Hacker News
by bobsam 3312 days ago
> keyloggers generally aren't exploiting any vulnerability

That's a very odd definition you have.

Rest assured, nobody is saying these kinds of apps are acceptable. But calling them malware is not right when they technically don't use more than they've been given access to (network + some CPU time)?

1 comments

Which part is odd? You can use standard APIs like GetAsyncKeyState() or various utilities for screen scraping and reading the paste buffer to make a key logger, no vulnerabilities required. We still consider such a thing malware of course. The point is exploiting vulnerabilities is not a necessary condition for something to be considered malware.

He's probably referring to injecting/deploying the keylogger in the first place. Either it came with malicious software, via a system exploit, or someone installed it having physical access.

Or, like in the case of Judy, people installed it willingly, because it was hidden inside a game. If a game or some sort of application people install on their machine had a key logger component, we'd consider that malware, and still no vulnerabilities needed, just basic social engineering.