klog.exe - POC

0 detections...Just goes to show how ineffective some black listing is vs unknown..

~Virus Total results removed per Policy.~

Also, Winpatrol didn't make a peep, How does your hips\bb fair?


Download Poc here,
http://www.mediafire.com/?z57l7dim13gl2rd
(This will keylog and write to a log.txt file in the working directory once you close)
It will not connect to the internet or anything else, only the above.

 

Zone Alarm Pro detects it...

 

I have PoC klog by Clandestiny, rootkitdotcom, I'm wondering is this the same or perhaps built from source code?

 

MD warned me

 

@ Kyle1420

Thanks for the POC

*

Very large file 1.71 MB

After allowing these alerts







It worked



Closed the app and went to open the .txt log on my desktop, but had to click through these first



Usually things like that end up showing mainly garbage, but it actually showed what i typed into metapad.

...Testing Klog 12345........................ABCDE$£@+klog

That's how it appeared, WITHOUT the dots, even though i'd typed

Testing Klog 12345 ABCDE$£@+klog

No big deal to reading it back though

Prevx blocked trying to sign in here plus HTTPS Hotmail & https://www.startpage.com

 

DefenseWall successfully blocks.

 

Comodo Firewall v5 successfully blocked the threat from logging the keystrokes...

 

KIS 2011 gives yellow warning about global windows hook, if you deny it fails, if allow it works, however logging the webbrowser is blocked by SafeOnline. Mamutu gives no warnings, even not in paranoid mode.

 

winpatrol plus didnt burk at all

 

spyshelter blocks it

 

Latest OA beta, and log.txt is empty after closing.

 

burk... My dog did that once. She barked and burped at the same time.

 

cool

 

What's the point of this PoC? It looks like script kiddie bloat.
Does it require .NET Framework? Because it fails to run with naked XP SP3.
With 7 I can read klog.exe, Install global message hook, Hook type: WH_KEYBOARD_LL.

Cheers

 

Prevx on maximum settings will not protect me. Added to the protected page. Trusteer Rapport protects example on ebay, but not at my bank because the bank is not their partner. My language is Polish, Windows service pack 3.

 

indeed. norton ate it soon I downloaded it its a one hungry killa

 

have you tried manually adding your bank to the protected list?

 

Yes

 

i tried that too, it didn't work.
oh well.

 

No idea about the one posted by Kyle1420, because mediafire will require me allow cookies (it gave me the shivers ), but the one mentioned by Meriadoc is detected by MSE v2, avast! 5 and AVG 2011. All with definitions nearly 1 week old. I haven't checked virustotal. I have those three in a virtual machine and just decided to give it a run.

If you could upload it to rapidshare instead? No cookies needed here.

 

Only took a cursory look I was hoping for some more info. Looks to be obfuscated some what, Python, a lot of String info...I did unpack the file to get any useful information, and run it in an anti-anti sandbox config.

the one at rkdotcom is well know

 

After unpacking there are 191 files.
It's created with pyHook...



"pyHook is a python wrapper for global input hooks in Windows."
http://sourceforge.net/apps/mediawiki/pyhook/index.php?title=Main_Page

No comment.

Cheers

 

Can't run in a restricted sandbox and a default sandbox creates a logfile within the sandbox.

 

Yes it was created with python, packed with py2exe and compressed with UPX. I apologize for the larger file size as I had to include the python interpreter to run on people's pc's who do not have python installed.

 

@ Kyle1420

Hi, i hadn't initially realised that you'ld written this POC !

Can you please comment on these from my earlier post ?