By Jason Wittick • June 28, 2016

What is a Keylogger?


Contrary to popular opinion and in spite of what mainstream media might suggest, successfully breaching an information security system is no simple task. Once they’re inside your defences, however, attackers can deploy any number of tools to achieve their goals and hide their tracks.

To maximize the potential for success, many modern attack schemes aim to take advantage of a successful breach by combining several different tools into a single kit, with each constituent malware component in the package serving a different purpose.

One ubiquitous component of an attacker’s toolkit is a ‘keylogger’ or ‘system monitor’. These are controversial, specialized tools designed to silently observe and record each and every keystroke made on a compromised device. Any device, whether hardware or software, that can intercept and record input from a keyboard is considered a keylogger, but the technology is not inherently malicious: there are legitimate surveillance applications that a concerned parent, an employer or a law enforcement agency might employ. Essentially, it’s the intention or motivation behind a deployed keylogging technology that determines whether it’s malicious.

Keyloggers come in two basic flavours, physical (hardware) and logical (software), and of these two categories the logical variety is the most common. Logical keyloggers are often included in malware packages such as trojans or rootkits, and they are popular among hackers because they allow attackers to infect and monitor target machines without needing physical access to them. Physical keyloggers are less common because they do require physical access to install a device on the target machine. Even though it’s trickier, attackers can still gain physical access: before deployment, while devices are being manufactured, via insider employee-agents at the factory, or at any time after deployment via compromised USB flash drives or fake keyboard connector dongles, often hiding ‘in plain sight’.

The information that a keylogger records and/or transmits is typically very small in size, and capturing it requires little to no resources on the infected machine. Keyloggers are designed to be stealthy: they do not seek out specific data or attempt to relay it to ‘command-and-control’ servers, nor do they tamper with or destroy data as typical malware would. Because they do not behave like other malicious programs, they are harder to detect and remove; a keylogger is not a direct threat to the system it runs on, but to the users of that system.

If users suspect they have a keylogger, or simply want to confirm they do not, there are many anti-malware products available for them to try. They must remember, however, that these applications can only target, detect and remove known, previously identified malware variants. Custom or purpose-built variants are more of a challenge: anti-malware tools do not recognize them as malicious until their actions on a compromised system give data security professionals the information or signature they need to find them and patch defences, until the next new variant is discovered.
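Because signature scanners only catch known variants, a behaviour-based check is a useful complement. The script below is an added example, not code from the original post: on Linux, a user-space software keylogger must hold an open file descriptor on a keyboard device under /dev/input/, so listing which processes do so (by walking the /proc filesystem) surfaces candidates regardless of whether any signature exists for them. The `proc_root` parameter is an assumption added so the check can be run against a constructed /proc tree as well as the live one.

```python
"""
Behaviour-based check for user-space keyloggers on Linux: list every process
that holds an open file descriptor on an input event device (/dev/input/*).
Added example; assumes a Linux-style /proc layout. Not the post's own code.
"""
import os
from pathlib import Path

INPUT_DEV_PREFIX = "/dev/input/"


def find_input_readers(proc_root="/proc"):
    """Return {pid: {"comm": name, "devices": [paths]}} for each process with
    an fd whose link target lies under /dev/input/. Entries we cannot read
    (other users' processes, processes that exited mid-scan) are skipped."""
    hits = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():      # only numeric pid directories
            continue
        try:
            fds = list((entry / "fd").iterdir())
        except OSError:
            continue                      # permission denied or process gone
        devices = []
        for fd in fds:
            try:
                target = os.readlink(fd)  # readlink does not resolve, so a
            except OSError:               # dangling target is still reported
                continue
            if target.startswith(INPUT_DEV_PREFIX):
                devices.append(target)
        if devices:
            try:
                comm = (entry / "comm").read_text().strip()
            except OSError:
                comm = "?"
            hits[int(entry.name)] = {"comm": comm, "devices": sorted(set(devices))}
    return hits


def report(hits):
    """One line per process. Legitimate input consumers (the X server,
    Wayland compositors, power-key daemons) will appear too, so treat the
    list as something to review, not a list of malware to kill."""
    return [f"pid {pid} ({info['comm']}): {', '.join(info['devices'])}"
            for pid, info in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(find_input_readers()):
        print(line)
```

Run it as root to see every process; as an unprivileged user only your own processes are inspected, which still covers a keylogger running under your account.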

 When a user suspects their system has been compromised by a keylogger, they can:

  • Reboot from a CD or USB drive to avoid activating keylogger functionality within an operating system or on a hard disk
  • Use a virtual, on-screen keyboard to avoid physical keyboard input
  • Use a firewall to prevent unauthorized transmission of logged keystrokes to external machines
  • Update all applications and software to apply patches and keep detection and mitigation tools current
  • Use a credential manager to avoid direct user input by automatically populating credential fields
  • Use disposable passwords and rotation to replace old credentials with new ones and eliminate the threat from any that may have been previously logged and/or stolen
