Educause Security Discussion mailing list archives

Re: keyboard logger?


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 21 Jul 2004 14:46:31 -0500

Jordan,
Thanks for this very useful info and the help.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

numatrix () UFL EDU 7/21/2004 1:49:13 PM >>>
On Wed, 21 Jul 2004, Mark Wilson wrote:

Has anyone heard of a keyboard logger keykb.exe (167kb)?  A complement
program may be named bkyek.ni (211 kb).  Any information on this is
appreciated.  I am not that experienced in evaluating malware so any
other tips on obtaining information about malware may help.

The keykb.exe is detected as the following:

Clamscan:       Trojan.Spy.Agent.P
F-secure:       TrojanSpy.Win32.Agent.p [AVP]
                (f-secure just uses kav to detect it in this case)
Dr. Web:        Trojan.Virtumod
Kaspersky:      TrojanSpy.Win32.Agent.p
RAV:            TrojanSpy/Win32.Agent.P

You can try searching for more info from those AV vendor sites.

It's UPX packed (thanks Kaspersky).  Here are some selected strings for fun:

http://203.199.200.61/
:AttachThreadInput
POST
HTTP/1.1
g_PopupPerDay
g_ServerIPs
g_Upgrade
c:\Projects\GatorClone\GatorClone\Release\GatorClone.pdb
Copyright (c) 1992-2001 by P.J. Plauger, licensed by Dinkumware, Ltd.
ALL RIGHTS RESERVED.
c:\Projects\GatorClone\KillHook\Release\KillHook.pdb

The other ini file is either encrypted or compressed, doesn't contain any
strings, or some combination of those, and doesn't have a format I can
guess at by glancing through it.


Quick and Dirty General Malware Analysis Tutorial:
--------------------------------------------------
For easy and effective malware analysis, get a copy of vmware (30 day free
versions available, but it's well worth the cost if you can get your
university to buy a copy) and load it up with:
http://www.sysinternals.com/ntw2k/source/filemon.shtml
http://www.sysinternals.com/ntw2k/freeware/pmon.shtml
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Along with a good sniffer (ethereal is hard to beat:
http://www.ethereal.com/) and depending on your level of guts, run it in
the vmware environment with the network off or on and monitor what it
does.

Make sure to save a snapshot of your vmware image after you've set it up
before infection so you can reset it to a clean state immediately
afterwards.

On the linux side of things, there are a number of anti-virus programs you
can purchase and get for free that you can script together to scan malware
automatically.  That and the file and strings commands are essential as
well (for windows equivalents try:
http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
http://gnuwin32.sourceforge.net)

Windows users could try the same assuming they were able to get the
command-line scanners of the anti-virus software installed and scripted
together as well.  Alternatively, check out virustotal which does most of
the hard work for you: http://www.virustotal.com.  One of the few
downsides to virustotal is they don't report the packing information
that (for example) Dr. Web and Kaspersky report which can be essential to
unpacking and examining malware.

For those who really want to dig deep, get a good disassembler/debugger in
your vmware image as well.  I'd highly recommend Ollydbg (though there was
a recent exploit announced in it, but that's why we're running it in our
vmware image anyway, right?  We're already planning on running malware, so
that shouldn't be that much of a problem other than the fact that Ollydbg
can't debug code specifically built to exploit it):
http://home.t-online.de/home/Ollydbg/ though many people like the
commercial products SoftIce and IDA Pro.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
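As an added illustration of the strings-based triage step described in the tutorial above (this is example code, not from the post or from any of the tools it mentions): a small Python script that pulls printable strings out of a binary the way strings(1) does and groups the ones worth a second look, the classes of indicator quoted in the thread (URLs and IPs, PDB build paths, hook-related Win32 API names, UPX section names). The sample bytes are constructed here, and the pattern list is an assumed starting heuristic, not a complete signature set.

```python
import re
from collections import defaultdict

# Assumed triage heuristics (not from the post): string classes worth a second look.
PATTERNS = {
    "url": re.compile(rb"https?://[\w.\-/:%]+"),
    "ip": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "pdb_path": re.compile(rb"[A-Za-z]:\\[^\x00]*?\.pdb", re.IGNORECASE),
    "hook_api": re.compile(rb"SetWindowsHookEx|AttachThreadInput|GetAsyncKeyState"),
    "packer": re.compile(rb"UPX[0-9!]"),  # UPX leaves UPX0/UPX1 section names and a UPX! marker
}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data: bytes) -> dict:
    """Map each indicator class to the sorted, de-duplicated strings that matched it."""
    hits = defaultdict(set)
    for s in extract_strings(data):
        for name, pat in PATTERNS.items():
            for m in pat.findall(s):
                hits[name].add(m.decode("ascii"))
    return {name: sorted(vals) for name, vals in hits.items()}

def string_density(data: bytes, min_len: int = 4) -> float:
    """Fraction of the file covered by printable strings. Packed or encrypted
    files score low, which is the hint to go looking for a packer stub."""
    covered = sum(len(s) for s in extract_strings(data, min_len))
    return covered / len(data) if data else 0.0

# Constructed stand-in for a packed PE: a header, UPX section names,
# opaque filler, and the strings quoted in the post.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"UPX0\x00\x00UPX1\x00" + b"\x01\x02\x8f\xa1" * 10
    + b"http://203.199.200.61/\x00AttachThreadInput\x00POST\x00HTTP/1.1\x00"
    + b"g_ServerIPs\x00c:\\Projects\\GatorClone\\Release\\GatorClone.pdb\x00"
)

if __name__ == "__main__":
    for name, vals in triage(SAMPLE).items():
        print(f"{name:9s} {vals}")
    print(f"string density: {string_density(SAMPLE):.2f}")
```

Point it at a real file with `triage(open(path, "rb").read())`; a low density together with UPX section names is the same packing signal Kaspersky reported above.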

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
