Functioning - Legal situation - Detecting – Countermeasures
They would have been the dream of the Stasi: keyloggers. Programs that are actually Trojans, but legal. They ruthlessly spy on an unsuspecting PC user. A keylogger documents everything the user does: it logs passwords, visited web pages and e-mails. It records which programs were started and when. It regularly saves screenshots to capture even the last detail.
Keyloggers hide so deeply in the operating system that they are hard to detect even for the trained eye. On a suitably prepared computer - in an internet café, for example - the user has hardly any chance of noticing the total monitoring. Keyloggers installed by an employer are likewise hard for the employee to detect.
How does a keylogger work? What is the legal status of these monitoring tools? How can one escape total surveillance? We give answers.
1. Functioning: Hardware and software keyloggers
Keyloggers are available in two variants: as hardware and as software. Hardware keyloggers usually look like adapters, and the person being spied on can find them only by actually crawling under the desk. On the other hand, whoever placed the hardware keylogger must come by regularly to remove it and read it out. In contrast, software keyloggers run - like a Trojan - as a program on the PC. They can log much more than their hardware brothers and can also send their findings by e-mail.
Most hardware keyloggers are specialized devices that resemble normal adapters. They are inserted between keyboard and computer and store every keystroke made on the prepared PC. A more sophisticated variant is a keyboard with a keylogger already built in: the recording takes place in the keyboard itself, so there is no telltale pseudo-adapter to be seen.
All hardware keyloggers can record hundreds of thousands of keystrokes, so they can stay installed for months and years. But they are also limited to exactly that: recording keystrokes. They cannot take screenshots, and often they do not send e-mails either. In addition, reading out the keylogger takes considerable effort: the device must be removed and connected to another PC. It can also be read out on the same PC on which it is installed, but that requires long, undisturbed access to this PC, which is not always guaranteed.
Software keyloggers take a less laborious approach. They are software installed to monitor other users of the prepared computer. This software usually digs deep into the system to prevent the user from noticing that he is under surveillance. If he knew that his behavior was being logged, he would hardly do anything forbidden, and the logging would be pointless.
Software keyloggers are closely related to clearly illegal programs: Trojans and rootkits. Like Trojans, they spy on PC users without them noticing. And like rootkits, they hide deep inside the operating system. How this hiding game works exactly is a trade secret of the respective manufacturers. It is usually only revealed that the keyloggers hook themselves into the system as a modified driver.
The functionality of the various monitoring tools varies. All of them can record keystrokes, and sending the resulting log file by e-mail can also be expected. It is particularly important that the software runs very stably and is quick and easy to set up and use. After testing many keyloggers, one can say that these are the best keyloggers on the market:
The Best Keyloggers:
Ardamax Keylogger ( https://www.ardamax.com/ )
Refog Keylogger ( https://www.refog.com/ )
SpyAgent ( https://www.spytech-web.com/spyagent.shtml )
Spytector ( https://www.spytector.com/index.html )
Revealer Keylogger ( https://www.logixoft.com/ )
Wolfeye Keylogger ( https://www.wolfeye.us/ )
One very popular piece of surveillance software in many areas is Wolfeye Keylogger. It also takes screenshots at regular intervals, makes it possible to capture all kinds of passwords, such as e-mail and Facebook passwords, and monitors all visited websites. What is remarkable is how stably Wolfeye Keylogger runs without consuming many system resources. It also offers the best support: if there is any question, they always help immediately.
2. The legal situation
The legal situation for monitoring on the PC is - as so often in computer questions - unclear and differs from country to country. Basically, general total monitoring of a user without his knowledge is inadmissible. On the other hand, random spot checks are sometimes allowed, but only for control purposes. Where the limit for such spot checks lies is determined on a case-by-case basis.
For employees, the legal situation is divided into two different scenarios. In the first scenario, the employer allows private use of the internet during working hours. In such a scenario the employer must respect the secrecy of telecommunications. He may not log the content of private e-mails and other private communications. Any spot checks must be limited to ruling out excessive use of the Internet at company expense. This should be done by logging the connection duration.
In the second scenario, the employer prohibits private surfing. If this is the case, the employer is not bound by the secrecy of telecommunications, yet he may not monitor the employee without restraint. The right to informational self-determination stands in the way in some countries, Germany for example. In both scenarios, the employer must inform the employee that surveillance is taking place.
The legal situation for pupils and students who go online at the school or at the university is this: The university must maintain the secrecy of telecommunications. Thus, the legal situation would be similar to that in scenario 1 between employee and employer.
However, for students who have network access at school, teachers have a special duty of supervision. From this it could be deduced that monitoring software could be allowed in schools in the interest of the protection of minors.
3. Detecting keyloggers
One of the key features of keyloggers is that they make themselves invisible. Accordingly, it is difficult to find out whether there is a keylogger on the computer or not. A further complication is that PCs at work or at university usually allow only a login with restricted rights. Installing and running software designed to detect keyloggers may be prohibited. What the user is and is not allowed to do has to be tried out in each individual case.
If you are on the hunt for keyloggers, you should exercise caution when not working on your own PC. No changes may be made to a third party system unless they have been agreed with the owner. A keylogger hunter must limit himself to finding the monitoring tools on a third-party PC. The subsequent removal or blocking of the keylogger is likely to be prohibited. However, the information that monitoring takes place at all is enough to adjust your own behavior accordingly.
Inspect the PC
The first step in finding a keylogger should be to carefully inspect the PC in question. Even though hardware keyloggers are unusual, you should not forget about them. If there is a strange adapter between the keyboard and the computer, you can simply test whether the PC runs without this adapter. If it does, you have probably found a hardware keylogger.
The normal Windows Task Manager is tricked by some keyloggers, so you cannot rely on it when searching for surveillance software. The Process Monitor from Microsoft provides more comprehensive information. The program is a single executable that does not require installation. With a little luck, the Process Monitor will also run from a limited user account.
The Process Monitor continuously lists all processes and their activities in the registry and on the hard disk. To find a keylogger, this list must be searched for suspicious entries. At this point, profound knowledge of the internals of Windows is required, because the sheer mass of list entries can quickly become confusing. If you cannot tell the unusual from the everyday, the Process Monitor will not help you much.
Keylogger-Detector (KL Detector)
The Keylogger-Detector (KL Detector) can also be downloaded as a simple executable file. The program takes a clever approach to finding keyloggers: it scans the hard drive for files that are constantly growing. If a keylogger is present on the system, it has to keep a log file somewhere into which it writes its records. This file therefore has to get bigger and bigger, and that is how the Keylogger-Detector discovers it.
Of course, the Keylogger-Detector also produces some "false positives", that is, false alarms. Even so, the list it prints out is a very good guide to finding keyloggers. And its clever approach does not limit it to tracking down particular surveillance programs; it also finds new and deeply buried Stasi tools.
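The growing-file heuristic described above can be sketched in a few lines of Python. This is an added example, not KL Detector's own code; the function names, the sample count and the interval are assumptions, and the script only reads file sizes, so it changes nothing on the machine being examined.

```python
import os
import time

def snapshot(root):
    """Map every regular file under root to its current size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.islink(path):
                    sizes[path] = os.path.getsize(path)
            except OSError:
                continue  # unreadable or deleted mid-scan: skip it
    return sizes

def growing_files(snapshots, min_growth_steps=None):
    """Return (path, first_size, last_size) for files that are present in
    every snapshot, never shrank, and grew in at least min_growth_steps
    intervals (default: in every interval)."""
    intervals = len(snapshots) - 1
    if intervals < 1:
        return []
    need = intervals if min_growth_steps is None else min_growth_steps
    hits = []
    common = set(snapshots[0]).intersection(*snapshots[1:])
    for path in sorted(common):
        sizes = [snap[path] for snap in snapshots]
        deltas = [b - a for a, b in zip(sizes, sizes[1:])]
        if all(d >= 0 for d in deltas) and sum(d > 0 for d in deltas) >= need:
            hits.append((path, sizes[0], sizes[-1]))
    return hits

def watch(root, samples=4, interval=30.0):
    """Take `samples` snapshots `interval` seconds apart, report growers."""
    snaps = [snapshot(root)]
    for _ in range(samples - 1):
        time.sleep(interval)
        snaps.append(snapshot(root))
    return growing_files(snaps)

if __name__ == "__main__":
    import sys
    for path, first, last in watch(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{last - first:>10} bytes grown  {path}")
```

Type on the keyboard while the script is sampling, since a keystroke log only grows when there is input to record. Ordinary application logs, browser caches and databases grow as well, so each hit is a lead to inspect, not proof of a keylogger.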
Anti-virus tools & rootkit remover
Many anti-virus programs recognize keyloggers as malware because of their relationship to Trojans and rootkits. On a properly equipped spy PC, however, the installed anti-virus software will not report the PC's own keylogger. But it might be worthwhile to start a different virus scanner to see whether it finds a keylogger.
The same applies to rootkit hunters. Although success is not guaranteed, rootkit detectors such as Sophos Anti-Rootkit may provide clues to the presence of a keylogger. Both anti-virus programs and rootkit hunters have the added benefit of scanning the system for viruses and rootkits, something that should be done regularly anyway.
4. Countermeasures
If a keylogger is discovered, the question arises: what to do? The program may not be removed from someone else's PC. You do not always have the option of simply not using the prepared PC. So all that remains is a concealment tactic: at least the most sensitive data, such as passwords and login information, should be kept from the keylogger.
One way to trick keyloggers is to use an on-screen keyboard. These programs display a keyboard on the monitor, which is then operated with the mouse. No key is pressed, so the keylogger has nothing to record. But not all on-screen keyboards get around the monitoring programs. For example, the on-screen keyboard supplied with Windows XP is easy prey for newer keyloggers. It is logged just like the normal keyboard.
Two on-screen keyboards that are a problem for keyloggers are Neo's SafeKeys ( http://www.aplin.com.au/ ) and the Mouse OnlyKeyboard. Both offer the advantage that the virtual keys are always rearranged. This will prevent keyloggers recording which key was pressed.
Password managers also help to prevent keyloggers from stealing your passwords. They do so with a technique similar to that of the on-screen keyboards mentioned above.
The simplest and most effective trick against keyloggers is to take advantage of their stupidity. A keylogger dumbly records every keystroke. It cannot tell where and why these keystrokes are made. So if you need to enter a password on a possibly compromised system, you can do the following: for each letter entered in the password field, enter several other letters at random in any other window or just on the desktop. Depending on the keylogger used, this could prevent your data from being stolen.
An example: the password to enter is "sarah17". To enter it on a spy PC, click somewhere on the desktop and type "dhgt". Then click in the password input field and enter the first letter, "s". Then click on the desktop again and enter any letter sequence, for example "tireq". Next, click back into the password field and enter the second letter of the password, "a". Then click on the desktop again and enter any nonsense, something like "nve". With this method you can hide the password in a jumble of letters by constantly switching back and forth between the desktop and the input field. A keylogger would record all keystrokes and log something like "dhgtstireqanverlhkoamndshnjfz1naas7krie" instead of "sarah17". The actual password cannot be reconstructed from this.
Keyloggers - whether as hardware or as software - are a threat to the security of your data. Their use always represents a violation of the privacy of the observed person.
Most jurisdictions have so far dealt only marginally with these monitoring tools. Under certain narrow conditions, however, their use is legal. The prerequisite is that the monitored person is at least informed about the software.
Tracking down keyloggers is not easy. They hide themselves, much like rootkits, deep in the operating system. Restricted user rights often complicate the search for the Stasi programs even further. Nevertheless, clever search tools such as the KL Detector can provide clues to existing keyloggers.
Anyone who suspects that he is being spied on by a keylogger can, with a little trick, smuggle particularly important entries past the total surveillance. But more modern keyloggers like Wolfeye Keylogger are not easy to trick. The most secure solution is not to use the prepared PC - or always to behave.