Keyloggers and Spyware (ITSB-49)

ITSB-49 | March 2008

Purpose

The purpose of this Bulletin is to advise Government of Canada (GC) departments and agencies of the security threat posed by modern "keylogger" software with enhanced data capture capabilities which utilize "stealth" techniques to hide from anti-virus and anti-spyware scanners.

Background

A ‘keystroke logger' or ‘keylogger' is a type of software that is commonly associated with spyware, which is any unauthorized or malicious software installed to secretly monitor user activity and/or to gather data which is stored on a compromised computer.

In reality, like many malicious hacker tools, keyloggers originated as an administrative and diagnostic tool; however, even helpful tools may be subverted and used for illegal or questionable activities. Such is the case with keylogging software.

A traditional keylogger program has the ability to record every keystroke typed at the keyboard at any time. Keyloggers have been used to capture user names, passwords, account numbers or other sensitive information typed at the keyboard. These keystrokes are saved to a log file that can be transmitted to an unknown third party – e.g., in February 2006, it was publicly reported in the EU that foreign criminal organizations utilized keylogger software to capture users' bank account numbers and passwords, and stole over 1 million Euros.

In this attack, a keylogger program was invisibly installed on users' machines through e-mail attachments or "drive-by" downloads (web content which exploits known system security problems in operating systems, web browser and messaging software to automatically download and install arbitrary code) when users visited certain Web sites.

Recently, a new type of keylogger software containing greatly enhanced features has appeared. This new generation of keylogger software not only captures keystrokes, but is also able to:

  • Record mouse activity, identifying buttons and icons selected during computer use
  • Monitor Internet activity, websites and web pages visited
  • Record application activity, showing which programs were launched
  • Capture all e-mails sent or received on the compromised PC, no matter if an e-mail client program or a web-interface is used
  • Record desktop activity by making snapshots of the computer screen at regular defined intervals
  • Surreptitiously send all logged data to any specified recipient via e-mail
  • Use "stealth" techniques to hide from all major anti-virus and anti-spyware scanners; some variants are even capable of hiding their program folder on the hard drive (in 2007, one such program listed over 60 current anti-virus/anti-spyware scanners that it defeats, including industry leaders such as Norton and McAfee)

The advanced capability of these new keyloggers now make available to an attacker a more complete picture of the activities performed on a computer with minimal danger of discovery, and dramatically increases the risk of compromise of sensitive data.

Many of these keyloggers are now packaged as commercial software and available for anyone to download and install, increasing the threat due to insider activity.

Technical

Several common methods of "hiding" a process from the operating system or scanning software exist:

  • Unlinking process entry from OS Process Table: process continues to run, but is rendered invisible to utilities used to enumerate system processes such as "Task Manager".
  • Interception of Windows API calls: process inserts additional code to modify the behaviour of operating system functions; there are many possible variations, but typically two common methods are used, often in conjunction with each other:

Method 1: System calls to enumerate disk directories are altered to prevent listing of files used by the keylogger. Files then become invisible to File Manager and "dir" command, so anti-virus and spyware scanners cannot see or scan the files.

Method 2: System calls to open and read files are altered so that when compromised operating system files are scanned, an unaltered version of the file is presented and passes the scan.

Such techniques are often used to make keyloggers and other spyware virtually invisible to the current generation of virus and spyware scanners, and also complicate the removal of such unwanted software because the host operating system is also compromised.

Typically, off-line "forensic"-style scanner tools are used to detect/defeat these "stealth" techniques; the disadvantages of these types of tools include the fact that system must be rebooted with the tool CD. Unlike current virus scanners which run in conjunction with user process and allow the user to continue to work, off-line tools need to boot into a protected environment to remove the influence of a compromised host operating system. As well, most tools of this nature are either proprietary or, in the case of freely available toolsets, still experimental or undergoing active development.

All operating systems (Windows, Unix/Linux/MacOS) are vulnerable to similar techniques, although Windows tends to be the primary target due to the large number of installations.

The new Microsoft Windows Vista operating system contains features (e.g., the Hypervisor) that makes it more resistant, but not immune, to such "stealth" techniques. A number of commercial keylogger packages already advertise full Windows Vista compatibility.

Impact on Government of Canada Departments

Traditionally, the risk arising from traditional keyloggers is high but considered as having only minimal impact because the amount of data that can be typed at a keyboard is comparatively low and without context (i.e., the application or system a password is for may not be evident in a keystroke log).

However, beyond the threat resulting from compromise of user names, passwords and other data typed in from a keyboard that traditional keyloggers pose, the new generation of enhanced key and data loggers introduce several serious security threats to GC departments and agencies:

  • Increased contextual content (e.g., states which application is launched) increases the likelihood of successful attacks using the captured keystrokes
  • Ability to capture screen images can result in a disclosure of sensitive GC communications and documents
  • Ability to capture events and activities performed on a computer, even if no sensitive information is disclosed, may give an attacker information on work methods and procedures that might facilitate other forms of attack (e.g. social engineering)
  • Ability to automatically e-mail captured data increases the scale of the compromise, and may seriously impair damage containment efforts
  • "Stealth" capabilities make new keyloggers undetectable by many common virus and spyware checkers, and increase the probability that compromised systems may potentially exfiltrate sensitive data indefinitely, thereby further increasing the scale of the compromise.

Recommendation

Because new generation keyloggers may not be detectable by common virus and spyware scanners, GC departments and agencies can minimize the risks from keyloggers by:

  • Ensuring users have an awareness of safe Internet usage practices to avoid viruses and spyware - "watch where you surf", and do not open unknown files or e-mail attachments. Because most instances of computer compromise arise from web, email and, "instant messaging", the first line of defence lies with the user.
  • Improving separation of sensitive and unclassified data by encouraging users to refrain from personal Internet activities, or at least to limit such activities to known legitimate addresses, when such activities are conducted on departmental networks containing sensitive data. In cases where access to Internet sites of unknown content is required, a standalone or personal machine for such purposes should be used. Refrain from using public Internet terminals or untrusted computers for processing sensitive data.
  • Ensuring departmental computers are updated with the latest operating system security patches and anti-virus/anti-spyware definitions, and that scans are run on a regular basis. Even if not all keylogger software is detectable by virus and spyware scanners, such tools remain an important part of overall system security.
  • Ensuring that user accounts have the minimum of privileges required to perform day-to-day activities, as spyware usually relies on a user operating with Administrative privileges. Users that require elevated privileges (e.g., system administrators) should only enable such privileges when absolutely required and use regular unprivileged accounts for normal operations.
  • Upgrading to Windows Vista or using an alternate operating system, where the IT department has approved such installations, can help reduce the risk from keylogger attacks.
  • Establishing a program of regular off-line system scanning to ensure that computer systems have not been compromised with unauthorized software, particularly if sensitive data protection requirements are warranted.

Contacts and Assistance

Head, IT Security Client Services
Communications Security Establishment Canada
PO Box 9703, Terminal
Ottawa, Ont K1G 3Z4
Telephone: 613-991-8495
e-mail : itsclientservices@cse-cst.gc.ca

Originally signed by

Gwen Beauchemin
Director, IT Security Mission Management

Date modified: