Hackers (and sometimes employers) install keystroke loggers to record
keystrokes. One of the better know is Invisible Keylogger Stealth ( IKS )which is a commercial
utility (more likely to be used by employers than hackers). Arne Vidstrom has
released the freeware klogger utility (more likely to be used by hackers and
penetration testing teams). There are any number of freeware, shareware and
commercial keystroke loggers available for every operating system. They are
mostly written as keyboard device drivers and as such are invisible to the user
of the PC. There are also hardware versions of keystroke loggers including
keyboards that have a dual function – keyboards and keystroke logging and
keystroke loggers that are little boxes that plug in between the keyboard cable
and the PC. See my Penetration Testing Tip #22: Keystroke loggers and spy software /
hardware for more information on software and hardware keystroke loggers.
OK. Thats all well and good but why is this tip in the registry section. It
turns out that IKS uses NT’s registry. You can use it to find whether IKS has
been installed on the PC:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\iks
Name:
DisplayName
Type: REG_SZ
Value: IKS
Name: LogName
Type: REG_MULTI_SZ
Value: \%SystemRoot%\iks.dat
The IKS documentation gives instructions on how to hide this “red flag”. Even
with values changed and the key name iks changed, search for the key “LogName”
under Services for IKS’s footprint.
