Below, is a timeline excerpt from a case I was working recently in which I saw Perfecet Keylogger running natively (ie…under the default naming convention). It should be noted, that the means of infiltration in 99% of these cases in an open remote administration port and default administrative passwords. This gave the intruders an easy path onto the target systems, and the credentials necessary to install the malware.
Pay special attention if you will, to the file names besides bpk.exe, specifically the letters after the “k” in “bpk”.
F:\timelines>strings _timeline.csv | grep -i bpk
Fri Aug 21 2009 02:42:56,499712,m..b,r/rrwxrwxrwx,0,0,13919-128-3,'C:/'/WINDOWS/system32/bpk.exe
Fri Aug 21 2009 02:42:56,19456,m..b,r/rrwxrwxrwx,0,0,13920-128-3,'C:/'/WINDOWS/system32/bpkr.exe
Fri Aug 21 2009 02:42:56,19968,m..b,r/rrwxrwxrwx,0,0,13922-128-3,'C:/'/WINDOWS/system32/bpkhk.dll
Fri Sep 04 2009 01:12:50,188895,ma.b,r/rrwxrwxrwx,0,0,14008-128-3,'C:/'/WINDOWS/security/bpk.chm
Mon Oct 19 2009 07:02:03,623,ma.b,r/rrwxrwxrwx,0,0,13996-128-1,'C:/'/WINDOWS/system32/bpk.dat
Sat Aug 21 2010 02:43:06,22586,...b,r/rrwxrwxrwx,0,0,13923-128-4,'C:/'/WINDOWS/Prefetch/BPK.EXE-06BA93D1.pf
As you can see, some of the key file names associated with Perfect Keylogger are: bpk.exe, bpkr.exe, bpkhk.dll, bpk.dat, and the configuration file not listed in the first timeline excerpt, pk.bin. These files are normally found in the C:\Windows\System32 directory, but can really run from any custom location, as indicated by the second timeline excerpt. When it’s seen in a RAM dump, it looks like this:
Below is a second example, in which the naming convention has been changed to confuse the would be investigator. Look at the letters after the “t” in “wuault.exe”. Do they look familiar? They should!
F:\timelines>strings timeline.csv | grep -i wuault
Fri Sep 04 2009 01:34:51,438272,m..b,r/rrwxrwxrwx,0,0,14055-128-3,'C:/'/WINDOWS/security/wuault.exe
Fri Sep 04 2009 01:34:51,24576,m..b,r/rrwxrwxrwx,0,0,14056-128-3,'C:/'/WINDOWS/security/wuaulthk.dll
Fri Sep 04 2009 01:34:51,40960,m..b,r/rrwxrwxrwx,0,0,14059-128-3,'C:/'/WINDOWS/security/wuaultwb.dll
Fri Sep 04 2009 01:34:51,215040,m..b,r/rrwxrwxrwx,0,0,14060-128-3,'C:/'/WINDOWS/security/wuaulti.dll
Fri Sep 04 2009 01:34:51,7680,m..b,r/rrwxrwxrwx,0,0,14061-128-3,'C:/'/WINDOWS/security/wuaultr.exe
Sat Sep 04 2010 05:44:06,16674,...b,r/rrwxrwxrwx,0,0,13976-128-4,'C:/'/WINDOWS/Prefetch/WUAULT.EXE-0E3FBF35.pf
When captured in a RAM dump, it looks like this:
Notice that the path is C:\windows\security. Also of note, look at the timeline above…see the “birth” date in my timeline? It says “Fri Aug 21 2009 02:42:56”, but the first prefetch file shows a timestamp of, “Sat Aug 21 2010 02:43:06”. About 10 seconds later…exactly one year later? What’s up with that? Well…let me tell you, but first, let’s quickly go over the Master File Table ($MFT), specifically the Standard_Information ($S_I), and File_Name ($F_N) attributes.
REAL basically, we all know that the $MFT holds information about the files on the disk. Well, one of those attributes, the $S_I, is accessible by the operating system (OS) and the user. So, what…that means that they can be changed, accessed, and yes…stomped. BUT, the $F_N attribute is not touched by anything except the kernel. So what does that mean? It means no modifications by the OS or the user…ie…no stomping.
So, Harlan sent me a Perl script he wrote which goes through the $MFT and extracts and parses the $S_I and $F_N attributes. So with our friend bpk.exe, it would look like this:
13919 FILE 14 1 0x38 4 1
0x0010 96 0 0x0000
M: Fri Aug 21 07:42:56 2009 Z
A: Tue Oct 19 16:24:13 2010 Z
C: Tue Oct 19 16:12:26 2010 Z
B: Fri Aug 21 07:42:56 2009 Z ← This is the “modified” birth date of the file on the system.
0x0030 104 0 0x0000
FN: bpk.exe Parent Ref: 847 Parent Seq: 1
M: Sat Aug 21 07:42:56 2010 Z
A: Sat Aug 21 07:42:56 2010 Z
C: Sat Aug 21 07:42:56 2010 Z
B: Sat Aug 21 07:42:56 2010 Z ← This is the actual “birth” date of the file on the system.
0x0080 88 1 0x0000
And…it matches our Prefetch file, which further supports our finding that the timestamps have been modified. So be wary…if you come across Perfect Keylogger in a case, it will be offset by one year – I have seen this to be true in every Perfect Keylogger case I have worked, and it seems to be done as part of the install script. Now, while I have seen the binaries and associated dlls renamed, I have not seen the dump file (bpk.dat) or the configuration file (pk.bin) renamed. After downloading a trial version of Perfect Keylogger, I can see that you can change the output file, and path, so it’s possible…but like I said…just never seen it. I’m not certain the same can be said for the configuration file. I have tried several times unsuccessfully, so I think it may be hard coded into the program.
So if you try to open the bpk.dat, and the pk.bin they appear to be encrypted. Or are they? Through the efforts of the SpiderLabs Research Team, we found that they are NOT really encrypted, but rather encoded with a single xor key, 0xAA. So, when you use a simple xor script, against either one, you may get something that looks like this (since this was from a real case, I have modified the output, but the methods and the output format looks the same):
PK Password: "y0uv3b33np0wn3d"
License Name: "www.hacked.ws"
Email Enabled?: true
SMTP Server: "10.10.10.10"
SMTP Port: 25
SMTP Username: "user"
SMTP Password: "p@ssw0rd"
Email Address: "firstname.lastname@example.org"
FTP Enabled?: false
Hotkey Hex: keycode=0xdc modifier=0x07
Key-combo: SHIFT + CTRL + ALT + 6
So, this is great! You have the attacker’s email, the server he was using, his username and password! Better yet, you have the key-combo which is used to bring the Keylogger out of hidden mode. If the attacker wanted to use FTP instead of SMTP, you would see the same type of login information as you do for the SMTP example provided above. If you know that it’s running, but you don’t see the icon in the bottom of the screen, it’s in hidden mode. Simply use this key combination, and BAM, the icon will suddenly appear! Then, simply enter in the “PK Password” and you have access to the admin console of the keylogger! This configuration file will give you access to the time intervals in which the dump file is emailed or FTP’d. Pretty slick eh!
Now, it also uses the same xor to encode the dump file! So if you run the same xor script, you may see something that looks like this:
F:\ >cat bpk.dat.out
BlazingTools Perfect Keylogger: Options
[Password captured: p@ssw0rd]
Nice! Note that if you don’t have any scripting-fu (Perl, Ruby, Python, etc) you can simply install the trial version of Perfect Keylogger in a vmimage, and use the “view the log” option to see the decoded versions of the logs.
Additionally, the only registry entries I have seen for Perfect Keylogger are in the UserAssist key of an ntuser.dat file, showing initial execution, and in the RUN key of the SOFTWARE hive, showing that it’s set to start up at reboot.
NTUSER.DAT – UserAssist Key
UEME_RUNPATH:C:\Documents and Settings\
C:\P15xx\DisableWriteCache.exe -s all
"C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
C:\WINDOWS\System32\bpk.exe ← Indicates that the keylogger will start each time the system boots.
So, if you are working on a case and you expect that you may have Perfect Keylogger, here are the key indicators of compromise:
• pk.bin, or bpk.dat (configuration or dump files)
• bpk.exe, wuault.exe, wuauclt.exe (running from the incorrect directory)
• binary and dlls timestopmed (check the $MFT)
• Entries in the ntuser.dat and SOFTWARE hives
• Active process running RAM with the same ending letters (as seen in the timeline example)
You can decode the configuration file and dump files with a simple xor, 0xAA key. Alternatively, you can use the demo version of the keylogger itself to open the dump file.
Good luck, and happy hunting!