How to hack into a hacker
Recently, while going through junk mail, I came across a very ordinary-looking spam message. It used a simple gossip hook, speculating about Obama's sexual orientation, and offered a link to an image as "proof".
The spam itself was nothing special, but the link pointed to a file with a double extension, "You.jpg.exe", which made it worth a closer look. Out of curiosity, I downloaded the file to see what it would do.
First, let's check the file's real type. Obviously it is not an image of Obama but a self-extracting RAR archive.
Using a RAR extraction tool, I opened the self-extracting archive and looked at its contents.
I extracted "You.jpg.exe" and inspected every file inside, but found that they are all encrypted. So I simply ran "You.jpg.exe" on a test machine to see what would happen. Double-clicking it pops up the image below. Hey, that isn't Obama.
In the background, the following files are silently installed into the Windows system32 directory:
- bpk.dat
- bpk.exe
- bpkhk.dll
- bpkr.exe
- inst.dat
- pk.bin
In addition, an autorun entry is created in the registry so the program starts at every logon:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
bpk = %windir%\System32\bpk.exe
I searched Google for these file names and found some useful information. The files installed on the test machine belong to a keystroke-logging program. Specifically, it is a commercial product from Blazing Tools called Perfect Keylogger (PK). This keylogger can be bought through normal channels and is marketed for monitoring the online activity of children or employees. As you can imagine, it can also be used for less honourable purposes.
My analysis was almost finished, but a few minutes later something interesting happened. The monitoring software connected to a remote FTP server, which gave me the chance to capture the intruder's FTP credentials (FTP sends the username and password in cleartext, so a packet capture on the test network is enough).
With the captured username and password I logged on to the FTP server and found a large number of folders containing monitoring logs and screenshots of victims' desktops. From the sheer volume of logs you can see how effective this spammer's gossip bait is.
The registration information of the FTP server is as follows:
I didn't want to stop there. I dug further into the installer of this monitoring software, hoping to find the person behind the eavesdropping.
According to the software's online help page, the program has a hotkey that brings up the hidden administrator control panel or system tray icon. The default hotkey is CTRL+ALT+L, but it did nothing when I tried it. So I brute-forced key combinations until I found the right one. Frustratingly, the following window appeared:
Before trying to decompile the software and crack its password, I searched the internet for hints and found the personal blog of Chris Pogue, who happens to be a colleague at Trustwave SpiderLabs and had met this software before. In his post he pointed out that the password and some other configuration attributes are stored in the encrypted file pk.bin, and that the captured monitoring data is stored in the encrypted file bpk.dat. He also said that these files can be decoded by simply XORing each byte with 0xAA.
I guess Chris analysed an older version, because XORing with 0xAA does not decode the configuration file. However, looking at bpk.dat after the transformation, the XOR is partially effective. To get a cleaner result I XORed with the two-byte key 0xAA, 0x00:
I was more interested in pk.bin, because it holds the detailed configuration of the software and might therefore hold information about the intruder. But this needed more work, because a simple XOR with 0xAA clearly did not decode it. My guess was that a different XOR key was required.
The following figure shows the file viewed in text mode. Notice the many repeated fragments!
In hex mode, I picked out the repeated bytes and XORed the file against them:
I decrypted the file with a small Python script (shown here for Python 3; it reads the file as bytes, skips the 11-byte header and XORs the rest with the 21-byte key found above):
import sys

if len(sys.argv) > 1:
    with open(sys.argv[1], 'rb') as pkhandle:
        pkbuffer = pkhandle.read()
    # 21-byte repeating XOR key recovered from the repeated fragments in pk.bin
    key = [0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01,
           0x08, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03]
    dec = bytearray()
    ctr = 0
    # the first 11 bytes are a header and are not XORed
    for i in range(11, len(pkbuffer)):
        a = pkbuffer[i]
        b = key[ctr % len(key)]
        dec.append(a ^ b)
        ctr += 1
    with open('pk.dec', 'wb') as dechandle:
        dechandle.write(bytes(dec))
Look! (Note: I have blacked out some details to avoid leaking victims' information from the FTP server.)
The decoded pk.bin gave me enough to reach the administrator control panel: the software's administrator password, the FTP server password, and the registration name and registration number of the purchased licence. I entered the administrator password and it worked. I could now see what information the intruder wanted to steal and more about the software's configuration.
In the configuration file, the licence registration name is Charles Onuigbo.
Now, I can't be sure that Charles Onuigbo is the intruder, or even a real person. The only thing worth mentioning is that it is a very common name in Nigeria, a country notorious for producing spam.
I reported the FTP site to the ISP by email, hoping the site would be taken down as soon as possible.
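The decoding step above, generalised. The repeated fragments seen in the text and hex views are most plausibly the key itself showing through wherever the plaintext holds runs of 0x00 padding, since 0x00 XOR k = k; that is the assumption the script below works from. It is an added example, not code from the original post or from Blazing Tools. It builds a stand-in for pk.bin with a constructed layout (an 11-byte header followed by fixed-width NUL-padded fields, an assumption, as the real layout is not documented here), recovers the key period and the key bytes from the ciphertext alone, and decrypts with a repeating-key XOR routine that also covers the two-byte 0xAA, 0x00 case used on bpk.dat.

```python
from collections import Counter

# 21-byte key from the post. In the sample below it is only used to BUILD the
# ciphertext; recovery works from the ciphertext alone.
PK_KEY = bytes([0x0D, 0x0A, 0x08, 0x05, 0x01, 0x02, 0x06, 0x03, 0x03, 0x0E, 0x01,
                0x08, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0D, 0x0C, 0x0B, 0x03])
HEADER_LEN = 11                 # bytes the post's script skips before XORing
BPK_KEY = bytes([0xAA, 0x00])   # two-byte key that worked on bpk.dat
FIELD_WIDTH = 64                # assumed field width of the constructed sample


def xor_with_key(data: bytes, key: bytes, skip: int = 0) -> bytes:
    """Repeating-key XOR over data[skip:]; the first `skip` bytes pass through.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray(data[:skip])
    out.extend(b ^ key[i % len(key)] for i, b in enumerate(data[skip:]))
    return bytes(out)


def find_period(cipher: bytes, skip: int = 0, max_period: int = 64) -> int:
    """Guess the key length. Ciphertext over NUL padding equals the key byte,
    so at shifts that are multiples of the period the ciphertext agrees with
    itself far more often than at other shifts. Return the smallest shift whose
    agreement rate is at least half the best rate seen (multiples of the period
    also score high, hence "smallest")."""
    body = cipher[skip:]
    rates = {}
    for p in range(1, max_period + 1):
        pairs = len(body) - p
        agree = sum(1 for i in range(pairs) if body[i] == body[i + p])
        rates[p] = agree / pairs
    threshold = max(rates.values()) / 2
    return min(p for p, r in rates.items() if r >= threshold)


def recover_key(cipher: bytes, period: int, skip: int = 0) -> bytes:
    """For each key position, the most common ciphertext byte in that column
    is the key byte, provided NUL padding dominates the plaintext."""
    body = cipher[skip:]
    return bytes(Counter(body[pos::period]).most_common(1)[0][0]
                 for pos in range(period))


def build_sample_config() -> bytes:
    """Constructed stand-in for pk.bin (assumed layout, not the real format):
    an 11-byte header followed by fixed-width, NUL-padded string fields.
    All values are made up."""
    header = b"PKCFG\x00\x01\x00\x00\x00\x00"
    assert len(header) == HEADER_LEN
    fields = [b"admin_password=example", b"ftp_host=ftp.example.test",
              b"ftp_user=logs", b"ftp_pass=Sample!",
              b"reg_name=Example Name", b"reg_code=0000-0000"]
    return header + b"".join(f.ljust(FIELD_WIDTH, b"\x00") for f in fields)


def decode_unknown(cipher: bytes, skip: int = HEADER_LEN):
    """Full pipeline from ciphertext alone: period -> key -> plaintext.
    Returns (period, key, plaintext)."""
    period = find_period(cipher, skip)
    key = recover_key(cipher, period, skip)
    return period, key, xor_with_key(cipher, key, skip)


if __name__ == "__main__":
    plain = build_sample_config()
    cipher = xor_with_key(plain, PK_KEY, HEADER_LEN)
    period, key, recovered = decode_unknown(cipher)
    print("period:", period)
    print("key:   ", key.hex())
    for field in recovered[HEADER_LEN:].split(b"\x00"):
        if field:
            print("field: ", field.decode())
    # bpk.dat-style decoding is the same routine with the short key
    print(xor_with_key(b"\xc1\x65\xd3\x6c\xc5\x67", BPK_KEY))
```

The column-voting in recover_key is the automated form of what the post does by eye: the byte that keeps recurring at a given offset modulo the period is the key byte, and anything that deviates from it is real content. It fails when the plaintext has little padding or when a single non-zero byte dominates a column, so check the recovered plaintext for readable field names before trusting the key.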
Update: I received an email from the company that manages this server, which says:
"Hi - I'm not sure whether my colleague has replied to you about this yet. We have disabled access for the account you mentioned on this server ..."
I tried logging on to the FTP server again and confirmed that the malicious FTP account had been blocked. Thanks to Alex Kwiecinski of Liquid Web and his team for acting so quickly.
[Link to the original article: pwning a spammer's keylogger]