CodeEngn 2010

Art of KeyloggingArt of Keylogging

Keyloggers who are nothing to do with the keyboard security solutionkeyboard security solution

강병탁 (window31)병탁 ( )

2010.07.03

1www.CodeEngn.com

2010 4th CodeEngn ReverseEngineering Conference

Who am I?Who am I?

• ByungTak Kang (window31)

• NEXON / Security Team – Hacking Analysis, Security Programmingy g g

• A contributor to “Microsoftware” a monthly IT Magazine for over 2 years g y

• A lecturer on hacking/reversing/security at various institutions (KISA, security community, ( y yuniversities, etc)

• 2009 Microsoft MVP Developer Securityp y

2

AgendaAgenda

• Prologue

• K l i Wi d A t• Keylogging Windows Account

• Login without passwordLogin without password

• Keylogging on the website

• Social Engineering Keylogging

• Bypass Keyboard security solution

• Offensive and defensiveOffensive and defensive

3

Prologue

4

Serious account issuesSerious account issues

5

Endless account problemsEndless account problems

• Wh d till f bl ft• Why do we still face many problems even after Keyboard security solution is installed ?

• What is the trend of malicious code today ?

• What we must do ?What we must do ?

6

Endless account problemsEndless account problems

/Trojan-PWS/W32.WebGame.101888.KTrojan-PWS/W32.WebGame.102768.BTrojan-PWS/W32.WebGame.102805Trojan-PWS/W32.WebGame.103150j /Trojan-PWS/W32.WebGame.103182Trojan-PWS/W32.WebGame.103463Trojan-PWS/W32.WebGame.103556Trojan-PWS/W32 WebGame 103810Trojan PWS/W32.WebGame.103810Trojan-PWS/W32.WebGame.10524Trojan-PWS/W32.WebGame.10724Trojan-PWS/W32.WebGame.10764T j PWS/W32 W bG 110145Trojan-PWS/W32.WebGame.110145Trojan-PWS/W32.WebGame.111085Trojan-PWS/W32.WebGame.11218Trojan-PWS/W32.WebGame.116274Trojan-PWS/W32.WebGame.116606Trojan-PWS/W32.WebGame.116822

………………………………

Hundreds of viruses signature are added each day7

Hundreds of viruses signature are added each day

Keylogging Windows Account

8

Windows AccountWindows Account

the winlogon.exe is what you come to face when lk t l k d l dyou walk up to a locked or un-logged-on

computer.

9

msgina structuremsgina structure

Interaction between winlogon and GINAg

10

msgina structuremsgina structure

The library file msgina.dll, is required by windows. It is used by WinLogon within windows, when performing user authentication.

11

WlxLoggedOutSASWlxLoggedOutSAS

int WlxLoggedOutSAS(PVOID pWlxContext, pDWORD dwSasType, PLUID pAuthenticationId,

idPSID pLogonSid, PDWORD pdwOptions, PHANDLE phTokenPHANDLE phToken, PWLX_MPR_NOTIFY_INFO pNprNotifyInfo, PVOID *pProfile );PVOID pProfile );

12

WLX MPR NOTIFY INFOWLX_MPR_NOTIFY_INFO

Typedef struct _WLX_MPR_NOTIFY_INFO { PWSTR pszUserName;PWSTR pszUserName; PWSTR pszDomain; PWSTR pszPassword;PWSTR pszPassword; PWSTR pszOldPassword; } LX_MPR_NOTIFY_INFO;

Here we can see a meaningful structure !!!

13

msgina Hookingmsgina Hooking

14

Reversing msgina MalwareReversing msgina Malware

Naming

• i l Hij k• winlogonHijacker

• Domain Keylogger.Domain Keylogger.

DEMODEMO

15

Login without Password

16

Windows AccountWindows Account

If you press the Shift key 5 times…

17

StickKey PopupStickKey Popup

18

StickKey run structureStickKey run structure

Winlogon thread

Winlogon thread

CreateProcess

RunRunRunsethc.exe

Runsethc.exe

View StickKey

Di l B19

DialogBox

StickKey Local BackdoorStickKey Local Backdoor

• You are able to connect without ID/PW !!!

• Y th l d t t• You can see the explorer or command prompt at the login prompt without authentication.

20

Behavior structureBehavior structure

• Disable WFP (Windows File Protection)Disable WFP

• Replace the files.

• N If I k fi• Now, If I press key five times, I can login at any time

Change File

time.

press the Shift key

Login success

21

Terminal LoginTerminal Login

22

Next actionNext action

• Create a new user account,

“c:\net user iamhacker /add”c:\net user iamhacker /add

•• Add this user to the administrators group

“c:\net localgroup administrators iamhacker”c:\net localgroup administrators iamhacker

• Remove StickKey Local Backdoor and Enable WFP

(T id d bt h ki )23

(To avoid as doubt as hacking)

Which platform is this vulnerability?Which platform is this vulnerability?

• Windows 2000

• Wi d XP• Windows XP

• Windows 2003Windows 2003

• Windows Vista

Most of windows OS does not check the integrity of the file that launches StickyKeysintegrity of the file that launches StickyKeys “sethc.exe” before executing it.

24

From now onFrom now on

Don’t forget to hit the shift key five times and see what pops up on your desktopsee what pops up on your desktop ….everyday :p

25

Remove StickKeyRemove StickKey

This is the real answer.

26

Reversing stickkey MalwareReversing stickkey Malware

DEMODEMO

27

Keylogging on the website

28

Web-based loginWeb-based login

• Very vulnerabley

• Method of attack is varied

• Keyboard security solution exists (Almost always)

29

Attack positionAttack position

NetworkNetworkKey pressKey press

KeyboardhardwareKeyboardhardware

ApplicationApplication

KeyboardKeyboard Message Message controllercontroller QueueQueue

Pot IOPot IO Filter driverFilter driver

ISR in IDTISR in IDT Keyboardclass driverKeyboard

class driver

30

class driverclass driver

Keyboard security solutionKeyboard security solution

protectNetworkNetwork

protect areas

KeyboardhardwareKeyboardhardware

ApplicationApplicationDMZ

KeyboardKeyboard Message Message controllercontroller QueueQueue

Pot IOPot IO Filter driverFilter driver

ISR in IDTISR in IDT Keyboardclass driverKeyboard

class driver

31

class driverclass driver

Protocol handlerProtocol handler

Wininet.dll is the protocol handler for HTTP, HTTPS and FTP It handles all networkHTTPS and FTP. It handles all network communication over these protocols.

32

Query hookQuery hook

url=http%3A%2F%2Fwindow31.com&fail_url &l i i & i id 31& d l N&l=&loginsite=&site_id=31&adult_yn=N&encoding_type=utf-8&ukey=1BBg yp y7E5F2937203480D408B5196E9AC3B9DDF487E636EA15426FAEABDAFB00A6908FE636EA15426FAEABDAFB00A6908F2069ECB5FA6C7B618E4C68C5F37C2900DB07DE9A0CACEC7300A6DBD342A83&game id=DE9A0CACEC7300A6DBD342A83&game_id=13&id=window31&pwd=fucking

33

The API issueThe API issue

34

Reversing malwareReversing malware

DEMODEMO

35

Social Engineering Keylogging

36

Human habitsHuman habits

37

Bad habitBad habit

We do cop and paste nconscio slWe do copy and paste unconsciously. Even the password.

38

Funny CodeFunny Code

while(1){{

// …GetClipBoardData(CF TEXT);p ( _ );

// …//if (bMaybePW)

SendDataToHacker();();

Sleep(500);S eep(500);}

39

ProblemsProblems

• This technique is based on the human behaviorThis technique is based on the human behavior.

• You do not have a login, you can be attacked (for example, paperwork etc).

40

BypassBypass Keyboard security solutiony y

41

Why?Why?

42

Offensive and defensive

43

Hooking detectionHooking detection.

13:12:31:889 [0x756E40D4] jmp msg1na.dll.0xB0A58813:12:31:889 Found inject code !!! 5 byte diff13:12:31:889 Found inject code !!! 5 byte diff13:12:31:889 doubt module: [pid: 420] \??\C:\WINDOWS\system32\winlogon exe\??\C:\WINDOWS\system32\winlogon.exe -c:\windows\system32\msgina.dll13:12:31:889 [KEYLOGGER] Domain Keylogger13:12:31:889 [KEYLOGGER] Domain Keylogger detect !!!! winlogon.exe - msgina.dll inject

44

I hope AntiVirus vendorsI hope AntiVirus vendors.

• WFP check

• Ch k th• Check sethc.exe

• StickyKeys option turns off.StickyKeys option turns off.

• Winlogon dll injection, integrity check

45

ConclusionConclusion

• Keyboard security solution can not prevent everythingy g

• Each location requires different security.

(ex. kernel : ring0, app : integrity check)

• h ld b d• Parameters should be encrypted.

• Let's try reversing a lot of malicious code We canLet s try reversing a lot of malicious code. We can get a hint and we learn a lot of their technology.

• The AntiVirus should be upgraded more behavior-based features

46

Question

http://www.window31.comp //window31com@gmail.comTwitter : @window31com

47www.CodeEngn.com

2010 4th CodeEngn ReverseEngineering Conference