What are the limitations of keystroke recorders?
February 4, 2005 3:11 PM

Keystroke recorders. What are their limitations? A Windows XP computer where I work had a trojan which was described by antivirus companies to use a keystroke recorder to steal information and send it somewhere over the net. Does the OS have built-in protection against this? Can these things record any keystroke made on a computer, or does it depend on the application?
posted by shoos to Technology (10 answers total)

It all depends on how much of Windows it intends to infect.

If it gets into Ring 0 (kernel) it's game over. The trojan can do anything at all, period. No limits at all, except what the computer hardware is physically capable of. To do that the user would have to have administrator rights (which Windows XP gives by default).

A user with regular rights generally would only be able to affect operation of the computer as regards to his own account only, which would mean things like login passwords and the like probably wouldn't get recorded.

Of course, with the daily exploits found for Windows XP, getting Admin rights as an executable executed with only regular rights isn't tough from what I see. :-D
posted by shepd at 3:16 PM on February 4, 2005

Perhaps your work put a keylogger on you intentionally?

This is why you shouldn't surf mefi so much. ;-)
posted by u.n. owen at 3:16 PM on February 4, 2005

Windows keystroke recorders, if they're made at all well, "hook" into the operating system -- essentially, the operating system, when a key is pressed, as part of the processing of the keystroke, informs the logger.

The OS doesn't have built-in protection against it; it in fact facilitates it. There are several "layers" to the keystroke processing, and the operating system is built so that a keystroke recorder (or other software) can inject itself at any of several layers.

This is actually a good thing, as it makes possible such things as Dvorak key layouts implemented in software, or key handling that aids the handicapped, or applications that are invoked by system-wide "hotkeys". Or keystroke loggers.

In fact, I for a while found it useful to run a key logger on my own computer. Why that was useful is left as an exercise for the reader.

The cure for unwanted keystroke loggers and all other Trojans is to have a firewall and a virus scanner and to not run software you're unfamiliar with. A software firewall that prevents outgoing connections will at the least stymie the trojan's attempt to "phone home" with the stolen information. A firewall like Kerio, which also blocks processes from running other processes, makes phoning home via, say, the browser, also difficult for the trojan.

While it's not foolproof, a good practice is to periodically look at the running processes on your machine, and google those that you don't recognize. (Of course it's also possible to write a key-logger that doesn't show up in the process list, by for example making it a keyboard device driver -- but this is often going to be more work than the trojan author cares to do.)
posted by orthogonality at 3:26 PM on February 4, 2005
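
The periodic process review suggested in the answer above, automated as an added example that is not part of the original thread. It assumes a CSV export with `Name`, `ProcessId` and `ExecutablePath` columns (the fields of the Windows `Win32_Process` class); the baseline and the sample rows, including `kbdhelper.exe`, are constructed for illustration.

```python
import csv
import io
import ntpath

# Constructed baseline: process name -> directory it is expected to run from.
BASELINE = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample export (not taken from a real machine).
SAMPLE_CSV = r'''"Name","ProcessId","ExecutablePath"
"svchost.exe","812","C:\WINDOWS\system32\svchost.exe"
"explorer.exe","1480","C:\WINDOWS\explorer.exe"
"svchost.exe","2044","C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"
"kbdhelper.exe","2310","C:\Documents and Settings\user\Application Data\kbdhelper.exe"
"winlogon.exe","620",""
'''


def review(csv_text, baseline):
    """Return (pid, name, reason) for every process that needs a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["ProcessId"])
        name = row["Name"].strip().lower()
        path = row["ExecutablePath"].strip()
        if name not in baseline:
            # Not in the known-good list: look it up before trusting it.
            findings.append((pid, name, "unknown-name"))
        elif not path:
            # Path hidden from a non-admin export: repeat the export elevated.
            findings.append((pid, name, "path-unavailable"))
        elif ntpath.dirname(path).lower() != baseline[name]:
            # Familiar name, wrong directory: a trusted name is being reused.
            findings.append((pid, name, "unexpected-path"))
    return findings


if __name__ == "__main__":
    # As the answer notes, a logger built as a keyboard device driver never
    # appears in the process list, so a clean result here is not proof.
    for finding in review(SAMPLE_CSV, BASELINE):
        print(finding)
```
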

To reiterate:

What are their limitations? generally speaking, none.

Does the OS have built-in protection against this? nope.

Can these things record any keystroke made on a computer, or does it depend on the application? generally speaking, any keystroke.
posted by escher at 3:35 PM on February 4, 2005

In the case of Windows, they almost always hook into the keyboard DLL, and grab everything.

In Unix/Mac OS X, things are harder -- a bit of code at the user level has to attack the kernel level to get access to all the keystrokes. Easier is to attack the terminal processes, but you need to attach to each one to get all the keystrokes.

An easier (and more fruitful) attack is to go after X terminals (xterms and whatnot) via the X server process -- getting that gets every terminal running on that X server, which, back in the day, meant you'd be keysniffing on several boxes. In the micro age, though, everything's running locally. This doesn't affect Mac OS, which doesn't use X as the primary GUI interface, but a similar attack could theoretically be mounted.

Finally, there's the hardware sniffers that plug into the keyboard port. They get everything, and there's nothing the OS can do to stop them -- the OS doesn't even know they are there.
posted by eriko at 7:03 PM on February 4, 2005

Think of it this way - your keyboard driver, a small piece of software, is aware of EVERY KEYSTROKE YOU MAKE. Any keystroke it isn't aware of more or less didn't really happen. I have no idea whether keyboard manufacturers build high security into their driver software, but I tend to doubt it.
posted by scarabic at 7:09 PM on February 4, 2005

As has been said above, generally it has no limitations. As it got installed, you should consider the machine compromised and reformat. AV software will tell you it has "cleaned" your system, and it probably has, but...

The (Windows) OS doesn't protect against this, but there is software that tries to, called Host Based Intrusion Protection. Cisco's CSA and McAfee's Entercept being examples.

Products like these are going to become inseparable from your AV software, if not your OS, in years to come, but they aren't there yet.

Finally, I've played with hardware keyboard loggers that just look like an adaptor and can collect over a week's worth of keystrokes. Those are cool.
posted by sohcahtoa at 7:19 PM on February 4, 2005

In Mac OS X, any app can read the keyboard surreptitiously, by design. There's an option in Terminal to disable this (File > Secure Keyboard Entry), which is intended to be used when you are e.g. typing passwords into a ssh session. It keeps other programs from snooping. However, it will also keep some programs from working properly, since they peep the keyboard regularly to see whether you're holding down certain keys. (Photoshop, obviously, does this constantly.)
posted by kindall at 11:35 PM on February 4, 2005

Additionally -- some keyloggers record not only every keystroke made, but every copy/paste, every AIM conversation (incoming and outgoing), the name of every window text was entered in, every URL they clicked on, etc.
posted by Jairus at 12:05 AM on February 5, 2005

Thanks for the info, everyone.
posted by shoos at 4:28 AM on February 5, 2005
