10-Days of learning - Day 4 - Keylogger and Data Stealing Malware
What is Keylogging?
Keylogging is a cyber-attack technique where malware records every keystroke made by a user on their keyboard without letting the victim know.
The goal of keylogging is to capture sensitive information that the user types, including:
- Login credentials: usernames, passwords, PIN codes, etc.
- Credit card numbers: from online transactions.
- Personal messages: emails, chats, etc.
- Search queries or other private information.
- Keyloggers are particularly dangerous because they run in the background without the user’s knowledge, often transmitting the captured data to an attacker. They can be used for data theft, identity theft, or espionage.
Types of Keyloggers
There are several types of keyloggers, and they can be categorized based on how they operate:
Hardware Keyloggers:
- These are physical devices that are inserted between a computer’s keyboard and the system. They record keystrokes in real-time and store them on internal memory, yes! like in the movies.
- Example: A small USB device inserted between a keyboard and the computer that logs every key pressed.
Software Keyloggers:
- These are malicious programs that are installed on a victim’s computer. They can be implemented in different ways, such as:
- Kernel-level Keyloggers: Operate at the lowest level of the operating system to capture keystrokes before the OS even sees them.
- User-mode Keyloggers: Operate at the application level of the OSI model and often focus on capturing input from specific programs or websites (like a web browser or email client).
- Browser-based Keyloggers: A specific type of keylogger that can be delivered via malicious web pages or extensions. Its used as an attached process on a web browser and the intention is to capture the keystrokes from the user
Keylogger in Python
As mentioned on previous posts, keylogging is a technique used by malware to record user input, such as keystrokes, passwords, and other sensitive information. Keyloggers can be implemented using various programming languages, including Python.
Here’s an example of a simple keylogger using the pynput library:
from pynput.keyboard import Listener
def on_press(key):
print("{0} pressed".format(key))
with Listener(on_press=on_press) as listener:
listener.join() 
In this example, we import the Listener class from the pynput.keyboard module. We define a function on_press() that prints the pressed key to the console. We then create a Listener object and pass the on_press function as an argument. The join() method keeps the listener running until it is explicitly stopped.
Data stealing
Data-stealing malware its designed to extract information from systems, such as files, databases, or network traffic or anything that can be considered sensitive or useful for the attacker. These threats can operate across various platforms, depending on their programming and the success of the attacker’s strategy to infiltrate the system.
Lets create a basic extracting user data script through an API call using Python's `requests` library:
import requests
url = 'https://catfact.ninja/fact'
response = requests.get(url)
data = response.json()
print("Data:", data) 
In this example, we use the requests module to interact with a public API. A GET request is sent to the specified URL "https://catfact.ninja/fact" (kuddos to catfact as was useful for this example), and the response is parsed as JSON data. The script then prints the retrieved information to the console. While this example demonstrates legitimate data retrieval, similar techniques can be adapted maliciously to extract sensitive information, such as cookies, session data, or credentials, if security vulnerabilities exist.
This highlights the importance of securing APIs, encrypting sensitive data, and implementing robust authentication mechanisms to mitigate the risk of data-stealing attacks.
Stealing files
Let’s now focus on stealing files (for references on file manipulation go back to the day 3 of this series).
import os
import shutil
# Function to steal files
def steal_files(source_dir, target_dir):
for root, dirs, files in os.walk(source_dir):
for file in files:
file_path = os.path.join(root, file)
shutil.copy2(file_path, target_dir)
# Steal files from a source directory to a target directory
steal_files('/path/to/source/directory', '/path/to/target/directory') 
In this example, we define the function steal_files() that accepts two arguments: a source directory and a target directory. The function uses the os.walk() method to iterate through the source directory and its subdirectories. For each file encountered, it constructs the full file path and copies the file to the target directory using the shutil.copy2() function, which preserves file metadata such as timestamps.
This demonstration provides a simplified view of how file-stealing malware can be implemented. These types of malicious scripts can be crafted in countless ways, limited only by the attacker’s creativity and technical knowledge.
Protecting Against File-Stealing Malware
While the example above is purely educational, it underscores the importance of implementing strong security measures. Ensure proper file permissions, monitor for unauthorized file transfers, and employ endpoint protection solutions to safeguard your systems against such threats.
By understanding how these methods works, organizations and individuals can better prepare to prevent and mitigate the impact of file-stealing malware and that is why is important to consider all the methods we just mentioned.
As I have been telling you in this series, remember to practice ethical hacking and follow the law when performing malware analysis and development. Any misuse of the content is strictly prohibited.
