How to detect if machines have been infected with Trojans, keyloggers

New data protection expert Paul Vlissidis explains the difference between keyloggers and Trojans before revealing how to find both on your machines.

How do I know if any of my machines have been infected with Trojans or keyloggers, and how can I get rid of them, and be sure they won't return?
It's worth noting the difference between keyloggers and Trojans.

First, keyloggers do exactly what it says on the proverbial tin. They log all keystrokes typed on the keyboard and store them either to send them to a predefined location (such as a miscreant's Web server) or they can store them for local retrieval later.

There are two types: software and hardware.

Hardware keyloggers generally require someone to physically tamper with your computer to plug them in. The hardware loggers can be very small and will usually be plugged into the same USB (or PS/2) port as the keyboard. The stored keystrokes are retrieved by the miscreant later and, of course, may well contain usernames and passwords.

A simple physical inspection should be sufficient to spot a keylogger if you don't trust the computer you are using for some reason. Of course, in a public environment this can be hard to do, which is one of the reasons I urge users not to use untrusted machines (or at least be very careful). There are no defences against hardware loggers if they have been deployed correctly, and detection by software is almost impossible.

Software keyloggers are usually deployed as part of a virus or Trojan payload, and these are generally detectable by using up-to-date antivirus and security software.

Logging keystrokes is a good way for a miscreant to get hold of login credentials for most applications and websites unless two-factor authentication using tokens is in use.

The token effectively means that each time the user logs in, he or she uses a unique one-time password, rendering the keylogger ineffective for this purpose. It will still capture the username and PIN (and indeed everything typed), but without the token the criminal still won't be able to log in as next time the password will have changed.

However, as methods such as two-factor authentication gather pace, Trojans are getting considerably more sophisticated and often "hijack" users' session while they are logged on and interfere with the traffic (such as online banking) to achieve their goals.

The golden rules remain :

  1. Always use up-to-date anti-virus/anti-spyware packages from trusted companies. Beware the rogue AV software which itself contains malware.
  2. Never use an untrusted computer or untrusted network (e.g. free public Wi-Fi) to log in to important sites (such as banking) unless you use two-factor authentication.
  3. Check that when you use secure websites, the certificate (usually accessed by clicking the padlock at the bottom of the browser window) appears valid. Any warnings at all and you should leave straight away!

Read more on Endpoint security