Sound and webcam loggers

Every sensor has the potential to be used for malicious logging - and anti-virus based systems aren't an effective defence, says Janusz Siemienowicz, who advocates monitoring of behaviour.


Sound and webcam loggers are increasingly being deployed by malware to spy on users. They are one of the most sophisticated and dangerous forms of spying, turning on your computer's microphone or camera to record data without your knowledge or consent. Yet they are not the only threat out there; sound and webcam loggers are among many other types of “logging” features that sit under the keylogging label. Your keyboard isn't the only thing that can be monitored. But what are these different forms of keylogging, why are they so under-reported, and why can't traditional anti-virus suites protect against them?

The silent threat

Keyloggers have been around for decades now, but today they are regarded by many as the most dangerous of all cyber-threats, not least because they have evolved beyond simply tracking keyboard strokes. Sound loggers, for example, can record your Skype and other IM conversations, while some can even access your PC's microphone permanently, effectively turning your PC into a bug which monitors anything you say when near your desk. Most monitoring software and malware store the recorded picture, audio and key log files on the PC for later retrieval; more advanced keyloggers, however, will routinely upload recorded sounds, video and text files to a remote server or even stream those directly online, effectively broadcasting you live to the web.

It is very hard to find references to more sophisticated logging methods in all but the most technical of security press (and even there, articles are still few and far between). Yet while accounts of specific sound or webcam logging cases may be rare today, the technology is certainly out there and has most likely been involved in some of the high profile hacking cases that are now routinely reported around the world. Blocking such logging activities, which intrude upon privacy to a significant level, should therefore be considered by anyone who wishes to take their security and privacy seriously.

The undetected threat

The main challenge with keyloggers and their other “logging” companions is that, despite many claims to the contrary, most of the generalist security suites are unable to detect them. This is because they are reactive; they rely on databases of known viruses and malware in order to detect and remove a threat. Sure, they may recognise a well-known commercial keylogger or a virus that's been out for six months, but most hackers are more sophisticated than that! If a keylogger is not known to the security application then it will not find it, rendering the so-called “real time protection” of the world's best known security suites ineffective against monitoring software – both legal and illegal, whether for simply monitoring employees or for malicious purposes like stealing sensitive information. Even the commercial keylogger vendors are offering custom builds, which are 100 percent undetectable by anti-virus software.

Is this why references to more sophisticated logging are so hard to find in the press? Do the PR machines of the major security suites purposefully avoid discussing the issue because they are fearful of highlighting their own shortcomings?

This lack of protection against keyloggers is a result of the design of the security suites, which started their lives as anti-virus tools first-and-foremost. While other security features such as firewalls, spyware detection, anti-keylogging etc have been added over time, they remain anti-virus tools at their core, and are therefore inherently reliant on a 'threats signature' database for their threat protection. Protecting against modern monitoring software requires an entirely different approach. Instead of monitoring for specific known threats, real-time behavioural protection software must monitor the system for keylogging behaviour and block it accordingly.

A new approach to security; monitoring for behaviour, not specific malware

Every sensor within a device has the potential to be used for malicious logging activity, so the threats today are as varied as they are numerous; there are simply too many for the security press to even write about, let alone for security companies to discover and track in their threats databases! The days of relying on an anti-virus application paired with a firewall for all of your security needs are long gone.

Anti-keylogging protection is therefore no longer just about protecting your keyboard - it is about monitoring every I/O device attached or built into your device. While anti-virus databases will always remain an essential part of any security solution, they cannot be relied upon on their own. The only way to truly protect yourself from keyloggers is with a dedicated real time anti-keylogger which looks for and blocks suspicious logging behaviour instead of specifically blacklisted apps.    
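To make the behaviour-based idea concrete, the following added example (not code from the article or from SpyShelter) reports which processes currently hold a camera or microphone capture device open, whatever the binary is called or hashes to. It assumes a Linux host with `/proc`, V4L2 and ALSA device names; the allowlist entries are hypothetical.

```python
import os
import re

# Assumed Linux capture nodes: V4L2 cameras and ALSA PCM capture devices
# (names ending in "c"; playback nodes end in "p" and are ignored).
SENSOR_RE = re.compile(r"^/dev/(video\d+|snd/pcmC\d+D\d+c)$")

def _open_targets(fd_dir):
    """Resolve every fd symlink of one process, skipping fds that vanish."""
    targets = set()
    for fd in os.listdir(fd_dir):
        try:
            targets.add(os.readlink(os.path.join(fd_dir, fd)))
        except OSError:
            continue
    return targets

def sensor_users(proc_root="/proc"):
    """Map pid -> (comm, devices) for processes holding a capture device open."""
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            devices = sorted(t for t in _open_targets(os.path.join(base, "fd"))
                             if SENSOR_RE.match(t))
            if not devices:
                continue
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:  # process exited, or we lack permission to inspect it
            continue
        found[int(pid)] = (comm, devices)
    return found

def unexpected(users, allowlist):
    """Keep only processes whose name is not an expected sensor consumer.
    comm is attacker-controllable, so treat this as triage, not proof."""
    return {pid: info for pid, info in users.items() if info[0] not in allowlist}

if __name__ == "__main__":
    # Hypothetical allowlist for this sketch; run as root to see all processes.
    for pid, (comm, devs) in unexpected(sensor_users(), {"pipewire", "pulseaudio"}).items():
        print(f"pid={pid} comm={comm} holds {', '.join(devs)}")
```

On desktops where PulseAudio or PipeWire owns the microphone, recording clients reach it through the sound server, so that server's client list needs checking as well.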

Contributed by Janusz Siemienowicz, founder and lead developer, SpyShelter