Understanding Keyloggers, Logic Bombs, and Rootkits

May 25, 2025

Lecture Notes on Keylogging, Logic Bombs, and Rootkits

Keylogging

  • Overview:

    • Attackers use keyloggers to capture keystrokes from keyboards to obtain sensitive information.
    • Information captured can include website URLs, usernames, passwords, credit card information, and other personal data.
  • Functionality:

    • The keylogger records keystrokes and stores them in a local file.
    • This file is periodically sent (exfiltrated) to the attackers.
    • Keyloggers can also capture clipboard information, screenshots, instant messages, and search queries.
  • Example:

    • DarkComet: a Remote Access Trojan (RAT) that includes keylogging capabilities.
    • In the demonstration, the keylogger captured a username and password typed into Notepad.

Logic Bombs

  • Definition:

    • A type of malware that executes a destructive action in response to a specific event.
    • Can be triggered by dates/times or user actions (such as logging in).
  • Characteristics:

    • Usually custom-written for a specific goal rather than reused from widely circulating malware.
    • Difficult to detect because custom code has no antivirus signature.
    • Monitoring tools (for example file-integrity checkers) can detect changes to critical system files.
  • Case Study:

    • South Korea, March 19, 2013: a logic bomb reached banks and broadcasting companies after a malicious email attachment was executed.
    • It activated on March 20, 2013, erasing data and the master boot record (MBR).
    • ATMs were also impacted and showed errors after rebooting.
  • Prevention:

    • Put process and procedural controls (change control) around modifications to operating system files.
    • Monitor and restrict user permissions and privileges.

Rootkits

  • Overview:

    • Named after the Unix "root" (superuser) account; typically hides within the OS kernel.
    • Difficult to detect with traditional antivirus software.
  • Functionality:

    • Kernel rootkits run as part of the OS itself, so they can hide from process lists.
    • This gives the attacker full control over the infected system.
  • Detection and Removal:

    • Not all rootkits are kernel-based; user-mode rootkits can be detected as ordinary processes.
    • Standalone rootkit removal tools are available.
  • Prevention:

    • Secure Boot in UEFI firmware verifies the digital signatures of the bootloader and OS components and refuses to load modified or unsigned ones, which blocks rootkits that try to insert themselves during boot.
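One practical detection technique for the "invisible in process lists" behaviour described above is a cross-view comparison: ask the kernel which process IDs exist (by sending signal 0, which delivers nothing) and compare that with what the normal /proc listing shows. The Linux-only Python script below is an added example, not code from the lecture; it assumes /proc is mounted and that a rootkit filters /proc entries but does not also hook the kill() system call, and all function names are mine.

```python
import os

def listed_ids(proc="/proc"):
    """IDs visible through the normal /proc view: every process directory plus
    its threads under /proc/<pid>/task. kill() also accepts thread IDs, so the
    threads must be in this set or they would show up as false positives."""
    ids = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # process exited between the two listdir calls
    return ids

def probed_ids(max_pid):
    """IDs the kernel admits exist when sent signal 0 (nothing is delivered)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such task
        except PermissionError:
            pass              # exists, but belongs to another user
        alive.add(pid)
    return alive

def hidden_ids(listed_before, probed, listed_after):
    """Cross-view diff: IDs the kernel admits but neither /proc snapshot shows.
    Bracketing the probe with two snapshots filters out tasks that started or
    exited during the scan; only tasks that did both can still slip through."""
    return sorted(probed - listed_before - listed_after)

def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768  # classic Linux default, used only as a fallback

if __name__ == "__main__":
    before = listed_ids()
    probed = probed_ids(read_pid_max())
    after = listed_ids()
    for pid in hidden_ids(before, probed, after):
        print(f"task {pid} answers kill(pid, 0) but is absent from /proc")
```

Run it as root so that kill() is permitted for every task; a kernel rootkit that hooks the system-call table as well as /proc defeats this in-band check, which is why the notes recommend standalone removal tools and boot-time protection.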

Summary

  • Keyloggers, logic bombs, and rootkits pose serious security threats by capturing sensitive data, causing system disruptions, and evading detection.
  • Effective monitoring, user permission management, and security mechanisms such as Secure Boot are essential in combating these threats.