How to do the analysis of a keylogger installed on our system so as to get the user id and password binding with the keylogger? The id is of Gmail and hence Wireshark is not showing anything due to an SSL connection. Also, due to the use of an L3 switch, MITM from BT is not working.
Is there any other way or tool that can help me to get these things?
The keylogger is scripted in AUTOIT.
Before going into reverse engineering, let others understand –
What is AutoIt? And what is an AutoIt keylogger?
AutoIt is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no annoying “runtimes” required!
AutoIt was initially designed for PC “roll out” situations to reliably automate and configure thousands of PCs. Over time it has become a powerful language that supports complex expressions, user functions, loops and everything else that veteran scripters would expect.
— Easy to learn BASIC-like syntax
— Simulate keystrokes and mouse movements
— Manipulate windows and processes
— Interact with all standard windows controls
— Scripts can be compiled into standalone executables
— Create Graphical User Interfaces (GUIs)
— COM support
— Regular expressions
— Directly call external DLL and Windows API functions
— Scriptable RunAs functions
— Detailed helpfile and large community-based support forums
— Compatible with Windows 2000/XP/2003/Vista/2008/Windows 7/2008 R2
— Unicode and x64 support
— Digitally signed for peace of mind
— Works with Windows Vista’s User Account Control (UAC)
AutoIt has been designed to be as small as possible and stand-alone with no external .dll files or registry entries required making it safe to use on Servers. Scripts can be compiled into stand-alone executables with Aut2Exe.
Also supplied is a combined COM and DLL version of AutoIt called AutoItX that allows you to add the unique features of AutoIt to your own favourite scripting or programming languages! AutoIt continues to be FREE
Source URL: http://www.autoitscript.com/site/autoit/
(Book) AutoIt v3: Your Quick Guide: http://shop.oreilly.com/product/9780596515126.do
(Book) Windows Admin Scripting Little Black Book, 2nd Edition: http://shop.oreilly.com/product/9781932111873.do
Let's now understand some malware/worm examples that are already analysed by the Microsoft Malware Protection Center.
Encyclopedia entry: Worm:Win32/Autorun.AGU
Encyclopedia entry Updated: Jan 14, 2013 | Published: Dec 25, 2012
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection initially created:
Released: Dec 19, 2012
The following system changes may indicate the presence of this malware:
The presence of the following files:
c:\documents and settings\administrator\local settings\temp\windows.exe
c:\documents and settings\administrator\start menu\programs\startup\55b3825ee39ada2fcddf7c7accbde69e.exe
— The presence of the following registry modifications:
Adds value: “55b3825ee39ada2fcddf7c7accbde69e”
With data: “”c:\documents and settings\administrator\local settings\temp\windows.exe” ..”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
— Adds value: “C:\Documents and Settings\Administrator\Local Settings\Temp\windows.exe”
With data: “c:\documents and settings\administrator\local settings\temp\windows.exe:*:enabled:windows.exe”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
— Removable drives
Worm:Win32/Autorun.AGU may create the following files on targeted drives when spreading:
Source URL: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fAutorun.AGU
Quick overview of Worm:Win32/Autorun.AGU
Here is the naming standard of malware/worms:
Worm:Win32/Autorun.AGU — Type:Platform/FamilyName.Variant!Additional_information
Now we understand two things from this post, and that is:
1) Scripting language – AutoIt and AutoIt keylogger
2) Example of an AutoIt worm (Worm:Win32/Autorun.AGU)
— System changes – Presence of files on Windows platform
— Installation location
— Spreading location/Information
— Payloads and Contact Remote Host
Now we come to your question; let's divide it (due to insufficient input to us):
1) How to analyse the keylogger installed on your system (Wireshark – SSL connections or any other tool)
2) Can we analyse those packets with Wireshark over SSL connections?
3) L3 switch MITM (man in the middle) in BT is not working
1st question is about analysing the keylogger –
From my previous example of AutoIt malware Worm:Win32/Autorun.AAO (it's different now), we understand system changes, location, presence, spread and payloads etc. etc.
Now we can focus on packet analysing. Either your worm/keylogger contacts a remote host, so we have to analyse/understand the packets that are travelling through your machine, or those packets you are installing.. hahahaa…
Let's analyse the installed packet/worm/keylogger – AutoIt keyloggers/malware have their own custom packets. Initially we cannot examine packets, so we have to try out various unpackers.
Well, there are a lot more things on Google to study, so I am not explaining that much about various packers etc. etc. We directly move to the unpacker known as PEiD.
PEiD: http://www.aldeid.com/wiki/PEiD
PEiD detects most common packers, cryptors and compilers for PE files.
It can currently detect more than 470 different signatures in PE files.
With the help of PEiD we got (suppose) the packer named UPX..
UPX URL: http://upx.sourceforge.net/
Decompress that packer with UPX.
Find out the AutoIt script string within your keylogger scripting..
Many reverse engineers use an AutoIt decompiler, so grab and drag your AutoIt script into an AutoIt decompiler, for example myAut2Exe – the most known decompiler.
Hopefully you will get many things after following these steps.
2nd question is about Wireshark —
SSL traffic, you wouldn’t be able to read any of the data contained in the packets, and you certainly wouldn’t see all usernames and passwords transmitted in the clear…
Source: contents from the book Practical Packet Analysis, 2nd Edition
Topic: Protocol Dissection, Page:74
Basic username & password captured image example URL by SANS:
3rd question is about MITM configuration — Mostly BT forum can help you lot instead of me.
Thread Name: Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.
Thread URL: http://www.backtrack-linux.org/forums/showthread.php?t=6021
Source URL: http://www.backtrack-linux.org/forums/forum.php or you can paste your actual configurations/steps so that we can help you..
Some different packet reverse engineering URL: http://blogs.technet.com/b/mmpc/archive/2011/06/27/malware-packer-integrates-with-upx.aspx
Hopefully we study/understand a lot with such reverse engineering topics – keep posting a lot..
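As an added defender-side example (not code from the question or the answer above), here is a small stdlib-only Python triage script that automates the first two steps of the answer: it reads the PE section table to flag UPX packing (UPX names its sections UPX0/UPX1) and scans for the markers that AutoIt v3 leaves in compiled executables, which is an assumption about AutoIt builds and which only show up in the clear once the sample is unpacked. The bytes it runs on are a constructed PE skeleton, not a real malware sample.

```python
import struct

# Section names that UPX writes into the executables it packs.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Markers in AutoIt v3 compiled executables (assumption; visible only after unpacking).
AUTOIT_MARKERS = [b"AU3!EA06", b"This is a third-party compiled AutoIt script."]


def pe_section_names(data: bytes) -> list:
    """Walk the DOS/PE/COFF headers by hand (no pefile dependency) and return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def triage(data: bytes) -> dict:
    """Report UPX packing (by section name) and any AutoIt markers found in the file."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n.encode("latin-1") in UPX_SECTION_NAMES for n in names),
        "autoit_markers": [m.decode() for m in AUTOIT_MARKERS if m in data],
    }


def build_sample() -> bytes:
    """Constructed sample (not a real binary): minimal PE with UPX sections and AutoIt markers."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew points to 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x10F)
    opt = b"\0" * 224                                          # PE32 optional header size
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0xE0000040)
        for i, name in enumerate((b"UPX0", b"UPX1")))
    body = b"\0" * 16 + AUTOIT_MARKERS[0] + b"\0" * 8 + AUTOIT_MARKERS[1] + b"\0" * 8
    return dos + coff + opt + sections + body


if __name__ == "__main__":
    print(triage(build_sample()))
```

Run it against a real sample before and after `upx -d` to see the UPX section names disappear and the AutoIt markers appear.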