Keyloggers explained: How attackers record computer inputs

While sometimes keyloggers can be used legally, generally they're used to snoop on you for illicit purposes.

[Image: blurry hands typing on a computer keyboard. Credit: Thinkstock]

What is a keylogger?

A keylogger is a tool that can record and report on a computer user's activity as they interact with a computer. The name is a short version of keystroke logger, and one of the main ways keyloggers keep track of you is by recording what you type as you type it. But as you'll see, there are different kind of keyloggers, and some record a broader range of inputs.

Someone watching everything you do may sound creepy, and keyloggers are often installed by malicious hackers for nefarious purposes. But there are legitimate, or at least legal, uses for keyloggers as well: parents can use them to keep track of kids online, and employers can similarly monitor their workers.

What does a keylogger do?

The basic functionality of a keylogger is that it records what you type and, in one way or another, reports that information back to whoever installed it on your computer. (We'll go into the details in a moment.) Since much of your interactions with your computer—and with the people you communicate with via your computer—are mediated through your keyboard, the range of potential information the snooper can acquire by this method is truly vast, from passwords and banking information to private correspondence.

Some keyloggers go beyond just logging keystrokes and recording text and snoop in a number of other ways as well. It's possible for advanced keyloggers to:

  • Log clipboard text, recording information that you cut and paste from other documents
  • Track activity like opening folders, documents, and applications
  • Take and record randomly timed screenshots
  • Request the text value of certain on-screen controls, which can be useful for grabbing passwords

What types of keyloggers are there and how do they work?

The term "keylogger" covers a wide variety of tools, some of which produce the same results in wildly different ways. We'll drill down into the different types and talk a little bit about how they work.

The first general category is keylogger software. These are programs that live on your device and record your keystrokes and other activity.

Perhaps the most common type of keylogger software is the user-mode keylogger, sometimes called an API-level keylogger. These programs don't have administrative privileges, but still manage to intercept information transmitted by the application programming interfaces (APIs) that allow different applications to receive keyboard input. On Microsoft Windows, such keyloggers poll the GetAsyncKeyState or GetKeyState API functions and use a DLL to record the harvested data.

Kernel-level keyloggers are more difficult to create and install, but once they're in place, they get their hooks into the operating system itself and are more difficult to detect and eradicate as a result. At the other end of the spectrum, there are screen scrapers, which don't log keystrokes but rather use the computer's screenshot capabilities to record onscreen text, and browser-level keyloggers, which can only detect text entered into a browser form (but considering how much of our online life takes place within a web browser, that's still pretty dangerous).

In addition to keylogging software, there's also keylogging hardware, including recording devices that can be installed in the keyboard wiring itself, or a keylogging device might be built to look like a USB thumb drive and slipped into a port on the laptop or the computer. There are also gadgets that can record the Bluetooth communication between a wireless keyboard and a computer.

One particularly esoteric version of keylogger, which has been tested in the lab, is an acoustic keylogger that can determine with uncanny accuracy what you're typing just based on the noise your fingers make on the keys. Considerably simpler is the idea of third-party recording, which essentially consists of a camera surreptitiously pointed at your screen and keyboard.

All of these different kinds of keyloggers have to save that data somewhere; with hard drives much larger than they once were, it generally isn't hard to find a place to stash it. Keylogging software will occasionally send the information it's harvested over the internet back to whoever's controlling it, sometimes disguising the data to keep its activities hidden. Hardware keyloggers may be able to do this too, although sometimes their controllers must come physically collect them.

Before we move on, we should discuss one other kind of distinction we can make among different kinds of keyloggers. This one isn't about how they work on a technical basis; instead, it's about their legality. Any of the above types of keyloggers could be installed by a malicious attacker who's looking to steal your personal information or passwords.

However, when the owner of a device installs a keylogger on their own system, things get murkier. Many commercial keyloggers are marketed to parents who wish to monitor their children's online activities, and this is generally considered legal if the parents own the computers being monitored. Keyloggers are often found on computers in school or work settings as well, and in most jurisdictions in the United States they are considered legal if used for legal purposes. In other words, your boss can use data gathered from a keylogger installed on your work laptop as evidence to fire you if they discover you're engaging in some unsanctioned activity. But it would still be illegal for them to, say, harvest your banking passwords if you happen to log in to your financial institution at work.

How does a keylogger get on your system?

A physical keylogger has to be physically plugged into a computer, and so requires direct access, which is a tricky business often executed via social engineering techniques or a compromised insider.

But the most common type of illicit keylogger is the software variety, and that can best be described as keylogger malware. In fact, keyloggers, because they can harvest such lucrative data, are one of the most common malware payloads delivered by worms, viruses, and Trojans.

Thus, the way a keylogger gets onto your system is the same way any other type of malware gets onto your system, and that means that if you exercise good cybersecurity hygiene, you should be able to keep keylogger software at bay. To do that, you should:

  • Watch out for phishing emails, and don't open or download attachments if you're not absolutely certain where they came from.
  • Similarly, don't download or install applications unless they come from a trusted source. That includes browser navbars, which are a common malware vector.
  • Keep your computer safe with updated antivirus software.

How to detect a keylogger

How can you know if there's a keylogger on your system? For a hardware keylogger, of course, you should check for the hardware. If there's a thumb drive or something that looks unfamiliar plugged into your computer, investigate it. If you work on a corporate desktop, check the back panel once in a while to see if something new and strange has popped up.

With software keyloggers, there are some signs that you might be able to pick up on yourself. Keyloggers can sometimes degrade web performance, spawn unusual error messages, and interfere with loading web pages. These are all features of malware generally; sometimes you can just tell that something is "off" with your computer. Keylogger-specific signs could include lags in your mouse movement or keystrokes, where what you type doesn't appear on screen as quickly as it should. On a smartphone, you might notice that screenshots are degraded. (Yes, keyloggers can be installed on smartphones, just like any other kind of malware.)

However, if a keylogger is causing those sorts of visible problems on your computer, it probably isn't a very good one. That's not to say you won't ever be infected by a keylogger that causes those symptoms—there are plenty of cybercriminals willing to unleash quick-and-dirty "good enough" malware on their victims. But don't get a false sense of security just because your computer is working smoothly: a commercial keylogger, or one implemented by skilled criminals or nation-state hackers, can do its business in the background without you ever knowing. That's why a good endpoint security solution is key: these platforms hunt for keylogger code on your machine, and are continuously updated with the latest malware signatures to help them spot new variants.

Network security systems also have a role to play in detecting keyloggers. Remember, that data has to get back to the keylogger's controller somehow, and generally it's sent out over the internet. While many keyloggers go to great lengths to disguise their data as ordinary internet traffic, good network security tools can sniff it out.
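One way network tools can "sniff out" a keylogger's reporting traffic is to look for its rhythm rather than its content: a host that sends small uploads to the same destination at regular intervals. The script below is an added example, not code from the article; the flow-log format, host names, addresses and thresholds are all constructed for illustration.

```python
"""Periodic small-upload ("beaconing") detection over constructed flow records.
Flags a host that sends small amounts of data to one destination at regular
intervals, the pattern a keylogger produces when it reports harvested
keystrokes back to its controller. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed sample log lines: ISO timestamp, source host, destination, bytes sent.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 ws-17 203.0.113.5:443 512
2024-03-01T09:00:03 ws-17 198.51.100.10:443 38210
2024-03-01T09:05:01 ws-17 203.0.113.5:443 498
2024-03-01T09:07:45 ws-17 198.51.100.10:443 1203
2024-03-01T09:10:00 ws-17 203.0.113.5:443 530
2024-03-01T09:12:12 ws-17 192.0.2.77:443 2200
2024-03-01T09:15:02 ws-17 203.0.113.5:443 505
2024-03-01T09:19:58 ws-17 198.51.100.10:443 700
2024-03-01T09:20:00 ws-17 203.0.113.5:443 521
"""

def parse_flows(text):
    """Parse 'timestamp src dst bytes_out' lines into (datetime, src, dst, int) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows

def find_beacons(flows, min_events=4, max_jitter=0.2, max_bytes=4096):
    """Return {(src, dst): period_seconds} for evenly spaced, small outbound uploads."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few connections to judge regularity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        # Coefficient of variation of the gaps: near zero means clockwork timing.
        jitter = pstdev(gaps) / period if period else float("inf")
        if jitter <= max_jitter and median(n for _, n in events) <= max_bytes:
            beacons[pair] = round(period)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: small upload every ~{period}s")
```

In the sample, only the 203.0.113.5 connections are flagged (five uploads of about 500 bytes every five minutes); the irregular, larger transfers to the other two destinations look like ordinary browsing and pass.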

Still, you should always be prepared for the possibility that a keylogger is lurking somewhere on your system. One good defensive mechanism against potential snooping is to use a password manager, which fills passwords into browser windows securely in ways most keyloggers can't detect.

How to remove a keylogger

The bad news is that you're probably not going to be able to remove a keylogger on your own. You might find some websites that recommend hunting through your operating system's task manager or list of installed programs and deleting anything that looks unfamiliar or suspicious; while that's not a terrible idea, a keylogger of any degree of sophistication will not be visible in those contexts.

The good news is that endpoint security suites almost all delete malware in addition to detecting it. If you search through reviews and ratings of anti-keylogger software, like the ones from AntiVirus Guide or Best Antivirus Pro, what you find are lists of the heavy hitter antivirus and endpoint protection vendors, like McAfee, Kaspersky, Norton, Bitdefender, and so on. If you find an endpoint protection suite you like, it will almost certainly do the job when it comes to cleaning your computer of keylogger software.

History of keyloggers: Examples and famous attacks

The earliest known keylogger actually predates the computer age. In the 1970s, Soviet intelligence developed a device that could be hidden in an IBM electric typewriter and send information about keystrokes via radio bursts; these were deployed in the typewriters at U.S. diplomatic facilities in Moscow and Leningrad.

The first computer keylogger was developed by then-graduate student Perry Kivolowitz in 1983 as a proof of concept. One particularly noteworthy example of a keylogger "in the wild" was distributed with a Grand Theft Auto V mod in 2015. In 2017 hundreds of models of Hewlett Packard laptops were found to have shipped from the factory with a keylogger installed, though HP insisted that this was a tool meant to diagnose keyboard performance that should've been deleted before shipment rather than an attack.

Two of the most widespread keylogger malware programs in recent months are the Snake keylogger and Phoenix, an older program recently resurrected with new capabilities. Both programs are evidence that cybercriminals are innovating in this area—so stay on your guard.

Copyright © 2022 IDG Communications, Inc.