The Mushrooming Menace of Keyloggers

There may be few things as disturbing to Internet users as the thought of someone spying on them and capturing their every keystroke. Unfortunately, this has been happening more frequently as the use of keyloggers, phishing and spoofing grows.

In 2006, Keylogging was the fastest-growing type of malware in what Kaspersky Lab calls the “TrojWare” category — and that trend is expected to carry on through 2007, according to Senior Technical Consultant Shane Coursen.

Programs classified by Kaspersky Lab as Trojan-PSWs — the majority of which are intended to steal user account information from online gamers — increased at a 125 percent rate, Kaspersky Lab research analysts wrote in “Malware Evolution 2006: Executive Summary,” a recent report available at Kaspersky’s Viruslist.com Web site.

A Growing Problem

Keylogging has been growing at a rapid clip recently, an unhealthy trend for computer and network users, recounted Jens Hinrichsen, product marketing manager for the Consumer Solutions Business Unit of RSA, the security solutions division of EMC.

“The APWG (Anti-Phishing Working Group) shows monthly increases in the number of keylogging variants. Additional sources, such as Sophos, have also recorded an ongoing increase in keylogging variants,” Hinrichsen told the E-Commerce Times.

The following stats put the problem in perspective:

• In 2006, Sophos saw more than 41,000 new malware threats;
• 41 percent of those threats contained spyware characteristics;
• Forty-two percent were “downloaders,” designed to turn off the infected PC’s security before downloading crimeware;
• Recent RSA analysis of a single Gozi/BankSniff variant showed 30,000 infected users in a single month; and
• The prices of crimeware in the digital underworld are also falling, indicating a maturing of the market for such malicious code.

Not All Fun and Games

“Keyloggers, phishing and social engineering are currently the main methods being used in cyberfraud,” according to Kaspersky Lab’s “Computers, Networks and Theft” report.

“Users who are aware of security issues can easily protect themselves against phishing by ignoring phishing e-mails and by not entering any personal information on suspicious Web sites. It is more difficult, however, for users to combat keyloggers; the only possible method is to use an appropriate security solution, as it’s usually impossible for a user to tell that a keylogger has been installed on his/her machine,” Kaspersky’s Coursen said..

“Keyloggers and password-stealing Trojans are among the most significant threat type that exists today. The repair bill goes far beyond simply cleaning the malware from the computer. Keyloggers do their damage by operating discreetly in the background, over time collecting our most confidential information, passing it back to the attacker,” Coursen added.

Three Perspectives

Keylogging can be better understood by looking at the phenomenon from three different perspectives: Geographical, the impact of a single attack, and financial institution-specific repercussions, according to Hinrichsen.

“From a geographical perspective, certain geographies are already almost exclusively hit by financial Trojans — keyloggers being a subtype therein, with the more rare and sophisticated subclassification being ‘active, session-hijacking’ trojans that take over an account once a user has logged off. For example, in Germany over 90 percent of online banking fraud stems from Trojans,” he explained.

In terms of the impact of a single attack, it is the hardiness, stealth and longevity of keyloggers that make them particularly dangerous, he continued.

To understand how big a threat Trojans are, let’s look at a phishing attack and compare it to a Trojan.

“A phishing attack usually lives between five hours if you are a customer of the RSA FraudAction antiphishing service, to 105 hours — the APWG average. We recently analyzed the logs of a Trojan called Gozi/Banksniff. It was alive for five months before being taken down; it went undetected by [all] major antivirus vendors for the entirety of that period, and it compromised 30,000 new computers on average every month. This compares to several dozen credentials that a typical phishing attack compromises.”

These attributes and the fact that financial institutions have no control over customers’ computers make them a severe threat for banks, brokerages and other financial services businesses, he added.

“Unlike a phishing attack that cannot be hidden — someone will eventually report it — or a brute force attack — someone will eventually go over the logs and see it — Trojans can remain undetected for months, causing financial institutions unattributable fraud losses and general loss of confidence in the online channel,” Hinrichsen said.

Legitimate Uses

Keylogging software is commonly and often legitimately used,” Nikolay Grebennikov, deputy director of Kaspersky Lab’s R&D department, noted.

“Legitimate programs may have a keylogging function which can be used to call certain program functions using hotkeys, or to toggle between keyboard layouts (e.g., Keyboard Ninja). There is a lot of legitimate software which is designed to allow administrators to track what employees do throughout the day, or to allow users to track the activity of third parties on their computers,” he wrote.

“Most modern keyloggers are considered to be legitimate software or hardware and are sold on the open market. However, there is an ethical boundary between justified monitoring and monitoring for the purpose of stealing confidential user information — a boundary marked by a very fine line,” he added.

There is a long list of situations cited by developers and vendors where it is both legal and appropriate to use keyloggers, according to Grebennikov.

These include parental control of children’s Internet usage; jealous spouses or partners tracking the activity of their significant others to catch “virtual cheating”; organizations tracking the use of keywords and phrases associated with proprietary commercial information, as well as computers for non-work-related purposes or the use of workstations after hours; and for law enforcement purposes to analyze and track incidents linked to personal computer use.

The Threat

Their legitimate uses do not limit their potential use as malware, however. “Keyloggers are a huge threat to corporations where they can be used in targeted attacks. For ID theft, etc., Trojans that upload entire files from victims’ computers can often obtain enough data to engage in ID theft without needing to monitor and log keystrokes. The banking trojans, especially pervasive in South America, do aggressively log keystrokes, but usually in combination with sophisticated phishing schemes,” ESET’s Randy Abrams told the E-Commerce Times.

In a recent report entitled, “Keyloggers: How they work and how to detect them,” Kaspersky’s Grebennikov reported that keyloggers — used together with phishing and social engineering methods — have become one of the most commonly used methods of cyberfraud.

“Interestingly, keyloggers present no threat to the system itself, but pose a serious threat to users, resulting in stolen PIN codes, account numbers, passwords, e-mail accounts — and ultimately, stolen funds. In fact, researchers predict the total losses in America alone to be an estimated US$24.3 million,” he wrote.

As keyloggers, which come in both software and hardware forms, are the most comprehensive and reliable tool for tracking electronic information, they are the means by which most financial cybercrimes are committed, according to Kaspersky.

The malware literature is filled with examples of how cybercriminals make illegal use of keyloggers to gain access and pilfer bank, brokerage and credit card accounts.

Its Nature

“The main idea behind keyloggers is to get in between any two links in the chain of events between when a key is pressed and when information about that keystroke is displayed on the monitor,” Grebennikov explained.

“Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose,” ESET’s Abrams said, adding he was not sure whether or not the keylogging threat has grown.

“I don’t think we know how widespread the problem has been, but we do know that modern bots and other Trojans often will incorporate logging routines. The discovery of how pervasively successful phishing attacks can be has obviated the need for loggers. A simple Web site will effectively log the information the users have been duped into providing.”

Stealth Techniques

Once a cybercriminal obtains confidential user data, he or she can easily transfer money from users’ financial accounts or access users’ online gaming accounts. “Unfortunately, access to confidential data can sometimes have consequences which are far more serious than an individual’s loss of a few dollars,” Abrams noted.

In addition to being used to perpetrate online fraud and ID theft, “Keyloggers can be used as tools in both industrial and political espionage, accessing data which may include proprietary commercial information and classified government material which could compromise the security of commercial and state-owned organizations (for example, by stealing private encryption keys),” according to the Kaspersky Lab report.

There has been an increase in the number of keylogger files that have been disguised to hide from antivirus and other protective types of software.

For instance, many keyloggers hide themselves in the system (i.e., they have rootkit functionality), which makes them full-fledged Trojan programs.”

Known as rootkit technologies, there are two main types of these so-called “stealth techniques” used to disguise and hide keyloggers: masking in user mode and masking in kernel mode.

Tracking Keyloggers

Kaspersky’s antivirus database currently contains records for more than 300 families of keyloggers, not including complex threats that involve the use of keyloggers along with other types of malware, such as Trojans and worms.

“One of the first virus alerts on Kaspersky Lab’s malware information site was published on June 15, 2001,” according to the security vendor.

“Experience shows that the more complex the approach, the less likely it is to be used in common Trojan programs and the more likely it is to be used in specially designed Trojan programs which are designed to steal financial data from a specific company,” Grebennikov noted.