
Pwning a Spammer's Keylogger  - wglb
http://blog.spiderlabs.com/2012/04/pwning-a-spammers-keylogger.html
======
pilif
> Well, for the dump file BPK.DAT, the XOR key partially worked, but to make
> it more readable I XORed it using two bytes 0xAA, 0x00

I'd say the older version that was analyzed before wasn't using unicode yet,
whereas the later version was.

Very cool how you see the effects of character encodings all over the place -
even where you don't expect them.

Also, if done right, the "encryption" should IMHO have been done after the
file has been written in its native encoding using an input byte sequence. But
seeing that the XOR key had that second 0 byte, I'd say that the encryption
was done using a "string" key instead of plain bytes.

And don't get me started on the idea of using XOR as "encryption" - especially
with a repeated pattern like this, this can't even be reasonably called
obfuscation IMHO.
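As an added example (not code from the SpiderLabs post, and nothing here is the keylogger's own format): a repeating-key XOR over a UTF-16LE dump, showing why a "string" key picks up a 0x00 second byte in a wide build, why a single 0xAA byte then only "partially works", and how the key falls out of the ciphertext with no known plaintext. The log text, the key "ª" and all function names are constructed for illustration.

```python
# Added example (not from the SpiderLabs post): repeating-key XOR over a
# UTF-16LE dump, and recovering the key from the ciphertext alone.
# The log text, the key "ª" and all names here are constructed.

# Constructed sample in the style of a keylogger dump; not real data.
SAMPLE_LOG = (
    "[2012-04-10 09:15:02] Window: Login - user: alice\r\n"
    "[2012-04-10 09:15:07] Window: Login - pass: Sunny-Day-2012\r\n"
    "[2012-04-10 09:16:41] Window: Mail - to: bob@example.invalid\r\n"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def string_key(key_text: str, wide: bool) -> bytes:
    """The bytes a 'string' key turns into: UTF-16LE in a wide (W-API) build,
    so "ª" becomes AA 00; a single byte AA in an ANSI build."""
    return key_text.encode("utf-16-le" if wide else "latin-1")


def _plausibility(b: int) -> int:
    """How much a decoded byte looks like part of a Latin-script log file."""
    if b == 0x00:
        return 12          # high byte of every UTF-16LE code unit for Latin text
    if b == 0x20:
        return 10
    if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
        return 6
    if 0x30 <= b <= 0x39:
        return 4           # logs are full of timestamps
    if 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
        return 1
    return -12


def recover_key(ciphertext: bytes, key_len: int) -> bytes:
    """For each key position, keep the byte whose decode of that column of the
    ciphertext looks most like text. Needs no known plaintext at all."""
    key = bytearray()
    for i in range(key_len):
        column = ciphertext[i::key_len]
        key.append(max(range(256),
                       key=lambda c: sum(_plausibility(b ^ c) for b in column)))
    return bytes(key)


def guess_key_len(ciphertext: bytes, max_len: int = 8) -> int:
    """Smallest key length whose best decode scores about as well as any longer
    one (a 2-byte key also 'works' at 4, 6 and 8; take the shortest)."""
    scores = {}
    for n in range(1, max_len + 1):
        plain = xor_bytes(ciphertext, recover_key(ciphertext, n))
        scores[n] = sum(map(_plausibility, plain)) / len(plain)
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.95 * best)


if __name__ == "__main__":
    wide_ct = xor_bytes(SAMPLE_LOG.encode("utf-16-le"), string_key("ª", wide=True))
    # The single-byte key only "partially works" on the wide build: the low
    # bytes decode, but every high byte comes out as 0xAA instead of 0x00.
    partial = xor_bytes(wide_ct, b"\xaa")
    print(partial[0::2].decode("latin-1"))
    print(guess_key_len(wide_ct), recover_key(wide_ct, 2).hex())   # 2 aa00
```

The scoring is deliberately crude: it only needs the true key to beat every other candidate on each column, and the 0x00 high bytes of UTF-16LE make that almost free for every second key byte. Against an ANSI build the same code recovers a one-byte key; the recovered key's trailing 0x00 is what tells you the key was a wide string rather than raw bytes.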

~~~
ajross
Peeve: Not unicode, UTF16. Unicode apps aren't synonymous with wide characters
(though on Windows you're pretty much stuck as that's what the API picked,
sigh), and in fact UTF8 is an objectively better encoding for almost all
users.

~~~
pilif
Yes. Probably even UCS2 - I stopped doing a lot of Windows API stuff before I
ran into situations where I needed characters outside of the basic
multilingual plane, so I couldn't say how wcslen("💩") would behave.

But I was talking about the build of the software. The old one was probably a
build linking against the old ANSI API ("A" suffix), whereas the new one is
using the wide version ("W" suffix), usually referred to as the Unicode
variant of the API - hence my incorrect terminology.

Looking at the screenshots of that application, if I had to take a really wild
guess, I would say that the application might have been built in Delphi, which
moved to the Unicode API with Delphi 2010 IIRC.

That changed the byte-width of the standard Delphi string (and the more
basic PChar type) to 2 bytes and switched over to using the W-suffix API.

I guess all those years of doing Delphi work are rubbing off.

------
yread
Ah, good old HIEW. It's the simplest and nicest disassembler: open a file,
switch to disassembly with one keypress. Move one line or one byte at a time
for defeating code that jumps into the middle of instructions, edit the
assembly (ok, code bytes) in place with a live preview of what instructions
you're writing. All in 130KB of code :) <http://www.hiew.ru/>

EDIT: I wonder why the author is using a version from 2004, though... I had to
double-check the date of the article. This tool is well worth the money!!!

~~~
StavrosK
> This tool is well worth the money!!!

To you, maybe. I have no use for it, so it's not, especially when it costs
$200.

~~~
yread
...version 6.86 is the most widespread cracked version

~~~
StavrosK
What do you mean? We're talking about buying it.

------
tallanvor
Although a year old, Mark Russinovich's posts talking about analyzing Stuxnet
using only Windows Internals tools is another really interesting read:
[http://blogs.technet.com/b/markrussinovich/archive/2011/03/3...](http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx)

It is fun to figure out how malware works.

------
jiggy2011
Reverse engineering stuff like this can be fun. I remember trying to reverse
engineer some random .exe that got emailed to me once.

I disassembled it but all I found was some basic initialization code and then
a jmp to an address that didn't seem to exist. However when I ran it (in a VM)
with a debugger it seemed to go through all kinds of Win32 Calls.

Very odd.

~~~
chas
It's very common for malware (or other code that doesn't want to be reverse
engineered) to be decrypting itself in that initialization loop to generate
the code that is jumped to. It is also very common for malware to use
exception handling as control flow, which could also explain a nonsense jump.

~~~
jiggy2011
That certainly makes sense, I wonder if it is encrypted using any proper
scheme or something simple like XOR?

If it is strong encryption I suppose the thing to do would be to capture the
key in memory, but that would require more patience than I have.

~~~
Sapient
Usually it doesn't matter, you just let the exe decrypt itself, then grab the
decrypted code and rebuild the PE with it.
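Before letting a sample decrypt itself and dumping the result, a static look at the section table tells you whether the "jmp to an address that doesn't exist yet" pattern chas describes is likely in play. The following is an added example, not from the post or from any tool it mentions: it parses a PE section table and flags the usual signs of a self-decrypting body (an encrypted-looking section, a section that is both writable and executable, a section far larger in memory than on disk). The PE it inspects is constructed in memory for the example; section names, flag values and the 7.0-bit entropy threshold are the example's own choices.

```python
# Added example, not from the post: a static pre-check for the "decrypts
# itself, then jumps into the result" pattern. The sample PE is constructed
# in memory (headers plus two sections) and is not a runnable program.
import math
import random
import struct

SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, close to 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the section table of a PE file view; yield one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", image, e_lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, chars = \
            SECTION_HEADER.unpack_from(image, table + i * SECTION_HEADER.size)
        raw = image[raw_ptr:raw_ptr + raw_size]
        yield {"name": name.rstrip(b"\0").decode("ascii", "replace"),
               "virtual_size": vsize, "raw_size": raw_size,
               "characteristics": chars, "entropy": shannon_entropy(raw)}


def flag_packed(image: bytes, entropy_threshold: float = 7.0) -> dict:
    """Heuristics that point at a self-decrypting body: an encrypted-looking
    section, one that is writable and executable, or one that is much larger
    in memory than on disk (room to unpack in place)."""
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    findings = {}
    for sec in pe_sections(image):
        reasons = []
        if sec["entropy"] >= entropy_threshold:
            reasons.append("high entropy")
        if sec["characteristics"] & rwx == rwx:
            reasons.append("writable and executable")
        if sec["virtual_size"] > 2 * max(sec["raw_size"], 1):
            reasons.append("unpacks in place")
        if reasons:
            findings[sec["name"]] = reasons
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 file view: a repetitive .text plus a random-looking,
    writable+executable section whose virtual size is far above its raw size,
    the shape a packed executable tends to have."""
    rng = random.Random(1)
    stub = b"\x55\x8b\xec\x83\xec\x10" * 200               # repetitive, low entropy
    body = bytes(rng.randrange(256) for _ in range(4096))  # stand-in for encrypted code
    rx = IMAGE_SCN_MEM_EXECUTE | 0x40000000 | 0x20          # read, execute, code
    sections = [(b".text", len(stub), stub, rx),
                (b".pack", 0x8000, body, rx | IMAGE_SCN_MEM_WRITE)]
    out = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * 222           # PE32 optional header, zeroed
    raw_ptr, blobs = 0x200, []
    for name, vsize, data, chars in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF             # 512-byte file alignment
        out += SECTION_HEADER.pack(name, vsize, raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        blobs.append(data.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
    out += b"\0" * (0x200 - len(out))
    return bytes(out) + b"".join(blobs)
```

None of these signals proves packing on its own (a large resource section or an embedded compressed blob also scores high), but a section that trips all three is exactly the case where the disassembler shows initialization code ending in a jump into nothing: the target only exists after the loop has run, which is why the dump-after-decrypt approach above is the practical one.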

------
evilswan
Great post, really enjoyed following the trail along with the author. The sad
part is, knowing how useless a lot of ISPs' abuse@ emails are, the FTP might
never be taken down this way.

~~~
underwater
I'm hoping that "emailed the ISP" means "deleted the contents of the server
and emailed the ISP".

~~~
TazeTSchnitzel
Deleting the contents is illegal, heck, even accessing the server is illegal.
Furthermore, it destroys evidence the ISP needs to shut it down.

~~~
underwater
That's why I hoped it was code. He wouldn't want to acknowledge illegal
activity on his blog; though technically logging into the FTP server is
probably illegal in itself.

~~~
mjwalshe
Depends. I didn't see any banner, and one could argue that his posting was
covered by hue and cry :-)

"In common law, a hue and cry is a process by which bystanders are summoned to
assist in the apprehension of a criminal who has been witnessed in the act of
committing a crime."

------
farmdawgnation
I would have replaced all the existing keylogger files with pictures of Rick
Astley and Rebecca Black, but that's just me.

~~~
jiggy2011
You're getting into dangerous legal territory there (technically you are by
just connecting to the FTP I guess).

Bear in mind that many of the servers used by these guys do not belong to them
and are probably a neglected server somewhere that was setup by an innocent
party for other purposes but was subsequently pwned by the malware people.

~~~
Magnin
Yes, but I was disappointed that he didn't at least change the password so
that future FTP connections from the bots were refused.

~~~
jiggy2011
Still arguably breaking the law. You'd also most likely need more access than
just FTP to do that, so that would involve having to break into a shell or
something.

It would be difficult to know what to do in these situations because your
choices are going to be limited to doing nothing and letting them get away
with it or going vigilante and possibly exposing yourself to legal risk.

You could inform law enforcement but they are likely to either do nothing or
decide to arrest you instead (I knew someone who had the police come to his
house and confiscate his computer for over a year because a fellow student saw
him using DOS prompt on a school computer and decided to report him for
"hacking").

~~~
bkruse
I find this very hard to believe (the last part). With any confiscation, you
can argue in court. 1 year without a computer was his fault. I'd slap that
agency with a lawsuit.

~~~
jiggy2011
I'm sure he could have got his computer back much sooner if he was sensible,
but he was a dumb kid; I imagine he was just waiting for the police to give it
back to him (probably low on their list of things to do).

He had a habit of rubbing people up the wrong way, bragging about having
'leet' computer skills (he didn't) and doing idiotic things like mass net
sends at school, so I'm sure it was in many ways his fault. Does show how
paranoid the police can be about "hackers" though.

------
drostie
Hey, let's use XOR-encrypt -- it works so well in the movies!

But seriously, it's nice to see this sort of post about breaking into the
inbreakers' code.

I'm a little surprised that people are treating logging into the FTP server
(if not deleting the keylogs) as a legal gray area. I understand the _moral_
dilemma of vigilante justice, but in principle, just doing an FTP connect and
LIST seems to be well within your right, given that they gave you software
which logs in and makes a directory and sends your keylog. Is there a real
concern that someone will take you to court for that?

~~~
DanBC
> _Is there a real concern that someone will take you to court for that?_

I think the concern is more along drawing a bright line between black hat and
white hat.

Researchers have to do stuff which is borderline illegal; at least it's
sometimes tricky to know if they're breaking any laws. Thus, they'll create a
set of clear and easy to understand rules and work to those, which means that
they reduce their risk of legal action.

"Don't fight abuse with abuse" is (or at least was) a very common phrase.
That's a pretty good idea, when some people aren't capable of knowing who the
bad person is. We don't want denial of service attacks against innocent people.

Having said that, it's annoying as hell that ISPs don't do more to stop this
kind of thing.

------
datagramm
"This keylogger program can be legitimately purchased and used, ostensibly for
monitoring your kids’ or employees’ browsing habits, etc. As you can imagine,
PK can also be used for badness."

Is this person suggesting that using a keylogger to spy on your
employees/children without their knowledge is not 'badness'?!

~~~
sequoia
Recording your employees' use of company computers, given proper disclosure,
is an employer's prerogative. It's also legal (in some locales) for parents to
do this to their children. I find it immoral, personally (the latter), but
this is _not the point of the story at all_ and the story was interesting and
highly relevant, so I'm really disappointed to see this is the top comment.

~~~
jiggy2011
Yes, although usually a keylogger is not necessary. A few places I have worked
the IT dept/Management had a VNC server running on every desktop (it showed up
in the process list, I wasn't working in IT at the time).

I pointed this out to a few people who would use IM programs to 'flirt' with
each other all day.

------
dkersten
I remember coming across a malicious piece of javascript that found its way
onto some websites a few years back. Just for fun, I traced it through the
various stages to find out what it did. I decoded the js to find out that it
downloaded an executable. I used objdump to look at the executable and through
some tinkering and google searching found out it was packed with upx. So I
unpacked it and I think I went through one or two more stages (with the help
of people on various forums) before we got to the raw binary. Someone on the
forums also ran it in a VM and we found out it connected to one of a handful
of ip addresses. After some tinkering and looking through the code, someone on
the forums figured out that it stole WoW account passwords.

It was a lot of fun and felt a bit like being a detective of some kind.

------
martingordon
Correct me if I'm wrong, but one of the additional benefits of using a
password manager such as 1Password is that it thwarts keyloggers. They may
only get your master password (which shouldn't be your password on any site)
but your site specific user name and password are never actually typed.

~~~
bockris
I don't know if you're wrong but how do those password programs work? If they
emulate a keyboard by sending keystrokes to the appropriate input field they
are most likely logged by programs like these. (not HW keyloggers tho).

If the password programs use the clipboard, then it is just another source for
the keylogger to capture and trivial to add. (edit: a screenshot lower in the
article of the 'Perfect Keylogger' options screen shows a clipboard option.)

~~~
qeorge
It's been a while (AOL ;), but IIRC the Windows API lets you SET_TEXT directly
by window handle.

Assuming that's how 1Password works, it should be safe. I think that's a fair
assumption because using the clipboard or SendKeys to an input box is all
kinds of trouble in practice, and the API is easy.

~~~
bockris
But isn't that in itself another vector to 'hook' and redirect (just like the
keystrokes and clipboard)?

I'm going to agree with jiggy2011. Once you are compromised at that level then
it's pretty much game over.

~~~
qeorge
Definitely. I meant that it probably didn't use the clipboard or keyboard
emulation, and so it would be safe from those particular attacks. Didn't mean
to imply it would be safe from everything.

To nitrogen's point, there's definitely a corresponding GETTEXT message.
There's even hooks[1].

But that's about all I know. Haven't written a desktop app in > 10 years.

[1] [http://msdn.microsoft.com/en-us/library/ms644990%28v=vs.85%2...](http://msdn.microsoft.com/en-us/library/ms644990%28v=vs.85%29.aspx)

------
ertdfgcb
I wonder how he just happened to notice the keylogger connecting to FTP? Did
he have a monitor in the background or something? Seems like that would be a
good practice for doing things like this, and this guy obviously knows his
stuff.

~~~
drtse4
I guess he simply had a firewall that monitors active connections on his
workstation (when an unregistered program tried to access the network an alert
showed up).

~~~
infinity
It looks like the author of the article was using Wireshark to intercept
network traffic. In the article there is a screenshot of a window with the
title "follow TCP stream" and a headline "Stream content", exactly like in
Wireshark.

I have used the same trick sometimes when nobody could remember the FTP
credentials, but they were stored in the FTP program and a connection to the
FTP server was still possible. Sometimes the guy with access to the admin
panel is just not available, so a possible solution is to use Wireshark to
retrieve the password, which is usually transmitted without encryption.
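The trick infinity describes (and the alert-on-connect approach drtse4 guesses at) both come down to reading the FTP control channel off the wire. The following is an added example, not code from the SpiderLabs post or from Wireshark: it parses a classic pcap, reassembles the client and server halves of the control stream the way "Follow TCP Stream" does, and pairs each command with its reply so that the login that actually succeeded and the file names uploaded fall out. The capture is constructed in memory with documentation addresses and made-up credentials; it does not reorder by sequence number, so a real capture with retransmissions needs a proper reassembler.

```python
# Added example, not from the SpiderLabs post: reassemble the FTP control
# channel from a pcap and pull the login and uploaded file names out of it,
# which is what 'Follow TCP Stream' shows you by hand. The capture is
# constructed in memory with documentation addresses and made-up credentials.
import struct

PCAP_MAGIC = 0xA1B2C3D4
CLIENT, SERVER = ("192.0.2.10", 49152), ("198.51.100.5", 21)


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def frame(src, dst, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame; checksums left zero (the parser does not check them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, _ip(src[0]), _ip(dst[0]))
    tcp = struct.pack("!HHIIBBHHH", src[1], dst[1], 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\0" * 12 + b"\x08\x00" + ip + tcp + payload


def pcap(frames) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1334000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def tcp_payloads(capture: bytes):
    """Yield (src, dst, payload), src/dst as (ip, port), for each IPv4/TCP record."""
    if struct.unpack_from("<I", capture)[0] != PCAP_MAGIC:
        raise ValueError("expected a classic little-endian pcap")
    off = 24
    while off + 16 <= len(capture):
        incl = struct.unpack_from("<IIII", capture, off)[2]
        f = capture[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:  # not IPv4/TCP
            continue
        ihl, total = (f[14] & 0x0F) * 4, struct.unpack_from("!H", f, 16)[0]
        tcp = f[14 + ihl:14 + total]
        sport, dport = struct.unpack_from("!HH", tcp)
        src = (".".join(map(str, f[26:30])), sport)
        dst = (".".join(map(str, f[30:34])), dport)
        yield src, dst, tcp[(tcp[12] >> 4) * 4:]


def follow_tcp_stream(capture: bytes, client, server) -> dict:
    """Concatenate each direction's payload in capture order (no seq reordering)."""
    streams = {"client": bytearray(), "server": bytearray()}
    for src, dst, data in tcp_payloads(capture):
        if (src, dst) == (client, server):
            streams["client"] += data
        elif (src, dst) == (server, client):
            streams["server"] += data
    return {k: bytes(v).decode("latin-1") for k, v in streams.items()}


def extract_ftp_session(streams: dict) -> dict:
    """Pair each client command with its final reply; keep the PASS that got
    230 and the STOR names that completed with 226."""
    cmds = [line for line in streams["client"].split("\r\n") if line]
    replies = [line for line in streams["server"].split("\r\n")
               if len(line) > 3 and line[:3].isdigit() and line[3] == " "]
    if replies and replies[0].startswith("220"):
        replies.pop(0)                                   # greeting precedes any command
    session, user, ri = {"user": None, "password": None, "uploads": []}, None, 0
    for cmd in cmds:
        if ri >= len(replies):
            break
        reply, ri = replies[ri], ri + 1
        if reply[0] == "1" and ri < len(replies):        # 1xx preliminary: final follows
            reply, ri = replies[ri], ri + 1
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg
        elif verb == "PASS" and reply.startswith("230"):
            session.update(user=user, password=arg)
        elif verb == "STOR" and reply.startswith("226"):
            session["uploads"].append(arg)
    return session


# Constructed control-channel exchange: a failed login, the real one, an upload.
SAMPLE_EXCHANGE = [
    (SERVER, "220 FTP server ready\r\n"),
    (CLIENT, "USER dropbox\r\n"), (SERVER, "331 Password required\r\n"),
    (CLIENT, "PASS wrong\r\n"), (SERVER, "530 Login incorrect\r\n"),
    (CLIENT, "USER dropbox\r\n"), (SERVER, "331 Password required\r\n"),
    (CLIENT, "PASS l0gs-2012\r\n"), (SERVER, "230 Login successful\r\n"),
    (CLIENT, "TYPE I\r\n"), (SERVER, "200 Type set to I\r\n"),
    (CLIENT, "STOR VICTIM-PC.dat\r\n"), (SERVER, "150 Ok to send data\r\n"),
    (SERVER, "226 Transfer complete\r\n"),
    (CLIENT, "QUIT\r\n"), (SERVER, "221 Goodbye\r\n"),
]


def sample_capture() -> bytes:
    return pcap(frame(src, SERVER if src == CLIENT else CLIENT, text.encode())
                for src, text in SAMPLE_EXCHANGE)
```

Pairing commands with replies rather than grepping for `PASS` is the part worth keeping: a bot that retries a stale password leaves several PASS lines in the stream, and only the one answered with 230 is the credential that still works. The same pairing, keyed on STOR, gives the list of files the keylogger actually managed to upload.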

------
infinitivium
This is an awesome post! I want to see more of this on HN. There is a Mac
program called Private Eye that monitors netstat and shows if programs connect
to remote addresses. I always run it after downloading a new app so I can see
where it's phoning home to.

------
SjuulJanssen
Would be nice if there were a community site for stuff like this where people
would work together. A bit similar to <http://www.419eater.com> but with just
the technical stuff.

------
_ikke_
Google cache version:
[https://webcache.googleusercontent.com/search?q=cache:http:/...](https://webcache.googleusercontent.com/search?q=cache:http://blog.spiderlabs.com/2012/04/pwning-a-spammers-keylogger.html)

------
hobbyist
Why didn't the attacker directly use the details in his code, rather than
creating a configuration file and decrypting it from the code?

------
acron0
I _love_ stories like this. Victory over the dark side, muahaha!

------
Duckaz
I aspire to be like you when I am older, great work :)

