
One of my friends' Runescape accounts got hacked through a key-logger. He downloaded a Runescape gold generator from a file sharing site and tried to use it. I have a strong doubt that it is a key-logger. So I ran the software in a virtual machine and the software is indeed sending some SMTP packets, but it is using Gmail and I can't understand the packets. Here is the dump of the packets:

http://pastebin.com/q1d0Vv3h

Now I want to know how to read these packets, as they are encrypted. What is the keylogger sending, and to which email ID is it sending it? How can I know this?

EDIT: here is the pcap file: http://www.mediafire.com/?6ulkjdf5a4eapbg

I uploaded the entire pcap file as there may be something else besides SMTP packets which I don't know about. It's almost 10 MB. If someone wants to check only the SMTP packets, kindly filter.

narayan
  • Sounds strangely like this: http://www.bbc.co.uk/news/technology-21371609 (11 year old Canadian who wrote a runescape login-info-stealing malware which sent info to his gmail account) – Mike Weller Feb 08 '13 at 16:21

1 Answer


The keylogger looks to be sending email using Gmail but the SMTP communication is encrypted with TLS (SSL).

Simple Mail Transfer Protocol
    Command Line: STARTTLS\r\n
        Command: STAR
        Request parameter: TLS

Simple Mail Transfer Protocol
    Response: 220 2.0.0 Ready to start TLS\r\n
        Response code: <domain> Service ready (220)
        Response parameter: 2.0.0 Ready to start TLS

You can use Fiddler on the host running the keylogger to intercept the SMTP messages before they are encrypted with TLS (SSL). Fiddler intercepts Windows WinINET-based applications so it will not intercept all SSL connections.

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

If the keylogger sends email, it means that it will collect keys for a certain amount of time and then send the email, which means that it will have to store those keys somewhere. Tracking file writes for that keylogger can point you to its cache, and maybe the key file will indicate if the keylogger is targeting Runescape or the user. I recommend Process Monitor for tracking file writes.

A different way of finding the destination email address is debugging the keylogger. You could start with a memory dump and a search for strings. First you identify the keylogger process by tracking the writes that happen after key presses, then use Process Explorer to search the strings from the memory dump of the process.


OllyDBG and a bit of patience can be useful for debugging the code of the keylogger by setting breakpoints on SMTP functions and then inspecting the memory for email addresses.

Cristian Dobre
  • @CristianDobre Is it usual for a logger of this type to use a file cache? Why not just `malloc` and cache in memory? Being entirely memory-resident at runtime makes it harder to find I would have thought. – lynks Feb 04 '13 at 13:46
  • Strange things. Though I checked the box for capturing and decrypting HTTPS packets in Fiddler, it is unable to catch the packets. I can clearly see the SMTP packets in Wireshark. In Process Explorer I can't see any strings in memory while checking the process properties. – narayan Feb 04 '13 at 13:53
  • Wow, I didn't know about the find strings function of Process Explorer. You just gave me a whole new appreciation of how awesome sysinternals is. – AJ Henderson Feb 04 '13 at 13:56
  • @lynks Most keyloggers I've analysed were storing keys on disk using simple encryption or obfuscation. Writing to disk has several advantages like logging offline and having a coherent log of the keys between reboots. Logging to memory would make manual analysis and detection more difficult but most malware is not written with anti-analysis in mind. – Cristian Dobre Feb 04 '13 at 14:19