I see posts on the Ubuntu forums quite often about keyloggers in Linux. Many people are under the impression that a keylogger can merely download itself onto a machine without any user intervention (like through a browser exploit) and suddenly begin logging keystrokes. Eventually, as the theory goes, the user will elevate privileges and the keylogger will steal the root password and send it back to some shady Eastern European hacker. I call BS on this.
For one, I have never seen any examples of this occurring in the wild, and certainly someone somewhere would have done it by now, if for nothing else than as a POC. Sure, there are numerous Linux keyloggers out there, but not one of them (that I can find) can work from the user account; they all need root access to install onto the machine in the first place. I am not saying it is impossible to create a user-account keylogger, just that I have not found a single one. I have consorted with numerous kernel hackers who have said that a keylogger needs access to /dev, which is root-owned. I suppose they could be wrong, as I have heard others say that it can be done.
So, I want to challenge any reader of this blog who happens to be familiar enough with Linux kernel internals to write a POC keylogger that does not need root to install itself. Send the code to me and I will post it here (with full credit going to the author, of course). I want to put this to rest once and for all.
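A defender's way to test the /dev premise above on a given machine, as an added example that is not from the original post: it reports which device nodes the current account could open for reading by mode bits alone. The `/dev/input` default and the function names are assumptions of this example; the post names only /dev.

```python
import os
import stat
import sys

# Assumption: /dev/input is where the kernel exposes raw input devices on
# typical distributions; the post itself only says "/dev".
DEFAULT_DIR = "/dev/input"


def readable_class(st, uid, gids):
    """Return which permission class lets (uid, gids) read, or None.

    Follows the classic mode-bit check: exactly one of the owner, group or
    other classes applies. POSIX ACLs and capabilities other than uid 0
    are not examined.
    """
    if uid == 0:
        return "root"
    if st.st_uid == uid:
        return "owner" if st.st_mode & stat.S_IRUSR else None
    if st.st_gid in gids:
        return "group" if st.st_mode & stat.S_IRGRP else None
    return "other" if st.st_mode & stat.S_IROTH else None


def audit_nodes(directory, uid=None, gids=None):
    """Map each node in `directory` readable by the identity to its class."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    findings = {}
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISDIR(st.st_mode) or stat.S_ISLNK(st.st_mode):
            continue  # skip subdirectories and symlinks, audit the nodes only
        cls = readable_class(st, uid, gids)
        if cls:
            findings[name] = cls
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DIR
    found = audit_nodes(target)
    for name, cls in found.items():
        print(f"{target}/{name}: readable via {cls} permission bits")
    if not found:
        print(f"no node under {target} is readable by uid {os.geteuid()}")
    sys.exit(1 if found else 0)
```

Run as the ordinary desktop account, a non-zero exit status means at least one node is readable without elevation and its owner, group and mode deserve a closer look.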