Keyloggers and Linux

W. eWatson

Mar 8, 2009, 11:00:25 AM
A friend believes that someone put a h/w keylogger on her laptop. She
doesn't have the experience to pull apart the laptop to find it, and I'm too
far away to help. She's recently had trouble with restoring Win Vista to the
laptop, and it may be because her install DVDs are bad. To get her back on
her feet, I told her to install Fedora, which she is in the process of
doing. My question is how likely is it that the keylogger will be effective
under Linux? I might think 0, since it seems likely a h/w keylogger would
more likely be built for Win than Linux. Comments?

--
W. eWatson

(121.015 Deg. W, 39.262 Deg. N) GMT-8 hr std. time)
Obz Site: 39° 15' 7" N, 121° 2' 32" W, 2700 feet

Web Page: <www.speckledwithstars.net/>

Baron

Mar 8, 2009, 11:28:42 AM
W. eWatson wrote:

> A friend believes that someone put a h/w keylogger on her laptop. She
> doesn't have the experience to pull apart the laptop to find it, and
> I'm too far away to help. She's recently had trouble with restoring
> Win Vista to the laptop, and it may be because her install DVDs are
> bad. To get her back on her feet, I told her to install Fedora, which
> she is in the process of doing. My question is how likely is it that the
> keylogger will be effective under Linux? I might think 0, since it
> seems likely a h/w keylogger would more likely be built for Win than
> Linux. Comments?
>

If it's hardware it wouldn't matter what O/S you used !
However it's unlikely to be hardware unless someone had the skills to
take the laptop apart and physically install it !

--
Best Regards:
Baron.

John Reiser

Mar 8, 2009, 1:38:42 PM
> A friend believes that someone put a h/w keylogger on her laptop.

It's certainly possible. Consider the USB flash memory device
"Micro Vault Tiny" by Sony: 1.25 inch x 0.56 inch x 0.13 inch,
and much of that is the USB connector.

> My question is how likely is it that the keylogger
> will be effective under Linux?

The most likely mode of operation is: store keystrokes into
flash memory *whenever* they are typed. Dump the buffer
when next queried by accomplice software running on the CPU.
This could be the next boot or shutdown of Windows, or periodically.
Keystrokes under Linux would be vulnerable, particularly
on a dual-boot machine.

--

John Hasler

Mar 8, 2009, 1:53:19 PM
John Reiser writes:
> The most likely mode of operation is: store keystrokes into flash memory
> *whenever* they are typed. Dump the buffer when next queried by
> accomplice software running on the CPU. This could be the next boot or
> shutdown of Windows, or periodically. Keystrokes under Linux would be
> vulnerable, particularly on a dual-boot machine.

Not if she never boots the infected Windows installation again, unless
whoever installed the logger breaks in again and carries off the flash
memory.

Of course, it could be a pure hardware logger in which case it will work
with any OS, but more likely it is a pure software one and so will not
affect Linux at all.
--
John Hasler
jo...@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA

Baron

Mar 8, 2009, 2:41:12 PM
John Reiser wrote:

>> A friend believes that someone put a h/w keylogger on her laptop.
>
> It's certainly possible. Consider the USB flash memory device
> "Micro Vault Tiny" by Sony: 1.25 inch x 0.56 inch x 0.13 inch,
> and much of that is the USB connector.

Surely this person can't be so daft as to not see a USB device sticking
out of a port on their laptop... Could they ??

>> My question is how likely is it that the keylogger
>> will be effective under Linux?

If it really is hardware, very likely !

> The most likely mode of operation is: store keystrokes into
> flash memory *whenever* they are typed. Dump the buffer
> when next queried by accomplice software running on the CPU.
> This could be the next boot or shutdown of Windows, or periodically.
> Keystrokes under Linux would be vulnerable, particularly
> on a dual-boot machine.
>
> --

Certainly that is one way to do key logging !

--
Best Regards:
Baron.

notbob

Mar 8, 2009, 3:05:26 PM
On 2009-03-08, John Reiser <jrei...@comcast.net> wrote:

> It's certainly possible. Consider the USB flash memory device
> "Micro Vault Tiny" by Sony: 1.25 inch x 0.56 inch x 0.13 inch,
> and much of that is the USB connector.

Another USB device. If the person has a USB h/w logger on a laptop and
doesn't suspect it, they need to give up computing. It's no doubt possible
to install a laptop h/w logger inside the body, but would require very
skilled knowledge of both electronics and laptop construction.

I think the "friend" is either very paranoid or the OP is a troll.

nb

Maxwell Lol

Mar 8, 2009, 4:21:07 PM
notbob <not...@nothome.com> writes:

> Another USB device. If the person has a USB h/w logger on a laptop and
> doesn't suspect it, they need to give up computing.

Don't be so sure.

You would have to inspect every inch of all USB devices to make sure
some in-line device wasn't installed, and you have to know the
function of each and every one.

And then again, some devices could be disguised as another USB device.

You might have some sort of cable storage system:
http://www.thinkgeek.com/clearance/on-sale/a689/
Perhaps it was modified.

A keyboard is a USB device. It could have a keystroke logger built inside.
Have you opened it up and inspected the insides? What about the mouse?

People have lights, fans, and lots of other gadgets.
Examples:
http://www.thinkgeek.com/interests/usb/?cpg=nbi

I like the frayed USB plug:
http://www.thinkgeek.com/computing/drives/ab63/
It looks like a gag, but has a secret function.

Then there are devices that could be used as a logger, but look like
a power plug, like the SheevaPlug:

http://www.engadget.com/2009/02/24/marvells-sheevaplug-linux-pc-fits-in-its-power-adapter

The government uses keystroke loggers, and I'm sure their technology is
MUCH better than the toys I mentioned above.

Perhaps the cable itself is modified? Heh heh heh. Have you examined
every inch of the cable?

Frankly, a software keystroke logger is easier to install. Most
hackers would do that, because it's free.

IMHO The only ones who would use a hardware keystroke logger would be the
government, or someone who isn't a hacker, and buys something off the
shelf, like

http://www.thinkgeek.com/gadgets/electronic/ae83/


Maxwell Lol

Mar 8, 2009, 4:37:19 PM
Maxwell Lol <nos...@com.invalid> writes:

> http://www.thinkgeek.com/gadgets/electronic/ae83/

Sorry - That's a gag, not a keystroke logger. I'm sure the spy stores
sell real ones. Usually hackers make their own with a U3 drive, and a
modified Switchblade package. And then you only need to plug it in for
a few seconds....., and you can retrieve it remotely.


Here's an off-the-shelf device
http://www.keycobra.com/usb-keylogger.html?gclid=CJzk4JGXlJkCFQxKGgodkwRSag

You plug it in-line to the keyboard.

But you have to manually retrieve the data. :-(
And it's $80.

Tim Greer

Mar 8, 2009, 4:52:48 PM
W. eWatson wrote:

> A friend believes that someone put a h/w keylogger on her laptop. She
> doesn't have the experience to pull apart the laptop to find it, and
> I'm too far away to help. She's recently had trouble with restoring
> Win Vista to the laptop, and it may be because her install DVDs are
> bad. To get her back on her feet, I told her to install Fedora, which
> she is in the process of doing. My question is how likely is it that the
> keylogger will be effective under Linux? I might think 0, since it
> seems likely a h/w keylogger would more likely be built for Win than
> Linux. Comments?
>

I'd not think it'd be a hardware device, especially on a laptop, but if
this exists, your friend should call someone to take a look. I wonder
how this would have been installed in the first place? It's unlikely that
having a different OS installed would help (and if they can do that, they
should just have the hardware device removed or use a different
system), because it'll likely be between the keyboard and mother board
itself.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

Darren Salt

Mar 8, 2009, 5:21:32 PM
I demand that Maxwell Lol may or may not have written...

[snip]


> The government uses keystroke loggers, and I'm sure their technology is
> MUCH better than the toys I mentioned above.

Stick a database in one, and I guarantee you that they'll lose it. ;-)

[snip]
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| + Output less CO2 => avoid boiling weather. TIME IS RUNNING OUT *FAST*.

If life gives you lemons, make lemonade.

John Reiser

Mar 8, 2009, 9:44:35 PM
> Surely this person can't be so daft as to not see a USB device sticking
> out of a port on their laptop... Could they ??

That USB flash memory device is merely an example of how small the
electronics can be. For another example, see the microSecureDigital
flash memory card of many cell phones. In many keyboards there is an
8051 microcontroller with microcode that controls the keyboard. The
communication with the CPU is over a one-wire, bi-directional serial line.
Change the 8051 microcode to record keystrokes to special-purpose flash
memory, and dump the buffer over the serial line on command from the CPU.

--

notbob

Mar 8, 2009, 9:55:44 PM
On 2009-03-09, John Reiser <jrei...@comcast.net> wrote:

> 8051 microcontroller with microcode that controls the keyboard.

What the heck is "microcode"?

> communication with the CPU is over a one-wire, bi-directional serial line.

Sounds like geek doubletalk.

> Change the 8051 microcode to record keystrokes to special-purpose flash
> memory, and dump the buffer over the serial line on command from the CPU.

....and this "special-purpose" flash memory is where? Sure, pal.

nb

terryc

Mar 8, 2009, 11:34:35 PM
On Sun, 08 Mar 2009 10:38:42 -0700, John Reiser wrote:


>> My question is how likely is it that the keylogger will be effective under
>> Linux?

Not.


>
> The most likely mode of operation is: store keystrokes into flash memory
> *whenever* they are typed.

Oh, so the fedora install is going to automatically install a process to
do this?

Rick Pikul

Mar 8, 2009, 11:55:45 PM

A hardware logger installed in the right place does not need the help of
the O/S to work. For that matter, it would likely _continue_ working even
if the O/S has locked solid or never booted in the first place.

--
Chakat Firepaw - Inventor & Scientist (Mad)

terryc

Mar 9, 2009, 12:55:09 AM
On Mon, 09 Mar 2009 03:55:45 +0000, Rick Pikul wrote:


> A hardware logger installed in the right place does not need the help of
> the O/S to work.

Yep, lots of space for one inside a lappie.

Now back to the software question.

Baron

Mar 9, 2009, 5:35:11 AM
notbob wrote:

> On 2009-03-09, John Reiser <jrei...@comcast.net> wrote:
>
>> 8051 microcontroller with microcode that controls the keyboard.
>
> What the heck is "microcode"?
>
>> communication with the CPU is over a one-wire, bi-directional serial
>> line.
>
> Sounds like geek doubletalk.

Microcode is the tiny bit of software stored on a device that controls
how it behaves and how it talks or appears to the outside world.

>> Change the 8051 microcode to record keystrokes to special-purpose
>> flash memory, and dump the buffer over the serial line on command
>> from the CPU.

The 8051 is a programmable CPU (Microcontroller). It's dumb until you tell
it what you want it to do ! Those instructions are "microcode"

> ....and this "special-purpose" flash memory is where? Sure, pal.

In the case of the 8051 and many other similar devices, it is internal
to the device itself ! Yes that code can be changed by an external
source whilst in the machine. Unlikely but it could be.

> nb

But that wouldn't necessarily be considered a "hardware" device since
it's internal to and part of the machine itself. In other words the
machine wouldn't work without it or if it were damaged.

--
Best Regards:
Baron.

Baron

Mar 9, 2009, 6:04:30 AM
Rick Pikul wrote:

This is a major risk for anyone who has hardware service carried out by
an external agency ! They would never know if a device was installed !

I seem to recall that a major organisation had a very similar attack
some time last year. I think that it was discovered that employees of
a contract cleaning firm planted keyloggers on some of the machines, in
the form of a device plugged in-between the keyboard and console. I
don't know if the devices were to be collected or if they transmitted
the data collected to somewhere else.

--
Best Regards:
Baron.

John Hasler

Mar 9, 2009, 9:01:25 AM
Baron writes:
> Microcode is the tiny bit of software stored on a device that controls
> how it behaves and how it talks or appears to the outside world.

> The 8051 is a programmable CPU (Microcontroller). It's dumb until you tell
> it what you want it to do ! Those instructions are "microcode"

Microcode: <http://en.wikipedia.org/wiki/Microcode>

> In the case of the 8051 and many other similar devices, it is internal to
> the device itself !

The keystrokes would most likely be stored in a separate flash memory
chip. The entire device could still be made to fit inside a 1/4" cube.

Maxwell Lol

Mar 9, 2009, 10:28:42 AM
Darren Salt <ne...@youmustbejoking.demon.cu.invalid> writes:

> I demand that Maxwell Lol may or may not have written...
>
> [snip]
>> The government uses keystroke loggers, and I'm sure their technology is
>> MUCH better than the toys I mentioned above.
>
> Stick a database in one, and I guarantee you that they'll lose it. ;-)

<http://www.instantrimshot.com/>

Maxwell Lol

Mar 9, 2009, 10:30:45 AM
John Hasler <jo...@dhh.gt.org> writes:

>
>> In the case of the 8051 and many other similar devices, it is internal to
>> the device itself !
>
> The keystrokes would most likely be stored in a separate flash memory
> chip. The entire device could still be made to fit inside a 1/4" cube.

i.e. Inside a keyboard.
Heck - the keyboard may already have a 8051 chip inside.

W. eWatson

Mar 9, 2009, 4:38:06 PM
W. eWatson wrote:
> A friend believes that someone put a h/w keylogger on her laptop. She
> doesn't have the experience to pull apart the laptop to find it, and I'm
> too far away to help. She's recently had trouble with restoring Win
> Vista to the laptop, and it may be because her install DVDs are bad. To
> get her back on her feet, I told her to install Fedora, which she is in
> the process of doing. My question is how likely is it that the keylogger
> will be effective under Linux? I might think 0, since it seems likely a
> h/w keylogger would more likely be built for Win than Linux. Comments?
>
That's quite a few responses, so I'm over here on a side thread. The other
thread has dissolved into fine arguments between individuals.

I've seen small circuit board like devices for sale on the internet. Here
are a few devices:
<http://www.keyghost.com/>
<http://www.keelog.com/diy.html>
<http://wirelesskeylogger.com/index.php/controller/product/product_id/1>

The person who is suspected of doing it is, in her opinion, very savvy with
hardware. He works for a fairly large computer company in Silicon Valley. He
and his computer buddy probably had access to her computer for several
hours. Don't ask. Yes, it makes sense that a keylogger hooked into a keyboard
may work on any OS, but she has used a virtual keyboard, and claims info
has leaked off her laptop, and even the culprit has deliberately shut down
her computer remotely. She's going ahead with Linux.

Baron

Mar 9, 2009, 4:54:02 PM
W. eWatson wrote:

So it isn't hardware ! I'll bet that the machine has been rootkitted !
Real easy to do if she has left her machine unattended for an hour or
so.

--
Best Regards:
Baron.

Rick Pikul

Mar 10, 2009, 12:03:39 AM
On Mon, 09 Mar 2009 04:55:09 +0000, terryc wrote:

> On Mon, 09 Mar 2009 03:55:45 +0000, Rick Pikul wrote:
>
>
>> A hardware logger installed in the right place does not need the help of
>> the O/S to work.
>
> Yep, lots of space for one inside a lappie.

Just how big do you think one needs to be?

Go take a look at how small a USB drive can be, then consider how much
smaller it could be if it didn't need to have a USB plug but was directly
wired in.

W. eWatson

Mar 10, 2009, 12:44:36 AM
It is hardware. She met a fellow who has extensive experience with h/w and
s/w, and he opened the laptop, and found several places where unconventional
items appear. He told her that installing neither Linux or Vista would
help, but XP would. Tomorrow they will finish off the XP install. I guess
what I'd like to see is turning the table on the culprit by using whatever
these items are to trace back to him.

What is rootkitted?

John Hasler

Mar 10, 2009, 8:26:46 AM
W. eWatson writes:
> She met a fellow who has extensive experience with h/w and s/w, and he
> opened the laptop, and found several places where unconventional items
> appear. He told her that installing neither Linux or Vista would help,
> but XP would.

I don't believe that.

> What is rootkitted?

What she may be about to get. <http://en.wikipedia.org/wiki/Rootkit>

Baron

Mar 10, 2009, 2:53:18 PM
John Hasler wrote:

> W. eWatson writes:
>> She met a fellow who has extensive experience with h/w and s/w, and
>> he opened the laptop, and found several places where unconventional
>> items appear. He told her that installing neither Linux or Vista
>> would help, but XP would.
>
> I don't believe that.

No, neither do I. Someone is getting conned here !



>> What is rootkitted?
>
> What she may be about to get. <http://en.wikipedia.org/wiki/Rootkit>

John: Thanks for putting that link in, you beat me to it ! :-)

--
Best Regards:
Baron.

Maxwell Lol

Mar 10, 2009, 9:25:52 PM
"W. eWatson" <notv...@sbcglobal.net> writes:

> It is hardware. She met a fellow who has extensive experience with h/w
> and s/w, and he opened the laptop, and found several places where
> unconventional items appear. He told her that installing neither Linux
> or Vista would help, but XP would.

That doesn't make any sense to me. I'm not sure how the same hardware
would work on Linux and Vista, but the XP has a mechanism to prevent
the keylogger from working.


I would have guessed the opposite.

W. eWatson

Mar 11, 2009, 7:03:52 AM
XP has a mechanism to prevent keylogging?

I'll see if I can get some idea of what the XP people think on an XP NG.

Maxwell Lol

Mar 12, 2009, 7:30:23 AM
"W. eWatson" <notv...@sbcglobal.net> writes:

> Maxwell Lol wrote:
>> "W. eWatson" <notv...@sbcglobal.net> writes:
>>
>>> It is hardware. She met a fellow who has extensive experience with h/w
>>> and s/w, and he opened the laptop, and found several places where
>>> unconventional items appear. He told her that installing neither Linux
>>> or Vista would help, but XP would.
>>
>> That doesn't make any sense to me. I'm not sure how the same hardware
>> would work on Linux and Vista, but the XP has a mechanism to prevent
>> the keylogger from working.
>>
>>
>> I would have guessed the opposite.
> XP has a mechanism to prevent keylogging?

I am just repeating your words.
