How To Protect Personal Information Against Keyloggers: Virus Signatures


HOW TO PROTECT PERSONAL INFORMATION AGAINST KEYLOGGERS

Ming Xu, Behzad Salami, and Charlie Obimbo
Dept. of Computing and Information Science, University of Guelph, Ontario, Canada N1G 2W1
mxu@uoguelph.ca, bsalami@uoguelph.ca, cobimbo@cis.uoguelph.ca

477-084

ABSTRACT
Because hackers can easily abuse keyloggers to gather information about a person or an organization, keyloggers are a serious threat to the privacy and security of computer users. In this paper, we provide a detailed analysis of the mechanisms of the three main types of keyloggers on the Windows XP, 2000 and NT operating systems, namely kernel based keyloggers, thread based keyloggers and hook based keyloggers. We also present several countermeasures against these keyloggers, and an anti-keylogger program that is able to block all hook based keyloggers.

KEY WORDS
Keyloggers, spyware, virus signatures.

1. Introduction
The rapidly developing computing and communication technologies have produced many benefits: more convenience and functionality, better performance, higher speed, etc. At the same time, these technologies can also be used for malicious purposes and significantly impact the safety, confidentiality and privacy of our daily life. Keyloggers, also called keystroke loggers, which are promoted for benign purposes like allowing parents to monitor their children's whereabouts on the Internet, can easily be abused by hackers to steal personal information such as bank account numbers, credit card numbers, usernames, passwords, social insurance numbers, birthdays, home addresses, etc. Hackers then use this information, illegally collected through keyloggers, to access bank accounts belonging to other persons or to open new bogus accounts. This kind of crime is known as identity theft. According to a US Federal Trade Commission (FTC) survey, identity theft cost USD 32.9 billion to business and USD 3.8 billion to consumers in 2002. The survey also found that fraudsters misused the personal information of 3.3 million US consumers, resulting in bogus bank, credit card or utility accounts, or in the commission of other fraudulent acts. Other figures showed that nearly seven million people fell prey to account theft (in which credit cards or credit card numbers, ATM cards or ATM PIN codes, or financial records from existing accounts were stolen and then used) during 2002. Account theft may have resulted in as much as USD 14 billion in losses to business and USD 1.1 billion in losses to the public [1].

The following is a real story of a man who stole passwords with keyloggers. Between early 2001 and December 2002, 24-year-old Juju Jiang installed keylogger software on computers at Kinko's stores around New York City to steal passwords from customers. He used the collected usernames and passwords to access bank accounts belonging to Kinko's customers and to open new bogus accounts for around two years. Jiang tried to get access to around 15 subscribers' accounts at GoToMyPC, a company that provides customers with remote access to their PCs from the Internet. From his home PC, he used the passwords and usernames collected from GoToMyPC users to compromise their home computers and obtain confidential bank details. The crime was discovered after one of the GoToMyPC subscribers watched his PC being controlled remotely by Jiang. According to the filed complaint, the victim saw his computer switch on by itself, and watched as the cursor moved across the screen and opened the website for his American Express Corporate card. Jiang could receive at most five years in prison and a $250,000 fine [2].

Although keyloggers are a serious threat to the security of computer users, they do not receive the same attention as viruses and worms. Most computer security books, such as [3], rarely mention keyloggers. Because keyloggers are inherently different in behavior and operation from viruses or worms, traditional detection, removal and prevention measures, such as virus signatures and firewalls, are ineffective in dealing with them. Methods of avoiding keyloggers include switching to less vulnerable operating systems, educating users not to click anything on the web, installing spyware detection software, using virtual keyboards, etc. A more detailed introduction to keyloggers can be found in [12].

However, these anti-keylogger measures may be either inconvenient (switching to less vulnerable operating systems, using virtual keyboards) or impractical (educating users not to click anything on the web). Using a traditional anti-spyware program seems to be a good way, but it fails to find a keylogger whose signature is not known. In this paper, we give a detailed analysis of the three principles of keyloggers under the Microsoft Windows operating system, and suggest several strategies against these keyloggers. Each strategy is effective for one type of keylogger. Since hook based keyloggers are the most common type, we implemented an anti-keylogger program that is able to block any hook based keylogger. Briefly speaking, our approach is that, by installing a hook procedure at the first place of a hook chain, the anti-keylogger intercepts all keystrokes pressed by a user. Depending on the sensitivity of the key pressed, the anti-keylogger passes the keystroke to the destination window either the regular way, which may be monitored by keyloggers, or a safer way that cannot be monitored by any hook based keylogger. We have tested our anti-keylogger on several keyloggers and message monitors, including Ghost Keylogger, Microsoft Spy++ and a keylogger we wrote ourselves. The results show that our anti-keylogger successfully prevented those keyloggers and monitors from getting keystroke events without affecting any functionality of legitimate software.

There are two main reasons why we should develop our own anti-keylogger rather than use a commercial or free anti-keylogger developed by others. First, none of the developers of commercial or free anti-keyloggers have published their source code or methods. This is understandable, because if they published their approaches, their products would become useless or ineffective. However, customers take a high risk in using these anti-keyloggers without knowing how they work, since the anti-keyloggers themselves may be keyloggers able to steal important information from the users. Users have almost no way to control or to know what the anti-keyloggers are doing. The second reason is that some anti-keyloggers may prevent the functionality of legitimate software.

The purpose of this paper is to provide readers with some knowledge about how keyloggers and anti-keyloggers work, and how to develop their own anti-keyloggers. As the authors, we write this paper in order to learn and to meet partial requirements of the Computer Security course. The remainder of this paper is organized as follows. In Section 2, we give a detailed description of keyloggers. In Sections 3, 4 and 5, we introduce the technologies used by kernel based, thread based and hook based keyloggers respectively. This is followed by an introduction to the methods used to hide keyloggers in Section 6. In Section 7, we present countermeasures against keyloggers. Finally, in Section 8 we present our conclusions.

2. Keyloggers: a closer look

The definition of keyloggers according to searchSecurity.com is as follows [4]:

A keystroke logger, sometimes called a system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard. As a hardware device, a keystroke logger is a small battery-sized plug that serves as a connector between the user's keyboard and computer. Because the device resembles an ordinary keyboard plug, it is relatively easy for someone who wants to monitor a user's behavior to physically hide such a device "in plain sight." (It also helps that most workstation keyboards plug into the back of the computer.) As the user types, the device collects each keystroke and saves it as text in its own miniature hard drive. At a later point in time, the person who installed the keystroke logger must return and physically remove the device in order to access the information the device has gathered. A keystroke logger program does not require physical access to the user's computer. Someone who wants to monitor activity on a particular computer can download it on purpose, or it can be downloaded unwittingly as spyware and executed as part of a rootkit or remote administration (RAT) Trojan. A keystroke logger program typically consists of two files that get installed in the same directory: a dynamic link library (DLL) file (which does all the recording) and an executable file (.EXE) that installs the DLL file and triggers it to work. The keystroke logger program records each keystroke the user types and uploads the information over the Internet periodically to whoever installed the program.

Unlike hardware keyloggers, software keyloggers do not require physical access, and are often components of viruses, worms and Trojan horses. [5] shows how a worm called Sobig works with a keystroke logger for identity theft and bank fraud. Each version of Sobig does pretty much the same thing: it spreads for a while, and in the background tries to download a keystroke logger and a proxy server. The keystroke logger allows the Sobig author to obtain your bank account username and passwords, and the proxy server allows the Sobig author to bounce spam through your machine, to prevent people from tracing it back to the spammer.

The number of methods by which software keyloggers can get information about the keys you press is limited. Basically, keyloggers under the Microsoft Windows operating system can be divided into three categories:

    Kernel based keyloggers
    Thread based keyloggers
    Hook based keyloggers

All of these kinds of keyloggers log keystrokes (some of them also log mouse clicks) and write them to a file. Some keyloggers can encrypt the log files and send them to a destination across the Internet. The keyloggers' log files are hidden and hard to distinguish from operating system files. When keyloggers are running, they are hidden from the task manager and the list of processes. There are many different keyloggers available, including Blazing Tools Perfect Keylogger [6], Spector [7], Invisible Keylogger Stealth [8] and Keysnatch [9].

3. Kernel based keyloggers

Kernel based keyloggers require the implementation of a Windows kernel device driver that sits above the keyboard driver. The device driver receives all I/O request packets (IRPs) that are sent to the keyboard driver. This allows the monitoring of all read requests and enables an I/O completion routine to be installed for each request. When keys are pressed, the I/O completion routine fires and the actual keys that were pressed can be obtained. These keystrokes are then saved into a file or stored in a memory buffer, waiting to be accessed periodically by other secret software, which may send them to the keylogger author over the Internet. A kernel based keylogger needs to be compiled using the Windows Driver Development Kit (DDK) and deployed as a SYS driver file. Installing this type of keylogger requires Administrator privilege. Since writing a kernel driver requires a high level of proficiency from the developer of the keylogger, this method is applied extremely rarely.

4. Thread based keyloggers

Thread based keyloggers do not require user-written kernel device drivers. Instead, they use the AttachThreadInput API to monitor the input state of the foreground thread. In the Microsoft Windows operating system, different threads typically have their own input states (focus, active and capture windows, key state, queue status, and so on), and these are not synchronized with the input processing of other threads. By using the AttachThreadInput function, a thread can attach its input processing to another thread. This allows threads to share their input states and to get key-state information through calls to the GetKeyState and GetKeyboardState APIs. However, a thread that does not own the foreground window gets values from GetKeyboardState that only reflect the state of the SHIFT keys. Hence, the AttachThreadInput API must be used to attach the thread serving the foreground window to the keylogger's thread. In this way, the keylogger receives the correct key state information via the GetKeyboardState API. The following code fragment illustrates how this is done.

    // Thread of the previously attached foreground window (persists across calls)
    static DWORD prev_foregroundWndThread = 0;
    // Get the foreground window thread
    DWORD foregroundWndThread = GetWindowThreadProcessId(GetForegroundWindow(), NULL);
    // Get keylogger thread
    DWORD keyloggerThread = GetCurrentThreadId();
    if (foregroundWndThread != prev_foregroundWndThread) {
        // Detach the previously attached thread
        AttachThreadInput(prev_foregroundWndThread, keyloggerThread, FALSE);
        // Attach keylogger thread to the foreground window thread
        if (AttachThreadInput(foregroundWndThread, keyloggerThread, TRUE)) {
            prev_foregroundWndThread = foregroundWndThread;
        }
    }

This code fragment attaches the keylogger's thread to the foreground window thread. Once attached, the keylogger's thread can use the GetKeyState and GetKeyboardState APIs to obtain the states of all keys. In order to record all the keystrokes typed by a user, the fragment must be executed periodically and frequently enough to check which thread currently owns the foreground window. If the foreground window thread changes while the keylogger's thread is still attached to the previous one, the keylogger may miss some of the keystrokes a user types. However, if the fragment is executed too frequently, it may cause a noticeable system slowdown.

5. Hook based keyloggers

Most keyloggers under the Microsoft Windows operating system are hook based keyloggers. A hook is a mechanism by which a function can intercept events (messages, mouse actions, keystrokes) before they reach an application. The function can act on events and, in some cases, modify or discard them. Functions that receive events are called filter functions and are classified according to the type of event they intercept [10]. The operating system maintains what is called a hook chain, which is a list of pointers to all the procedures that have attached themselves to a particular hook. The most recently installed function is at the beginning of the chain, and the least recently installed function is at the end. When a hook has one or more filter functions attached and an event occurs that triggers the hook, Windows calls the first filter function in the filter function chain.

Hook based keyloggers are not difficult to write if one knows how to use Windows hooks. A keylogger would place a global hook procedure in a dynamic-link library (DLL), retrieve a handle to it via a call to the LoadLibrary function, then obtain a pointer to the hook procedure by calling GetProcAddress. Finally, it would call SetWindowsHookEx to install the hook procedure in the appropriate hook chain. The sequence is outlined below:

    // Step 1: load the DLL that contains the hook procedure
    HINSTANCE hDLL = LoadLibrary(TEXT("c:\\windows\\sysmsg.dll"));
    // Step 2: get the address of the hook procedure exported by the DLL
    HOOKPROC hProc = (HOOKPROC)GetProcAddress(hDLL, "KeyboardProc");
    // Step 3: install it in the system-wide WH_KEYBOARD hook chain
    HHOOK hkb = SetWindowsHookEx(WH_KEYBOARD, hProc, hDLL, 0);

The SetWindowsHookEx function, which installs an application-defined hook procedure into a hook chain, has the following syntax:

    HHOOK SetWindowsHookEx(
        int idHook,        // hook type
        HOOKPROC lpfn,     // hook procedure
        HINSTANCE hMod,    // handle to the DLL
        DWORD dwThreadId   // thread identifier
    );

The KeyboardProc also has to follow the syntax defined below:

    LRESULT CALLBACK KeyboardProc(
        int code,          // how to process the message
        WPARAM wParam,     // virtual-key code
        LPARAM lParam      // repeat count, scan code, extended-key flag,
                           // context code, previous key-state flag and
                           // transition-state flag
    );

The KeyboardProc procedure of a typical hook based keylogger looks like this:

    LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        if (nCode >= 0) {
            TranslateKey(wParam, lParam);
        }
        // key is the HHOOK returned by SetWindowsHookEx
        return CallNextHookEx(key, nCode, wParam, lParam);
    }

This hook procedure is called whenever a keyboard event occurs. The virtual-key code is received in wParam; the scan code, repeat count, etc. are received in lParam. TranslateKey is a user-written function that translates wParam and lParam to an ASCII code and stores it in a secret file or sends it to the developer of the keylogger over the Internet. Some keyloggers also encrypt the key codes before saving them to a file. Blazing Tools Perfect Keylogger [6] is a good example of a common hook-type keylogger. Although Blazing Tools markets its products to IT administrators and parents, the presence of its keylogger in many Trojans illustrates how people can package legal code and use it for malicious activities. iOpus STARR PC & Internet Monitor is another example of a commercial invisible hook based keylogger [11]. It has more sophisticated features than keystroke logging alone: it can take screenshots of the entire screen or of just the active application at a user-defined time interval. It starts logging automatically when Windows starts and provides encrypted log files. The hacker has the choice of either leaving the log on the victim's computer or letting STARR send the logs in a password-protected zip file to a predefined email address. STARR allows network administrators to deploy the software remotely on the network to monitor its users' web activities. We tested our anti-keylogger on this commercial product and found it effective only against the keystroke logging; the screenshot option was not protected against.

6. Hiding keyloggers

There are many ways one can hide applications under the Microsoft Windows operating system. Here we discuss two of them. One approach is to set all the window properties of your application to invisible at startup; the other is simply to register the current process as a service process. Below is an example code snippet that hides your application from the task bar.

    WNDCLASSEX wincl;
    wincl.hInstance = hInstance;
    wincl.lpszClassName = name;
    wincl.lpfnWndProc = WndProc;
    wincl.style = 0;
    wincl.cbSize = sizeof(WNDCLASSEX);
    wincl.hIcon = NULL;
    wincl.hIconSm = NULL;
    wincl.hCursor = NULL;
    wincl.lpszMenuName = NULL;
    wincl.cbClsExtra = 0;
    wincl.cbWndExtra = 0;
    wincl.hbrBackground = 0;
    // Set all parameters to 0 to make it invisible in the task bar
    if (!RegisterClassEx(&wincl))
        return 0;
    hwnd = CreateWindowEx(0, (LPCTSTR)name, TEXT(""), 0, 0, 0, 0, 0,
                          HWND_DESKTOP, NULL, hInstance, NULL);
    ShowWindow(hwnd, SW_HIDE);

However, with this approach the user is still able to view the process in the process list of the Task Manager window. A knowledgeable computer user might detect it by the process name and uncover the keylogger's presence. A smart keylogger writer would also hide the application from this list by registering it as a service process. Windows does not show service processes in the process list. To create a service process, the application gets a handle to KERNEL32.DLL by calling the LoadLibrary function and obtains a pointer to the RegisterServiceProcess function. This function takes two parameters, dwProcessId and dwType. dwProcessId specifies the identifier of the process to be registered as a service process; specifying NULL registers the current process. The value of dwType can be either 1 or 0: 1 registers the process as a service process and 0 deregisters it. The disadvantage of this approach is that an experienced computer user can view the list of services by going to Start > Run, typing msconfig and selecting the Services tab. However, there are so many services that it would be very difficult to spot the keylogger, especially if its name is service oriented. We included a screenshot of this list in Figure 6.1.

Figure 6.1: Screenshot

7. Counter Measures

Keyloggers are practically difficult to track once installed. Some anti-virus software can detect some existing keyloggers, but none can detect all of them. Since keyloggers can easily be abused for the purpose of account theft, many new and unknown keyloggers are expected to be made every year, and it takes time for anti-virus software to learn the signature of a new keylogger. However, there are several measures we can take. First, do not log in as Administrator: some keyloggers, such as kernel based keyloggers, need Administrator privilege to install and activate. Second, disable the AttachThreadInput, GetKeyboardState, GetKeyState and SetWindowsHookEx APIs. Disabling these APIs can prevent thread based and hook based keyloggers; however, completely blocking them could prevent the proper operation of legitimate software (for example, some screensaver software uses the SetWindowsHookEx API). Third, use anti-keyloggers that you fully trust or that you developed yourself.

In order to explain how our anti-keylogger works, we first have to know how hook procedures work. The operating system maintains a hook chain for the WH_KEYBOARD hook. When a keyboard event occurs, the system passes keystroke messages (more specifically, a pair of WM_KEYDOWN and WM_KEYUP messages, or a pair of WM_SYSKEYDOWN and WM_SYSKEYUP messages) to each hook procedure referenced in the hook chain, one after the other, including the hook procedures of keyloggers. These keystroke messages can be monitored by WH_KEYBOARD hook procedures. The hook procedures are not allowed to modify the messages, but they can prevent them from reaching the next hook procedure or the destination window. The messages are passed to the next hook procedure by calling the CallNextHookEx API. It seems that by installing a hook procedure into the WH_KEYBOARD hook chain without calling CallNextHookEx, we could prevent messages from reaching keyloggers. However, this does not work, since it stops the message's progress through the hook chain and prevents it from reaching the destination window. Instead of merely not calling CallNextHookEx, we translate WM_KEYDOWN messages into WM_CHAR messages and pass these WM_CHAR messages to the destination window. Unlike a keystroke message, WM_CHAR contains the character code of the key that was pressed and is not monitored by WH_KEYBOARD hook procedures (as explained above, WH_KEYBOARD hook procedures can only monitor keystroke messages, namely WM_KEYDOWN, WM_KEYUP, WM_SYSKEYDOWN and WM_SYSKEYUP). The following code fragment from our anti-keylogger program illustrates how this is done:

    LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        // Declare a WM_CHAR message variable
        MSG msg;
        if (nCode >= 0) {
            // Translate wParam and lParam to a WM_CHAR message
            TranslateKey(&msg, wParam, lParam);
            // If the keystroke is sensitive, send it through a WM_CHAR
            // message; otherwise, pass it to the next hook procedure
            if (IsSensitive(&msg)) {
                SendMsg(&msg);
                return 1;
            }
        }
        // key is the HHOOK returned by SetWindowsHookEx
        return CallNextHookEx(key, nCode, wParam, lParam);
    }

In this code fragment, the user-written function IsSensitive decides which keystroke events should be protected from keyloggers. By default, presses of all letters, numbers and other visible symbols, which may be parts of user names, passwords, etc., are treated as sensitive keystrokes. Presses of all function keys (e.g., F1 to F12) and combination keys (e.g., Alt+, Ctrl+, BACKSPACE, RETURN, etc.), which cannot be parts of user IDs and passwords but may be used by legitimate software as hot keys, are not considered sensitive. IsSensitive also gives users the flexibility to define their own sensitive keys. For all sensitive key events, the anti-keylogger sends them to the destination window as WM_CHAR messages, which cannot be monitored by any hook based keylogger. For non-sensitive key events, the anti-keylogger sends them the regular way, which may be monitored by keyloggers. One advantage of sending non-sensitive key events the regular way is that the proper operation of legitimate software (like screen capture tools, electronic dictionaries, etc.) is almost unaffected by the anti-keylogger, since such software also uses hook procedures to monitor key events in order to function properly. The key events monitored by the hook procedures of legitimate software are mainly combination keys and function keys, which are treated as non-sensitive.

8. Conclusions and Future Work

In this paper, we provided a detailed analysis of how common software keyloggers work and some countermeasures to prevent them. We also implemented an anti-keylogger program that is able to block all hook based keyloggers. To the best of our knowledge, our anti-keylogger is the first one that selectively protects user information according to the sensitivity of keystrokes. Doing this has two benefits: it does not prevent the proper operation of legitimate software, and it gives users the flexibility to decide which keystrokes should be protected. There are two reasons why hackers like to use software keyloggers. The first is that they can get a lot of money by using user information for identity theft and account theft. The second is that keyloggers are difficult to detect and track. Therefore, we expect that keyloggers using new technologies we have not discussed will emerge. As a result, possible future work includes the following:

    Developing new anti-keylogger technologies under the current operating system architecture.
    Developing software that executes exclusively and does not use any message passing mechanism.
    Developing anti-keyloggers running on UNIX or Linux operating systems.
    Integrating new strategies into operating systems to deal with keyloggers while still allowing older software that relies on Windows hooks.

References:
[1] Schultz, E., Security Views, Computers and Security, Volume 22, Issue 7, October 2003, pp. 559-569.
[2] Man steals passwords with keystroke logger, Network Security, Volume 2003, Issue 8, August 2003, p. 20.
[3] Pfleeger, C., Security in Computing, 3rd edition, Prentice Hall, 2003.
[4] Definition of keystroke logger, online document at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci962518,00.html
[5] Sobig family set to get bigger and badder, Network Security, Volume 2003, Issue 9, September 2003, p. 12.
[6] Blazing Tools Software, "Perfect Keylogger," http://www.blazingtools.com/bpk.html
[7] Spector keylogger, http://www.spector.com
[8] Invisible Keylogger Stealth keylogger, http://www.amecisco.com/iks2000.htm
[9] Keysnatch keylogger, http://www.fileheaven.com/Keysnatch/download/2975.htm
[10] March, K., Win32 Hooks, Windows User Interface Technical Articles, Microsoft Developer Network (MSDN), http://msdn.microsoft.com, July 1994.
[11] iOpus Starr PC & Internet Monitor, http://www.iopus.com
[12] Introduction to Spyware Keyloggers, http://www.securityfocus.com/infocus/1829
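The hook-chain behaviour on which the Section 7 anti-keylogger relies can be checked outside Windows with a small model. The following C program is an added example, not code from the paper or from the authors' anti-keylogger: it replaces the Windows hook API with stand-ins (install_hook for SetWindowsHookEx, call_next_hook for CallNextHookEx, keystroke for the system's dispatch, deliver_char for a WM_CHAR posted straight to the window) and shows that keystrokes the IsSensitive policy classifies as sensitive never reach a hook procedure installed earlier in the chain, while non-sensitive ones travel the regular way and still arrive at the destination window. The names install_hook, keystroke, is_sensitive, deliver_char, monitor_proc and run_scenario are constructed for this example; VK_RETURN, VK_SHIFT and VK_CONTROL carry their real Windows values, and the lParam bit positions for the context code (bit 29) and transition state (bit 31) follow the KeyboardProc layout quoted in Section 5.

```c
/* Added example (not from the paper): a portable C model of the WH_KEYBOARD hook
 * chain from Section 5 and of the anti-keylogger hook procedure from Section 7.
 * Windows types and APIs are replaced by small stand-ins so the model compiles
 * anywhere; install_hook(), keystroke(), is_sensitive(), deliver_char(),
 * monitor_proc() and run_scenario() are names constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long WPARAM;                   /* virtual-key code */
typedef unsigned long LPARAM;                   /* key flags, as in KeyboardProc */
typedef long (*HOOKPROC)(int, WPARAM, LPARAM);

#define LP_UP       0x80000000UL                /* lParam bit 31: key released */
#define LP_ALT      0x20000000UL                /* lParam bit 29: ALT held (context code) */
#define VK_RETURN   0x0D
#define VK_SHIFT    0x10
#define VK_CONTROL  0x11
#define MAX_HOOKS   8
#define TEXT_MAX    64

static HOOKPROC chain[MAX_HOOKS];   /* index 0 is the head: most recently installed */
static int chain_len;
static int shift_down, ctrl_down;   /* the key-state table GetKeyState would read */
static char window_text[TEXT_MAX];  /* characters the destination window received */
static char monitor_text[TEXT_MAX]; /* key-downs seen by a hook later in the chain */
static char user_policy[256];       /* per-key override: 0 default, 1 sensitive, 2 not */

static void append(char *buf, char c) {
    size_t n = strlen(buf);
    if (c && n + 1 < TEXT_MAX) { buf[n] = c; buf[n + 1] = '\0'; }
}

/* The character a WM_CHAR message would carry for a virtual-key code. */
static char translate_key(WPARAM vk) {
    if (vk == VK_RETURN) return '\r';
    if (vk >= 'A' && vk <= 'Z') return shift_down ? (char)vk : (char)tolower((int)vk);
    if (vk >= 0x20 && vk < 0x7F) return (char)vk;  /* digits and visible symbols */
    return 0;                                      /* not a character key */
}

/* WM_CHAR posted straight to the window: WH_KEYBOARD hooks never see it. */
static void deliver_char(char c) { append(window_text, c); }

/* End of the chain: the keystroke message reaches the window the regular way,
 * where TranslateMessage turns a plain key-down into WM_CHAR. */
static void window_keystroke(WPARAM vk, LPARAM lp) {
    if (!(lp & LP_UP) && !ctrl_down && !(lp & LP_ALT)) deliver_char(translate_key(vk));
}

/* CallNextHookEx: hand the message to the procedure installed before `self`. */
static long call_next_hook(HOOKPROC self, int nCode, WPARAM wp, LPARAM lp) {
    int i = 0;
    while (i < chain_len && chain[i] != self) i++;
    if (i + 1 < chain_len) return chain[i + 1](nCode, wp, lp);
    window_keystroke(wp, lp);
    return 0;
}

/* SetWindowsHookEx: the new procedure becomes the head of the chain. */
static void install_hook(HOOKPROC proc) {
    if (chain_len == MAX_HOOKS) return;
    memmove(&chain[1], &chain[0], (size_t)chain_len * sizeof chain[0]);
    chain[0] = proc;
    chain_len++;
}

/* Default policy from the paper: letters, digits and visible symbols are sensitive;
 * function keys, Return, Backspace and Ctrl/Alt combinations are not. */
static int is_sensitive(WPARAM vk, LPARAM lp) {
    if (user_policy[vk & 0xFF]) return user_policy[vk & 0xFF] == 1;
    if (ctrl_down || (lp & LP_ALT)) return 0;
    return vk >= 0x20 && vk < 0x7F;
}

/* The anti-keylogger's KeyboardProc, installed last so that it runs first. */
static long antikeylogger_proc(int nCode, WPARAM wp, LPARAM lp) {
    if (nCode >= 0 && !(lp & LP_UP) && is_sensitive(wp, lp)) {
        deliver_char(translate_key(wp));  /* safe path: WM_CHAR to the window */
        return 1;                         /* the keystroke message goes no further */
    }
    return call_next_hook(antikeylogger_proc, nCode, wp, lp);
}

/* Any procedure installed earlier: a keylogger or a legitimate hot-key handler. */
static long monitor_proc(int nCode, WPARAM wp, LPARAM lp) {
    if (nCode >= 0 && !(lp & LP_UP))
        append(monitor_text, (wp >= 0x20 && wp < 0x7F) ? (char)wp : '#');
    return call_next_hook(monitor_proc, nCode, wp, lp);
}

/* The system: update the key-state table, then call the chain head. */
static void keystroke(WPARAM vk, LPARAM lp) {
    if (vk == VK_SHIFT)   shift_down = !(lp & LP_UP);
    if (vk == VK_CONTROL) ctrl_down  = !(lp & LP_UP);
    if (chain_len > 0) chain[0](0 /* HC_ACTION */, vk, lp); else window_keystroke(vk, lp);
}

static const char *monitor_saw(void) { return monitor_text; }

/* Constructed scenario: the user types "pass1", then Ctrl+S, then Return.
 * With protect_return set, the user has added Return to the sensitive keys. */
static const char *run_scenario(int protect_return) {
    const char *keys = "PASS1";
    chain_len = 0; shift_down = ctrl_down = 0;
    window_text[0] = monitor_text[0] = '\0';
    memset(user_policy, 0, sizeof user_policy);
    user_policy[VK_RETURN] = protect_return ? 1 : 0;
    install_hook(monitor_proc);         /* installed first: sits behind the head */
    install_hook(antikeylogger_proc);   /* installed last: becomes the head */
    for (; *keys; keys++) { keystroke((WPARAM)*keys, 0); keystroke((WPARAM)*keys, LP_UP); }
    keystroke(VK_CONTROL, 0); keystroke('S', 0); keystroke('S', LP_UP); keystroke(VK_CONTROL, LP_UP);
    keystroke(VK_RETURN, 0); keystroke(VK_RETURN, LP_UP);
    return window_text;
}

int main(void) {
    printf("window received: \"%s\"\n", run_scenario(0));
    printf("later hook saw:  \"%s\"\n", monitor_saw());
    return 0;
}
```

With the default policy the window receives "pass1" followed by the carriage return, while the hook behind the anti-keylogger sees only the Ctrl key-down, the S of the Ctrl+S combination and the Return key (printed as "#S#"); the password characters never travel the chain. Setting protect_return shows the user-defined override from the paper: Return then also takes the WM_CHAR path and disappears from the later hook's view, which is exactly the trade-off the paper describes between protecting more keys and leaving hot-key handlers in legitimate software working.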

