Does this look like a hardware keylogger?

Networking/Security Forums -> Physical Security and Social Engineering

Author: kvantum    Posted: Fri Mar 14, 2008 5:15 pm    Post subject: Does this look like a hardware keylogger?
    ----
So we had a new guy start at my work. He shares a workstation with a few other people. One of the first things he did was replace the USB keyboard with a PS/2 one.
Now, even though the docking station has a PS/2 port, he used a PS/2-to-USB adapter to connect it. This is where the interesting part comes in. The adapter is not like any other that I've seen. It doesn't have a single marking, no part/serial/model numbers, nothing. Any other adapter I've seen would've had something. Also most adapters would have two PS/2 ports, or would at least support keyboard OR a mouse. PS/2 mouse does not work with it. Optical light goes up, but PC receives no signal.
We've tried checking the driver, but it detects as a standard adapter. As I would expect from a good keylogger. There is also no way to bruteforce it, since the password would have to be actually typed into a keyboard plugged into the PS/2 port. This guy looks very sketchy so from a personality standpoint I wouldn't be surprised if he installed a keylogger.
So here's the dilemma. We can't do anything with him unless we know for sure. Also, the adapter was installed for quite some time before we found it, so if it is indeed a keylogger, he already has a lot of stuff. I've searched the net stores for a similar looking device, but there are too many out there to go through them all.
Does anyone know of a way to break into these things? Google didn't bring up anything. Or even if not, does anyone recognize this unit? As long as I know for sure whether it's a keylogger or not without even breaking into it, we can do something about it.


Author: PhiBer    Location: Your MBR    Posted: Fri Mar 14, 2008 7:08 pm    Post subject: Re: Does this look like a hardware keylogger?
    ----
kvantum wrote:
One of the first things he did was replace the USB keyboard with a PS/2 one.


First sign of suspicion. Why change a USB keyboard to a PS/2 one?

Quote:

Now, even though the docking station has a PS/2 port, he used a PS/2-to-USB adapter to connect it.


Second sign of suspicion - bypassing the built-in port.

Quote:
We've tried checking the driver, but it detects as a standard adapter. As I would expect from a good keylogger.


You are correct, hardware keyloggers use the standard USB drivers and generic HID keyboard drivers and will not appear suspicious to the OS.

Quote:
We can't do anything with him unless we know for sure. Also, the adapter was installed for quite some time before we found it, so if it is indeed a keylogger, he already has a lot of stuff.


Before confronting or firing the guy, make sure you have changed all of the credentials for important accounts that may have logged onto that computer (e.g. domain admins, management, etc) to prevent further damage. I think your main goal at this point is to see what was compromised and come up with a plan to mitigate the consequences of the compromise.

Quote:
I've searched the net stores for a similar looking device, but there's too many out there to go through them all.


Often times, some vendors will not show the actual device "for security reasons". From a vendor site: "for security reasons, the photo is only a representation of what the KeyGhost looks like. The actual KeyGhost II is injection molded to look exactly like an EMC Balun."

Quote:
Does anyone know of a way to break into these things?


Typically, you need to type in some type of key combination or keycode. For example, the KeyGhost keylogger requires you to open an editor and type a secret Personal Unlock Code.
This KeyGhost device looks a lot similar to the one you have posted.

I would definitely seek out professional legal representation before proceeding with this case and make sure no one else uses that computer for anything.

Author: moondoggie    Posted: Sat Mar 15, 2008 7:46 pm    Post subject:
    ----
I can't speak to the functionality of the device, but would it not be company policy to force him to use the provided keyboard and take this device away "for study with compliance with IT user policy"? I mean, you can always make the excuse that the compatibility of the device needs to be studied before he can use it on his system at work.

Author: PhiBer    Location: Your MBR    Posted: Sat Mar 15, 2008 8:54 pm    Post subject:
    ----
moondoggie wrote:
I can't speak to the functionality of the device, but would it not be company policy to force him to use the provided keyboard and take this device away "for study with compliance with IT user policy"? I mean, you can always make the excuse that the compatibility of the device needs to be studied before he can use it on his system at work.


It's too late for that in my opinion. The damage has probably already been done and confidential information compromised. Don't let him know you are aware of the device, and get legal help.

Author: Advocate    Location: Amsterdam, NL    Posted: Mon Mar 17, 2008 12:33 pm    Post subject:
    ----
I'm certainly not advocating this (no pun intended), however you could always install a software keylogger to discover the password for the hardware keylogger... assuming he accesses the data at work.

Depending on your company's privacy policy, employment contracts and local laws this may or may not be legal.

Personally I believe the professional and legal advice route from a subject matter expert is the way forward.


Author: kvantum    Posted: Mon Mar 17, 2008 4:26 pm    Post subject:
    ----
I can't get any approval from above for a keylogger or legal advice until we know whether it is a keylogger in the first place. Suspicion is not enough. In case it is not a keylogger, it would compromise more information. Besides, nothing is stopping him from taking the device home overnight. So far we have replaced the machine with a new one and wrote it off as an upgrade, with a new image, just in case there is any software we don't want there. The device has been held; we just "don't know what happened to it during the upgrade". But this brings us no closer to the root of this.
At this point I don't think there is any way to know for sure. I was thinking of wiring up a device that would output from serial and hook up to a PS2 port, simulating a keyboard, and bruteforce it.... But that sounds like waaay too much work.
On the other hand, this just gave me an idea on how to bruteforce the keylogger.
We use KVMs for our servers that can be controlled remotely. It opens something like an RDP session on the client, and interfaces directly with VGA/PS2 on the machine so you can access the bios on the machine. Just plug that thing in and run a keystroke generator on the client....
That will still take some time, but at least it's hope.

Author: PhiBer    Location: Your MBR    Posted: Mon Mar 17, 2008 5:19 pm    Post subject:
    ----
kvantum wrote:
In case it is not a keylogger, it would compromise more information. Besides nothing is stopping him from taking device home overnight.


Kvantum, you seem to contradict yourself. I thought you "don't know what happened to [the device] during the upgrade," how could he take it home?

And if the device is not a keylogger, what else is it? I've been in I.T. for years and can't think of anything else it could be. How would it compromise more information if it is not a keylogger?

Quote:
Just plug that thing in and run a keystroke generator on the client....
I'm not sure it will be that simple. You will first need to run the correct set of keystrokes to even open up the session to the software portion of the keylogger itself. Just don't want you wasting your time.

On the other hand, Advocate's idea sounds feasible as a last-case scenario.

Author: kvantum    Posted: Mon Mar 17, 2008 5:33 pm    Post subject:
    ----
Quote:
Kvantum, you seem to contradict yourself. I thought you "don't know what happened to [the device] during the upgrade," how could he take it home?

If we were to install a software keylogger and expect to get anything from him that way, we would have to put the device back and make it look like nothing happened so he tries to log into it. It's too late for that now anyway; we already said he can't use it. And installing a software keylogger when the device is not present is an even bigger waste of time than trying to brute-force it.
Quote:
And if the device is not a keylogger, what else is it? How would it compromise more information if it is not a keylogger?

It could just be a PS/2 to USB adapter.
Too many suspicions, but nothing solid to state otherwise.
Keylogger is a malicious tool. Using it on the network just to find that we were chasing a false idea? It will not go well. We have bureaucracy to deal with too.

Author: Contag    Posted: Sun Jun 22, 2008 6:17 pm    Post subject: Traces of software used to download the log?
    ----
Quote:
Too many suspicions, but nothing solid to state otherwise.

There could be traces left in the system.

The default software used to download the keystroke log from the "KeyCarbon USB" hardware keylogger device is the "KeyCarbon Rapid Downloader", see http://keycarbon.com/products/keycarbon_usb/overview/. If the software was installed at any point, there might be traces left on the machine in the registry.
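As an added illustration of the defender-side check Contag describes (not code from the thread or from any vendor), the script below parses a constructed `reg export` of the Windows Uninstall hive and flags entries whose DisplayName matches a known download tool; the only tool name taken from the thread is "KeyCarbon Rapid Downloader", and the indicator list is meant to be extended. It also applies the policy point raised later in the thread, comparing a constructed USB HID inventory against a registered-asset list, since a hardware keylogger presents itself to the OS as a plain HID keyboard and only an asset comparison can single it out. All registry paths, VID/PID values and sample records are constructed placeholders, not data from the original poster's machine.

```python
"""
Added example, not from the forum thread: look for two kinds of trace a
hardware keylogger incident can leave on the host side.
  1. Installed-software entries for a known log-download tool.
  2. HID keyboard devices that are not in the company's registered-asset list.
Indicator names, VID/PID values and sample data are constructed assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Download-tool names to look for. Only the KeyCarbon entry comes from the
# thread; extend this list with whatever your own investigation turns up.
KNOWN_DOWNLOADER_NAMES = ["KeyCarbon Rapid Downloader"]

# Constructed sample of `reg export` output for the Uninstall hive (not real data).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAAA-1111}]
"DisplayName"="Example Archiver 1.0"
"InstallDate"="20080301"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BBBB-2222}]
"DisplayName"="KeyCarbon Rapid Downloader"
"InstallDate"="20080310"
"""

# Constructed HID inventory as PnP enumeration would report it. VID/PID values
# are placeholders; the second entry stands in for the unmarked PS/2-to-USB adapter.
SAMPLE_HID_INVENTORY = [
    {"vid": "1111", "pid": "0001", "desc": "USB Keyboard (company issued)"},
    {"vid": "2222", "pid": "0002", "desc": "USB Composite Device / HID Keyboard"},
]

# Assumed registered-asset list: only the issued keyboard's VID/PID is approved.
REGISTERED_HID: Set[Tuple[str, str]] = {("1111", "0001")}


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Parse [key] headers and "name"="value" lines of a .reg export into dicts."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = {"_key": line[1:-1]}
            entries.append(current)
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return entries


def find_downloader_traces(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return uninstall entries whose DisplayName matches a known download tool."""
    hits = []
    for e in entries:
        name = e.get("DisplayName", "")
        if any(k.lower() in name.lower() for k in KNOWN_DOWNLOADER_NAMES):
            hits.append({"key": e["_key"], "name": name,
                         "installed": e.get("InstallDate", "unknown")})
    return hits


def find_unregistered_hid(inventory: List[Dict[str, str]],
                          registered: Set[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Return HID devices whose (VID, PID) is not on the registered-asset list."""
    return [d for d in inventory if (d["vid"], d["pid"]) not in registered]


def build_report(reg_text: str, inventory: List[Dict[str, str]],
                 registered: Set[Tuple[str, str]]) -> Dict[str, list]:
    """Combine both checks into one findings dict for the incident record."""
    return {
        "downloader_traces": find_downloader_traces(parse_reg_export(reg_text)),
        "unregistered_hid": find_unregistered_hid(inventory, registered),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_REG_EXPORT, SAMPLE_HID_INVENTORY, REGISTERED_HID)
    for category, findings in report.items():
        print(f"{category}: {len(findings)} finding(s)")
        for f in findings:
            print("  ", f)
```

On a real host the export would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` and the inventory from the PnP device list; the point of the asset comparison is that the adapter's generic HID driver is not an anomaly by itself, so the registered-hardware policy is what makes the device stand out.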


Author: geester    Posted: Thu Sep 11, 2008 7:19 pm    Post subject:
    ----
We had a similar issue at a library, where people were using the computers in public areas, and we ended up buying protective enclosures that encased the computers away from anyone.

If anyone needed to connect a cable, the computer case had to be opened; for extra security we bolted it to the desks!

Moderator note: spam URL removed - capi

Author: Silverblue    Posted: Wed Sep 24, 2008 10:31 am    Post subject:
    ----
Wow, that's a story. I thought physical keyloggers were gone forever.

Author: The_Real_Gandalf    Location: Athens, Greece    Posted: Wed Sep 24, 2008 1:29 pm    Post subject:
    ----
too many things are wrong here...

1- Corporate machines, since they are registered in an official repository, need to use the registered software/hardware and not something brought from home. If that were allowed, I could easily plug in a USB drive and take everything I wanted home. There is a reason to uphold this policy. Take it up to your management and lawyers and give them this same example. If anyone can install and use what he/she wants on the devices, then it would be a chaotic situation to deal with.

2- Users should not be local administrators on the PC. Only one admin should exist on the network on both servers and PCs. Otherwise you will face much more serious problems than this supposed keylogger.

No matter what credentials he might have taken with this keylogger, by the time you enforce policies you can also change all credentials for accessing network resources and then what he might have taken would be useless.

I also find it very disturbing that this user can change hardware on his own without asking permission from the IT department, who are in charge of the company's equipment and have to answer for it if anything happens.

In other words... as an IT dept, you do not need to ask anyone to take off or uninstall h/w which is not the company's official and registered hardware.
It is supposed to be your duty to do that. I think that there is also a law about this. Ask your legal dept... I am pretty sure they should know this.

Gandalf

Author: OddOne    Posted: Fri Oct 03, 2008 11:18 pm    Post subject:
    ----
kvantum wrote:
The device has been held, we just "don't know what happened to it during the upgrade". But this brings us no closer to the root of this.


Oh, you have the suspect device? That changes everything and might give you legal options if it turns out to be a situation involving industrial espionage.

Cut the casing off and do a Google search for the part numbers of any ICs on the board. One should be a USB driver, obviously, but if there's also a strangely large capacity memory IC there as well (read: more than about 64 kilobytes), you're dealing with a keylogger.

Also, with the PC board exposed you might find manufacturer and device info that could turn up more details with a quick search.

Author: desinet1    Posted: Fri Feb 27, 2009 5:53 pm    Post subject:
    ----
Silverblue wrote:
Wow, that's a story. I thought physical keyloggers were gone forever.

No, they are still in use. Just last month, I detected one such device in my office computer.


