Ask The Security UK Expert: Questions & Answers

How to detect if machines have been infected with Trojans, keyloggers

QUESTION:
How do I know if any of my machines have been infected with Trojans or keyloggers, and how can I get rid of them, and be sure they won't return?



EXPERT RESPONSE FROM: Paul Vlissidis

ANSWERED November 2009:
It's worth noting the difference between keyloggers and Trojans.

First, keyloggers do exactly what it says on the proverbial tin. They log all keystrokes typed on the keyboard and store them either to send them to a predefined location (such as a miscreant's Web server) or they can store them for local retrieval later.

There are two types: software and hardware.

Hardware keyloggers generally require someone to physically tamper with your computer to plug them in. The hardware loggers can be very small and will usually be plugged into the same USB (or PS/2) port as the keyboard. The stored keystrokes are retrieved by the miscreant later and, of course, may well contain usernames and passwords.

A simple physical inspection should be sufficient to spot a keylogger if you don't trust the computer you are using for some reason. Of course, in a public environment this can be hard to do, which is one of the reasons I urge users not to use untrusted machines (or at least be very careful). There are no defences against hardware loggers if they have been deployed correctly, and detection by software is almost impossible.

Software keyloggers are usually deployed as part of a virus or Trojan payload, and these are generally detectable by using up-to-date antivirus and security software.

Logging keystrokes is a good way for a miscreant to get hold of login credentials for most applications and websites unless two-factor authentication using tokens is in use.

The token effectively means that each time the user logs in, he or she uses a unique one-time password, rendering the keylogger ineffective for this purpose. It will still capture the username and PIN (and indeed everything typed), but without the token the criminal still won't be able to log in as next time the password will have changed.

However, as methods such as two-factor authentication gather pace, Trojans are getting considerably more sophisticated and often "hijack" users' sessions while they are logged on and interfere with the traffic (such as online banking) to achieve their goals.

The golden rules remain:

  1. Always use up-to-date anti-virus/anti-spyware packages from trusted companies. Beware the rogue AV software which itself contains malware.
  2. Never use an untrusted computer or untrusted network (e.g. free public Wi-Fi) to log in to important sites (such as banking) unless you use two-factor authentication.
  3. Check that when you use secure websites, the certificate (usually accessed by clicking the padlock at the bottom of the browser window) appears valid. Any warnings at all and you should leave straight away!




All Rights Reserved, Copyright 2008 - 2010, TechTarget