Keylogging programs are the epitome of online stealth, and theyre also a mushrooming problem on the Internet, where identity and intellectual property thefts are fueling an explosion of key-capture tools.
Reports of new keylogging programs soared higher this year, as part of a wave of multifunction malware with integrated keylogging features, according to VeriSign Inc.s security information company iDefense Inc. The programs often evade detection by anti-virus tools and can be difficult to detect once installed, experts warn. However, at least one anti-spyware company believes that reports about the danger posed by keyloggers are overstated.
More than 6,000 keylogging programs will be released by the end of this year, according to projections by iDefense. Thats an increase of 2,000 percent over the last five years, company officials said.
Keyloggers have been around for years and are also sold as legitimate applications—often as monitoring tools for concerned parents or suspicious spouses—according to Ken Dunham, director of malicious code at iDefense, in Reston, Va.
Security companies occasionally lock horns with makers of commercial keyloggers. For example, earlier this month, anti-spyware software maker Sunbelt Software Inc. was threatened with a lawsuit by RetroCoder Ltd., a U.K. company that was angry about Sunbelt listing RetroCoders SpyMon keylogger in its threat database, according to a blog entry by Sunbelt President Alex Eckelberry in Clearwater, Fla.
SpyMons EULA (end-user license agreement) forbids anti-spyware and anti-virus companies from using or analyzing the program, and RetroCoder threatened to enforce that provision in European Union court unless the program was removed from the threat database, according to Sunbelt officials.
Malicious keyloggers are increasingly part of modular programs that contain Trojan horse, spamming and remote control features, as well, Dunham said.
Anti-virus companies have developed signatures that will stop many of those programs before they can be installed, but new programs with unique signatures are readily available from malicious code download sites. In some cases, the programs source code can be purchased so buyers can create their own keylogger variants, Dunham said.
Keyloggers are particularly common in countries where online banking fraud is a problem, such as Brazil, said Joe Stewart, a senior security researcher at Lurhq Corp., in Chicago. The keyloggers are coupled with Trojan programs, such as the Banker and PWSteal families, and are programmed to spring to life when victims type the URL of a specific bank or banks into their Web browser or when they launch a Web page with a specific name, Stewart said.
Keyloggers are also pouring out of countries in Eastern Europe that are less discriminating about what kind of log-in information they capture. China is a major source of Trojan and keylogger programs, such as Myfip, that are customized to steal intellectual property, such as Microsoft Corp. Word or CAD/CAM files, rather than personal or financial information, he said.
Still, some take issue with the dire warnings about keylogging programs.
Eckelberry used his blog to question iDefenses statistics on keylogging programs. He wrote that his companys researchers have identified only "a couple dozen" new keylogging programs since August, affecting only about 8,000 people.