If there’s a keylogger on your machine, there is no way to know for sure if or how it can be bypassed to prevent it from capturing your keystrokes.
Let’s review just what it means to be a keylogger, and then look at your suggested work-arounds to explain why (for the most part) they won’t work.
A keylogger is malware that records your keystrokes. It can also record much more. While some might be simple to sidestep, sophisticated keyloggers are nearly impossible to “bypass”. Each technique for bypassing keyloggers has weaknesses that advanced keyloggers easily exploit. The only true solution is to not allow malware on your machine in the first place.
A keylogger (short for keystroke logger) is a form of malware, plain and simple.
As its name implies, its primary job is to capture your keystrokes and share the collected data with someone else. The most obvious example is capturing your login credentials and sending them off to some hacker, who uses them to sign into your account.
The name is misleading. Keyloggers log much more than keystrokes, and it’s that aspect that prevents most “bypasses” from working.
Keyloggers use several techniques to gather and share the information they collect.
- They may send each keystroke immediately to a remote server via the internet.
- They may collect keystrokes into a file and periodically upload that file.
- They may collect keystrokes into a file and periodically receive instructions to upload it.
- They may collect keystrokes into a file that someone with access to the machine could copy.
- They may not even be on your machine, but rather be hardware devices inserted between keyboard and computer.
While almost all of those can be bypassed, there’s more to the game than just keystrokes.
Keylogger advanced techniques
Yes, keyloggers collect keystrokes. But they’re not limited to that — not at all.
So let’s stop calling them keyloggers, and call them what they really are: malware.
- Malware can insert itself into the software that’s receiving the keystrokes — the username and password fields of a login form, for example — and collect the entries when you press Enter.
- Malware can insert itself into the clipboard chain and capture anything copied to the clipboard.
- Malware can monitor your internet connection — even before it’s encrypted on your machine — and capture the data being transmitted.
That’s all focused around text and keystrokes. It gets worse.
- Malware can take a screenshot every time you click your mouse.
- Malware can record your mouse movement and the positions of any clicks.
It’s these last techniques, screenshots and mouse recording, that effectively thwart many of the so-called keylogger bypass tools and techniques.
Why so-called solutions don’t work
“File/Work Offline” — instructing your email program to act as if there were no internet connection — does nothing. The keystroke logger either isn’t paying attention to it and will go online anyway, or it’s recording to a file to be sent and picked up later, when you are online.
The on-screen keyboard can either be recorded just as easily as any keyboard (it truly does mimic a keyboard, after all), or your interactions with it can be captured using screenshots and mouse captures.
The clipboard, as we’ve seen, can easily be monitored and its contents captured.[1]
Password managers either mimic keyboards (and hence can be captured) or fill in fields (which can also be captured).
Even so-called “key scramblers” are ineffective, since at some point the application you’re typing into must be able to see the actual keystrokes you’ve typed. At that point, malware could insert itself and capture whatever has been entered.
And, of course, hardware keyloggers can only be “bypassed” by removing the malicious hardware.
Sometimes isn’t good enough
One of the more frustrating parts of this discussion is the fact that almost any bypass technique will, indeed, be effective for many keyloggers.
A keylogger that only logs keys as they are entered from a keyboard can be bypassed using a password vault or on-screen keyboard, for example.
Here’s the catch: how do you know you will only be impacted by that kind of keylogger? You don’t.
How do you know you don’t have a much more sophisticated piece of malware that’s logging keystrokes and screenshots and mouse movement and all of the actual unscrambled data your applications need to see?
How do you know your approach to “bypassing” keyloggers will work?
There is no bypass for all possible keyloggers.
There is no bypass for all possible malware — because that’s what keyloggers are: malware; malware with all the capabilities of malicious software that makes it onto your machine.
There’s only one effective bypass
Prevention is the only bypass.
“Bypass” allowing keyloggers, or any form of malware, onto your machine in the first place.
If they’re not present, they can’t capture anything. That’s the only 100% reliable solution you can count on.
Footnotes & References
1: We’ve even seen this rather blatantly in recent months, as an update to Apple’s iOS exposed just how many applications were peeking at the clipboard on the iPhone.