Effective Keylogger Defense

Ted McKendall

Google recently presented some interesting findings on the causes and risks of credential theft. Presented at the recent ACM Conference on Computer and Communications Security, the results come from a year-long study carried out jointly with the University of California, Berkeley. While the phishing findings have gotten some attention as a major threat to users, less has been said about another key threat: keyloggers.

During the study, researchers identified 788,000 potential victims of off-the-shelf keyloggers, and through correlation they found that such victims have a 12% likelihood of having their Google password exposed. This is particularly damaging because of transitive trust: many people use Gmail as their password recovery account, so once in control of that account an attacker can take over other accounts and therefore the victim’s online identity.

As to the attackers’ tools, the study identified 52 keyloggers responsible for these attacks. However, attackers appear to have little incentive to innovate – the researchers observed that keylogger capabilities have remained largely unchanged since the mid-2000s. The study focused on off-the-shelf keyloggers, but this conclusion corroborates Trusted Knight’s own experience: most modern crimeware still uses a relatively consistent set of tried-and-true techniques to actually commit fraud. While it is true that the exploits used to infect computers have evolved over the years to defeat advances in defense, when it comes to the ‘payload’ of the infection (the actual objective of the crimeware) keylogging is still the primary method used. These techniques harken back to the days of Zeus; man-in-the-browser, for example, is still used to steal keystrokes, manipulate web transactions, and steal confidential information such as usernames and passwords.

So how can an enterprise mitigate this threat? Traditional endpoint security products will only be partly effective. This kind of crimeware has a steadily increasing number of variants that use zero-day or sophisticated exploits to infect devices. Some measurements, such as those published by Watchguard in their Q2 2017 Internet Security Report, show that almost half of all malware is missed by traditional antivirus products that rely on signature-based detection techniques. The Google/UC Berkeley researchers developed a technique to identify potential keylogging victims by monitoring SMTP connections (email). They were able to create a set of 315 rules that covered thousands of keylogger binaries. If employed by an enterprise, this detection technique would undoubtedly take another bite out of the problem; however, it still does not solve it, since SMTP is only one exfiltration channel, with others being FTP and, perhaps most commonly, HTTP.
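To make the coverage gap concrete, here is an added example (not code from the study or from Trusted Knight) of a small rule-based exfiltration detector run over constructed gateway log lines. The rules, field names and sample hosts are all hypothetical; the point is that an SMTP-only rule set, like the one described above, flags only the host exfiltrating over email and misses the one using HTTP.

```python
import re

# Hypothetical rules (constructed for this example, not the study's 315 rules):
# (protocol, rule name, regex applied to one normalised gateway log line).
RULES = [
    ("smtp", "templated-subject",
     re.compile(r'subject="(?:Logs?|Keystrokes|Report) from \S+ \[\d{4}-\d{2}-\d{2}')),
    ("http", "post-to-bare-ip",
     re.compile(r'method=POST host=\d{1,3}(?:\.\d{1,3}){3} .*uri=\S+\.php')),
    ("ftp", "upload-named-like-log",
     re.compile(r'cmd=STOR .*file=\S+_\d{4}-\d{2}-\d{2}\.(?:log|txt)$')),
]

# Constructed sample log lines: one record per line, key=value fields.
SAMPLE_LOGS = [
    'proto=smtp src=10.0.0.15 from=victim@corp.example to=drop@mail.example '
    'subject="Logs from WS-15 [2017-11-02 09:14]" attachments=3',
    'proto=smtp src=10.0.0.22 from=alice@corp.example to=bob@partner.example '
    'subject="Q3 budget" attachments=1',
    'proto=http src=10.0.0.40 method=POST host=203.0.113.7 uri=/collect.php bytes=48211',
    'proto=http src=10.0.0.31 method=GET host=www.example.com uri=/index.html bytes=5120',
    'proto=ftp src=10.0.0.15 cmd=STOR host=198.51.100.9 file=ws-15_2017-11-02.log',
]


def proto_of(line):
    """Protocol tag of a log line, or None if the line lacks one."""
    m = re.match(r"proto=(\w+)", line)
    return m.group(1) if m else None


def match_rules(line):
    """Names of every rule whose protocol and pattern both match this line."""
    proto = proto_of(line)
    return [name for p, name, rx in RULES if p == proto and rx.search(line)]


def flagged_hosts(lines, protocols):
    """Map each source host to the set of rules it tripped, looking only at the
    given protocols. ("smtp",) models an email-only detector; all three show
    what such a detector misses when exfiltration moves to HTTP or FTP."""
    hits = {}
    for line in lines:
        if proto_of(line) not in protocols:
            continue
        names = match_rules(line)
        if names:
            src = re.search(r"src=(\S+)", line).group(1)
            hits.setdefault(src, set()).update(names)
    return hits


if __name__ == "__main__":
    print("SMTP only:", flagged_hosts(SAMPLE_LOGS, ("smtp",)))
    print("All channels:", flagged_hosts(SAMPLE_LOGS, ("smtp", "http", "ftp")))
```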

In information security we often encourage a layered approach. At Trusted Knight we have long believed that a key layer in this defense lies in using solutions that actually prevent the crimeware from stealing the credentials in the first place, so there is nothing for the malware to exfiltrate, or at least in using protective techniques that make the stolen data useless to the criminals. In other words, accept the reality that detection techniques will fail at times and that crimeware will infect at least some users at some point, and employ a solution that will block the payload of the crimeware – the most pervasive payloads being keyloggers.