
How to Kill a Keylogger

WildPackets welcomes this guest blog post from independent security consultant Dr. Gordon Mitchell, who details below how he used the WildPackets OmniPeek Network Analyzer to discover and thwart a keylogger that had compromised a local government network.

Keylogging tracks the keys struck on a keyboard in a discreet manner so that the person using the keyboard is unaware that their actions are being monitored. There are several keylogging methods, ranging from hardware and software-based approaches to electromagnetic and acoustic analysis.

A while back, I found evidence of a keylogger on a local government computer… hunting time.

Using WildPackets EtherPeek (now included in OmniPeek) as my weapon of choice, a live analysis was performed. It turned out that a “smoking gun” email had started it all by explaining how to install the keylogging software. This is obviously a concern, especially in a government setting where information is at high risk of being compromised.

So, what had been stolen? If no keystrokes were captured there wasn’t much to worry about. I went to work.

A clone of the computer’s hard drive was created, and it was this clone, not the original, that was connected to the Internet. Before plugging in the Ethernet cable, I made sure to limit the export of data.

[Figure: blog_1.png]

The restored computer was allowed to connect to the Internet through a firewall, which only allowed it to get DNS information. By hacking the Windows hosts file, connections were directed to a test machine that was set up with a fake SMTP server. The computer was turned on and text was typed into Notepad.

If there was an active keylogger, this text would have likely been picked up and emailed off with previously recorded activity. Not long after plugging the Ethernet cable in, I saw activity. The test machine was monitored with a Peek-equipped PC. All the traffic between the restored computer and the test machine was recorded, thanks to Wildpackets.
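A fake SMTP sink of the kind used in this setup, added here as an example and not code from the original post or a WildPackets tool: it accepts any sender, recipient and credentials, relays nothing, and records what the malware tries to send, so the packet capture and the sink log can be compared. The hostname sink.lab, port 2525 and any transcript replayed through run_sink_on are assumptions for the lab.

```python
"""Fake SMTP sink for a keylogger lab: accepts any sender, recipient or
credentials, relays nothing, and records the message body for analysis."""
import io
import socketserver

def smtp_sink_session(inp, out):
    """Drive one SMTP dialogue over binary file objects; return the message."""
    out.write(b"220 sink.lab ESMTP ready\r\n")
    msg, in_data = {"from": [], "to": [], "data": b""}, False
    while True:
        line = inp.readline()
        if not line:                          # client hung up before QUIT
            return msg if msg["data"] else None
        if in_data:                           # collecting the message body
            if line.rstrip(b"\r\n") == b".":
                in_data = False
                out.write(b"250 Queued (never delivered)\r\n")
            else:                             # undo SMTP dot-stuffing
                msg["data"] += line[1:] if line.startswith(b"..") else line
            continue
        cmd = line.rstrip(b"\r\n")
        verb = cmd.partition(b" ")[0].upper()
        if verb in (b"HELO", b"EHLO"):        # no STARTTLS offered, so the capture stays readable
            out.write(b"250 sink.lab\r\n")
        elif verb == b"AUTH":                 # accept whatever credentials are offered
            out.write(b"235 Authentication successful\r\n")
        elif verb in (b"MAIL", b"RCPT"):      # the address follows the first ':'
            msg["from" if verb == b"MAIL" else "to"].append(cmd.partition(b":")[2].strip())
            out.write(b"250 OK\r\n")
        elif verb == b"DATA":
            in_data = True
            out.write(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif verb == b"QUIT":
            out.write(b"221 Bye\r\n")
            return msg
        else:
            out.write(b"502 Command not implemented\r\n")

def run_sink_on(transcript):                  # replay a constructed client transcript offline
    out = io.BytesIO()
    return smtp_sink_session(io.BytesIO(transcript), out), out.getvalue()

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):                         # one connection per thread; print what was captured
        print(self.client_address[0], smtp_sink_session(self.rfile, self.wfile))

if __name__ == "__main__":                    # port 2525 is a placeholder for the redirected mail host
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), SinkHandler) as srv:
        srv.serve_forever()
```

Point the hosts-file entry for the mail server at the machine running this sink and keep the packet analyzer on the same segment; the sink shows the reassembled message while the capture shows the raw session.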

The first intercepted traffic included the material below:


[Figure: blog_2.png]

This information came from the keylogger report that was being sent to an offshore email account. The good news was that the “classified” reference related to staff categories and was not secret government information.


[Figure: blog_3.png]

Next came the text that I had typed on the restored machine’s keyboard. This was confirmation that the keylogger was stealing information. A bit more analysis defined the scope of the loss, allowing repair of the damage... and identification of the person who installed the keylogger. RIP, keylogger.

One thought on “How to Kill a Keylogger”

  1. network management

    Keyloggers can definitely hurt our network system if not dealt with properly. Users should be cautious and very observant in using their system so they can detect if there is a keylogger somewhere out there. It is very important that we keep our files safe and our network system working properly.
