> Well, for the dump file BPK.DAT, the XOR key partially worked, but to make it more readable I XORed it using two bytes 0xAA, 0x00
I'd say the older version that was analyzed before wasn't using unicode yet, whereas the later version was.
Very cool how you see the effects of character encodings all over the place - even where you don't expect them.
Also, if done right, the "encryption" should IMHO have been done after the file has been written in its native encoding using an input byte sequence. But seeing that the XOR key had that second 0 byte, I'd say that the encryption was done using a "string" key instead of plain bytes.
And don't get me started on the idea of using XOR as "encryption" - especially with repeated pattern like this, this can't even be reasonably called obfuscation IMHO.
Peeve: Not unicode, UTF16. Unicode apps aren't synonymous with wide characters (though on Windows you're pretty much stuck as that's what the API picked, sigh), and in fact UTF8 is an objectively better encoding for almost all users.
But I was talking about the build of the software. The old was probably a build linking against the old ANSI API ("A" suffix), whereas the new one is using the wide version ("W" suffix), usually referred to as the Unicode variant of the API - hence my incorrect terminology.
Looking at the screenshots of that application, if I had to take a really wild guess, I would say that the application might have been built in delphi which moved to the Unicode API with Delphi 2010 IIRC.
That changed the byte-width of a the standard Delphi string (and the more basic PChar type) to 2 bytes and switched over to using the W-suffix API.
I guess all those years of doing Delphi work are rubbing off.
Ah good old HIEW. It's the simplest and nicest disassembler - open a file switch to disassembly with one keypress. Move one line or one byte at a time for defeating code that jumps in the middle of instructions, edit the assembly (ok code bytes) in place with live preview what instructions you're writing. All in 130KB of code :)
http://www.hiew.ru/
EDIT: I wonder why is the author using a version from 2004 though... I had to double check the date of the article. This tool is well worth the money!!!
Great post, really enjoyed following the trail along with the author. The sad part is, knowing how useless a lot of ISP's abuse@ emails are, the FTP might never be taken down this way.
That's why I hoped it was code. He wouldn't want to acknowledge illegal activity on his blog; though technically logging into the FTP server is probably illegal in itself.
depends I didn't see any banner and one could argue that his posting was covered by hue and cry :-)
"In common law, a hue and cry is a process by which bystanders are summoned to assist in the apprehension of a criminal who has been witnessed in the act of committing a crime."
Reverse engineering stuff like this can be fun.
I remember trying to reverse engineer some random .exe that got emailed to me once.
I disassembled it but all I found was some basic initialization code and then a jmp to an address that didn't seem to exist.
However when I ran it (in a VM) with a debugger it seemed to go through all kinds of Win32 Calls.
It's very common for malware (or other code that doesn't want to be reverse engineered) to be decrypting itself in the that initialization loop to generate the code that is jumped to. It is also very common for malware to use exception handling as control flow, which could also explain a nonsense jump.
You're getting into dangerous legal territory there (technically you are by just connecting to the FTP I guess).
Bear in mind that many of the servers used by these guys do not belong to them and are probably a neglected server somewhere that was setup by an innocent party for other purposes but was subsequently pwned by the malware people.
>You're getting into dangerous legal territory there (technically you are by just connecting to the FTP I guess).
How would you be? The software which was unsolicitedly installed on your computer is already going to be making that connection whether you want it to or not.
Still arguably breaking the law. You'd also most likely need more access than just FTP to do that so that so that would involve having to break into a shell or something.
It would difficult to know what to do in these situations because your choices are going to be limited to doing nothing and letting them get away with it or going vigilante and possibly exposing yourself to legal risk.
You could inform law enforcement but they are likely to either do nothing or decide to arrest you instead (I knew someone who had the police come to his house and confiscate his computer for over a year because a fellow student saw him using DOS prompt on a school computer and decided to report him for "hacking").
I find this very hard to believe (the last part). With any confiscation, you can argue in court. 1 year without a computer was his fault. I'd slap that agency with a lawsuit.
I'm sure he could have got his computer back much sooner if he was sensible but he was a dumb kid, I imagine he just waiting for the police to give it back to him (probably low on their list of things to do).
He had a habit of rubbing people up the wrong way, bragging about being having 'leet' computer skills (he didn't) and doing idiotic things like mass net sends at school so I'm sure it was in many ways his fault. Does show how paranoid the police can be about "hackers" though.
When did the "DOS Hacking" happen ? I did the same thing in middle-school (launched tracert from DOS) and was caught by a professor but didn't get reported to police luckily.
Hey, let's use XOR-encrypt -- it works so well in the movies!
But seriously, it's nice to see this sort of post about breaking into the inbreakers' code.
I'm a little surprised that people are treating logging into the FTP server (if not deleting the keylogs) as a legal gray area. I understand the moral dilemma of vigilante justice, but in principle, just doing an FTP connect and LIST seems to be well within your right, given that they gave you software which logs in and makes a directory and sends your keylog. Is there a real concern that someone will take you to court for that?
> Is there a real concern that someone will take you to court for that?
I think the concern is more along drawing a bright line between black hat and white hat.
Researchers have to do stuff which is borderline illegal; at least it's sometimes tricky to know if they're breaking any laws. Thus, they'll create a set of clear and easy to understand rules and work to those, which means that they reduce their risk of legal action.
"Don't fight abuse with abuse" is (at least was) very common phrase. That's pretty good idea, when some people aren't capable of knowing who the bad person is. We don't want denial of service attacks against innocent people.
Having said that, it's annoying as hell that ISPs don't do more to stop this kind of thing.
I remember coming across a malicious piece of javascript that found its way onto some websites a few years back. Just for fun, I traced it through the various stages to find out what it did. I decoded the js to find out that it downloaded an executable. I used objdump to look at the executable and through some tinkering and google searching found out it was packed with upx. So I unpacked it and I think I went through one or two more stages (with the help of people on various forums) before we got to the raw binary. Someone on the forums also ran it in a VM and we found out it connected to one of a handful of ip addresses. After some tinkering and looking through the code, someone on the forums figured out that it stole WoW account passwords.
It was a lot of fun and felt a bit like being a detective of some kind.
"This keylogger program can be legitimately purchased and used, ostensibly for monitoring your kidsβ or employeesβ browsing habits, etc. As you can imagine, PK can also be used for badness."
Is this person suggesting that using a keylogger to spy on your employees/children without their knowledge is not 'badness'?!
Recording your employees' use of company computers, given proper disclosure, is an employers prerogative. It's also legal (in some locales) for parents to do this to their children. I find it immoral, personally (the latter), but this is not the point of the story at all and the story was interesting and highly relevant, so I'm really disappointed to see this is the top comment.
Yes, although usually a keylogger is not necessary.
A few places I have worked the IT dept/Management had a VNC server running on every desktop (it showed up in the process list, I wasn't working in IT at the time).
I pointed this out to a few people who would use IM programs to 'flirt' with each other all day.
There are legitimate uses for a keylogger. You can argue about children, but I can certainly imagine circumstances where I'd think about using one on my kids.
As for employees, if it's a work computer I pretty much say anything is fair game.
Correct me if I'm wrong, but one of the additional benefits of using a password manager such as 1Password is that it thwarts keyloggers. They may only get your master password (which shouldn't be your password on any site) but your site specific user name and password are never actually typed.
I don't know if you're wrong but how do those password programs work? If they emulate a keyboard by sending keystokes to the appropriate input field they are most likely logged by programs like these. (not HW keyloggers tho).
If the password programs use the clipboard, then it is just another source for the keylogger to capture and trivial to add.
(edit: a screenshot lower in the article of the 'Perfect Keylogger' options screen shows a clipboard option.)
Not to mention the fact that once the attacker has enough access to your machine to get a keylogger installed they have pretty much pwned at least your user account so getting cookies/settings or whatever out of your browsers data folders shouldn't be too much of an issue.
> Not only is this manual work inconvenient, but as soon as βcopy and pasteβ are mentioned, you become vulnerable to keyloggers and phishing attacks.
Its been a while (AOL ;), but IIRC the Windows API lets you SET_TEXT directly by window handle.
Assuming that's how 1Password works, it should be safe. I think that's a fair assumption because using the clipboard or SendKeys to an input box is all kinds of trouble in practice, and the API is easy.
If you can SET_TEXT, you can probably also get text. I've heard stories of win32 "password stealers" that constantly loop through all the window handles on the system looking for password fields, and if one is found, they log the contents of all nearby text fields (to get the username) and the password field to a file.
Definitely. I meant that it probably didn't use the clipboard or keyboard emulation, and so it would be safe from those particular attacks. Didn't mean to imply it would be safe from everything.
To nitrogen's point, there's definitely a corresponding GETTEXT message. There's even hooks[1].
But that's about all I know. Haven't written a desktop app in > 10 years.
They may also get your 1Password username, since it's your e-mail address. Then all they have to do is download 1Password, try your master password combination with various e-mails you may have typed (signing up for a website, etc.) and suddenly, it's much, much, much worse.
Your 1Password keychain is stored locally and is never uploaded to Agile's servers. The attacker would have to upload the keychain first (or break into your Dropbox, if you have it stored in there)
I wonder how he just happened to notice the keylogger connecting to FTP? Did he have a monitor in the background or something? Seems like that would be a good practice for doing things like this, and this guy obviously knows his stuff.
A simple firewall should do the job, or failing that wireshark. I'm assuming the guy did this inside a VM and had the host machine monitoring what was happening.
I guess he simply had a firewall that monitors active connections on his workstation (when an unregistered program tried to access the network an alert showed up).
It looks like the author of the article was using Wireshark to intercept network traffic. In the article there is a screenshot of a window with the title "follow TCP stream" and a headline "Stream content", exactly like in Wireshark.
I have used the same trick sometimes when nobody could remember the FTP credentials, but they were stored in the FTP program and a connection to the FTP server was still possible. Sometimes the guy with access to the admin panel is just not available, so a possible solution is to use Wireshark to retrieve the password, which is usually transmitted without encryption.
This is an awesome post! I want to see more of this on HN. There is a mac program called Private Eye that monitors netstat and shows if programs connect to remote addresses. I always run it after downloading a new app so I can see where it's phoning home too
Would be nice if there would be a community site for stuff like this where people would work together. A bit similar to http://www.419eater.com but then just only the technical stuff.
I'd say the older version that was analyzed before wasn't using unicode yet, whereas the later version was.
Very cool how you see the effects of character encodings all over the place - even where you don't expect them.
Also, if done right, the "encryption" should IMHO have been done after the file has been written in its native encoding using an input byte sequence. But seeing that the XOR key had that second 0 byte, I'd say that the encryption was done using a "string" key instead of plain bytes.
And don't get me started on the idea of using XOR as "encryption" - especially with repeated pattern like this, this can't even be reasonably called obfuscation IMHO.