
I realize that keyloggers (I am thinking malware that is trying to be as insidious as possible) use various methods to send logged keystrokes elsewhere. If for example I attempted to use a tool like MS Network Monitor and somehow could see the data being sent externally and I typed "foobar", it would be naive to expect to see that exact string show up in this data: it could easily be encrypted to hide the nature of what was being sent.

However, it seems to me that such keyloggers would send something periodically. So if I had the machine in a quiescent state, watching the MS Network Monitor with nothing else running and then suddenly typed even a single character would I then expect activity to suddenly occur in the Monitor?

Now, even a "quiet" machine connected to the network is doing something all the time so the Monitor seems never to be quiet. Is there a way to segregate what is happening normally with what a keylogger might do?

Or is this entire approach wrong?

Jeff
  • With all due respect, random person @thang, your response was not particularly helpful. Or respectful. I have submitted plenty of questions in this manner without the "yap yap yap" comment. – Jeff Dec 26 '14 at 05:36
  • This question appears to be off-topic because it belongs to http://security.stackexchange.com/ – Lior Kogan Dec 26 '14 at 16:06

1 Answer


Sure, network monitoring tools can be used to detect a keylogger assuming the following:

  • The keylogger, at some point in time will use the network you are monitoring.
  • You can come up with a scheme that can differentiate the keylogger data from other data.

So if I had the machine in a quiescent state, watching the MS Network Monitor with nothing else running and then suddenly typed even a single character would I then expect activity to suddenly occur in the Monitor?

That will rarely be the case. Usually, the logs will be buffered and a threshold set; once it is reached, the data is burst to the hacker's server.

jim
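One "scheme that can differentiate the keylogger data from other data", as an added example that is not from the asker or the answerer: it looks only at timing metadata (who the machine talks to and how regularly), so encryption of the payload does not matter, which addresses the concern in the question. It assumes flow records already exported from a capture tool and a set of destinations recorded while the machine was idle; the records, addresses and the 60 s cadence are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, destination, bytes_sent).
# Idle-machine noise goes to known hosts at irregular times; the hypothetical
# buffered-and-burst exfil goes to one host at a regular 60 s cadence.
FLOWS = [
    (0, "10.0.0.5", 1200), (7, "10.0.0.5", 900), (31, "192.0.2.10", 4000),
    (60, "203.0.113.7", 512), (120, "203.0.113.7", 530), (180, "203.0.113.7", 505),
    (240, "203.0.113.7", 520), (250, "10.0.0.5", 1100), (300, "203.0.113.7", 515),
]
# Destinations observed while the machine sat quiescent (constructed baseline).
BASELINE_DSTS = {"10.0.0.5", "192.0.2.10"}


def periodic_destinations(flows, baseline, min_flows=4, max_cv=0.2):
    """Return destinations absent from the idle baseline whose outbound flows
    arrive at near-constant intervals (low coefficient of variation of the
    inter-arrival gaps). Regular, small bursts to a host the idle machine never
    contacted are the pattern described in the answer above."""
    by_dst = defaultdict(list)
    for ts, dst, _size in flows:
        by_dst[dst].append(ts)
    suspicious = {}
    for dst, times in by_dst.items():
        if dst in baseline or len(times) < min_flows:
            continue  # known-good host, or too few flows to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        cv = pstdev(gaps) / avg_gap if avg_gap else 0.0
        if cv <= max_cv:
            suspicious[dst] = {"interval_s": avg_gap, "cv": round(cv, 3)}
    return suspicious


if __name__ == "__main__":
    for dst, info in periodic_destinations(FLOWS, BASELINE_DSTS).items():
        print(f"{dst}: ~{info['interval_s']:.0f}s cadence, cv={info['cv']}")
```

A real baseline must be captured over a long enough idle window that scheduled OS and update traffic is included, otherwise those hosts will be flagged too.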