The Keylogger Spyware Attack


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

1 Introduction

Malware steals information from a computer or causes damage to it. Types include keyloggers, spyware, adware, rootkits etc. In short, it is a program that is intentionally developed to cause harm or to exploit people's computers, especially those connected to the Internet [19]. What makes such programs more hazardous is that they reinstall themselves even after they have been removed, and they are difficult to clean because they hide deep within Windows [20]. It has become crucial to provide efficient security solutions for these attacks. A keylogger spyware is a different kind of malware attack which combines two malware programs in a single script. In this paper we propose a Client and Server Honeypot based detection technique for keylogger spyware attacks. We have created two honeypots, i.e. a Client Honeypot and a Server Honeypot. The Client Honeypot, deployed at the client side, monitors the malicious activities occurring in the infected client system and reports them to the Server Honeypot. At the Server Honeypot a database is maintained in which the information sent by the Client Honeypot is recorded. The malicious activity (i.e. an email being sent every minute) can then be detected in an inspection process. Moreover, the information sent can be further used to prevent this attack. The paper is organized as follows: Section 2 discusses related work. Section 3 contains the related terminology. Section 4 gives the problem definition, followed by the methodology of this work in Section 5. Section 6 contains the proposed algorithms. The work is concluded in Section 7 with future work.

2 Literature Review

In paper [1] the authors propose a framework for detection and prevention of the keylogger spyware attack; it is capable of defending against attacks that use a combination of malware programs. Paper [2] focuses on honeynet technology, which provides new and powerful means for network security; the honeypot system is optimized to improve targeting, integrity, detection rate and safety, and experiments show that the improved honeypot system achieves higher detection rates and higher safety. In paper [3] the authors present an agent-based honeynet framework for protecting servers in a campus network. In this framework, agents remove malicious processes and executable files from servers infected by zero-day attacks as soon as the honeynet detects them. The proposed framework provides a novel defense mechanism that effectively protects servers from new types of Internet worms without the use of signatures. In paper [4] an intrusion detection module based on honeypot technology is presented. This detection technique makes use of IP traceback. The use of mobile agents gives it the capability of distributed detection and response, and by using honeypot technology the module traces the intrusion source to the farthest point. In [5] the authors use both client and server honeypot technologies in a combined way for malware collection and analysis. The main objective of that paper was the analysis of the malware collected from honeypots. Honeypots are classified as server honeypots and client honeypots. Server honeypots give us knowledge of server side attacks and are passive honeypots. Client honeypots give us deep knowledge of client side attacks; therefore they are also called active honeypots or honeyclients. The proposed integrated framework for malware collection and analysis has 5 components: URL data source, Honeypot controller, Central Database, Analysis Server and Management Server.
In paper [6] an improved intrusion detection system is designed based on an analysis of traditional IDS; it combines the advantages of the data capture techniques of honeypots with two-layer detection. The system can detect not only intruders from outside but also abusers within the system, and it provides complete, controllable, reliable proactive protection for computers and networks. To address the shortcomings of traditional intrusion detection systems (IDS) in detecting complex and unknown attacks, a distributed intrusion detection system based on honeypots was proposed in paper [7]. In [8] the authors explain a new generation of malware attack on VoIP infrastructures and services. If strong security measures are not deployed, these malware programs pose a real threat to deployed VoIP architectures. The proposed bot architecture is a stack of different protocols which provides the bot with an application interface to use them. The SIP stack is responsible for sending and receiving, constructing and parsing SIP messages. The RTP stack is responsible for coding and decoding, compressing and expanding, encapsulation and demultiplexing of media flows. The introduced "VoIP bots" support a wide set of attacks ranging from spam over Internet telephony (SPIT) to distributed denial of service (DDoS), and they were tested against several VoIP platforms. In [9] the authors discuss some problems of existing honeypot-based anti-phishing solutions (i.e. the gap between spamtraps and phoneytokens, online verification of phoneytokens etc.). Spamtraps are used only as a tool to detect phishing emails (i.e. URLs of phishing sites included in the phishing emails), and submissions of phoneytokens are triggered only after a phishing site has been confirmed (often by a human inspector). A framework is provided which overcomes these problems by transforming the real e-banking system itself into a honeypot equipped with honeytokens.
A phishing detector is used which can automatically detect suspicious phishing attempts. In paper [10] the authors propose a worm detection and defense system named bot-honeynet which combines the best features of honeynets, anomaly detection and botnets. The combination of a honeynet and an anomaly detection system offers a tradeoff between false positive and false negative rates. Bot-honeynet is designed not only to detect worm attacks but also to defend against malicious worms. The authors conclude from simulation that a P2P-based benign worm is highly efficient at defending against malicious worms and is better than a traditional benign worm even if it is released later; thus it gives security researchers more time to prepare benign worms. In paper [11], on the basis of research on honeypot technology and in view of the many problems in current traditional security resource applications, honeypot technology is applied to network security defense and a honeypot-based distributed intrusion prevention model is presented. The experimental results show that the program can successfully remedy the deficiencies of the existing monitoring system and improve the performance of the safety defense systems. In paper [12] the authors propose a new architecture composed of distributed cooperative agents to reduce the false alarm ratio of intrusion detection systems (IDS), a twofold contribution. A theoretical analysis of the agents' behavior is given and its extensions are explained. In paper [13] an analysis framework is developed to gain access to honeynet data. The forensic procedure used there finds groups of network traces that share various kinds of similar patterns within an attack data set. In [14] it is explained how spyware running in a system can be confused by entering data.
That paper found that the problem of password security can be improved by biometric-based authentication and graphical authentication. In paper [15] the authors present a signature analysis and extraction system for web services. A similar existing tool was able to help administrators generate precise signatures of various attacks on HTTP, SMTP, FTP etc. In this work, the important issue of intrusion attack analysis and precise signature extraction for web services is addressed, and the developed system is able to alert the system administrator about attack patterns on the web services. In paper [16] the authors discuss their experience in analyzing the benefits of honeynets for intrusion detection. The purpose of their work is to examine how to integrate multiple intrusion detection sensors and honeynets in order to minimize the number of incorrect alarms. They present a framework for designing honeynet-based projects for network security analysis and an example of the framework. In [17] the authors propose a hybrid and adaptable honeypot-based approach that improves currently deployed IDSs for protecting networks from intruders. In paper [18] the authors develop J-Honeypot, a Java-based network deception tool with web-based monitoring and rule-based intrusion detection capability. They have interfaced it with an SQL database, developed a rich set of logging functionalities, and provided a convenient GUI for users to visualize the results.

3 Related Terminology

Malware is among the biggest threats on the Internet. It can hijack the browser, redirect search attempts, serve up pop-up ads and track the websites being visited. Malware programs make the computer slow and unstable, which is unbearable for the user, along with causing other damage. Malware can infect computers in many ways. Some malware programs, like pop-up ads, are used for earning revenue from the ads. The majority of malware needs to be installed by the user. It is very difficult to get rid of malware because it tends to multiply once installed.

Some related terminologies are discussed as follows:

3.1 Malwares

Malware is classified into various categories, including: adware, spyware, hijackers, toolbars and dialers.

Spyware

Spyware programs spy on confidential information and send it to a specified system. Some spyware has the task of sending URL information, or may send the information you type in Internet Explorer or the names of files you download. Some can search the hard drive and report back which programs you have installed; the contents of your e-mail address book can be stolen and later sold to spammers. Any other useful information about you, such as your name, browser history, login names and passwords, credit card numbers, phone number and address, can be easily stolen [1][20].

Keylogger

A keylogger or keystroke logger is a software or hardware device used to monitor the keys typed on the keyboard. Its presence goes undetected, as it runs in the background and does not appear in the list of running programs in the Task Manager or Control Panel. It can be used to obtain very secret information such as the username and password used to log on to an online bank account [1][20][21].

3.2 Honeypot

A honeypot is an Internet-attached server that acts as a decoy. It lures potential hackers and studies their activities to learn how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into, while limiting the intruder's access to the entire network and giving the intruder no idea that they are being tricked and monitored. A collection of honeypots forms a network, which is called a honeynet.

4 Problem Definition

Hackers use malware to breach the security of a system, and when they succeed it causes a lot of trouble for security experts. Malware can be of many types, i.e. keylogger, spyware, rootkit etc. They can be used in combination, i.e. a keylogger and spyware as one common program. In this paper we propose a technique for the detection of keylogger spyware attacks. The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client side, where it detects the malicious activity being performed by the keylogger spyware if present. This information is reported to the Server Honeypot, where a database is maintained with entries for all the malicious activities taking place at the client side. Each entry contains the timestamp, the IP address of the client and the process ID of the email sending process. The honeypot-based technique is capable of detecting this kind of attack.

5 Methodology

The methodology of the proposed work is divided into two sections: the keylogger spyware attack, and Client-Server Honeypot based detection.

5.1 Keylogger Spyware Attack

We have designed an attack scenario for a keylogger spyware attack on a user's system, as shown in figure 1. There are 2 users accessing various services via the Internet, i.e. online banking, email etc. A malicious server hosts the keylogger spyware, which enters the system like application software: it appears to the user as some useful application which he needs, leading him to download it. Once the downloaded program is installed, it starts capturing every keystroke. A log (the spylog file) is generated corresponding to each keystroke.

The spy script included within the installed malicious software emails this log file to the hacker's specified email address.

Fig. 1. Keylogger Spyware Attack

Fig. 2. Transfer (emailing) of confidential information from user's system

The red arrows in figure 1 show the entry of the keylogger spyware program into the user's system. Figure 2 shows the automatic email process performed by the spyware script; it is shown by the blue arrows in figure 2. As the end users are not aware of the functioning of this malicious program within their system, they continue using their online banking account, email account etc. through their systems, which leads to the theft of their credentials (i.e. through the spylog shown in figure 4). This process of sending the keystroke information in the form of a spylog to the hacker's email address occurs periodically, i.e. every 1 minute. The credentials and confidential information lost can be misused.

Fig. 3. Email send by Mohammad Wazid to [email protected]

Mohammad Wazid, a system user, sends an email to [email protected] at 3:14 pm, as shown in figure 3.

Fig. 4. Snapshot of spylog file received at [email protected]

The keylogger spyware generates a log file (spylog), as shown in figure 4, corresponding to each keystroke. The generated log file contains the user's important credentials, i.e. for Mohammad Wazid the username wazidkec2005 and the password hnic@050124.

Fig. 5. Snapshot of spylog file received at [email protected]

Figure 5 shows the message typed by the user Mohammad Wazid which was sent to [email protected]. The entire message is leaked; the message was:

Hello,

We have a meeting at 4.00 PM

Regards,

Wazid

Fig. 6. Spyware logs file received at hacker’s email account

Figure 6 shows a snapshot of the email received at the hacker's specified address, i.e. [email protected]. The spylogs shown in figures 5 and 6 were received at this email id at 3:14 and 3:15 PM respectively.

5.2 Client-Server Honeypot Based Detection

The proposed technique uses a Client Honeypot and a Server Honeypot. The Client Honeypot is deployed at the client side, where it detects the malicious activity being performed by the keylogger spyware if present. This information is reported to the Server Honeypot, where a database is maintained with entries for all the malicious activities taking place at the client side.

We have deployed the Client Honeypot in the user's system. This Client Honeypot monitors the malicious activities of the keylogger spyware and reports them to the Server Honeypot. Each report contains three fields, i.e. the timestamp, the IP address of the client system and the process ID of the email sending process.

Fig. 7. Deployment of Honeypot client

Fig. 8. Communication between Client Honeypot and Server Honeypot

Figure 7 shows the keylogger spyware monitoring process performed by the deployed Client Honeypot. The black arrows show the entry of the keylogger spyware into the user's system, which has the Client Honeypot program installed. Figure 8 shows the communication between the Client Honeypot and the Server Honeypot. The information sent by the Client Honeypot is entered in the database maintained at the Server Honeypot. This database is further used in the inspection process for malicious programs.

Fig. 9. Entries in the maintained database at Server Honeypot

Figure 9 shows a snapshot of the database containing the information sent by the Client Honeypot to the Server Honeypot. This database has three columns: Timestamp, IP address and Process ID of the email sending process.

6 Proposed Algorithms

For the proposed technique we have designed the following algorithms:

6.1 Keylogger Spyware Algorithm [1]

Keylogger_Algorithm ( ) {        /* Algorithm for keystroke capturing */
    While (true) {
        OPEN ( )
        GET ( )
        Append the time in the log file.
        LISTEN ( )
        Enter the activity into the log file as soon as the valid status of a particular key press or mouse click is observed.
        CLOSE ( )
        APPEND ( )
    }
}

Spyware_Algorithm ( ) {          /* Algorithm for emailing */
    While (true) {
        Keylogger_Algorithm ( )
        SLEEP ( )
        GET_NAME ( )
        Select that log file.
        ATTACH_AND_EMAIL ( )
        KILL ( )
        Keylogger_Algorithm ( )
    }
}

6.2 Client Honeypot Algorithm

Honeypot_Client_Algorithm ( )

// TCP processes are those processes that use the TCP protocol at the transport layer of the layered network architecture
// APPL_SMTP processes are those processes that use the SMTP protocol at the application layer
// BUFFER is a buffer holding PIDs; it can be implemented using the BufferedReader class of Java at the Client Honeypot
// sleep (2): go into sleep mode for 2 seconds

1. Get the PIDs of all the TCP processes using the command netstat -o -p.
2. Store the PIDs of the APPL_SMTP processes in BUFFER.
3. If the result of step 2 is NULL then
       Sleep(2)
       GOTO step 1
   otherwise
       GOTO step 4
4. Using a TCP socket, establish a connection with the Server Honeypot.
5. Send the BUFFER content with the timestamp and the client's IP address to the Server Honeypot.
6. Close the connection and GOTO step 1.
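Steps 1, 2, 3 and 5 above worked through in Python, added here as an example that is not the paper's own code. It parses a constructed sample of Windows netstat -o -p tcp output (the -p switch takes a protocol name), keeps the PIDs with an established connection to an SMTP port, and builds the BUFFER || timestamp || IP address record that the Server Honeypot inserts into its log in Section 6.3. The SMTP port set, the sample addresses and the single-line record format are assumptions.

```python
"""Added example (not the paper's code): the netstat step of the Client
Honeypot, Section 6.2 steps 1, 2, 3 and 5.

Assumptions: the PID list comes from Windows `netstat -o -p tcp` output (a
constructed sample is embedded below), APPL_SMTP processes are those with an
ESTABLISHED connection to port 25, 465 or 587, and the report line format is
BUFFER|timestamp|IP (Section 6.3 writes it as BUFFER || time stamp || IP).
"""
import re
from datetime import datetime
from typing import List, Optional

SMTP_PORTS = {25, 465, 587}  # assumption: ports an APPL_SMTP process talks to
SAMPLE_TIME = datetime(2017, 11, 2, 15, 14, 2)  # constructed report time

# Constructed sample of `netstat -o -p tcp` on Windows (Proto, Local, Foreign, State, PID).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4120
  TCP    192.168.1.10:49733     198.51.100.25:587      ESTABLISHED     3356
  TCP    192.168.1.10:49734     198.51.100.25:587      TIME_WAIT       0
  TCP    192.168.1.10:49800     203.0.113.9:25         ESTABLISHED     3356
  TCP    192.168.1.10:49811     203.0.113.80:80        CLOSE_WAIT      2208
"""

# One connection row: protocol, local addr:port, foreign addr:port, state, PID.
ROW_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def smtp_pids(netstat_output: str) -> List[int]:
    """Step 2: PIDs (in order, without duplicates) whose process holds an
    ESTABLISHED TCP connection to an SMTP port; PID 0 (no owner) is skipped."""
    pids: List[int] = []
    for line in netstat_output.splitlines():
        m = ROW_RE.match(line)
        if not m or m.group("state") != "ESTABLISHED":
            continue
        port = int(m.group("remote").rsplit(":", 1)[1])  # works for [::1]:25 too
        pid = int(m.group("pid"))
        if port in SMTP_PORTS and pid != 0 and pid not in pids:
            pids.append(pid)
    return pids


def build_report(pids: List[int], client_ip: str, when: datetime) -> Optional[str]:
    """Steps 3 and 5: None when BUFFER is empty (the client sleeps and polls
    again), otherwise the BUFFER|timestamp|IP line sent to the Server Honeypot."""
    if not pids:
        return None
    stamp = when.strftime("%Y-%m-%d %H:%M:%S")
    return "{}|{}|{}".format(",".join(str(p) for p in pids), stamp, client_ip)


if __name__ == "__main__":
    # In the real Client Honeypot the text would come from running netstat every 2 s.
    print(build_report(smtp_pids(SAMPLE_NETSTAT), "192.168.1.10", SAMPLE_TIME))
```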

6.3 Server Honeypot Algorithm

Honeypot_Server_Algorithm ( )

// BUFFER is the buffer of PIDs sent by the Client Honeypot; it can be implemented using the BufferedReader class of Java at the Client Honeypot

1. Open a TCP connection with the Client Honeypot.
2. Get the BUFFER content of the client with the timestamp and IP address.
3. Maintain the LOG information at the Server Honeypot and insert BUFFER || time stamp || IP address in this LOG.
4. Close the connection with the Client Honeypot.
5. GOTO step 1.

6.4 Keylogger Spyware Inspection Algorithm

Keylogger_Spyware_Inspection_Algorithm ( )

// detected_IP_address is the IP address of the client's system stored in the database maintained at the Server Honeypot
// detected_PID is the process ID of the email sending process stored in the database maintained at the Server Honeypot
// time_stamp is the time when the email was sent from the user's system

if detected_IP_address and detected_PID are the same at every nT time_stamp value then
    keylogger spyware is present in the user's system
otherwise
    the system is safe
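The inspection rule above run in Python over a constructed Server Honeypot log, added here as an example that is not the paper's own implementation. A client is flagged when the same (IP address, PID) pair keeps sending email at every nT timestamp; the period T = 60 s (the 1-minute emailing interval of Section 5.1), the 5 s tolerance and n = 3 consecutive reports are assumptions.

```python
"""Added example (not the paper's code): the Keylogger Spyware Inspection
Algorithm of Section 6.4 run over a constructed Server Honeypot log.

Rows are (timestamp, IP address, PID) as in Figure 9. A (detected_IP_address,
detected_PID) pair is reported when it recurs at every nT time_stamp. T = 60 s,
a 5 s tolerance and n = 3 consecutive reports are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed database rows in the Figure 9 layout: Timestamp, IP address, Process ID.
SAMPLE_LOG = [
    ("2017-11-02 15:14:02", "192.168.1.10", 3356),
    ("2017-11-02 15:15:01", "192.168.1.10", 3356),
    ("2017-11-02 15:16:03", "192.168.1.10", 3356),
    ("2017-11-02 15:17:02", "192.168.1.10", 3356),
    ("2017-11-02 15:14:40", "192.168.1.22", 1788),  # a user sends one mail
    ("2017-11-02 15:31:05", "192.168.1.22", 1788),  # and another, much later
    ("2017-11-02 15:18:00", "192.168.1.10", 4120),  # other process, single mail
]

Key = Tuple[str, int]


def group_by_client(rows) -> Dict[Key, List[datetime]]:
    """Collect the timestamps of every (IP address, PID) pair, oldest first."""
    groups: Dict[Key, List[datetime]] = defaultdict(list)
    for stamp, ip, pid in rows:
        groups[(ip, pid)].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    for times in groups.values():
        times.sort()
    return dict(groups)


def is_periodic(times: List[datetime], period_s=60, tolerance_s=5, min_reports=3) -> bool:
    """True when at least min_reports consecutive entries are spaced by
    period_s seconds (within tolerance_s), i.e. the nT pattern of Section 6.4."""
    run = 1  # length of the current evenly spaced run of reports
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        run = run + 1 if abs(gap - period_s) <= tolerance_s else 1
        if run >= min_reports:
            return True
    return False


def inspect_log(rows, **thresholds) -> List[Key]:
    """The inspection algorithm: (IP address, PID) pairs whose emails recur at
    every nT timestamp are reported as keylogger spyware; all others are safe."""
    return sorted(key for key, times in group_by_client(rows).items()
                  if is_periodic(times, **thresholds))


if __name__ == "__main__":
    for ip, pid in inspect_log(SAMPLE_LOG):
        print("keylogger spyware suspected: client {} process {}".format(ip, pid))
```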

7 Conclusion

The discussed attack scenario is very threatening as it combines two malware programs, i.e. a keylogger and spyware. It can steal credentials, and any confidential information typed can be leaked. So the detection and prevention of this attack becomes very crucial. In this paper we have designed a technique making use of two kinds of honeypots, i.e. Client and Server Honeypots. The Client Honeypot, deployed at the client side, monitors the malicious activity going on and reports it to the Server Honeypot. The database maintained at the server can be inspected by the administrator to carry out the further process of prevention.

The detection of the keylogger spyware attack is completed in this paper. Future work includes the prevention of the keylogger spyware attack using the information sent by the Client Honeypot to the Server Honeypot.


