
How I Cracked a Keylogger and Ended Up in Someone's Inbox - Spydar007
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
======
lossolo
The website we were running was under DDoS a couple of years ago. What we did
is we took the IPs of the servers that made the DDoS. Then we scanned the
ports, found a vulnerability in the application that was running on it, then
got into the server using this vulnerability. We checked open connections and
found one used for the command and control server (IRC server), then we
listened to the IRC channel. The DDoSers were talking about private things on
that channel... Then we entered their channel and disabled all their bots
using their own software, the source of which we got from a link pasted on
their channel. Then we confronted them; the period of silence after they had
read what we wrote was priceless. They never DDoSed us again.

~~~
kuschku
I’ve had a very similar experience – I’m surprised I’m not the only one who
did that.

I’d have expected the DDoSers to have better security.

~~~
sp0rk
Botnets have notoriously bad security. Many of the people running them have no
technical knowledge and/or are using "cracked" versions of paid botnet
software that are backdoored or intentionally left unsecured. A lot of the
software is heavily modified or even left incomplete by the person that leaked
it, leading to vulnerabilities open to anybody with some technical competence
and the time to poke around a little.

~~~
6stringmerc
Unrelated to this discussion, I must compliment you on your chosen handle. I
used a variation of that back in the day during Half-Life and early
Counter-Strike. Zero and everything hehe. Cheers.

------
gesman
Thanks to domaintools.com - I also found that the guy
(seemaexports3@gmail.com) used to own the domain bdmtsteel.com

I also found similarities between the above domain and these: transitoin-asia.com
seabunker.net

See this: [http://imgur.com/tsxqwiQ](http://imgur.com/tsxqwiQ)

If someone wants to do more research - would be fun to dig deeper.

~~~
55555
Good research. Can I ask what you used to make that graphic?

~~~
shocks
I'd also like to know the answer to this question! :)

~~~
gesman
Sure, I used Maltego (commercial version + commercial domaintools access):
[https://en.wikipedia.org/wiki/Maltego](https://en.wikipedia.org/wiki/Maltego)
(although Maltego also has a free version).

I love domaintools as it allows you to find anything by anything. Like domains
(current and historical) by email, or even by a fragment of registrant
information, such as by phone number or by zip code.
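
The registrant-pivot workflow gesman describes (domains linked through a shared email, phone number or zip code, expanded hop by hop the way Maltego transforms do) can be reproduced offline on any set of WHOIS records you already hold. The script below is an added example, not the commenter's code or anything from domaintools or Maltego; the WHOIS records in it are constructed placeholders, and the `pivot` function and `max_hops` parameter are this example's own names.

```python
"""Registrant pivoting over WHOIS records: start from one attribute value
(an email, a phone number, a zip code) and expand to every domain that
shares any pivot field, up to a hop limit. Added example; the records
below are constructed placeholders, not real registrations."""
import re
from collections import defaultdict, deque

# Constructed sample WHOIS records (placeholder domains and contact data).
RECORDS = [
    {"domain": "seed-example.test", "email": "owner@example.test",
     "phone": "+1.5550100", "zip": "10001"},
    {"domain": "sibling-a.test", "email": "owner@example.test",
     "phone": "+1.5550199", "zip": "10002"},
    {"domain": "sibling-b.test", "email": "other@example.test",
     "phone": "+1.555.0199", "zip": "10003"},
    {"domain": "far-cousin.test", "email": "third@example.test",
     "phone": "+1.5550177", "zip": "10003"},
    {"domain": "unrelated.test", "email": "nobody@example.test",
     "phone": "+1.5550000", "zip": "90210"},
]

PIVOT_FIELDS = ("email", "phone", "zip")


def normalize(field, value):
    """Canonicalize a registrant field so trivially different spellings
    still collide in the index (phone numbers keep digits only)."""
    value = (value or "").strip().lower()
    if field == "phone":
        value = re.sub(r"\D", "", value)
    return value


def build_index(records):
    """Map each (field, normalized value) to the set of domains carrying it."""
    index = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            value = normalize(field, rec.get(field))
            if value:
                index[(field, value)].add(rec["domain"])
    return index


def pivot(records, field, value, max_hops=2, fields=PIVOT_FIELDS):
    """Breadth-first expansion from one attribute value.

    Returns (hops, edges): hops maps each reached domain to its distance
    from the seed set, edges lists (domain, neighbour, field) links that
    explain why two domains were tied together."""
    index = build_index(records)
    by_domain = {r["domain"]: r for r in records}
    start = index.get((field, normalize(field, value)), set())
    hops = {d: 0 for d in start}
    queue = deque(sorted(start))
    edges = []
    while queue:
        dom = queue.popleft()
        if hops[dom] >= max_hops:
            continue  # do not expand beyond the hop budget
        rec = by_domain[dom]
        for f in fields:
            key = (f, normalize(f, rec.get(f)))
            for nbr in sorted(index.get(key, ())):
                if nbr == dom:
                    continue
                edges.append((dom, nbr, f))
                if nbr not in hops:
                    hops[nbr] = hops[dom] + 1
                    queue.append(nbr)
    return hops, edges


if __name__ == "__main__":
    hops, edges = pivot(RECORDS, "email", "owner@example.test", max_hops=2)
    for dom, h in sorted(hops.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"hop {h}: {dom}")
    for src, dst, f in edges:
        print(f"  {src} -> {dst} (shared {f})")
```

The hop limit is the important knob: in the constructed data, `far-cousin.test` is reached only through a shared zip code two hops out, which is exactly the kind of weak link (a common value shared by many unrelated registrants) that should be reported with its explaining edge rather than treated as attribution on its own.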

~~~
hughesey
For those without domaintools commercial accounts...
[http://viewdns.info/reversewhois/?q=seemaexports3%40gmail.co...](http://viewdns.info/reversewhois/?q=seemaexports3%40gmail.com)

~~~
Eupolemos
Thank you

------
popey456963
Is the header sticky for anyone else? It seems to take up ~30% of my screen
(Windows 7, Chrome Stable) [0].

[0] [http://puu.sh/pNYUH/d42d8395fc.jpg](http://puu.sh/pNYUH/d42d8395fc.jpg)

~~~
thesimon
Same on Chrome & Safari on Mac, but didn't notice it while reading, only when
I read your comment :)

~~~
alexpetralia
Same here, just noticed upon rechecking.

------
vmp
I've done this a few times for fun, simply search YouTube for a "game code
generator" or something like that, take your pick, download their magic "tool"
from the link in the video description and get disassembling with ILSpy [1]. A
ton of these "account stealers" are written in VB.NET and seem to be generated
from a template. Remember to stay safe and use a sandbox or virtual machine
when dealing with malicious code.

[1] [http://ilspy.net/](http://ilspy.net/)
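
Before opening one of these "tools" in ILSpy, a quick pass over the raw bytes tells you whether there is anything worth decompiling: .NET string literals are stored as UTF-16LE, so an ASCII-only strings run misses most of them. The script below is an added example, not the article's or the commenter's code; it extracts both encodings from a constructed byte blob and flags strings that look like e-mail addresses, URLs or credential settings (the kinds of hard-coded values the article's sample contained). The `extract_strings` and `classify` names and the indicator patterns are this example's own.

```python
"""Triage strings in a suspected .NET binary: pull ASCII and UTF-16LE runs
and flag e-mail addresses, URLs and credential-looking assignments.
Added example; the sample blob is constructed, not a real binary."""
import re

# Indicator patterns applied to each decoded string (example's own choices).
INDICATORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://[^\s\"']+"),
    "credential": re.compile(r"(?i)\b(pass(word)?|pwd|login|user(name)?)\s*[=:]"),
}

# Constructed sample: a fake header, two UTF-16LE literals as a .NET
# assembly would store them, and two plain ASCII strings.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "login=backup_user".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + "https://upload.example.test/api".encode("utf-16-le") + b"\x00\x00"
    + b"mscorlib\x00"
    + b"report@example.test\x00"
    + b"\x01\x02\x03"
)


def extract_strings(blob, min_len=6):
    """Return (encoding, offset, text) for every printable run of at least
    min_len characters, in ASCII and in UTF-16LE, ordered by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(blob):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in utf16_run.finditer(blob):
        found.append(("utf16", m.start(), m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[1])
    return found


def classify(strings):
    """Return (kind, encoding, offset, text) for each string matching an
    indicator; a string may be reported under more than one kind."""
    hits = []
    for enc, off, text in strings:
        for kind, rx in INDICATORS.items():
            if rx.search(text):
                hits.append((kind, enc, off, text))
    return hits


def triage(blob, min_len=6):
    """Convenience wrapper: extract then classify."""
    return classify(extract_strings(blob, min_len))


if __name__ == "__main__":
    for kind, enc, off, text in triage(SAMPLE_BLOB):
        print(f"{off:#08x} {enc:5} {kind:10} {text}")
```

Run it against a real file with `triage(open(path, "rb").read())` inside a sandbox or VM, as the comment above advises; the point of the UTF-16 pass is that a decompiler-bound sample with hard-coded upload credentials usually shows them here in seconds, before any IL is read.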

~~~
yowmamasita
Does anyone know a better decompiler for .NET other than ILSpy? It's hit or
miss for me with ILSpy; I'd like to try something better, even if it's paid.

~~~
Sir_Cmpwn
Try dotPeek:
[https://www.jetbrains.com/decompiler/](https://www.jetbrains.com/decompiler/)

------
libeclipse
Aha I love those little messages at the end telling users to update their
software to the latest version. It's a cry to the void.

~~~
zyx321
On one hand, the average user will never update their software unless you
literally force them to.

On the other hand, your free upgrade to Windows 10 is ready. Would you like to
install it right now or later tonight?

~~~
libeclipse
Damn it, even Linux wants me to get Windows 10 now?

------
piqufoh
That's a great little story, interesting to read how these sorts of scams are
carried out, but I also found the code analysis and decompilation tale fun!

~~~
skraelingjar
I agree, it's amazing how stupid criminals can be, even online. It's scary to
think what someone as smart as these security researchers could do if they
went black hat...

~~~
ufmace
I'm thinking that's who's working on stuff like Stuxnet, Flame, etc. I wonder
what color hat we would consider Government-sponsored malware to be?

~~~
sorokod
National colours

------
unknown2374
I just hope someday the general public realizes what a poor job Microsoft has
done regarding security on Windows operating systems and embraces other (and
more promising) alternatives.

~~~
nchelluri
Broadly speaking, how would you design things? All I can think of doing is
putting explicit permission grants on everything, requiring everyone to click
a million times as was done with the first version of Vista's UAC, IIRC, which
is no solution IMO.

~~~
digler999
Ever heard of code signing? Maybe MSFT could use some of its 23 BILLION
dollars of yearly profit to test some of the programs and conditionally
approve them if they pass muster, also based on the historical reputation of
the signer (like eBay feedback). Then if they contain sleeper code or other
exploits, the keys are pulled, and updates are pushed to ALL users of the
program that revoke the key, thereby preventing mass exploits.

Come on, you're talking about the biggest and one of the oldest technological
conglomerates on earth. They could fix the ecosystem if they wanted. But since
they don't care about users, they'll wait till Google does it for them and then
sue over IP rights.

~~~
lazaroclapp
Sure, because it is not like anyone would accuse them of abusive business
practices and of trying to kill open source if they made it impossible to run
software not signed by them... /s

Even if you assume they would add a UEFI "enable developer mode" setting, this
would get them so much bad press (and, also, it would actually make developing
and distributing software on Windows a lot harder for smaller and open-source
developers, and deploying custom software harder for enterprise customers).

~~~
digler999
One of the things I love to criticize MS for is their "user account control":
_gee, looks like you're actually trying to....USE.... your computer for
something. You know, actually ...USING...your computer might damage it. Since
making a secure platform isn't profitable, we'll just make the screen darker,
cause you know, darkness kills the spyware_.

See, the signing system doesn't have to be mandated. It could pop up a
UAC-like screen but with an actually useful message: this code is _known_ to
have malware, we recommend you don't run it. If you absolutely want to, press
OK at your own risk.

Another message could say it's completely unsigned, so devs could still write
and distribute their own code. But make it _free_ to submit to the "app store"
and get reviewed by MS. That would work wonders to improve security across
their whole ecosystem, and not force anything down the users' throats.

------
matt_wulfeck
> It also attempts to steal password manager credentials and Windows keys.

Ugh I hate reading this. I keep everything in my password manager. If I lose
that I'm hosed. I wish more sites supported 2FA.

~~~
LoSboccacc
Or had no authentication at all, just authorization. Imagine having only an
OpenID password to memorize... one can dream, right?

~~~
bobsoap
Wouldn't that just consolidate the attackable footprint? What if openid, or
your openid account, got hacked?

~~~
LoSboccacc
Eh, same for email. Anyone with access to that can trigger a password
recovery exchange on most sites or pass an ID verification check on the
stricter ones.

------
jacquesm
Scary that a vulnerability that old is still worth exploiting.

~~~
wila
In spam runs, a success factor of one in a thousand can still pay off. I'm
afraid their results are better than that.

~~~
im3w1l
It doesn't have to be the case that it actually paid off. All we know is the
spammer thought it would.

------
nchelluri
A few questions I'm wondering about, if anyone can help:

- How do those PW stealers work? Are they similar to the Steam one, where
it'd delete existing creds and then sniff newly entered ones?

- Can this thing detect certain apps like FileZilla and then say "user
entered <FTP site creds>" and send individual fields, and is that what is
meant by supporting, say, FTP and FileZilla?

- What does PHP support mean? Maybe it looks for common stuff like php.ini
and various other conf files like FPM, and tries to find DB/cache connection
creds?

There's one other thing I'm wondering about, which is the light/easily
crackable encryption of the keylogger's internals. I vaguely remember
reading about Google's encryption on the new reCAPTCHA, and people talking
about all this stuff like complicated encryption routines baked into the
client-side JS that I really didn't understand except at a hand-wavy level,
and I wonder if that's the kind of thing some, say, intelligence/espionage
outfit could use.

Very interesting/engaging (fun) article, all in all, for me. And I appreciated
the understatement of the (well-deserved) plug at the end.

~~~
ufmace
> can this thing detect certain apps like FileZilla and then say "user entered
> <FTP site creds>" and send individual fields, and is that what is meant by
> supporting say FTP and FileZilla?

Could well be. I haven't messed with Win32 in a while, but I'm pretty sure
that you can sniff the contents of other applications' windows and dialogs.
With a little work, you should be able to take a common app and work out how
to detect its login windows, find the username and password and other
relevant fields, and pull out the contents.

I know if I was writing a hostile keylogger, I'd go to a lot of trouble to
know exactly what was entered where, instead of having to see a long stream of
keyboard input and figure out what the usernames and passwords are, and what
services they go with.

~~~
sb8244
Winspy++ offered the ability to look at the content of password fields in
native applications IIRC. It's been a few years since I've done anything on
Windows.

------
gruez
I'm surprised the .NET executable wasn't obfuscated (as they usually are).

------
Koahku
Using Volafile to host the keylogger executable seems like a pretty bad choice
considering that this website will delete your files after only 2 days. Or
maybe this shouldn't surprise me so much considering the "skills" of the
attacker.

~~~
wtracy
They probably expect to upload a new build every few days, anyway. Note the
login credentials hard-coded into the executable.

Presumably, people who take more than 48 hours to open their email were deemed
an edge case not worth worrying about.

------
heisenburgzero
Where did ).exe come from? I thought you needed to use VBScript of some sort
to download a file from the command line.

------
Zhycrin
10/10 brilliant. If only I was smart enough to do this...

------
Zhycrin
Actually, this is interesting.

------
darekdk
Fantastic write up! Good work.

------
ascotan
Nice writeup.

