[QUOTE=supersnail11;44132193]That's way more difficult than just decompiling it. The amount of skill gone in to making this crap is little-to-none.[/QUOTE]
If they're unobfuscated or you're good at reading obfuscated code, then yes.
But these days they often are.
Out of 30 programs I downloaded off of YouTube, I could only decompile ~7 of them, and only 1 of them actually had info that wasn't obfuscated in any way.
Hey, I decompiled some programs and all they have is Form... is it possible that there is some underlying assembler code or C++ code before .NET runs?
I use ILSpy
[editline]5th March 2014[/editline]
[QUOTE=HeatPipe;44137824]Hey, I decompiled some programs and all they have is Form... is it possible that there is some underlying assembler code or C++ code before .NET runs?
I use ILSpy[/QUOTE]
Also using dotPeek...
Also, what is this: MyComputer.cs, MyProject.cs, MySettings.cs, MyApplication.cs... all they have are some empty methods or __ENCList...
Are those important or can I ignore them? Thanks!
They might be extracting embedded resources and running those.
Mine just sends the data through a bunch of free hosting websites, which eventually pass through to my proper one, all I've got to do then is download them as a .csv file.
I don't get why they don't just use free hosting.
Well, sad day. I spent most of today working to decrypt and unpack Confuser 1.9 (but I did it!) and all I got in return was a fake forms application that asks for your username and password and... actually does nothing with it. Yeah. The entire point of the application was the little bit of malware stapled on to the executable. Damn. To the next!
[QUOTE=HeatPipe;44137824]
Also, what is this: MyComputer.cs, MyProject.cs, MySettings.cs, MyApplication.cs... all they have are some empty methods or __ENCList...
Are those important or can I ignore them? Thanks![/QUOTE]
Those seem to be something VB.NET includes for new Windows Forms applications. I had that in mine too.
Is it safe to download viruses in a virtual OS like Microsoft Virtual PC 2007?
[QUOTE=nuttyboffin;44141029]Is it safe to download viruses in a virtual OS like Microsoft Virtual PC 2007?[/QUOTE]
Why not just use VMWare or VirtualBox?
[QUOTE=supersnail11;44141067]Why not just use VMWare or VirtualBox?[/QUOTE]
Because my college has DreamSpark, so we get free software to muck around with and keep (installing all the OSes they supply and putting them on HDDs to keep for future use).
[QUOTE=nuttyboffin;44141093]Because my college has DreamSpark, so we get free software to muck around with and keep (installing all the OSes they supply and putting them on HDDs to keep for future use).[/QUOTE]
VirtualBox is free, though.
It's mainly because I might as well make use of what I've got... :P Eh, I'll download VirtualBox anyway.
Technically there was an exploit posted a while ago that was capable of taking itself out of a VM and executing code on the original machine, but it's incredibly complicated, not something you're going to encounter.
[QUOTE=KillerLUA;44139407]Mine just sends the data through a bunch of free hosting websites, which eventually pass through to my proper one, all I've got to do then is download them as a .csv file.
I don't get why they don't just use free hosting.[/QUOTE]
It probably didn't fit the post size limit of the tutorial.
[QUOTE=nuttyboffin;44142091]It's mainly because I might as well make use of what I've got... :P Eh, I'll download VirtualBox anyway.[/QUOTE]
Just because something (usually) costs money doesn't mean it's better than the free alternatives out there.
[QUOTE=supersnail11;44139364]They might be extracting embedded resources and running those.[/QUOTE]
Can't find any C# code related to this in ILSpy... Or is the C# code just a mask?
Just decrypted another Confuser 1.9 application
[img]https://dl.dropboxusercontent.com/u/256471/soclose.PNG[/img]
I'm so close aaahhhh
Just need to restore the original string constants... shouldn't be too hard, right?
Well, I did it. I simultaneously won and lost. The story along the way was incredibly interesting though. But, for now, here's the results:
[code]
Username: iiobapiiobap@gmail.com
Password: a131313a
[/code]
The sad part:
[img]https://dl.dropboxusercontent.com/u/256471/nooooo.PNG[/img]
Ah, oh well.
Here's the story though...
I was incredibly dumbfounded when I got done decrypting the strings to realize that the strings that contained the email and password weren't even located inside the code itself.
It was doing a call like this:
[code]string expression = File.ReadAllText(Application.ExecutablePath);[/code]
It was actually opening the original file as a text file and reading the contents.
Now, I'm not exactly sure how packing strings inside an executable works, but apparently it was capable of isolating only the important username and password strings inside the executable.
So, after doing all this work beating the Confuser packer and getting to the important parts of the code, the last thing I had to do was... open the executable in notepad++.
I opened it up and did a couple of control + F searches and found the username and password in there.
It also explains why, after unpacking and correctly restoring the OEP of the program, the unpacked program wouldn't run at all; it errored out with something similar to what would happen if it tried to read itself as a text file and couldn't find something.
All in all, very interesting experience!
[QUOTE=supersnail11;44132193]That's way more difficult than just decompiling it. The amount of skill gone in to making this crap is little-to-none.[/QUOTE]
Ehh, you have various programs that log all calls to the WinAPI, which allows you to read all networked data, all files read/written and a lot of other things.
Especially for .NET applications it's significantly easier than actually working with the disasm.
[editline]6th March 2014[/editline]
[QUOTE=Ott;44013286]What's wrong with good old IRC servers?[/QUOTE]
IRC is for 2 way viruses, Mail is 1 way. On top of that there aren't as many IRC servers where you could hide it anymore, and it scales badly.
Welp, these are all either survey scams, or already taken care of.
[editline]7th March 2014[/editline]
fuck you myownbotnet.com
[editline]7th March 2014[/editline]
I found an actual aimbot
written in .NET
[QUOTE=SteveUK;44011727]These are made by kids who literally copy and paste code from tutorials. Do you really expect them to be doing anything more advanced than that?[/QUOTE]
I always love your posts-avatar combinations, as rarely as I see them.
RE some random virus: it was obfuscated 7 times (fixed this with de4dot); at first I couldn't open it with Reflector. Then I imported the code into Visual Studio with JetBrains dotPeek...
(I modified the code a little from the original, don't want to infect myself!, and also then renamed testfile.txt |> testfile.exe)
[img]http://i.imgur.com/uCXV7KO.png[/img]
And I got another exe file out, which I could also open with the decompiler; it was also obfuscated 6 times or something...
Then later I figured out it is a timebomb :)
[img]http://i.imgur.com/HZBlZJX.png[/img]
I then converted this timestamp to an actual date (by just running the code and calling Console.Write(date)...)
The date is 16.03.2014
Well, that is all folks! I still have work to do!
Reverse engineering this stuff is really fun.
[editline]7th March 2014[/editline]
Also, how do you guys get your 1337 hax? I usually search on YouTube for shit like dota 2 inventory editor, free steam games, etc.
Also search with terms like 2014 or 2015... you will get the most recent shit :)
Hey, got SMTP details like the password and shit; the trojan/bot connects to a No-IP dynamic address... is it possible to hijack stuff?
[QUOTE=HeatPipe;44163267]Also search with terms like 2014 or 2015... you will get the most recent shit :)
Hey, got SMTP details like the password and shit; the trojan/bot connects to a No-IP dynamic address... is it possible to hijack stuff?[/QUOTE]
Well, the reason right now that people are hijacking these accounts is that Google provides a free SMTP address to anyone who has a Gmail account. So, they use their free Gmail account information to access the SMTP server, which also gives everyone access to their main account as well. If they're using any other SMTP service, it's unlikely that their account is going to be as easy to hijack.
Does this actually just direct you to a survey? [url]https://www.youtube.com/watch?v=u_w8P_gmLac[/url]
It logs your IP though; couldn't find if they actually send anything out.
[QUOTE=aurum481;44164115]Does this actually just direct you to a survey? [url]https://www.youtube.com/watch?v=u_w8P_gmLac[/url]
It logs your IP though; couldn't find if they actually send anything out.[/QUOTE]
I wonder where those fake comments come from. Are those people bots or what?
Or infected zombies?
[QUOTE=HeatPipe;44163267]Also search with terms like 2014 or 2015... you will get the most recent shit :)
Hey, got SMTP details like the password and shit; the trojan/bot connects to a No-IP dynamic address... is it possible to hijack stuff?[/QUOTE]
You generally won't be able to hijack a botnet this way, as modern bots connect to the C&C instead of the other way around to avoid NAT/firewall issues.
However, there is a RAT which is still supposedly in wide use despite having ceased development a long time ago and a publicly known vulnerability allowing you to read files on the C&C. And I think it has SQL injection opportunities too.
Haven't seen a DarkComet though, only njRAT.
[editline]8th March 2014[/editline]
[QUOTE=johnnyaka;44164149]I wonder where those fake comments come from. Are those people bots or what?
Or infected zombies?[/QUOTE]
Most likely the attacker using the victim's stolen login data.
[QUOTE=Gbps;44163531]Well, the reason right now that people are hijacking these accounts is that Google provides a free SMTP address to anyone who has a Gmail account. So, they use their free Gmail account information to access the SMTP server, which also gives everyone access to their main account as well. If they're using any other SMTP service, it's unlikely that their account is going to be as easy to hijack.[/QUOTE]
Hey thanks, that explains a lot! :) Will still try to find way tomorrow and if all else fails, I can still troll him a bit lol.
I think it would be fun to make a fake bot that displays a shock image / screamer when the skid tries to use the remote control or webcam function.
Or fake login data, luring them to a shock site (or malware of your own)...
The possibilities are endless.
[img]http://4st.me/VP57r.png[/img]
Cool, obfuscated information!
I bet it's really hard to--
[img]http://4st.me/hYiH1.png[/img]
Oh, ok.
Result was a GMail inbox with a few pages of Runescape account data. Ended up deleting the account :v:
[code]
// ?0?.?1? is how the decompiler renders the obfuscated (unprintable) class and method names;
// both arguments are encrypted string literals passed through the decryption routine
smtpClient.Credentials = new NetworkCredential(?0?.?1?("~ŴɦͧѢմپݦࡽऻ਻଺ొ൮๥སၯᅩሪ፠ᑭᕬ"), ?0?.?1?("FŸɿͪѧլټݳ࡯५ਵ଺఻ഹ"));
[/code]
uhhhhhh
okay!
[code]
// String decryption routine recovered from the sample. The decompiler showed the
// obfuscated method and parameter names as ?1?; they are renamed here for readability.
public static string DecryptString(string encrypted)
{
    int length = encrypted.Length;
    char[] array = new char[length];
    for (int i = 0; i < array.Length; i++)
    {
        char c = encrypted[i];
        // low byte is XORed with (length - i), high byte with i, then the two are recombined
        byte b = (byte)((int)c ^ (length - i));
        byte b2 = (byte)((int)(c >> 8) ^ i);
        array[i] = (char)((int)b2 << 8 | (int)b);
    }
    return string.Intern(new string(array));
}
[/code]
[IMG]http://i.imgur.com/tf1aJjm.png[/IMG]
That's the password btw. Culprit has his GMail in number confirmation mode.
Well it was my first credential capture.
Edited:
damnit let me edit my post FP
Edited:
Oh wow we did the same one simultaneously :v:
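The decryption routine from the post above, ported to Python as an added analyst helper so the obfuscated literals can be decoded from a dump without running the sample. This is example code, not the thread's or the obfuscator's; the two literals it decodes are constructed, not taken from the screenshot.

```python
"""Static decoder for the per-character XOR string routine shown above.

Added example, not the thread's code or the obfuscator's: it mirrors the
decompiled C# so strings can be recovered from a dump without running the
sample. .NET strings are UTF-16, so each char is a 16-bit value whose low
byte is XORed with (length - i) and whose high byte is XORed with i.
"""


def decode_obfuscated(encoded: str) -> str:
    """Port of the decompiled routine: position-keyed XOR on each char."""
    length = len(encoded)
    out = []
    for i, ch in enumerate(encoded):
        code = ord(ch)
        low = (code ^ (length - i)) & 0xFF      # (byte)(c ^ (length - i))
        high = ((code >> 8) ^ i) & 0xFF         # (byte)((c >> 8) ^ i)
        out.append(chr((high << 8) | low))      # (char)(b2 << 8 | b)
    return "".join(out)


# XOR with a key derived only from position and length makes the routine its
# own inverse, so decode_obfuscated(plain) yields the obfuscated literal; that
# is how the constructed samples below were produced. The high byte climbing
# with the index is the pattern visible in the credential line above.
SAMPLE_LITERALS = {
    "username": "b\u0169\u0262\u036b\u046d",   # constructed: encodes "gmail"
    "password": "t\u0162\u0271\u0372",         # constructed: encodes "pass"
}


def decode_all(literals: dict) -> dict:
    """Decode every captured literal, keyed by the call site it came from."""
    return {site: decode_obfuscated(lit) for site, lit in literals.items()}


if __name__ == "__main__":
    for site, plain in decode_all(SAMPLE_LITERALS).items():
        print(f"{site}: {plain!r}")
```

Because the routine is an involution, running it twice over any string returns the original, which is a quick self-check when porting it to another obfuscator version.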