Keylogger

miks

Guest
How does one go about detecting a keylogger or other similar utility that may have been installed on a computer? How does one locate the data that has been stored and remove it, as well as the offending utility?
Note: This is a personal home computer, not a work or employer-owned system. Thanks in advance. :)
 


Not really sure about Linux, but if you are using Windows you might want to open up the task manager. Do we have a task manager in Linux?
 
There is a task manager in most, if not all, Linux distributions. The menu to access it can vary depending on what you are running, but I believe it is normally found under the 'System' menu with the title 'Task Manager'. I am trying to remember what you can enter when pressing ALT + F2 to pull up the Run Program menu, but my mind is drawing a blank. I must say that I am not too familiar with having a keylogger (or a problem with one) on any Linux system. Was this a keylogger that you installed?
 
1. I am assuming Windows.
2. I am assuming the machine is on.
3. You can do the same in Linux, I just don't know the tools.

Ok, firstly. You wanna stop using your plugged-in keyboard. Go to the on-screen keyboard on the screen - this will not be logged by a keylogger.

Secondly. You wanna find out what ports you have open, and where they are connecting to. Close all web browsers and everything connecting outwards. If you see anything going out, note the IP address.

Open a process viewer (task manager will do) and look for any processes taking up more RAM / CPU than the others. Download and install Process Explorer from Sysinternals. Use this to "verify" all processes running. Right click process, click properties, click verify.

If any do not verify, they are suspect.

Disconnect the machine from the internet. If it is a text keylogger you need to look for several things: any strange exes, and any strange text files. To find these, I would boot into a Linux live CD. Grep for exe. See what you find. Grep for .txt or .log, see what you find.

If you are still unsure, type in some random characters onto the live running machine using your keyboard. Make it a unique string, so like "hdnsnakaishtbam292834dsa", something you would not have typed before. Boot into Linux, and do a grep for that string. If you find it saved in a text file, or find it anywhere on the drive OTHER THAN the pagefile.sys, you have a keylogger on your machine. Once you find out where your string is stored, you have the temp file of the keylogger. Google its name, and check the folder where it is saved. You will likely find the keylogger hiding in the same folder, or a few folders back in the tree.

I hope this helps. I do this for a living. I have detected and removed keyloggers on Windows machines before, so I can try my best to help you.

Once you find any suspect files, upload them to virustotal.com and see what they rank as, either good or bad.
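The canary-string search from the post above, as an added example that is not part of the thread and not one of the poster's tools. It assumes the suspect disk is mounted (ideally read-only) from a live CD at the path passed as the first argument, that the canary string is the second argument, and that pagefile.sys and hiberfil.sys should be skipped because paged-out or hibernated memory legitimately contains recently typed text. The demo builds a constructed directory tree rather than touching a real disk.

```shell
#!/bin/sh
# Added example, not from the thread: search a mounted drive for a canary
# string that was typed on the suspect machine.
# Assumes: $1 is the mount point of the suspect disk (e.g. /mnt/suspect),
# $2 is the canary string. pagefile.sys / hiberfil.sys are skipped on purpose.

find_canary() {
    root="$1"
    canary="$2"
    # -a: treat binary files as text so a hit inside a non-text file is reported
    # -l: print matching file names only; -F: fixed string, not a regex
    find "$root" -type f ! -name pagefile.sys ! -name hiberfil.sys \
        -exec grep -laF -- "$canary" {} + 2>/dev/null
}

# Build a constructed directory tree (sample data, not a real disk image) and
# run the search over it; prints hits relative to the tree root.
demo_find_canary() {
    tmp=$(mktemp -d)
    canary="hdnsnakaishtbam292834dsa"   # the unique string from the post
    mkdir -p "$tmp/Users/owner/AppData/Roaming/logtool" "$tmp/Windows"
    printf 'keys: %s\n' "$canary" > "$tmp/Users/owner/AppData/Roaming/logtool/keys.log"
    printf 'nothing to see here\n' > "$tmp/Windows/notes.txt"
    # the page file also holds the string, and must NOT be reported
    printf 'memory %s dump\n' "$canary" > "$tmp/pagefile.sys"
    find_canary "$tmp" "$canary" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# With no arguments run the demo; otherwise search the given root for the string.
if [ "$#" -eq 0 ]; then
    demo_find_canary
else
    find_canary "$1" "$2"
fi
```

On a real live-CD session the call is `sh find_canary.sh /mnt/suspect hdnsnakaishtbam292834dsa`; every path it prints is a file that captured keystrokes and is worth looking at together with the executables in the same directory tree, exactly as the post suggests.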
 

Great and detailed post. I would do it as Scotty said. Another method you might want to consider, assuming it is still in Windows, is to use safe mode. Just reboot your Windows and switch to safe mode, then manually delete/uninstall that keylogger. If anyone can teach us how to do it in Linux, it would be a great help.
 
Yes, for Linux I am not so sure. The best thing you can do is unplug from the network, and not restart. That way, if anything is transmitting / running now, you will get it. If you restart, you run the risk that you might not catch it again.
 
I'm just curious... If there is a keylogger running in Linux, would you be able to find it on your running processes by typing "ps x"? If so, maybe you could just kill that process then search and destroy it. I haven't encountered any keylogger yet so I'm not quite sure.
 
If you're on Windows, what anti-virus are you running? Because constantly browsing the web with Windows and no anti-virus, even a free one, is just asking to get infected with something. If you don't want to spend money, then at least download the free versions of Avast and Malwarebytes. If you're willing to put out a couple of bucks, then Kaspersky and Bitdefender are also quite good. The paid version of Kaspersky (3-PC license for 2012) also has a free $50 rebate on Newegg right now (ends 4/18), so you essentially get it for free.
 
Yes, you could if you could find the process. A lot of keyloggers hide at the rootkit level, so finding the process is sometimes difficult, as it can be hooked into something else, like the ACPI drivers, for example.
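Going one step past `ps x` on Linux, as an added example that is not from the thread or from any poster: a userspace keylogger has to read the keyboard from somewhere, and on a modern system that is usually an evdev node under /dev/input. Listing which processes hold such a device open surfaces a logger whose name looks innocent in `ps x`. The check does not see kernel-level hooks of the kind the reply above describes; those need the offline tools mentioned later in the thread. The proc root is a parameter so the function can be run against a constructed tree; the process name `evlogger` and the PIDs in the demo are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report processes holding a Linux input
# device open. Only catches userspace readers of /dev/input/*, not kernel hooks.
# Assumes a procfs-style tree at $1 (defaults to /proc); run as root on a live
# system so other users' /proc/PID/fd directories are readable.

input_readers() {
    proc="${1:-/proc}"
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/input/event*|/dev/input/mice|/dev/input/mouse*)
                pid=${fd#"$proc"/}      # strip the proc root ...
                pid=${pid%%/*}          # ... and keep the PID component
                comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
                echo "$pid $comm $target"
                ;;
        esac
    done | sort -u
}

# Constructed fake /proc tree (sample data): one process holding an event
# device, one ordinary shell holding only a terminal.
demo_input_readers() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/4242/fd" "$tmp/4243/fd"
    echo "evlogger" > "$tmp/4242/comm"   # hypothetical suspect process name
    echo "bash" > "$tmp/4243/comm"
    ln -s /dev/input/event3 "$tmp/4242/fd/5"
    ln -s /dev/null "$tmp/4242/fd/1"
    ln -s /dev/pts/0 "$tmp/4243/fd/0"
    input_readers "$tmp"
    rm -rf "$tmp"
}

if [ "$#" -eq 0 ]; then
    demo_input_readers
else
    input_readers "$1"
fi
```

On a real desktop the list is never empty: the display server (Xorg or a Wayland compositor), systemd-logind and similar services legitimately hold input devices, so the point is to explain every entry that is not one of those, then inspect that PID's /proc/PID/exe and cwd before killing it.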
 
Any ideas on how to trace the process for the keylogger? Is there like a reference for the names of those programs or symptoms so that we know there is a keylogger on our computer?
 
I see. Yeah, finding it could be a lot of work. Thanks for the info.
 
I did a bit of digging and the person on this reference talks about booting from a known-safe CD image and then having to manually scan for anything suspicious. His recommended tools are chkrootkit and debsums.

Credits to source.
 
The concept and philosophy of this is sound; happy hunting.
 
Rootkit Hunter is good as well. Basically, if you think the keylogger is operating at a rootkit level, the best thing you can do is to boot outwith the operating system, then run a virus scan. The easiest way to do this is through a live CD. It bypasses the controls set by the OS protecting the keylogger/rootkit, so you have a better chance of finding it.

If you want to find it running, do not do this! To get it running, like I said, look through all your processes. Commonly, in Windows at least, they will hide in svchost, or something that looks legitimate. Using something like Process Explorer by Sysinternals, which can help you verify processes, would work. For Linux, you would have to use... I don't know. Basically your own knowledge. Trial and error. Try shutting down certain threads, and see what happens at run time.

Using a disk like Hiren's Boot CD over a straight Linux live CD on a Windows machine would also be advised, as you can go in and disable things running at start-up from the live CD. Meaning, if it is running at rootkit level, you can disable it, restart into Windows and then remediate from there.
 
The first thing I did when I smelled a RAT was to use my wireless keyboard, then I used this program: http://www.blazingtools.com/antispy.html
 
Best way to detect keyloggers is with the task manager. I have used it before in my online gaming days >=) but that was like 8 years ago, so I am not sure if the keylogger programs have evolved or what.
 
I have also used keylogger software for computer security against outsiders.
 
Check your outgoing connections and see if any data is being sent to an unknown source. If so, you can easily block the connection, or you can try to find where the logger is hiding on your computer and attempt to remove it yourself. If you are unable to find it, try to find some sort of anti-virus to run a system scan to help look more thoroughly.
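The outgoing-connection check recommended above (and in Scotty's "see what ports you have open" step earlier), as an added example that is not from the thread: on Linux, `ss -tnp state established` lists every established TCP connection with its peer address and owning process, and the filter below keeps only peers outside loopback and the RFC 1918 private ranges, which is the short list worth explaining. The sample `ss` output inside the demo is constructed; the process names, PIDs and the 203.0.113.9 address (a documentation range) are made up.

```shell
#!/bin/sh
# Added example, not from the thread: reduce `ss -tnp state established` output
# to connections whose peer is outside the local machine and private networks.
# Assumes the ss column order "Recv-Q Send-Q Local Peer Process" (iproute2 ss);
# run as root so the Process column is filled for every socket.

remote_peers() {
    # reads ss output on stdin; prints "<peer-ip> <process column>"
    awk 'NR > 1 {
        peer = $4
        sub(/:[0-9]+$/, "", peer)            # drop the port
        # skip loopback and RFC 1918 private ranges
        if (peer ~ /^(127\.|\[::1\]|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
        print peer, ($5 == "" ? "-" : $5)
    }'
}

# Constructed sample in the format of `ss -tnp state established`
# (sample data, not captured from a real machine).
demo_remote_peers() {
    printf '%s\n' \
      'Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
      '0 0 192.168.1.20:51234 192.168.1.1:22 users:(("ssh",pid=1200,fd=3))' \
      '0 0 127.0.0.1:40000 127.0.0.1:631 users:(("cupsd",pid=800,fd=5))' \
      '0 0 192.168.1.20:51300 203.0.113.9:443 users:(("updater",pid=3131,fd=7))' \
      | remote_peers
}

if [ "$#" -eq 0 ]; then
    demo_remote_peers
else
    # live use: ss -tnp state established | sh this_script.sh live
    remote_peers
fi
```

Run it with browsers and updaters closed, as the earlier post advises; anything that remains is a connection you should be able to name, and the pid in the Process column is the one to look up in Process Explorer's Windows equivalent or /proc on Linux before blocking the address at the firewall.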
 
