Keyloggers, a type of malware that tracks a person’s keystrokes through either hardware or software may be one of the lesser-known IT security threats, but, according to a just-released McAfee white paper, they are very much on the rise — and a booming business for cyber-criminals.
The Internet security company recently released “Identity Theft,” a white paper by McAfee Avert Labs’ senior virus research engineer Francois Paget, that details how the perpetrators go about obtaining the information. The first key finding relates the fact that, “between January 2004 and May 2006, the number of keyloggers increased by 250 per cent.”
Keyloggers, according to McAfee threat researcher Craig Schmugar, use an application or device to intercept all the keystrokes on a particular machine. It can get on the computer two ways: via software or hardware. (The latter is much less popular, as the cyber-criminal needs physical access to the machine.)
When it comes to the application route, how the program infiltrates a person’s machine is a familiar story: “The malware’s installing mechanism looks to exploit a hole, say, a weakness in Internet Explorer if the owner hasn’t downloaded the latest patch, or they’re (in between patches) in zero-day vulnerability. They’re surfing, or get an e-mail, with a Web link; when they follow it to the Web site, the program there silently installs the keylogger,” said Schmugar.
The program then monitors all keystrokes that are entered on the computer, and converts them into log files that are either uploaded to a Web page or e-mailed to the cyber-criminal.
Cyber-criminals can actually connect remotely to the keylogger-infected computer, effectively turning the computer into a server. There, the files are installed to a directory. “You won’t even see it,” said Schmugar. “They’re hidden within your operating system.”
Keyloggers often now have even stealthier rootkit capabilities, said Schmugar. “They’re getting better at hiding themselves, so we’re working on techniques to look underneath the malware to see what’s hiding under there.”
Schmugar said that the majority of users suffering from keyloggers took an action (i.e. clicked on a link) that resulted in the keylogger infestation, but the most threatening of all keylogger carriers are bots, the “robots” that infiltrate a nearby computer automatically via the Internet, allowing the “commander” to control the now-“zombie-fied” machine. An employee, for instance, could pick up a bug from their wireless Internet at home, bring the device into the office, and spread the bot to the company’s computers. “Out of the one million bots in the world today,” said Schmugar, “at any one time, more than half carry keyloggers. And that’s just when they get there. (The cyber-criminal) could put one in.”
And you don’t have to be a tech-genius to do so. “The people who have the technical skills have built the programs, and the people without the technical skills buy them. It’s like Malware for Dummies,” according to Schmugar.
He said that the Web sites offering keylogger applications are not overly difficult to find, and once there, “you can customize them, enter a field, push a button, and this fairly technically advanced (programming) comes out the other end.” Those with rudimentary programming skills can find keylogger code on the web and tweak it to perfection. These cyber-criminals aren’t playing around, either, said Schmugar. “What was once perceived as the high-school kid/geek/loner doing this for kicks is now a slightly older person who is very serious.” He said that cyber-criminals are now often being hired into professional attack groups to write better keylogger code for them.
While many businesses are likely unaware of the growing threat of these legions of keyloggers, they certainly aren’t unaware of other identity theft methods. According to Joe Greene, IDC Canada‘s vice president of security research, in a recent survey of 500 medium and large businesses, the No. 2 threat was phishing, the practice of using fake e-mails and Web sites to try and elicit information input. “It’s difficult to gather statistics (on how many businesses have actually been infected) due to brand image and brand damage,” said Greene. But another IDC Canada survey shows that a significant number of businesses aren’t putting their money where their fear is: it found that almost a third of large businesses did not have any anti-spyware programs in place.
Greene said, “They’re still struggling to come to terms with what the threats are, as they change every day, and they have limited resources, and, often, an it-just-won’t-happen-to-me attitude.”
This is despite a couple of incidents reported in the Canadian media in the last couple of years. In 2005, the Parkland Regional Library in Lacombe, Alberta, installed keystroke logging software on an employee’s computer to monitor his job performance; when they thought the results weren’t up to snuff, they fired him, prompting the man to take his case to the Alberta privacy commissioner, who ruled that monitoring him like that went against his Freedom of Information and Protection Privacy Act rights. In 2006, an Alberta judge sentenced a man to a year in prison for cyberstalking, which included using keystroke logging software to get her personal information.
Comment: [email protected]