Types of Keylogger

As mentioned in my previous article, keyloggers are applications that monitor a user's keystrokes and then send this information back to the malicious user. This can happen via email or to a malicious user's server somewhere on the Internet. These logs can then be used to collect email and online banking usernames and passwords from unsuspecting users or even capture source code being developed in software firms. To know more, click here..

Keyloggers are divided into different categories depending upon system layer they run. Here, we will consider two system layers, namely : Application Layer and Internal Layer.

There are in general two types of Keyloggers :

• Software Keyloggers : It is defined at application level. This type logging is accomplished by using the Windows function SetWindowsHookEx() that monitors all keystrokes. The spyware (keylogger) will typically come packaged as an executable file that initiates the hook function, plus a DLL file to handle the logging functions. An application that calls SetWindowsHookEx() is capable of capturing even autocomplete passwords. Here, it will over-ride the control of SetWindowsHookEx() - The function in windows which controls the keystrokes and also autocomplete actions of system.
• Hardware Keyloggers : It is defined at internal level. These are small inline devices placed between the keyboard and the computer. Because of their size they can often go undetected for long periods of time -- however, they of course require physical access to the machine. These hardware devices have the power to capture hundreds of keystrokes including banking and email username and passwords.

Software Keyloggers :

A Software Keylogger is further divided into many types depending on the method it uses to save and transfer logs from victims' computer to the attacker.

• Offline Keylogger : Here, the keylogger stores all the keystrokes offline i.e on the victim's device without his awareness. Obviously, the attacker here needs a physical access to victim's computer to get the log file (The file in which keystrokes are stored). The attacker knows the path at which the log file is located.
• FTP Keylogger : It is an extended part of Offline Keylogger. The process of saving the keystrokes is same as that of offline keylogger. That means, it stores the log file at a specified location. Now, when the victim's computer gets access to the internet, the keylogger sends the log file with the help of FTP protocol to the attacker's server. Hence, FTP keylogger differs from Offline keylogger in the process of transferring log file.
• Email Keylogger : An Email keylogger is similar to FTP keylogger (also an extended part of Offline keylogger). It differs from the FTP keylogger in the process of transferring the log file. Here, when the victim's computer gets connected to the internet, the keylogger sends an Email from its in-built Email sender to the attacker's Email. Hence, here log file is transferred via email.
• PHP Keylogger : PHP keylogger is different from above defined keyloggers. In PHP keylogger, live data is captured. That means, when the victim types something, the keystrokes are captured (but not saved to log file) and are instantly transferred to the attacker's server via internet. The attacker's server contains PHP script which handles the incoming data (keystrokes) and hence keystrokes are saved on the attacker's server. Here, the most important element is internet -- The victim's computer should have internet connection and also the attacker's server should be online all the time. In case where victim's device does not possess internet, the keystrokes are lost or queued (saved temporarily until the device acquires internet).

Kernel Keyloggers :

Kernel Keyloggers are neither hardware nor software keylogger. As we know, kernel is something which operates between hardware and software of the system but is a combination of Hardware (ROM) and Software (HDL - Hardware Definition Language). The same are Kernel Keyloggers.

This type of keylogger is at the kernel level and receives data directly from the input device (typically, a keyboard). It replaces the core software for interpreting keystrokes. It can be programmed to be virtually undetectable by taking advantage of the fact that it is executed on boot, before any user-level applications start. Since the program runs at the kernel level, one disadvantage to this approach it that it fails to capture autocomplete passwords, as this information is passed in the application layer.

NOTE : The most used of the above types is Software - email keylogger,  as it is easy to design and use. Also it can capture the autocomplete keywords stored in device.