The fight against keylogging attacks

Getting to the kernel of the problem in the fight against keylogging attacks.

Keyloggers are on the rise. Last year amid fears around Covid-19, a phishing campaign involving emails claiming to be from the World Health Organisation tried to plant the HawkEye keylogger variant inside unsuspecting users’ PCs. Another instance was a keylogger used by a student on college staff computers in order to enhance his exam results and, notoriously, the Olympic Vision keylogger which hijacked the emails of accounting employees at companies in over 18 countries threatening multiple financial transactions.

Originally used by the Soviet Union in the 1970s to monitor classified letters and memos being typed on electric typewriters by diplomats, keylogging is one of the oldest forms of cyber threats. It has lost none of its potency over the intervening years.

How does a keylogger work?

Keyloggers are designed to track successive keystrokes made on a keyboard and generally operate without the device user being aware. They can even harvest data from the session after the login, basically roaming through the data allowing cybercriminals to monitor and record the user’s activity with a view to stealing passwords and log-in details either for blackmail or theft. Many sell the details to other criminals.

They have a role to play in advanced persistent threats (APTs), the sophisticated attacks that involve a number of intrusion methods, and are researched, customised and focused for particular target organisations. The danger of these is that they can extend over a prolonged period of months, quietly harvesting sensitive information with devastating effects on the victim. Along with keylogging, the other malware used is impervious to conventional protection methods.

As a monitoring tool, a keylogger can also have legitimate use within a corporate organisation as a means to troubleshoot issues, enhance customer experiences or monitor employees, while the police and intelligence agencies also use it for surveillance.

There are multiple forms of keylogger but one of the most difficult to detect works insidiously inside the core of the computer operating system, at the kernel. Any keyboard input enters at the kernel level and the keylogger malware intercepts it at that point. This type of malware is not easy for cybercriminals to create. It requires advanced software development skills and knowledge of writing code that can operate at the kernel. Unlike the keyloggers that operate above the kernel at userland or application level and which can often be thwarted by anti-virus and endpoint detection and response tools, kernel level keyloggers are deeply challenging to detect and eradicate, proving resistant to most standard security solutions, including anti-virus software.

Protecting the kernel

Guarding against kernel level keyloggers and stopping them from moving around undetected means getting in between the keystroke and the kernel. The only way to do this is by using a keyboard filter driver which places itself first in the list of filters. This replaces the actual keys entered by the user with fake, randomly generated characters. It is a technique that effectively protects sensitive data entry from all kernel level keystroke loggers, which instead pick up the random entries and not the sensitive data being entered by the user. Solutions that enable this ensures that the driver filter order check is performed every time it runs and carries out an integrity check to ensure that the driver has not been tampered with.

The authentic keyboard entries are encrypted and securely stored in memory, using a 128-bit encryption key. Those entries are then only decrypted when the host application requests the inputted characters using the API of the solution used to protect entry.

Experienced security experts might suggest that it could be possible for a malicious actor to reverse the random character and put it back into the real character. However, while the data can be decrypted, it cannot be reversed because there is no relationship between the random key and the actual key. The keylogging malware cannot access the keystrokes through the memory because they don’t reach that far, and the kernel is protected because the anti-keylogging filter steps in first.

Specialist protection for a specialist threat

Developing a solution that can provide a filter between the keyboard and the kernel is complex, in the same way, that keyloggers are complex. Cybercriminals have spent long years perfecting their ability to infect computers with malware that can lie, undetected at the core of the device. It is not just that anti-virus software or endpoint detection and response solutions fail to spot the presence of keyloggers, it is also because of the proliferation of polymorphism.

It is thought that over 90% of malware is polymorphic, having the ability to constantly adapt its makeup so it can evade detection, quarantine and deletion. Kernel level keyloggers can change their signature frequently, even with every keystroke, and like other polymorphic malware, use encryption to hide their code.

Keeping up with this level of challenge means thinking differently about protecting data entry and interjecting a barrier that allows keystrokes to be re-routed safely and encrypted. This is the only way that users can be sure that every time they enter a key on their keyboard, their personal data is not being collected at the kernel level and used for nefarious purposes.