The Perfect Keylogger (03/26/2007)
The Perfect Keylogger attempts to capture every keystroke occurring on the keyboard of the computer where it is installed. The information it gathers is then sent to the person attempting to spy on the system. Let’s see how the story unfolds.
Everything starts with a very kind email, offering us a unique opportunity for investment, where we can make a minimum of 15% profit per day for a period of 10 days. When we visit the web page, we find something like this:

But more is going on than what we can see: hidden in the page is code that tries to exploit the MDAC vulnerability. Through that code, the page downloads and executes a file called Junix.exe, a self-extracting compressed archive that contains several other files:
- bpk.exe
- bpkhk.dll
- bpkr.exe
- inst.dat
- pk.bin
The two .exe files and the .dll handle the keystroke capture and send the information to the attacker. The inst.dat file contains configuration data for installing the application. The pk.bin file contains the email address to which the information is sent, along with additional data. To avoid being discovered, the files bpk.exe, bpkhk.dll, and pk.bin are encrypted with a simple XOR operation, which is obfuscation rather than real protection.
After everything has been installed on the system, the malware notifies the attacker that the installation has been successfully carried out.

After alerting the attacker, it watches for anything typed on the keyboard and captures it. Additionally, every five minutes it takes a full-sized screenshot and prepares a thumbnail of it. Both are kept in a directory called dt, which the Trojan has previously created.
Then the captured information is sent to the attacker, so that he or she can check which pages we have been visiting and what we have been typing. The email looks something like this:

Attached to the attacker’s email is a file called websites.html, where the attacker can see URLs for the web pages that we have visited, along with the information that has been transmitted:

A second attached file called keystrokes.html shows the title of each web page we visited and what we typed at the keyboard:

So, the Perfect Keylogger is not only an effective keylogger but also a good screenshot maker. It may not be perfect, but its many abilities make it dangerous enough. So we give you one important piece of advice. Watch out; next time it could be you!