Commercial Keyloggers
December 30th, 2007

I’m sure we’re all familiar with the world of malware keyloggers – the ones installed through drive-by-downloads or received as attachments embedded within the latest batch of spam email messages.  They’re often bundled with stealthy functions that hide them from popular anti-virus products and have the ability to regularly email criminals any passwords or login credentials they happen to collect on the infected host.

While that kind of malware keylogger is typically developed and deployed by criminal gangs, did you know that there is a whole bundle of commercial-grade software-based keyloggers as well? These commercial keyloggers are designed for use by corporate IT/Security/Audit teams and law enforcement agencies, and they’re way more advanced than their malware cousins.

Professional Use

To a lot of security professionals, the mere mention of commercial keyloggers brings thoughts of thinly veiled spyware and browser popups.  While there is still a gray-market for that kind of spyware, today’s commercial keyloggers are polished (and dare I say “trustworthy”) software monitoring applications geared towards corporate deployment and use.

The quality and feature-sets of these commercial keyloggers have matured into very advanced monitoring and surveillance toolkits, and there is a pretty clear demarcation between those geared to a corporate clientele and those for use in monitoring spouses and children on home PCs.

New regulatory requirements and high profile data losses have reinvigorated the commercial keylogger business.  Data Leakage Prevention (DLP) has become a growth industry with major security vendors clamoring to purchase or secure exclusive rights to software companies specializing in on-the-fly data classification and extrusion blocking.  As such, many of the newer developments in keyloggers have been honed or tuned to address this market (in some cases it’s just been to change the advertising literature and use the latest buzzwords).

What sort of corporate features can you expect from a commercial software keylogger?

  1. Multiple operating system support. Most good keyloggers will work on multiple operating systems (Windows Vista/XP/2003/2000/9x/ME/NT, Mac OSX, Solaris, Linux, BSD, etc.) – using the same command, control and reporting functions – even if different installation kits are required.
  2. Multiple log transfer options. In order to get the captured data off the monitored host, the keylogger may support the use of email, FTP, HTTP, LAN-based file transfers and other physical transfer options. These transfers may be conducted at scheduled times, live, or whenever convenient (e.g. when a laptop user plugs in to the corporate LAN).
  3. Stealthy and selective operation. In most cases the keylogger is designed to hide its processes from the monitored user(s) and any anti-virus software that may be installed, and often comes with selectable encryption libraries and passwords for securing the data it collects on the host.  They can also be quite selective about the users they monitor and the specific applications that need to be monitored.
  4. Multiple language support.  Given the way keyboard keys are mapped in different languages, most commercial keyloggers do all the necessary conversions – as well as provide interfaces and analysis tools in multiple languages so that local support teams can manage the monitored systems.
  5. Managed Installation. The ability to selectively install, uninstall and administer a distributed network of keyloggers is a critical component of the newest families of keyloggers.

While they still go by the name “keylogger”, the tools themselves have evolved beyond the name used to describe them and can best be described as local surveillance systems.  What sort of monitoring capabilities do these commercial keyloggers typically provide?

  • System logon (password)
  • Recording keystrokes (keychars only or all keys)
  • File-activity monitoring (created files, deleted files, copied files, renamed files and opened files)
  • Visited URLs (within Internet Explorer, Mozilla Firefox, Safari or Opera)
  • Emails (incoming and outgoing)
  • Clipboard interception
  • Started applications monitoring
  • System logoff and logoff
  • Printer queue capture
  • Mouse-clicks recording
  • Sound recording
  • System inactivity time recording
  • Screenshots (adjustable screenshot frequency, adjustable screenshot quality, ability to choose between fullscreen and active window screenshots, on-mouse-click screenshots and the ability to make screenshots of visited web-sites)
  • Parental control (ability to restrict certain programs starting, ability to restrict certain web-sites visiting)
  • Filtering (reaction to a specific keyword, ability to exclude users from monitoring, timestamps of events, monitoring scheduler, ability to watch certain programs, search by keywords, several days report building, daily reports and automated clearance of a log-file)
  • Instant messenger interception (MSN, YahooIM, AIM, ICQ, Skype)

By way of example, here are some screenshots of a popular commercial keylogger suite – Spy Lantern.

Getting your hands on a keylogger

The keyloggers themselves are very easy to get hold of.  Most can be purchased online and range from $40 to $200, with heavy discounts for bulk license purchases, and can be downloaded from the publisher’s site after receiving a credit card payment.

Many of the commercial keylogger suites marketed as home computer monitoring systems (e.g. keeping track of the spouse and children) also provide avenues to ‘trial’ the software before purchase.

There are a great number of commercial keylogger software providers out there – with many concentrating on local markets (to take account of language and popular peer-to-peer messaging applications specific to a country) – but luckily there are several good keylogger review sites.  One of the better keylogger sites is KEYLOGGER.ORG.

Why would a criminal use a commercial keylogger?

One problem with the online purchase and download of these keyloggers is the fact that they are so easy to get your hands on.  For only a few dollars, advanced monitoring solutions can be acquired by all and sundry, and easily deployed on hosts on which the attacker has no right to install software.  Therefore, the barrier to entry for criminal identity theft and fraud is very low – you can almost think of it as a “no assembly required” sticker on the box – and any unskilled attacker can quickly get up to speed and begin their latest criminal endeavor.

Just as interestingly, a quick analysis of the top-10 rated keyloggers on KEYLOGGER.ORG revealed that 80% of them already had publicly available cracks or keygens (quick searches on KeyGen.US) – effectively meaning that the cost of these keylogging suites is $0 to any criminals.

Another interesting argument for using a commercial keylogger over some uber-elite one-of-a-kind malware keylogger (beyond concerns over quality and reliability) is the fact that many of these keyloggers have been designed for, and are in use within, corporate environments.  Consequently, whilst almost all anti-virus products are capable of detecting their presence, many commercial and popular anti-virus products downgrade their alerts when detecting them.  Why? Because, in a lot of cases, corporations deploy this keylogger software inside their own networks and don’t want any “false alerts” popping up on the monitored hosts.
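As an added illustration of that alert-downgrading problem (example code written for this page, not from any anti-virus vendor or from the original post): triage logic that re-escalates “monitoring tool” and “riskware” class detections to high severity unless the host is on the audit team’s approved-deployment list. The key=value log format, the host names and the allowlist are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample AV log lines in an assumed key=value format (not any real product's output).
SAMPLE_LOG = """\
2007-12-30T09:12:01 host=ws-finance-07 severity=low class=Monitoring-Tool name=Keylogger.Generic action=logged
2007-12-30T09:14:22 host=ws-hr-02 severity=high class=Trojan name=Spy.Agent action=quarantined
2007-12-30T09:20:45 host=ws-legal-11 severity=info class=Riskware name=Keylogger.Commercial action=allowed
2007-12-30T09:31:10 host=kiosk-lobby-1 severity=low class=Monitoring-Tool name=Keylogger.Generic action=logged
"""

# Hosts where the audit team has an approved, documented deployment (assumed allowlist).
AUTHORISED_HOSTS = {"ws-legal-11"}

# Detection classes that vendors commonly report at reduced severity.
DOWNGRADED_CLASSES = {"monitoring-tool", "riskware", "not-a-virus"}

LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+severity=(?P<sev>\S+)\s+"
    r"class=(?P<cls>\S+)\s+name=(?P<name>\S+)\s+action=(?P<action>\S+)"
)


@dataclass
class Finding:
    ts: str
    host: str
    name: str
    vendor_severity: str
    escalated_severity: str


def triage(log_text, authorised_hosts=AUTHORISED_HOSTS):
    """Return downgraded monitoring-tool detections on unapproved hosts, escalated to high."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        if m["cls"].lower() not in DOWNGRADED_CLASSES:
            continue  # ordinary malware classes already carry the vendor's severity
        if m["host"] in authorised_hosts:
            continue  # sanctioned monitoring deployment; expected, not a finding
        findings.append(Finding(m["ts"], m["host"], m["name"], m["sev"], "high"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: {f.name} {f.vendor_severity} -> {f.escalated_severity}")
```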


    Copyright 2001-2007 © Gunter Ollmann