suspicious. Paranoia is really healthy when the whole world wants to get you!

  5. #5
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Pardon my naivety, but wouldn't a better solution be to make a security policy that doesn't allow loggers to get in in the first place? Additionally, Tedob1, I haven't tried tripwire. Does it continuously monitor the system for changes, or does it compare hashes after a certain time interval or something like that?

  6. #6
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Still, keyloggers will have to send their information to someone who is interested in this information. So they either need physical access to the computer or you will notice some suspicious traffic on the network. These are the things to be aware of. Dare to be suspicious. Paranoia is really healthy when the whole world wants to get you!
    Interesting. Exactly what type of suspicious traffic would I see? What ports do software keyloggers communicate on?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  7. #7
    Banned
    Join Date
    Jul 2005
    Posts
    511
    Originally posted here by dinowuff
    Interesting. Exactly what type of suspicious traffic would I see? What ports do software keyloggers communicate on?
    Like with trojans and viruses, this could actually be any port. But all they have to do is send the collected information once in a while to some other system. This other system could be just a web service on port 80, an FTP site to which the data gets uploaded, or even just a simple email. Or they use some more obscure port to connect to some remote server.

    To detect it, you would need to monitor all your network traffic, checking constantly for ports being opened and then logging this information in a file. Ethereal is able to collect any traffic that is sent and there are many other tools available that can provide additional information. SysInternals has a tool called 'tcpview.exe' that will show any connections on your system and the application that is connected to it. You could use tcpview to check for any suspicious connections and if you discover any, use ethereal to find out what exactly is being sent. And hope the keylogger doesn't have any stealth-methods in it to stay hidden from these tools.

    As said before, a keylogger needs to send its information in some way to the person who is interested in this information. If this person has physical access to the system, no network traffic would be required. Otherwise, some kind of remote access is needed: either the keylogger 'calls home', or a server checks if a keylogger is installed on a certain port. But the last method is used more by worms that want to provide the hacker access to the system at any time.

  8. #8
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    OK, so what is the difference between a packet sent by keylogging software and a packet sent by a web browser, both on port 80? Again, how would the port 80 traffic look different or suspicious?

    If you're suggesting the packet itself is different, would it be the header structure; differences in the protocol fields maybe?

    And are you suggesting that tcpview is a stateful packet inspector?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  9. #9
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Most keyloggers try to send their log file via email, as usually port 25 is unfiltered, whereas port 80 may restrict access to certain sites, which could hinder the sending of the log file.

    Sending the log file via email is quite effective as it is still an email and will use your normal email client settings/servers to send. Ways to spot this traffic are examining the size of the email and/or the regularity of it. The keylogger will be configured to either send it when the log file reaches a set size or at a certain time on a certain day, and it will be to the same email address.

    So go through your logs and see if there are any patterns regarding email: a certain one that is always, say, 100KB in size, or one that is always sent at 12:00 on Friday; look for it always being addressed to the same person.

    If your boss is really concerned about this, tell him you will examine your SMTP logs to check for these tell-tale signs.

    If you find a keylogger installed on a box in your network but it is not set up to send email, then the chances are it is an employee that has installed it; if this is the case, words with the sysadmin are required!!!

    I was asked roughly a year ago to write a paper on keyloggers and I found Spybot always detected every keylogger I played around with, but that was a year ago.

  10. #10
    Banned
    Join Date
    Jul 2005
    Posts
    511
    Originally posted here by dinowuff
    OK, so what is the difference between a packet sent by keylogging software and a packet sent by a web browser, both on port 80? Again, how would the port 80 traffic look different or suspicious?

    If you're suggesting the packet itself is different, would it be the header structure; differences in the protocol fields maybe?

    And are you suggesting that tcpview is a stateful packet inspector?
    It's actually a lot easier than that. The keylogger will call home in regular intervals. This could be after a certain amount of time or just even after a certain amount of keystrokes. The technique used for this is similar to that of regular applications. And thus it won't easily get noticed.

    But as Nokia already says, there would be a detectable pattern in it. A fixed size in the data being sent. Or a regular time interval at which it starts sending. And of course it will contact a certain server every time. So you would see that site turn up regularly. If you'd see regular connections to hacker-inc.org while you never even visited it, then be suspicious. If you apparently accessed that server on another port than port 80, be very suspicious.

    Keyloggers can use email as one way to call home. They could use MAPI to send their data but then it might leave an easy trace. Others will have their own SMTP-client code within and will attempt to connect to an SMTP server to send the data. And the SMTP server used for this can depend on many factors. It could e.g. try to check the settings of Outlook Express. Or it might have a list of usable servers that should be available.

    But like any communication tool (Skype, Yahoo Messenger, Firebird, Outlook) a keylogger can use any kind of technique. But it might have a detectable pattern in its communications (e.g. always the same size, or always around the same time). It might also be detected because it tries to contact an unknown server every time. It doesn't have to do anything special, but that doesn't mean they don't do anything special...

    About tcpview, it is a simple tool that just shows you any connections that it can detect and the state of this communication. There are better tools. And tools with more options. But tcpview is free and easy to use. Just a good thing to start with, if you suspect something. Use Ethereal if you want to examine the packets, which too is free. Or use any of the many other network tools to keep an eye on your system. There are many free tools and many commercial tools that all offer some useful kind of functionality.

    I have the knowledge to write a simple keylogger. I even wrote one myself based on some example code from someone else, in Delphi. It's not that difficult but just takes some time to write. At http://www.bitlogic.co.uk/keyhook.htm you can even find a commercial library for Delphi with a whole component written around it. For about $40 you will even have the source for it. But basically you just need the SetWindowsHookEx API with WH_KEYBOARD or WH_KEYBOARD_LL as filter parameter, a callback routine, the instance handle of the process you want to monitor and the thread ID of the thread you want to monitor. (But you can make them system-wide.) By placing this function call and callback procedure in a DLL, you can "inject" this DLL within the process space of another process or even make it system-wide. Thus the actual keylogging can be real simple. But sending the data to a place where it can be used (or abused) is the big trick here.
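Both Nokia's SMTP-log advice (post #9: same size, same schedule, same recipient) and the "regular interval, same server, unexpected port" pattern in post #10 reduce to the same check over a log of outbound events. The following is an added example, not code from any poster or tool named in the thread: it takes a simplified, constructed outbound log (ISO timestamp, source host, destination host or `mailto:` recipient, destination port, bytes), groups events per source/destination/port, and flags groups whose inter-event gaps are nearly constant, whose sizes never vary, whose weekday and time-of-day are always the same, or whose port is unusual for a host otherwise contacted on a well-known port. The log lines, hostnames and addresses are all constructed; the thresholds are assumptions to tune against real data.

```python
"""Beaconing/pattern detector over a constructed outbound log (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple

WELL_KNOWN = {25, 80, 443}  # assumption: ports a workstation is expected to talk on


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    size: int


class Finding(NamedTuple):
    src: str
    dst: str
    dport: int
    count: int
    reasons: List[str]


# Constructed sample: ws17 browses normally, beacons hourly to 203.0.113.10 with a
# fixed 4096-byte payload and once touches it on port 4444; ws22 mails a colleague
# at random times and mails the same external address every Friday at 12:00 with a
# 102400-byte message.
LOG = """\
2005-08-08T09:12:44 ws17 198.51.100.5 80 18234
2005-08-08T09:15:03 ws17 198.51.100.5 80 2211
2005-08-08T10:00:00 ws17 203.0.113.10 80 4096
2005-08-08T10:41:17 ws17 198.51.100.5 80 9120
2005-08-08T11:00:00 ws17 203.0.113.10 80 4096
2005-08-08T12:00:00 ws17 203.0.113.10 80 4096
2005-08-08T12:07:55 ws17 198.51.100.5 80 40125
2005-08-08T13:00:00 ws17 203.0.113.10 80 4096
2005-08-08T13:00:02 ws17 203.0.113.10 4444 512
2005-08-05T12:00:00 ws22 mailto:drop@example.net 25 102400
2005-08-12T12:00:00 ws22 mailto:drop@example.net 25 102400
2005-08-19T12:00:00 ws22 mailto:drop@example.net 25 102400
2005-08-09T08:31:10 ws22 mailto:alice@corp.example 25 3410
2005-08-10T16:02:51 ws22 mailto:alice@corp.example 25 77120
2005-08-15T11:45:09 ws22 mailto:alice@corp.example 25 5200
"""


def parse(log_text):
    """One event per non-blank line of the constructed format."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, size = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), int(size)))
    return events


def analyse(log_text, min_events=3, max_cv=0.1):
    """Flag per-destination groups that show a beacon-like pattern."""
    groups = defaultdict(list)
    for ev in parse(log_text):
        groups[(ev.src, ev.dst, ev.dport)].append(ev)
    ports_seen = defaultdict(set)  # (src, dst) -> ports used to that host
    for src, dst, dport in groups:
        ports_seen[(src, dst)].add(dport)

    findings = []
    for (src, dst, dport), events in sorted(groups.items()):
        reasons = []
        times = sorted(e.ts for e in events)
        sizes = [e.size for e in events]
        if len(events) >= min_events:  # two events always look "regular"; need 3+
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
            if cv <= max_cv:
                reasons.append(f"regular interval of ~{mean:.0f}s (cv={cv:.2f})")
            if len(set(sizes)) == 1:
                reasons.append(f"constant size {sizes[0]} bytes")
            if len({(t.weekday(), t.hour, t.minute) for t in times}) == 1:
                reasons.append(f"fixed schedule: {times[0].strftime('%A %H:%M')}")
        usual = (ports_seen[(src, dst)] - {dport}) & WELL_KNOWN
        if dport not in WELL_KNOWN and usual:
            reasons.append(f"port {dport} to a host otherwise seen on {sorted(usual)}")
        if reasons:
            findings.append(Finding(src, dst, dport, len(events), reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(LOG):
        print(f"{f.src} -> {f.dst}:{f.dport} ({f.count} events): {'; '.join(f.reasons)}")
```

Against the sample above, the hourly 4096-byte connections, the port 4444 contact to the same host, and the weekly Friday 12:00 mail of constant size are reported, while ordinary browsing and the colleague's mail are not. On real data, feed it the time, recipient and size columns of your SMTP log or the proxy/firewall export, raise `min_events`, and treat the output as a list of things to look at with tcpview or Ethereal rather than as verdicts.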
