5/01/2013

Elite Keylogger Detection and Analysis

Elite Keylogger is, from the victim's point of view, a piece of malware sold by a company called WideStep. WideStep markets the product as being "100% undetectable", as you can see on its info page:

Invisible to anti-virus software

It’s no secret that anti-virus and anti-spyware applications will constantly try to detect and block even legitimate monitoring applications like Elite Keylogger. Elite Keylogger does a great job hiding its own modules from anti-virus, anti-rootkit and anti-spyware apps. Elite Keylogger ensures it's not detected during regular scans and even after you update your anti-virus software. It implements a number of unique algorithms to stay hidden.
Here I will show you how to detect whether this keylogger is installed on a computer and how to access its configuration GUI in order to see every setting the attacker has configured.

The version this article addresses is the latest one (5.0.183) currently being sold by WideStep.


Detection

First off, this keylogger is about as far from "100% undetectable" as it gets: it injects a DLL into almost every running process and hooks the usual functions keyloggers hook (i.e. GetMessage, PeekMessage, ...).

Injecting a DLL into almost every process is a clumsy technique and makes this keylogger very noisy. I was able to tell that a keylogger was installed just by launching an anti-rootkit tool that protects itself by refusing DLL injection into its own address space:

Rootkit Unhooker warning message

Here are the hooks this DLL implements:

Hooked functions
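To make the hook check concrete, here is a small added example (my own code, not part of the original post or of any tool it mentions) that classifies the first bytes of an exported function as an inline-hook trampoline or a normal prologue, which is the same test an anti-rootkit tool applies to GetMessage and PeekMessage. The module addresses, sizes and byte strings are constructed for the demo; on Windows the read_export helper pulls the live bytes of user32 exports with ctypes, and it has to run inside a process the keylogger has injected into (a freshly started python.exe of the same bitness as the injected DLL), since the hooks only exist in the address space of each injected process.

```python
import struct
import sys

# Constructed example numbers (assumptions for the demo, not values from the article):
# a 32-bit user32.dll mapped at 0x75A00000 with SizeOfImage 0x100000, and an injected
# keylogger DLL mapped at 0x10000000.
USER32_BASE = 0x75A00000
USER32_SIZE = 0x00100000
INJECTED_BASE = 0x10000000


def classify_prologue(func_addr, code, module_base, module_size):
    """Decode the first bytes of an exported function and decide whether control
    leaves the owning module immediately, which is what an inline hook looks like.
    Returns {'hooked': True/False/None, 'kind': str, 'target': int or None}."""
    def inside(addr):
        return module_base <= addr < module_base + module_size

    if len(code) >= 5 and code[0] == 0xE9:                                  # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF
        return {"hooked": not inside(target), "kind": "jmp rel32", "target": target}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:               # push imm32; ret
        target = struct.unpack_from("<I", code, 1)[0]
        return {"hooked": not inside(target), "kind": "push/ret", "target": target}
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":      # mov eax,imm32; jmp eax
        target = struct.unpack_from("<I", code, 1)[0]
        return {"hooked": not inside(target), "kind": "mov eax/jmp eax", "target": target}
    if len(code) >= 12 and code[0:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax,imm64; jmp rax
        target = struct.unpack_from("<Q", code, 2)[0]
        return {"hooked": not inside(target), "kind": "mov rax/jmp rax", "target": target}
    if len(code) >= 6 and code[0:2] == b"\xFF\x25":                          # jmp [mem]: pointer not read here
        return {"hooked": None, "kind": "jmp indirect (read the pointer and check it yourself)", "target": None}
    return {"hooked": False, "kind": "ordinary prologue", "target": None}


def jmp_rel32(from_addr, to_addr):
    """Assemble E9 <rel32> jumping from from_addr to to_addr (what a hooking engine writes)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


def read_export(module, export, nbytes=16):
    """Windows only: map `module` in this process and return
    (address, first nbytes of the export, module base, SizeOfImage)."""
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    ctypes.WinDLL(module)                      # make sure the module is loaded (and hooked, if an injector is around)
    base = k32.GetModuleHandleW(module)
    addr = k32.GetProcAddress(base, export.encode("ascii")) if base else None
    if not base or not addr:
        raise OSError("cannot resolve %s!%s" % (module, export))
    e_lfanew = struct.unpack("<I", ctypes.string_at(base + 0x3C, 4))[0]
    # IMAGE_OPTIONAL_HEADER.SizeOfImage sits 0x50 bytes past the "PE\0\0" signature (PE32 and PE32+).
    size = struct.unpack("<I", ctypes.string_at(base + e_lfanew + 0x50, 4))[0]
    return addr, ctypes.string_at(addr, nbytes), base, size


if __name__ == "__main__":
    if sys.platform == "win32":
        for name in ("GetMessageA", "GetMessageW", "PeekMessageA", "PeekMessageW"):
            addr, code, base, size = read_export("user32.dll", name)
            print(name, hex(addr), classify_prologue(addr, code, base, size))
    else:
        # Offline demo with the constructed addresses: a jmp out of user32 into the injected DLL.
        addr = USER32_BASE + 0x1234F
        print(classify_prologue(addr, jmp_rel32(addr, INJECTED_BASE + 0x3000), USER32_BASE, USER32_SIZE))
```

A jump that stays inside the module (compiler tail calls, hot-patch stubs) is deliberately not reported; only a prologue whose first instruction transfers control outside the module's image range counts as a hook, and an indirect jmp is reported as undetermined because its pointer has to be read and checked separately.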

In my particular case I needed to know what kind of keylogger was installed on the computer, so to continue the investigation I looked at the strings in the injected DLL. As you can see in the following picture, there are strings that contain the name of the company that sells Elite Keylogger:

The string in the file points you to widestep.com
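Here is an added example (my own code, not from the post) of the strings check done programmatically. The practitioner's point is that Windows binaries keep a lot of their text as UTF-16LE, which a plain `strings` run does not show by default, so the extractor below scans for both ASCII and UTF-16LE runs and then filters them against a list of indicator substrings. The SAMPLE_DLL byte string is a constructed stand-in for the injected DLL; the exact strings of the real file are not reproduced here, only the widestep.com reference the article mentions.

```python
import re

# Constructed stand-in for the injected DLL: non-printable filler, two ASCII import
# names, and two UTF-16LE strings of the kind Windows binaries keep in resource data.
# Not bytes from the real file.
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(0, 32)) * 4
    + b"GetMessageA\x00PeekMessageW\x00" + bytes(range(0, 32))
    + "http://www.widestep.com/".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(0, 32))
    + "Elite Keylogger".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(blob, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in both ASCII and UTF-16LE, sorted by offset."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_iocs(blob, needles, min_len=6):
    """Return the extracted strings that contain any of the needles (case-insensitive)."""
    lowered = [n.lower() for n in needles]
    return [(off, enc, s) for off, enc, s in extract_strings(blob, min_len)
            if any(n in s.lower() for n in lowered)]


def scan_file(path, needles):
    """Run find_iocs over a file on disk, e.g. the DLL you see injected everywhere."""
    with open(path, "rb") as f:
        return find_iocs(f.read(), needles)


if __name__ == "__main__":
    import sys
    hits = scan_file(sys.argv[1], ["widestep"]) if len(sys.argv) > 1 else find_iocs(SAMPLE_DLL, ["widestep"])
    for off, enc, s in hits:
        print("0x%08x %-8s %s" % (off, enc, s))
```

Run it against the injected DLL (`python scan.py C:\Windows\System32\<name>.dll`) and the UTF-16LE hits are the ones a default `strings` pass would have skipped.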

Now that we know Elite Keylogger is installed on the computer, the next step is to download the keylogger's installer and install it on a VM in order to work out how to get into its configuration window.


Files

Every installation of the keylogger puts files in the following locations in the file system (Windows 7):
  • C:\Windows\System32\
  • C:\Windows\System32\drivers\
  • an ADS (alternate data stream) in C:\ProgramData\TEMP

More files (in the %TEMP% directory) are created while the keylogger runs, as well as a file that is injected under the fixed name thunk.dll, but since my goal here isn't to analyse these files I won't cover them in detail.

From what I have seen, the file names differ between installations except for the last three letters (for the driver it seems only the last two letters are fixed), so you can detect the keylogger's files on other computers by using those last three letters as an identifier.

The dates and times of the files are interesting: it seems to me they are based on the time you downloaded your installer from the web site rather than the time the keylogger was installed, which is why I blurred the dates and times in the pictures above (.....). As we will see later, you can actually determine the keylogger's installation date and time using a different method.

Configuration

In order to read the keylogger's configuration and see where it sends the data it captures, we have to access its GUI. The executable at C:\Windows\System32\openfsvr.exe (the "openf" letters are random) leads to the keylogger's UI, but simply double-clicking it won't open the GUI: the keylogger has a protection that requires you to type a special string into the Run box before the GUI becomes accessible.

That string is set by the attacker at installation time, so in order to open the UI we need to find another way.

To bypass this protection, launch the executable with the following parameter:

"C:\Windows\System32\openfsvr.exe" VIEW

Once the interface opens you have to type a password to get into the configuration window; to bypass that we open the keylogger's process in a debugger.

I used OllyDbg v2.01 (Beta 2 update H) to get past the password check; I tried OllyDbg v1 and Immunity Debugger without success (the keylogger is probably detecting them somehow).

After attaching the debugger to the keylogger's password window, set breakpoints at the following locations:
  • 0x0064E0D5
  • MessageBoxEx (both the A and W variants)
Then type a dummy password and hit the Unhide button; the debugger breaks at one of these locations depending on the version of the keylogger:
  • The paid version breaks on MessageBoxEx; set EIP to 0x0064E0D7 and continue (F9).
  • Demo versions break right at 0x0064E0D5; toggle ZF (set it to 1) and continue (F9).
Afterwards you can access the keylogger's GUI and see every setting the attacker configured (i.e. where the captured data is sent, what is captured, and so on).

bypass the password requirement

If you are lucky and the attacker configured an FTP server as one of the upload targets for the captured data, you can see the FTP server's username and password, since they are stored unencrypted.

Time of installation

Since this keylogger tries to be "100% undetectable", it deletes the logs related to its installation and operation, so that you can see (almost) nothing related to it in Event Viewer.
As you can see on the product info page:

Invisible to other users

Elite Keylogger stays absolutely hidden to other users of the monitored computer. They won't find Elite Keylogger among running processes, in the list of installed applications, in the history of used programs, in the Start Menu, or anywhere else! Guaranteed!

But I found one log entry that is left behind, and from it you can get the exact date and time the keylogger was installed by the attacker.

As part of the installation the keylogger requires a reboot to finish installing and start logging keystrokes; when the user agrees to restart the computer, that event is written to the System log.

The log gives the time of installation

As you can see in Event Viewer, the log entry names the file that triggered the restart, and that file name is the same as the keylogger's GUI (main) file.

With that evidence you can conclude that this keylogger was installed on 30/4/2013 by user user-PC\user.
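Pulling that entry out of an exported System log rather than by eye, as an added example (my own code, not from the post): the entry described above is the User32 "process has initiated the restart" event, ID 1074 in the System log. The parser below reads the XML that `wevtutil qe System /f:xml` emits (a bare sequence of <Event> elements, no root, each carrying the Windows event namespace), keeps the 1074 events whose parameters mention a process matching a regex, and reports the time, computer and the full parameter set rather than relying on any fixed parameter position. The two sample events are constructed to mirror that shape: the keylogger file name reuses the openfsvr.exe name from the article, while the SID, the time of day and the second, benign winlogon event are placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not a real export): two USER32 1074 events in wevtutil's XML shape.
SAMPLE_XML = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="USER32"/>
    <EventID Qualifiers="32768">1074</EventID>
    <TimeCreated SystemTime="2013-04-30T18:41:07.000000000Z"/>
    <Channel>System</Channel>
    <Computer>user-PC</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="param1">C:\Windows\System32\openfsvr.exe (USER-PC)</Data>
    <Data Name="param2">USER-PC</Data>
    <Data Name="param3">Other (Unplanned)</Data>
    <Data Name="param4">0x5000000</Data>
    <Data Name="param5">restart</Data>
    <Data Name="param6"></Data>
    <Data Name="param7">user-PC\user</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="USER32"/>
    <EventID Qualifiers="32768">1074</EventID>
    <TimeCreated SystemTime="2013-05-01T07:02:15.000000000Z"/>
    <Channel>System</Channel>
    <Computer>user-PC</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001"/>
  </System>
  <EventData>
    <Data Name="param1">C:\Windows\system32\winlogon.exe (USER-PC)</Data>
    <Data Name="param2">USER-PC</Data>
    <Data Name="param3">No title for this reason could be found</Data>
    <Data Name="param4">0x500ff</Data>
    <Data Name="param5">restart</Data>
    <Data Name="param6"></Data>
    <Data Name="param7">user-PC\user</Data>
  </EventData>
</Event>
"""


def restart_events(xml_text, process_pattern, event_id=1074):
    """Parse wevtutil's root-less XML and return the events with the given ID whose
    EventData parameters contain a value matching process_pattern (case-insensitive)."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    pat = re.compile(process_pattern, re.IGNORECASE)
    hits = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if int(system.findtext("e:EventID", default="0", namespaces=NS)) != event_id:
            continue
        params = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        matching = [v for v in params.values() if pat.search(v)]
        if not matching:
            continue
        hits.append({
            "time_utc": system.find("e:TimeCreated", NS).get("SystemTime"),  # TimeCreated is UTC
            "computer": system.findtext("e:Computer", namespaces=NS),
            "process": matching[0],
            "params": params,
        })
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], "rb").read().decode("utf-8-sig", "replace") if len(sys.argv) > 1 else SAMPLE_XML
    pattern = sys.argv[2] if len(sys.argv) > 2 else r"svr\.exe"
    for h in restart_events(text, pattern):
        print(h["time_utc"], h["computer"], h["process"], h["params"].get("param7", ""))
```

Export the log on the suspect machine with `wevtutil qe System /q:"*[System[(EventID=1074)]]" /f:xml > restart.xml` and run the script on it with a pattern built from the three fixed trailing letters of the keylogger's file name; remember that SystemTime is UTC, so convert it to the machine's local zone before quoting it as the installation time.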


Conclusion

In this article I have tried to summarize the steps I took in my analysis of this keylogger; as you can see, my goal was to gain access to the keylogger's configuration, not to analyse the keylogging itself.

This keylogger isn't the usual keylogging activity we see in malware, since it requires a proper installation with admin rights (although there is a silent installation procedure you can use). As you can see on their website, they call this kind of program "monitoring software" so that a parent can monitor his children, but you could call any RAT monitoring software.

AV vendors detect Elite Keylogger as a keylogger variant and protect end users against it, which is why I decided to analyze it here.

Regards.
r3shl4k1sh

2 comments:

  1. Sensational!

  2. Thanks, but how do I uninstall anykeylogger? It is here: http://www.anykeylogger.com/. Last week I installed it on my PC to test monitoring my son; after viewing one day's logs there was nothing special, then I logged off my PC. Today I remembered it and wanted to uninstall it, but its trial days had expired and it reminds me to buy it. It's a 7-day trial. Now I can't open it and can't uninstall it; what should I do?
