Are there keylogger monitors that can effectively spot malware?

Expert Ken Munro explains which keyloggers are the easiest to detect.

What are keyloggers? How do I detect them? And how can I get rid of them?
The hardware keylogger is a tiny piece of kit which usually resembles a USB key or a PS/2 connector. It usually sits in between the keyboard cable and system case. Unless you knew what you were looking for, you could quite easily overlook it. Basically, it just sits there and records keystrokes; when the person who planted it retrieves the device, they can analyse the keystroke stream to look for sensitive information, such as passwords or credit card details.

A number of vendors have developed keylogger monitors. Having subjected these to a number of tests, they aren't too bad at detecting software keyloggers, but when it comes to hardware keyloggers, they're pretty ineffective. None of the applications we tested were able to detect a PS/2 hardware keylogger in situ, either active or inactive. They simply don't work.

In theory, it's possible to detect a PS/2 hardware keylogger by comparing current consumption of the keyboard sleep mode to the average of consumption of the keyboard circuit for periodic events. We haven't found a product that successfully detects this yet. Short of physically inspecting your equipment, you simply wouldn't know it was there.

Fortunately, USB keyloggers are somewhat easier to manage, with various USB port control packages available to manage what can and can't be connected to workstations. The same software that stops employees from connecting iPods can be used to prevent USB keylogger use.

If you do still have PS/2 keyboards, then you might consider physically securing the keyboard cable by super gluing it to the system case. Whilst effective, this does limit your options if you want to replace your keyboard.

Virtual keyboards are an interesting solution. They run on the screen itself with the user 'pressing' keys using the mouse. While this may be suitable for minor keyboard functions such as inputting passwords or usernames, it's far from practical for everyday use. Malware running locally could 'sniff' this activity also.

Even better would be to see a keyboard connection on the inside of the system case, instead of the outside, that way the keyboard cable would be protected by system case locks.

Finally, we would like to see more development in secure keyboards: it's quite possible to encrypt the keyboard-system communication with software based decoding at the PC. It doesn't stop the keystrokes being logged, but the data logged will be meaningless.

The other option is to improve your physical security measures. If the keylogger can't be installed in the first place, or you can catch the thief during or soon after the event, you've cracked the problem.

Check your cleaners and other 'service' personnel -- the incident at Sumitomo Mitsui was purported to involve placement of a keylogger by a social engineer that infiltrated the contract cleaning team.

Read more on Hackers and cybercrime prevention