Malicious Firefox Add-Ons: Keylogger

August 13, 2013 by

A keylogger, also known as a keystroke logger, is a software program or hardware device that is used to monitor and log each of the keys a user types on his/her keyboard. It is a type of surveillance software that has the capability of recording each and every keystroke and making a log file of them.

A software-based keylogger doesn't require physical access to the victim's computer. It can be easily downloaded from the Internet for the purpose of spying activity on a particular system. It can be also installed on a system unwillingly as a spyware and executed as a part of a remote administration tool, which is also known as a Trojan. Basically, a keylogger program has two files, DLL (dynamic link library) and EXE (executable). These two files are installed in the same directory; the DLL file records all keystrokes and the EXE file helps to install the DLL file trigger. After being successfully installed, the program starts making a log of all keystrokes and uploads the data over the Internet to whoever installed the program. Keyloggers often run in a stealth mode and they usually don't sit in the systems tray. They also hide the program from the task menu within windows files.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

A keylogger has some advantages, also; in the corporate world, keyloggers are often used to monitor employees' activities when they use the company's computer. Keyloggers are also helpful in the home, monitoring the online activities of children.

Types of Keylogger

There are basically two types of keylogger, software-based and hardware-based.

Software-based keylogger—This type of keylogger is found in executable format. It uses the Windows function SetWindowsHookEx(), which monitors all keystrokes and can even capture autocomplete passwords. Software-based keyloggers are classified into different types, according to their work. Those are:

  1. Offline keylogger—This type of keylogger saves logs in the victim machine, so it doesn't require any Internet connection to work. But it requires physical access for installation. Attackers rarely used these keyloggers for stealing vital information.
  2. Email keylogger: These keyloggers are configured to send the keylogs to the attacker's email address. They are very easily spread by attacker via Internet by using social engineering techniques. They just convert the keylogger's exe into a self-extracting archive (SFX) with the Winrar application. After that they change the icon of the SFX into MS word or any other application that can be sent via mail as an attachment.

  3. FTP keylogger—FTP keyloggers are configured to send logs to an FTP server; these keyloggers are really easy to read and fun to use.

    4. PHP keylogger—A PHP keylogger is a little bit different from all other keyloggers.
    These keyloggers send the data into a PHP file and that PHP file saves the data on the server where the PHP files are hosted. Such keyloggers are not easily detected by antivirus programs.

Hardware-based keylogger—A hardware-based keylogger requires physical access to the computer; this kind of keylogger is the size of a USB flash drive. The device serves as a connector between the keyboard and the computer's port. Because it looks like an ordinary keyboard plug, it is relatively easy for someone who wants to monitor a user's activity to physically hide such a device in plain sight. As the user types, the device collects each keystrokes in its hard drive . At a later point in time, the person who installed the keylogger must return and physically remove the device in order to access the information from its harddrive.

Tutorial on Configuring a Browser-Based Keylogger

In this tutorial I am going to show you a different kind of keylogger, which works on the Mozilla Firefox browser. Basically we will create a Firefox add-on that works as a keylogger and sends the logs in the server.

For developing a Firefox add-on you can see here: https://developer.mozilla.org/En/Developing_add-ons.

First download the source code of keylogger from here: http://sites.google.com/site/netinfinityprojects/home/downloads/firefox-KL.tar.gz. I suggest you to use the Linux operating system. After downloading the source code extract the file and we get some files and folder like this:

In the above figure we can see some files over there, basically chrome.manifest and install.rdf. These two files are files for developing a Firefox add-on.

Firefox reads a simple plaintext chrome.manifest file to determine what packages and overlays your extension provides.

The install.rdf file has information such as add-on like description, author name, version, etc. Let us open the install.rdf file and see:

In the figure above, we see that we can make some simple changes here, such as renaming the name of add-on to "Ad Blocker," because the users will believe this add-on and will readily install it on their browsers.

The third file is key_strokes.php. It is the main file, which will receive the logs and make a text file of all keystrokes.

Now we have to upload this key_stroke.php to a remote server. For example, here we are using www.000webhost.com, which is a free hosting server.

We can see here we uploaded our key_strokes.php file to the server; now, after uploading the file, we will have a URL for this uploaded file in this format yourdomainname.com/key_strokes.php. So here is mine: http://rootinjector.comoj.com/key_strokes.php.

Now there is another folder named chrome in the keylogger source code folder. Inside the chrome folder is another folder named content, which contains a XUL file named remote_keylogger.XUL . We have to do some minor editing in this file, so open the file.

As we can see, there is a URL in the above figure; we have to change this URL to our server address like this:

Now we can proceed to make an add-on. Zip the three files, chrome folder, chrome.manifest, and install.rdf, into one and change the extension of zip file into xpi.

After zipping these three files, we change the name and extension of the zipped file to adblocker.xpi. Now let us install this add-on to the Firefox browser.

Yeah! Our add-on is working. It's asking for installation; click on "Install Now," as we see in above figure.

Now it's asking to restart your browser to complete the installation.

We can see that our "Ad Blocker" is successfully installed. Let us see if it is working or not. Go to Google and type anything you want; for example, here I am typing in Google search "let us try some hacking..our keylogger is working or not."

After that, check our server to see if any text file was created or not.

Here we can see the loggger.txt file has been created; let us view this text file for logs:

Yeah! Our logs are generated.


Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.



Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.