Keystroke logging, also called keylogging or keyboard capturing, is the action of recording and saving each keystroke on a keyboard over sometime, usually covertly. This is so that the person who enters the information onto to the keyboard remains unaware of having their information be monitored. The action is done through a logging program which is called a keylogger and it can be either software or hardware.
Keyloggers are legal to use freely anywhere in the world despite their somewhat suspicious purpose. This is because there are plenty of companies who utilize the programs to monitor their employees' actions while on their machines. There are even some who use the program to study human-computer interaction as there are various methods to create the program. For example, as mentioned before, there are ways to create the program through software or hardware, but there is also an acoustic method as well. Nevertheless, the most common use of these programs, however, is for nefarious actions such as capturing an unsuspecting victim’s password or credit card details.
Software keyloggers, in particular, were used primarily in Information Technology (IT) organizations with the goal of helping troubleshooting technical problems with the company's networks and systems. It should still be noted, however; that even these keyloggers, although intended to be used for good intention, can still be used for malicious reasons. From a technical standpoint, software keyloggers can be broken down further into various types based on their application and purpose: A hypervisor-based keylogger can, theoretically, exist within a malware hypervisor just under the computer’s operating system; thus, making it become something like a virtual machine.
A kernel-based keylogger has obtained root access to the operating system and hides itself which makes them difficult to detect and the key focus of rootkits by malicious users to gain access to another's system.
API-based keyloggers function by having an API keyboard integrated into a running application; thus allowing it to capture keystrokes as if it was a normal application and not malware on the system.
Form grabbing-based keyloggers are used typically for recording web form submissions by capturing the information when the user submits a form.
A Javascript-based keylogger relies on having a malicious script tag injected into a web page which will then listen for keyboard events (such as, "OnKeyUp()") to capture the keystrokes.
On the other hand, hardware keyloggers are usually used for ease of use although they are more difficult for attackers to utilize unless they're within physical range of the target computer. They also do not depend on any type of software as the program exists at the hardware-level. Like with the software keyloggers, hardware keyloggers can also be broken down into a few types:
Firmware-based keyloggers are BIOS-level firmware which handles keyboard events to allow the input to be logged as it is processed; however, it does require root and/or physical access to the target machine.
Keyboard keyloggers are designed with a focus of some type of hardware circuit between the keyboard and the target system itself. These can also be Universal Serial Bus (USB)-based keyloggers as well which would only need to be plugged into a USB port to perform the same task.
Wireless keyboards and mouse sniffers actively send data collected from a wireless keyboard and its receiver; although, this data might be encrypted which means decryption might also be needed to see the data.
Acoustic keyloggers function by using acoustic cryptanalysis to capture the sound made by each keystroke on a keyboard as someone is typing.
Keyboard overlays are the most common type of keyloggers used by criminals to capture someone’s banking information as they would play the overlay atop an ATM which would allow a person to enter their information successfully but also capture it to the overlay as well.
As there are so many different types of keyloggers, the countermeasures can have their effectiveness vary from case to case as the right countermeasure is needed for the right keylogger. For instance, Microsoft’s Windows 10 OS does use its own keylogging system but to fix that, one can simply turn off the setting; but if it was a hardware keylogger, one would have to use an on-screen keyboard, speech recognition software, or handwriting recognition software to avoid their keystrokes being recorded.
For instance, one can use a Live CD / USB to boot their operating system from, provided the media is clean of malware and the OS on it is secure. This method will avoid all forms of software keyloggers without issue; however, hardware and BIOS-based keyloggers will still be able to capture information through this method.
There are also anti-keyloggers available as well; software which was designed specifically to detect keyloggers on a system by comparing files against a known list of them in search of similarities. As such, the software can usually yield quite some more successful than other alternatives; however, newer keyloggers might not be on the database and it is not guaranteed to find all keyloggers 100% of the time either.
Anti-virus and anti-spyware programs are also other countermeasures that can be used to detect, quarantine, and clean some software-based keyloggers but as mentioned before, as keyloggers are legal and actually considered legitimate programs, it may not be very efficient.
Having a network monitor can also help in the case of identifying keyloggers as well. This would be accomplished by the monitor providing the user with a notification whenever a program initiates a connection which the user can then inspect for themselves and potentially locate the keylogger.