“I don’t know what happened! I don’t remember visiting any dodgy websites, downloading any weird apps, opening any suspicious emails or attachments, let alone links! Why am I receiving these sms & email notifications from my Bank!?!?”
Does it sound familiar?
In most cases the unsuspecting victim is being honest. This can happen to anyone; in fact, I was once a victim!
A keylogger is a hardware device or software application that captures every key you press on your keyboard. Logging is done in stealth mode, in such a way that the victim (person using the keyboard) is unaware that their actions are being recorded or monitored.
Typically, keyloggers are installed to steal passwords, credit card details and personal messages, or to monitor network usage: basically, everything one types on a keyboard.
There are several ways keyloggers get installed on a victim’s (affected user’s) computer:
Hardware keyloggers that are physically installed by someone, for example, for corporate espionage.
Software keyloggers that are installed by a protective parent to spy on his / her child or children, in most cases to check or monitor their online activities: the websites they visit, who they talk to and, basically, what they do on the affected device.
Software keyloggers installed by a jealous / suspicious spouse to spy on his / her partner. For example, when one suspects their spouse is cheating, to keep tabs on their whereabouts, or to monitor patterns leading to strange or unusual behaviour in a marriage, e.g. when faced with sudden marital financial issues, to ascertain whether he or she is involved in online gambling.
Keyloggers installed by employers to spy on their employees. For example, when employers want to keep tabs on what their employees are doing during working hours (some call it the “Time is money, I am paying you to work here!” approach), or to investigate employees they are suspicious of.
Keylogger Attack Vectors
I will be focusing on software based keyloggers, to be specific, keyloggers that are covertly installed on one’s computer in the form of malware.
All attack vectors involve the keylogger being delivered and installed or executed as malware. The malware usually comes in one of two forms: one that is already armed with keylogging capabilities, or one that installs a backdoor that lets the attacker remotely take over and control your machine and carry out malicious activities, one of which is running a keylogger remotely.
The installation of malware can be done through the following vectors (to name a few):
Social Engineering – Phishing, an attempt to trick the victim into disclosing private information by opening a malicious email in which the attacker poses as a trustworthy entity. Malware with keylogging capabilities is usually disguised in the email attachment or link and is installed once you either open the malicious attachment or click on the infected link in the email body.
Drive-by downloads – Involve the victim unintentionally downloading data from the internet to their local machine (Note: the local machine can be a computer, laptop or mobile device). The silent download takes place when an unsuspecting individual visits, surfs, browses or drives by a compromised or malicious web page. Of major concern is that most of these drive-by downloads (with keylogging capabilities) are placed in normal and decent-looking websites.
Downloading & installing software from unknown or untrusted sources – This is one of the most common ways of getting malicious software onto your computer. You download that file (executable program), that cracked game you love playing the most, onto your machine, but little do you know it also comes with a backdoor / malicious piece of code with keylogging capabilities. Untrusted sources can also involve the installation of malicious backdoored applications from external media like flash drives.
Man-in-the-middle (MitM) Attack – Takes place on poorly secured Local Area Networks (LAN) or WiFi networks, usually public WiFi, or even your poorly secured home or work WiFi router. It involves the attacker also connecting to the same WiFi (or network) and scanning for certain weaknesses such as default passwords, poorly configured services or application vulnerabilities on the same network. Once vulnerabilities are found, the attacker inserts themselves between the user’s computer and the websites the user visits and intercepts the traffic between the two.
Vulnerable machines connected to the Internet or Local Network – Connecting that unpatched & outdated machine of yours directly to the internet or local network.
How Keyloggers Work
Without being too technical, the main objective behind keyloggers is to get in between (interface with) any two links in the chain of processes or events between when a key is pressed and when information about that keystroke is displayed on the screen.
Below is a demonstration of how an attacker could remotely carry out this attack on an unsuspecting victim’s computer that is directly connected to the Internet and running outdated & unpatched (vulnerable) software applications / programs.
(Please Note; the hack was carried out over the Internet. Both tests (local & remote) are in a controlled and authorised environment. Do not try this on machines you are not authorised to access, it is illegal and I (and iAfrikan) will not be held liable for any policy breaches and damages caused.)
As can be seen on the left, the victim (named Mr X whose name we will see shortly, in the next screenshot) is currently logged onto a vulnerable computer (also shown in the next screenshot) with the following information:
Computer Name: Placebo
IP Address: 184.108.40.206
Software (OS): Microsoft Windows 7 Ultimate
Note: A screenshot of the current desktop can also be taken remotely by the attacker.
Following a successful attack on the Victim’s PC (Placebo) whose currently logged on user is Mr X over the Internet (Wide Area Network (WAN)), we can see that there is a connect back connection from the victim’s machine to the attacker (attacker’s internal IP Address is: 192.168.5.253).
Successfully exploiting the victim’s machine enables the attacker to take over and control the victim’s machine.
The attacker’s machine sits behind a robust firewall that logs incoming & outgoing traffic. As can be seen in the firewall logs, a (connect back) connection was successfully initiated from the victim’s machine sitting somewhere (remote) to the Attacker’s machine, over the Internet.
As can be seen, the attacker has a shell of the victim’s machine on her computer. We can see the victim’s Host name, Operating System details, IP Address as shown earlier.
What Does It Mean?
In a nutshell, the following sequence of events took place and led to the victim being compromised:
The attacker sets out on a mission to look for a vulnerable machine on the internet and, if one is found, to exploit and take control of it.
The attack can be random or targeted at a specific machine or machines (victim). The targeted machine has to meet specific requirements in order for the attack to be successful.
The attacker requires a Windows machine that is susceptible to a particular known vulnerability (to exploit), in a procedure resembling an earlier post (Windows XP Hack). In this case, the exploit targets a weakness found only on a vulnerable Windows 7 machine, that is, one that is not patched (updated) with the specific update that addresses (prevents) the particular weakness that is going to be taken advantage of.
The attacker arms his exploit (an exploit is a piece of code that takes advantage of a particular weakness / flaw in a system’s application or service, usually for malicious purposes), which he / she further arms with a specific payload (a payload is a piece of software that carries out a specific function, that is, executes a malicious activity, once a particular machine has been exploited), in this case a reverse shell.
A reverse shell is a user interface for accessing the operating system’s services, which connects back from victim (target) to attacking machine.
The attacker explicitly specifies the connect-back details of his attacking machine so that the victim dials back home, that is, connects back to that specific machine on the internet.
The exploit can be delivered using any of the methods listed under “Keylogger Attack Vectors” above!
In the above case, the Attacker manages to get the Victim’s machine to connect back to his / her machine. This enables the Attacker to remotely access the Victim’s “Command Prompt” from his / her own local machine, as if he / she were actually sitting in front of the victim’s physical machine (despite them being geographically apart).
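Seen from the victim's network, the connect-back described above is an outbound session from an internal machine to an outside host, which an egress firewall log can surface. The following is an added example, not part of the original article: the key=value log layout, the internal ranges, the port allowlist, the duration threshold and the sample lines are all constructed assumptions.

```python
import ipaddress

# Assumptions (not from the article): internal ranges and workstation egress policy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DST_PORTS = {53, 80, 123, 443}

# Constructed sample log lines; the key=value layout is hypothetical.
SAMPLE_LOG = """\
2024-01-10T09:00:01 action=allow proto=tcp src=10.0.0.23 sport=49811 dst=198.51.100.10 dport=443 dur=12
2024-01-10T09:02:17 action=allow proto=tcp src=10.0.0.23 sport=49902 dst=203.0.113.50 dport=4444 dur=1860
2024-01-10T09:03:40 action=allow proto=tcp src=10.0.0.31 sport=50110 dst=10.0.0.5 dport=445 dur=30
2024-01-10T09:05:02 action=deny proto=tcp src=10.0.0.40 sport=50222 dst=198.51.100.7 dport=8081 dur=0
malformed line without fields
"""

def parse_line(line):
    """Return the key=value fields plus the timestamp, or None if fields are missing."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"action", "src", "dst", "dport", "dur"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    return fields

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def is_connect_back_candidate(f, min_duration):
    """Allowed, long-lived session from an internal host to an external host
    on a destination port outside the egress allowlist."""
    try:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        dport, dur = int(f["dport"]), int(f["dur"])
    except ValueError:
        return False  # unparseable address or number: not evaluated here
    return (f["action"] == "allow" and is_internal(src) and not is_internal(dst)
            and dport not in ALLOWED_DST_PORTS and dur >= min_duration)

def find_candidates(log_text, min_duration=300):
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and is_connect_back_candidate(f, min_duration):
            hits.append((f["time"], f["src"], f["dst"], int(f["dport"])))
    return hits

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_LOG):
        print("review outbound session:", hit)
```

A hit is a lead for review rather than proof of compromise, and a connect-back that uses an allowlisted port such as 443 will not be caught by this port-based check.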
That being said, in recent years there has been a rapid increase in the use of Keyloggers by Cyber criminals! Are you safe?
Shell access is just the beginning! The worst is yet to come! In Part 2, I will be demonstrating how the Attacker proceeds to remotely launch a keylogger that captures all the Victim’s keystrokes! Say what!? Yes, you heard me! The good news is that there are ways to protect yourself from keyloggers!