
Pwning a Spammer's Keylogger

318 points | wglb | 14 years ago | blog.spiderlabs.com

64 comments

[+] pilif|14 years ago|reply
> Well, for the dump file BPK.DAT, the XOR key partially worked, but to make it more readable I XORed it using two bytes 0xAA, 0x00

I'd say the older version that was analyzed before wasn't using unicode yet, whereas the later version was.

Very cool how you see the effects of character encodings all over the place - even where you don't expect them.

Also, if done right, the "encryption" should IMHO have been done after the file has been written in its native encoding using an input byte sequence. But seeing that the XOR key had that second 0 byte, I'd say that the encryption was done using a "string" key instead of plain bytes.

And don't get me started on the idea of using XOR as "encryption" - especially with a repeated pattern like this, this can't even be reasonably called obfuscation IMHO.
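
Added example, not code from the SpiderLabs post or from anyone in this thread: it reproduces the encoding effect pilif describes. A key typed as the one-character "string" `\xAA` and stored as a Windows wide string becomes the bytes `AA 00`; applied to a UTF-16LE log, the single byte `0xAA` fixes every low byte but turns every high byte into `0xAA` (the "partially worked" view in a hex editor), while the two-byte key restores the text. The last function goes beyond the comment and shows why the scheme is weak: for ASCII text in UTF-16LE the odd plaintext bytes are all zero, so a two-byte key can be read off a dump directly. The log line, file name and key are constructed for the example.

```python
# Added example (not from the post or the thread): XOR of a UTF-16LE keylog with a
# two-byte "wide string" key, and why a one-byte key only half-decodes it.
from collections import Counter


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wide_string_key(s: str) -> bytes:
    """A key stored as a Windows wide (UTF-16LE) string: '\\xaa' becomes AA 00."""
    return s.encode("utf-16-le")


# Constructed sample log line (not real captured data); the keylogger writes UTF-16LE.
SAMPLE_LOG = "[notepad.exe] the quick brown fox jumps over the lazy dog\r\n"
PLAINTEXT = SAMPLE_LOG.encode("utf-16-le")

# The on-disk dump: plaintext XORed with the "string" key, i.e. bytes AA 00 repeating.
DUMP = xor_with_key(PLAINTEXT, wide_string_key("\xaa"))


def partial_decode(dump: bytes) -> bytes:
    """XOR with the single byte 0xAA: low bytes come out right, high bytes become 0xAA."""
    return xor_with_key(dump, b"\xaa")


def decode_two_byte(dump: bytes) -> str:
    """XOR with AA 00 (the actual key) and decode as UTF-16LE."""
    return xor_with_key(dump, b"\xaa\x00").decode("utf-16-le")


def recover_key_from_utf16(dump: bytes) -> bytes:
    """Recover a two-byte XOR key from a dump of ASCII text stored as UTF-16LE.

    Odd plaintext bytes are 0x00 for ASCII, so the most common odd ciphertext byte
    is the key's second byte as-is. For the first byte, assume the most common
    even plaintext byte is the space (0x20), the usual frequency-analysis guess.
    """
    odd_byte = Counter(dump[1::2]).most_common(1)[0][0]
    even_byte = Counter(dump[0::2]).most_common(1)[0][0]
    return bytes([even_byte ^ 0x20, odd_byte])


if __name__ == "__main__":
    half = partial_decode(DUMP)
    print("single-byte key, even bytes :", half[0::2])
    print("single-byte key, odd bytes  :", set(half[1::2]))
    print("two-byte key                :", decode_two_byte(DUMP).rstrip())
    print("recovered key               :", recover_key_from_utf16(DUMP).hex())
```

The space-frequency guess in `recover_key_from_utf16` only holds for text with plenty of spaces; a dump of mostly URLs or passwords would need a different known-plaintext guess, such as a fixed header the logger writes at the top of every file.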

[+] ajross|14 years ago|reply
Peeve: Not unicode, UTF16. Unicode apps aren't synonymous with wide characters (though on Windows you're pretty much stuck as that's what the API picked, sigh), and in fact UTF8 is an objectively better encoding for almost all users.
[+] yread|14 years ago|reply
Ah, good old HIEW. It's the simplest and nicest disassembler - open a file, switch to disassembly with one keypress. Move one line or one byte at a time for defeating code that jumps into the middle of instructions, edit the assembly (ok, code bytes) in place with a live preview of what instructions you're writing. All in 130KB of code :) http://www.hiew.ru/

EDIT: I wonder why the author is using a version from 2004 though... I had to double check the date of the article. This tool is well worth the money!!!

[+] malkia|14 years ago|reply
Another good hex browser and file manager is FAR2 (from the WinRAR author).

Also cygwin's midnight commander (when it fits the purpose).

I love console tools :)

[+] StavrosK|14 years ago|reply
> This tool is well worth the money!!!

To you, maybe. I have no use for it, so it's not, especially when it costs $200.

[+] jiggy2011|14 years ago|reply
Reverse engineering stuff like this can be fun. I remember trying to reverse engineer some random .exe that got emailed to me once.

I disassembled it but all I found was some basic initialization code and then a jmp to an address that didn't seem to exist. However when I ran it (in a VM) with a debugger it seemed to go through all kinds of Win32 Calls.

Very odd

[+] chas|14 years ago|reply
It's very common for malware (or other code that doesn't want to be reverse engineered) to decrypt itself in that initialization loop to generate the code that is jumped to. It is also very common for malware to use exception handling as control flow, which could also explain a nonsense jump.
[+] evilswan|14 years ago|reply
Great post, really enjoyed following the trail along with the author. The sad part is, knowing how useless a lot of ISPs' abuse@ emails are, the FTP might never be taken down this way.
[+] underwater|14 years ago|reply
I'm hoping that "emailed the ISP" means "deleted the contents of the server and emailed the ISP".
[+] farmdawgnation|14 years ago|reply
I would have replaced all the existing keylogger files with pictures of Rick Astley and Rebecca Black, but that's just me.
[+] jiggy2011|14 years ago|reply
You're getting into dangerous legal territory there (technically you are by just connecting to the FTP I guess).

Bear in mind that many of the servers used by these guys do not belong to them and are probably a neglected server somewhere that was set up by an innocent party for other purposes but was subsequently pwned by the malware people.

[+] drostie|14 years ago|reply
Hey, let's use XOR-encrypt -- it works so well in the movies!

But seriously, it's nice to see this sort of post about breaking into the inbreakers' code.

I'm a little surprised that people are treating logging into the FTP server (if not deleting the keylogs) as a legal gray area. I understand the moral dilemma of vigilante justice, but in principle, just doing an FTP connect and LIST seems to be well within your right, given that they gave you software which logs in and makes a directory and sends your keylog. Is there a real concern that someone will take you to court for that?

[+] DanBC|14 years ago|reply
> Is there a real concern that someone will take you to court for that?

I think the concern is more along drawing a bright line between black hat and white hat.

Researchers have to do stuff which is borderline illegal; at least it's sometimes tricky to know if they're breaking any laws. Thus, they'll create a set of clear and easy to understand rules and work to those, which means that they reduce their risk of legal action.

"Don't fight abuse with abuse" is (or at least was) a very common phrase. That's a pretty good idea, when some people aren't capable of knowing who the bad person is. We don't want denial of service attacks against innocent people.

Having said that, it's annoying as hell that ISPs don't do more to stop this kind of thing.

[+] datagramm|14 years ago|reply
"This keylogger program can be legitimately purchased and used, ostensibly for monitoring your kids’ or employees’ browsing habits, etc. As you can imagine, PK can also be used for badness."

Is this person suggesting that using a keylogger to spy on your employees/children without their knowledge is not 'badness'?!

[+] sequoia|14 years ago|reply
Recording your employees' use of company computers, given proper disclosure, is an employer's prerogative. It's also legal (in some locales) for parents to do this to their children. I find it immoral, personally (the latter), but this is not the point of the story at all and the story was interesting and highly relevant, so I'm really disappointed to see this is the top comment.
[+] monochromatic|14 years ago|reply
There are legitimate uses for a keylogger. You can argue about children, but I can certainly imagine circumstances where I'd think about using one on my kids.

As for employees, if it's a work computer I pretty much say anything is fair game.

[+] dkersten|14 years ago|reply
I remember coming across a malicious piece of JavaScript that found its way onto some websites a few years back. Just for fun, I traced it through the various stages to find out what it did. I decoded the JS to find out that it downloaded an executable. I used objdump to look at the executable and through some tinkering and Google searching found out it was packed with UPX. So I unpacked it and I think I went through one or two more stages (with the help of people on various forums) before we got to the raw binary. Someone on the forums also ran it in a VM and we found out it connected to one of a handful of IP addresses. After some tinkering and looking through the code, someone on the forums figured out that it stole WoW account passwords.

It was a lot of fun and felt a bit like being a detective of some kind.

[+] martingordon|14 years ago|reply
Correct me if I'm wrong, but one of the additional benefits of using a password manager such as 1Password is that it thwarts keyloggers. They may only get your master password (which shouldn't be your password on any site) but your site specific user name and password are never actually typed.
[+] bockris|14 years ago|reply
I don't know if you're wrong, but how do those password programs work? If they emulate a keyboard by sending keystrokes to the appropriate input field they are most likely logged by programs like these (not HW keyloggers, though).

If the password programs use the clipboard, then it is just another source for the keylogger to capture and trivial to add. (edit: a screenshot lower in the article of the 'Perfect Keylogger' options screen shows a clipboard option.)

[+] pavel_lishin|14 years ago|reply
They may also get your 1Password username, since it's your e-mail address. Then all they have to do is download 1Password, try your master password combination with various e-mails you may have typed (signing up for a website, etc.) and suddenly, it's much, much, much worse.
[+] vaksel|14 years ago|reply
yeah but then all you have to do is get hit by a virus specifically designed for that one password manager and you lose everything
[+] ertdfgcb|14 years ago|reply
I wonder how he just happened to notice the keylogger connecting to FTP? Did he have a monitor in the background or something? Seems like that would be a good practice for doing things like this, and this guy obviously knows his stuff.
[+] jiggy2011|14 years ago|reply
A simple firewall should do the job, or failing that wireshark. I'm assuming the guy did this inside a VM and had the host machine monitoring what was happening.
[+] drtse4|14 years ago|reply
I guess he simply had a firewall that monitors active connections on his workstation (when an unregistered program tried to access the network an alert showed up).
[+] nicksuan|14 years ago|reply
Yes, on a machine where you do analysis like that, you typically monitor all outgoing and incoming connections.
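
Added example, not code from the post or from anyone in this thread: the outbound-connection monitoring the last few comments describe, reduced to a diff between two snapshots of `netstat -ano`-style output taken on an analysis VM (before and after running the sample). Both snapshots, the PID-to-process map and the addresses (RFC 5737 documentation ranges) are constructed for the example; the function `new_outbound` reports any connection that is present in the later snapshot, absent from the baseline, and not a listener.

```python
# Added example (not from the post or the thread): report new outbound connections
# between two constructed "netstat -ano" snapshots from an analysis VM.
import re
from typing import Dict, List, NamedTuple, Optional


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: Optional[str]  # UDP rows have no state column
    pid: int


# Matches the data rows of "netstat -ano"; header and blank lines are skipped.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -ano output into Conn tuples, ignoring non-data lines."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def is_outbound(c: Conn) -> bool:
    """Listeners and wildcard peers are not connections to a remote host."""
    if c.state == "LISTENING":
        return False
    return not c.remote.startswith(("0.0.0.0", "*", "[::]"))


def new_outbound(baseline_text: str, later_text: str) -> List[Conn]:
    """Outbound connections in the later snapshot that the baseline did not have."""
    seen = set(parse_netstat(baseline_text))
    return [c for c in parse_netstat(later_text) if c not in seen and is_outbound(c)]


# Constructed baseline snapshot (addresses from documentation ranges, not real hosts).
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.0.2.10:49700       203.0.113.5:443        ESTABLISHED     2412
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed later snapshot: one extra FTP session opened by a new PID.
LATER = BASELINE + (
    "  TCP    192.0.2.10:49712       198.51.100.23:21       ESTABLISHED     3320\n"
)

# Constructed PID-to-image map, as you would read it off Task Manager or tasklist.
PROCESS_NAMES: Dict[int, str] = {
    880: "svchost.exe",
    1104: "svchost.exe",
    2412: "firefox.exe",
    3320: "sample-under-test.exe",  # placeholder name for the analysed binary
}


def describe(conns: List[Conn], names: Dict[int, str]) -> List[str]:
    """One human-readable alert line per new outbound connection."""
    return [
        f"{names.get(c.pid, '?')} (pid {c.pid}) -> {c.remote} [{c.proto} {c.state or ''}]".rstrip(" []")
        for c in conns
    ]


if __name__ == "__main__":
    for line in describe(new_outbound(BASELINE, LATER), PROCESS_NAMES):
        print("NEW OUTBOUND:", line)
```

A host firewall that prompts on every new outbound program does the same job interactively; the snapshot diff is the scriptable version, and running it from the host against a guest capture keeps the monitor outside the sample's reach.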
[+] infinitivium|14 years ago|reply
This is an awesome post! I want to see more of this on HN. There is a Mac program called Private Eye that monitors netstat and shows if programs connect to remote addresses. I always run it after downloading a new app so I can see where it's phoning home to.
[+] SjuulJanssen|14 years ago|reply
Would be nice if there would be a community site for stuff like this where people would work together. A bit similar to http://www.419eater.com but then just only the technical stuff.
[+] hobbyist|14 years ago|reply
Why didn't the attacker directly use the details in his code, rather than creating a configuration file and decrypting it from the code?
[+] acron0|14 years ago|reply
I love stories like this. Victory over the dark side, muahaha!
[+] Duckaz|14 years ago|reply
I aspire to be like you when I am older, great work :)