Saturday, October 23, 2010

The “Not So” Perfect Keylogger

I have seen a number of cases lately in which the method of data aggregation on Point of Sale Terminals was the use of Blazing Tools Perfect Keylogger. This is a commercial tool that is used to track the computer use of individuals within a family or a company. This blog is not about the legality or ethics of this tool, but rather about the technical specifics when looking for this tool during a compromise.

Below, is a timeline excerpt from a case I was working recently in which I saw Perfecet Keylogger running natively (ie…under the default naming convention). It should be noted, that the means of infiltration in 99% of these cases in an open remote administration port and default administrative passwords. This gave the intruders an easy path onto the target systems, and the credentials necessary to install the malware.

Pay special attention if you will, to the file names besides bpk.exe, specifically the letters after the “k” in “bpk”.

F:\timelines>strings _timeline.csv | grep -i bpk
Fri Aug 21 2009 02:42:56,499712,m..b,r/rrwxrwxrwx,0,0,13919-128-3,'C:/'/WINDOWS/system32/bpk.exe
Fri Aug 21 2009 02:42:56,19456,m..b,r/rrwxrwxrwx,0,0,13920-128-3,'C:/'/WINDOWS/system32/bpkr.exe
Fri Aug 21 2009 02:42:56,19968,m..b,r/rrwxrwxrwx,0,0,13922-128-3,'C:/'/WINDOWS/system32/bpkhk.dll
Fri Sep 04 2009 01:12:50,188895,ma.b,r/rrwxrwxrwx,0,0,14008-128-3,'C:/'/WINDOWS/security/bpk.chm
Mon Oct 19 2009 07:02:03,623,ma.b,r/rrwxrwxrwx,0,0,13996-128-1,'C:/'/WINDOWS/system32/bpk.dat
Sat Aug 21 2010 02:43:06,22586,...b,r/rrwxrwxrwx,0,0,13923-128-4,'C:/'/WINDOWS/Prefetch/BPK.EXE-06BA93D1.pf

As you can see, some of the key file names associated with Perfect Keylogger are: bpk.exe, bpkr.exe, bpkhk.dll, bpk.dat, and the configuration file not listed in the first timeline excerpt, pk.bin. These files are normally found in the C:\Windows\System32 directory, but can really run from any custom location, as indicated by the second timeline excerpt. When it’s seen in a RAM dump, it looks like this:






Below is a second example, in which the naming convention has been changed to confuse the would be investigator. Look at the letters after the “t” in “wuault.exe”. Do they look familiar? They should!

F:\timelines>strings timeline.csv | grep -i wuault
Fri Sep 04 2009 01:34:51,438272,m..b,r/rrwxrwxrwx,0,0,14055-128-3,'C:/'/WINDOWS/security/wuault.exe
Fri Sep 04 2009 01:34:51,24576,m..b,r/rrwxrwxrwx,0,0,14056-128-3,'C:/'/WINDOWS/security/wuaulthk.dll
Fri Sep 04 2009 01:34:51,40960,m..b,r/rrwxrwxrwx,0,0,14059-128-3,'C:/'/WINDOWS/security/wuaultwb.dll
Fri Sep 04 2009 01:34:51,215040,m..b,r/rrwxrwxrwx,0,0,14060-128-3,'C:/'/WINDOWS/security/wuaulti.dll
Fri Sep 04 2009 01:34:51,7680,m..b,r/rrwxrwxrwx,0,0,14061-128-3,'C:/'/WINDOWS/security/wuaultr.exe
Sat Sep 04 2010 05:44:06,16674,...b,r/rrwxrwxrwx,0,0,13976-128-4,'C:/'/WINDOWS/Prefetch/WUAULT.EXE-0E3FBF35.pf

When captured in a RAM dump, it looks like this:



Notice that the path is C:\windows\security. Also of note, look at the timeline above…see the “birth” date in my timeline? It says “Fri Aug 21 2009 02:42:56”, but the first prefetch file shows a timestamp of, “Sat Aug 21 2010 02:43:06”. About 10 seconds later…exactly one year later? What’s up with that? Well…let me tell you, but first, let’s quickly go over the Master File Table ($MFT), specifically the Standard_Information ($S_I), and File_Name ($F_N) attributes.
REAL basically, we all know that the $MFT holds information about the files on the disk. Well, one of those attributes, the $S_I, is accessible by the operating system (OS) and the user. So, what…that means that they can be changed, accessed, and yes…stomped. BUT, the $F_N attribute is not touched by anything except the kernel. So what does that mean? It means no modifications by the OS or the user…ie…no stomping.

So, Harlan sent me a Perl script he wrote which goes through the $MFT and extracts and parses the $S_I and $F_N attributes. So with our friend bpk.exe, it would look like this:

13919 FILE 14 1 0x38 4 1
0x0010 96 0 0x0000
0x0000
M: Fri Aug 21 07:42:56 2009 Z
A: Tue Oct 19 16:24:13 2010 Z
C: Tue Oct 19 16:12:26 2010 Z
B: Fri Aug 21 07:42:56 2009 Z ← This is the “modified” birth date of the file on the system.
0x0030 104 0 0x0000
0x0000
FN: bpk.exe Parent Ref: 847 Parent Seq: 1
M: Sat Aug 21 07:42:56 2010 Z
A: Sat Aug 21 07:42:56 2010 Z
C: Sat Aug 21 07:42:56 2010 Z
B: Sat Aug 21 07:42:56 2010 Z ← This is the actual “birth” date of the file on the system.
0x0080 88 1 0x0000
0x0000

And…it matches our Prefetch file, which further supports our finding that the timestamps have been modified. So be wary…if you come across Perfect Keylogger in a case, it will be offset by one year – I have seen this to be true in every Perfect Keylogger case I have worked, and it seems to be done as part of the install script. Now, while I have seen the binaries and associated dlls renamed, I have not seen the dump file (bpk.dat) or the configuration file (pk.bin) renamed. After downloading a trial version of Perfect Keylogger, I can see that you can change the output file, and path, so it’s possible…but like I said…just never seen it. I’m not certain the same can be said for the configuration file. I have tried several times unsuccessfully, so I think it may be hard coded into the program.

So if you try to open the bpk.dat, and the pk.bin they appear to be encrypted. Or are they? Through the efforts of the SpiderLabs Research Team, we found that they are NOT really encrypted, but rather encoded with a single xor key, 0xAA. So, when you use a simple xor script, against either one, you may get something that looks like this (since this was from a real case, I have modified the output, but the methods and the output format looks the same):

PK Password: "y0uv3b33np0wn3d"
License Name: "www.hacked.ws"
License: "PGTDFADBEPRCHGB"
Email Enabled?: true
SMTP Server: "10.10.10.10"
SMTP Port: 25
SMTP Username: "user"
SMTP Password: "p@ssw0rd"
Email Address: "p0wn3d@hackmemail.com"
FTP Enabled?: false
Hotkey Hex: keycode=0xdc modifier=0x07
Key-combo: SHIFT + CTRL + ALT + 6

So, this is great! You have the attacker’s email, the server he was using, his username and password! Better yet, you have the key-combo which is used to bring the Keylogger out of hidden mode. If the attacker wanted to use FTP instead of SMTP, you would see the same type of login information as you do for the SMTP example provided above. If you know that it’s running, but you don’t see the icon in the bottom of the screen, it’s in hidden mode. Simply use this key combination, and BAM, the icon will suddenly appear! Then, simply enter in the “PK Password” and you have access to the admin console of the keylogger! This configuration file will give you access to the time intervals in which the dump file is emailed or FTP’d. Pretty slick eh!

Now, it also uses the same xor to encode the dump file! So if you run the same xor script, you may see something that looks like this:

F:\ >cat bpk.dat.out
06-09-2010 03:22
wuault.exe
BlazingTools Perfect Keylogger: Options
[Password captured: p@ssw0rd]
15
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:53
Explorer.EXE
Run
cmd
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:54
cmd.exe
C:\WINDOWS\system32\cmd.exe
d:
dir
mkdir images
cd im
$#$#$#$#$#$#$#$#$#$#$#$#$#$
19-10-2010 10:56
cmd.exe
C:\WINDOWS\system32\cmd.exe
mkdir vol

Nice! Note that if you don’t have any scripting-fu (Perl, Ruby, Python, etc) you can simply install the trial version of Perfect Keylogger in a vmimage, and use the “view the log” option to see the decoded versions of the logs.

Additionally, the only registry entries I have seen for Perfect Keylogger are in the UserAssist key of an ntuser.dat file, showing initial execution, and in the RUN key of the SOFTWARE hive, showing that it’s set to start up at reboot.

NTUSER.DAT – UserAssist Key
=========================
UEME_RUNPATH:C:\Documents and Settings\\Desktop\i_bpk2007.exe (3) ← Indicates execution of the installation binary.


Software Hive
=========
Software\Microsoft\Windows\CurrentVersion\Run
C:\P15xx\DisableWriteCache.exe -s all
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
C:\WINDOWS\System32\bpk.exe ← Indicates that the keylogger will start each time the system boots.

So, if you are working on a case and you expect that you may have Perfect Keylogger, here are the key indicators of compromise:

Presence of:
• pk.bin, or bpk.dat (configuration or dump files)
• bpk.exe, wuault.exe, wuauclt.exe (running from the incorrect directory)
• binary and dlls timestopmed (check the $MFT)
• Entries in the ntuser.dat and SOFTWARE hives
• Active process running RAM with the same ending letters (as seen in the timeline example)

You can decode the configuration file and dump files with a simple xor, 0xAA key. Alternatively, you can use the demo version of the keylogger itself to open the dump file.

Good luck, and happy hunting!

11 comments:

  1. Hey Chris - Nice post. It was like Déjà vu especially the “wuault.exe” files. Nice try to mask the windows update process names

    ReplyDelete
  2. Hi there.
    Great info.
    On a compromised mac where this has been found and removed, there was a "com.BT.BPK.plist" file which can be opened with a plist editor, you can see lots of the same info and the file has all the configuration lines the same as the windows dat file it seems.
    Can this file be analysed to retrieve the smtp server settings etc as you have shown above?

    As even though the file can be opened, although the basic settings such as email frequency can be seen - the server it was sending to and address etc are hex/md5/hashed or otherwise coded in an unreadable format.

    Could you please post a very basic howto about how you opened the dat file with what script and what other things would need installing?
    Either on windows or linux.

    Thanks

    ReplyDelete
  3. I want to know how you found the decryption mechanism. I know nothing about it and would like to know how you were able to approach determining the decryption method/key.

    ReplyDelete
  4. Wow, I found this topic particularly interesting.

    ReplyDelete
  5. Too late to help the anonymous poster from Dec 29th, but for the benefit of other people who find this on a Mac: the encrypted values in the com.BT.BPK plist file are simply xored with 0xAA and then base64-encoded. To extract them, base64-decode and xor with 0xAA.

    ReplyDelete
    Replies
    1. I don't think that's the case anymore.

      Delete
  6. Hi what tools can i use to decode .dat files?

    ReplyDelete
  7. None that I am aware of. You have to figure out the xor string, and write a decoder. Mine was written in Ruby.

    ReplyDelete
  8. Hello, I've been hacked on my mac and would like to analyse the ftp/email settings in com.BT.BPK.plist
    How concretely can I base64-decode this file and xor with 0xAA

    To base64-decode, I used the following instruction on my terminal:
    perl -MMIME::Base64 -ne 'print decode_base64($_)' < com.BT.BPK.plist > out

    On http://www.darkfader.net/toolbox/convert/ I found a XOR calculator but I probably miss the basics as I cant get to a meaningful string...

    Thanks for helping / or direting me to a post where this is explained..!

    ReplyDelete