Educause Security Discussion mailing list archives
Re: keyboard logger?
From: Jordan Wiens <numatrix () UFL EDU>
Date: Wed, 21 Jul 2004 14:49:13 -0400
On Wed, 21 Jul 2004, Mark Wilson wrote:
> Has anyone heard of a keyboard logger keykb.exe (167kb)? A complement program may be named bkyek.ni (211 kb). Any information on this is appreciated. I am not that experienced in evaluating malware so any other tips on obtaining information about malware may help.
The keykb.exe is detected as the following:

Clamscan: Trojan.Spy.Agent.P
F-secure: TrojanSpy.Win32.Agent.p [AVP] (f-secure just uses kav to detect it in this case)
Dr. Web: Trojan.Virtumod
Kaspersky: TrojanSpy.Win32.Agent.p
RAV: TrojanSpy/Win32.Agent.P

You can try searching for more info from those AV vendor sites. It's UPX packed (thanks Kaspersky).

Here's some selected strings for fun:

http://203.199.200.61/
:AttachThreadInput
POST
HTTP/1.1
g_PopupPerDay
g_ServerIPs
g_Upgrade
c:\Projects\GatorClone\GatorClone\Release\GatorClone.pdb
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
c:\Projects\GatorClone\KillHook\Release\KillHook.pdb

The other ini file is either encrypted or compressed, doesn't contain any strings, or some combination of those, and doesn't have a format I can guess at by glancing through it.

Quick and Dirty General Malware Analysis Tutorial:
--------------------------------------------------

For easy and effective malware analysis, get a copy of vmware (30 day free versions available, but it's well worth the cost if you can get your university to buy a copy) and load it up with:

http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/freeware/pmon.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Along with a good sniffer (ethereal is hard to beat: http://www.ethereal.com/) and, depending on your level of guts, run it in the vmware environment with the network off or on and monitor what it does. Make sure to save a snapshot of your vmware image after you've set it up, before infection, so you can reset it to a clean state immediately afterwards.

On the linux side of things, there are a number of anti-virus programs you can purchase or get for free that you can script together to scan malware automatically. That and the file and strings commands are essential as well (for windows equivalents try:

http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
http://gnuwin32.sourceforge.net)

Windows users could try the same, assuming they were able to get the command-line scanners of the anti-virus software installed and scripted together as well.

Alternatively, check out virustotal, which does most of the hard work for you: http://www.virustotal.com. One of the few downsides to virustotal is they don't report the packing information that (for example) Dr. Web and Kaspersky report, which can be essential to unpacking and examining malware.

For those who really want to dig deep, get a good disassembler/debugger in your vmware image as well. I'd highly recommend Ollydbg (though there was a recent exploit announced in it, but that's why we're running it in our vmware image anyway, right? We're already planning on running malware, so that shouldn't be that much of a problem other than the fact that Ollydbg can't debug code specifically built to exploit it): http://home.t-online.de/home/Ollydbg/ though many people like the commercial products SoftIce and IDA Pro.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
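As an added example (not from the thread and not part of any tool it mentions), here is a small Python triage script that does the `strings`-plus-packer check described above: it pulls printable-ASCII runs out of a binary, flags UPX section names (the packing detail VirusTotal does not report) and sorts the strings into URLs, input-hook APIs, PDB paths and HTTP verbs. The sample bytes are constructed to echo the strings posted in the reply; the API list beyond AttachThreadInput is my own choice of well-known keyboard-capture calls, not something the thread names.

```python
import re
from typing import Dict, List

# Constructed sample standing in for the keykb.exe binary discussed in the
# thread. It is NOT the real file; the embedded strings echo the ones posted.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"   # UPX section names
    + b"\x01\x02\x03http://203.199.200.61/\x00\x05\x06"
    + b"AttachThreadInput\x00POST\x00HTTP/1.1\x00g_ServerIPs\x00"
    + b"c:\\Projects\\GatorClone\\GatorClone\\Release\\GatorClone.pdb\x00"
    + b"\xff\xfe\x07ab\x00zz\x00"                     # runs too short to count
)

# Section names / markers left behind by the UPX packer.
PACKER_MARKERS = {"UPX": ("UPX0", "UPX1", "UPX!")}
# APIs a keyboard logger commonly imports (AttachThreadInput is from the
# thread; the rest are my own additions).
HOOK_APIS = {"AttachThreadInput", "SetWindowsHookExA",
             "SetWindowsHookExW", "GetAsyncKeyState"}
HTTP_TOKENS = ("GET", "POST", "HTTP/1.0", "HTTP/1.1")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, object]:
    """Quick static triage: packer markers and interesting string classes."""
    strings = extract_strings(data)
    found = set(strings)
    return {
        "packers": [name for name, marks in PACKER_MARKERS.items()
                    if any(m in found for m in marks)],
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "hook_apis": sorted(found & HOOK_APIS),
        "pdb_paths": [s for s in strings if s.lower().endswith(".pdb")],
        "http_tokens": [s for s in strings if s in HTTP_TOKENS],
        "string_count": len(strings),
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it against a suspect file inside the disposable VM, alongside the sniffer and the Sysinternals monitors, to decide whether unpacking is needed before any deeper look.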