1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for detecting keyloggers.
2. Description of the Background Art
Keyloggers track and record keys struck on a keyboard. While keyloggers may be employed for legitimate purposes, they are typically employed in a covert manner to steal confidential information, such as passwords and account information, entered by way of a keyboard of an infected computer.
Keyloggers may be implemented in hardware or software. Hardware based keyloggers require physical access to the computer to install a keystroke recording device. Hardware based keyloggers are thus harder to deploy compared to software based keyloggers. Software based keyloggers are a form of malicious code and may thus be easily propagated by infecting unprotected computers. A keylogger may steal confidential information from an infected computer for subsequent transmission to a remotely located computer operated or controlled by a cyber criminal.
FIG. 1 schematically illustrates example keystroke processing in a conventional computer. In the example of FIG. 1, the computer comprises a keyboard 150 that is electrically connected to a main module 160. The main module 160 may be a motherboard, for example. In operation, a keyboard input is generated by pressing a key of the keyboard 150. A key matrix 151 detects the location of the particular key that was pressed and forwards the location information to a keyboard processor and read only memory (ROM) 152 (arrow 171). The keyboard processor and ROM 152 translates the location information to a character or control code, which is transmitted to a keyboard controller 161 for processing as the keyboard input (arrow 172). A keyboard driver 163 of the operating system 162 receives the keyboard input (arrow 173), which is subsequently forwarded to an application 164 intended to receive the keyboard input (arrow 174).
Keyboard inputs may be monitored at various points in the computer. For example, keyboard inputs may be monitored using an electrical circuit connected between the keyboard 150 and the main module 160, such as inline with the keyboard's cable connector. Keyboard inputs may also be monitored at the kernel level by using a kernel driver and hooking the interrupt descriptor table, by monitoring I/O (input/output) port status, or by replacing the operating system's keyboard driver. At the application level, keyboard inputs may be monitored using an application programming interface (API) hook, using a form grabber, or by capturing network traffic, to name some examples.
Hardware based keyloggers may be detected by physical inspection and by securing the location of the computer. Software based keyloggers, being a form of malicious code, are more problematic for the average computer user because they are easily contracted, such as by receiving infectious files over a computer network or from a computer-readable storage medium inserted into the computer.
There are various ways of protecting a computer from malicious code that is configured as a keylogger. Example methods include using a virtual keyboard, an automatic form filler, or speech recognition. While these methods may prevent a keylogger from monitoring and logging keyboard inputs, they do not detect the presence of the keylogger. That is, the keylogger remains in the infected computer to monitor keyboard inputs, i.e., inputs entered by way of the physical keyboard 150. Antivirus software may be employed to detect software based keyloggers using pattern-matching and heuristic algorithms. However, because of the large number of keyloggers and their variants, the pattern file containing the keylogger patterns may become very large. Furthermore, the behavior of keyloggers operating at the kernel level is relatively difficult to detect.