Inspired by this thread in the Facepunch programming forum, I thought I’d try my hand in reverse engineering some kid’s shitty key logger.
Since running maliacious programs on my main PC would be a really stupid idea, I set up a virtual machine running Windows 7 and loaded it with:
- JetBrains dotPeek
- Telerik JustDecompile
- Sysinternals’ Process Explorer and Process Monitor
- Some hex editor
- Visual Studio 2012 Express
- Sublime Text
Also make sure to take snapshots or whatever of your VM before you start.
With all of that out of the way, let’s get to the good stuff!
Finding a victim
Finding one of these trojans on YouTube isn’t hard at all. The hard part about it is finding one that doesn’t make you fill out a fucking survey to download or get the password to the zip file. Tricking people into downloading malware AND profiting from it? That’s pretty harsh man.
Finally I manage to find one that doesn’t require a survey to download.
Don’t leak this you guys!!!
Even Google Chrome is not too happy about this file. I’m sure if I was running MSE in the VM that would be going off right about now.
For this part, we’re going to break rule #1 (don’t run malware you idiot) for science. Discovering what the program does be beneficial to ultimately reverse engineering it. To do that we’re going to open up Process Monitor to log what the application does.
I’ll say this one last time. All of this is running inside of a closed environment. Running malicious code on your main PC or even a PC connected to your home network is a very bad idea. Don’t fucking do that.
Time to run it!
And nothing happens. Must be a bad application, I guess we’ll try another one right?
Wrong. The application is still running in the background and has a whole slew of events in procmon. I’ve attached the process monitor log file if you’d like to follow along. Let’s take a look to see if we find anything of interest, shall we?
Okay, it’s loading .NET libraries so it must be a .NET app.
Reading its own exe this late into execution? There must be something of value tacked on at the end.
This one is a bit interesting and I noticed this happen while watching Process Explorer. It seems to start another process of itself and then close the initial one.
More self reads, this time by the child process.
This one is my favorite. If you look closely you can see it replacing windows defender (if it was installed) with itself and adding it to the startup list. Nice.
Stealing cookies (from the cookie jar). Nice.
Other interesting things found in this log:
- A (failed) attempt to write to the hosts file
- Windows Version and computer name fetched from the registry
- A load of thread creations and exits
But most importantly
We now know how it phones home. Great. Where exactly is that data going? Well,
- 126.96.36.199 belongs to Google
- Port 587 is encrypted SMTP
I betcha can’t figure out what that means! (It’s sending email to gmail ya dingus)
If you’re writing malware, make sure it doesn’t error like this. To keep it fair I’m going to ignore this message box although it does give me some good clues.
That’s all for now
I’m going to be splitting this series up into separate posts so I can release it quicker. In the next part we’ll actually get into reverse engineering and less detective work like in this article.
Please let me know what you think of my posts so far.