Programs that record data about users’ activity in keystrokes per hour and send them to their developers are called Spyware. Their activity can have different results – from pop-up advertisements to serious violations of OS, including personal data theft, pressed keys record, “back door” installation, etc.
Also known as ‘drive-by downloads’, Spyware-applications use up-to-date methods of intrusion. Many users do not know that most spyware-applications penetrate into their computers when they visits different web-pages, opens archived files, clicks on pop-ups that contain active elements like ActiveX, Java Applet, etc. Spyware-modules can also be bundled with graphic files and sometimes with drivers for new hardware.
Spyware-applications may function in different ways – it depends on the data they collect. Some of them collect data about user’s habits in Internet for marketing purposes, others are more dangerous. Anyway, spyware-applications try to identify data sent over the network by using a unique identifier (cookie for example) which is located on user’s PC, or a Global Unique Identifier (GUID). After that spyware sends logs to a remote user or to the server that collects the data. Usually, this data include host’s name, IP-address and GUID, as well as logins, passwords, etc.
Keystroke logger is an application that spies on pressed keyboard buttons and sends this information to the malevolent user. This can be performed by mail or by sending data directly to the server located somewhere in the global network.
Keystroke loggers have been around for a pretty long time. However, the increase of their amount requires new attention nowadays. The reason is easiness of infecting a PC – all a user needs to become infected is to visit a certain web-page.
These are miniature built-in devices, located between the keyboard and the PC. Due to their tiny size they remain unnoticed for a long time. However, they require physical access to the equipment. These devices can record hundreds of symbols (including mail and bank data) that were typed from the keyboard.
This type uses Windows function called API SetWindowsHookExe that monitors the reports of pressed keyboard buttons. Usually, this spyware-application consists of the exe-file that initiates the function of interception and the dll-file that controls the functions of data recording
This type of keystroke loggers locates on the kernel level and receives data directly from the input device (keyboard). It replaces the main software that controls all pressed keys. As the program is launched on the kernel level, it cannot intercept autofill passwords because this information is handed over on the application level.
With its actions and work spyware-application differs fundamentally from a virus or a worm. That is why many anti-viruses consider it to be a usual program. The thing is that virus signatures differ from spyware signatures.