klog.exe - POC

Discussion in 'other anti-malware software' started by Kyle1420, Oct 24, 2010.

Thread Status:
Not open for further replies.
  1. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
0 detections... Just goes to show how ineffective some blacklisting is vs. the unknown.

    ~Virus Total results removed per Policy.~

Also, WinPatrol didn't make a peep. How does your HIPS/BB fare?


Download the PoC here:
    http://www.mediafire.com/?z57l7dim13gl2rd
    (This will keylog and write to a log.txt file in the working directory once you close)
    It will not connect to the internet or anything else, only the above.
     
    Last edited by a moderator: Oct 24, 2010
  2. Hawk82

    Hawk82 Registered Member

    Joined:
    Feb 11, 2007
    Posts:
    29
    Zone Alarm Pro detects it...:cool:
     

  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I have PoC klog by Clandestiny, rootkitdotcom, I'm wondering is this the same or perhaps built from source code?
     
    Last edited: Oct 24, 2010
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    MD warned me ;)
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Kyle1420

    Thanks for the POC :thumb:

    *

    Very large file 1.71 MB :eek:

After allowing these alerts

[screenshots: pg1.gif, pg-k1.gif, z1.gif]

It worked ;)

[screenshot: klog.gif]

Closed the app and went to open the .txt log on my desktop, but had to click through these first

[screenshot: bm.gif]

Usually things like that end up showing mainly garbage, but it actually showed what I typed into metapad.

    ...Testing Klog 12345........................ABCDE$£@+klog

That's how it appeared, WITHOUT the dots, even though I'd typed

    Testing Klog 12345 ABCDE$£@+klog

    No big deal to reading it back though :D

    Prevx blocked trying to sign in here plus HTTPS Hotmail & https://www.startpage.com :thumb:
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    DefenseWall successfully blocks. :D
     

  7. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Comodo Firewall v5 successfully blocked the threat from logging the keystrokes...
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
KIS 2011 gives a yellow warning about a global Windows hook; if you deny, it fails, if you allow, it works. However, logging the web browser is blocked by SafeOnline. Mamutu gives no warnings, not even in paranoid mode.
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
WinPatrol Plus didn't burk at all :D
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    spyshelter blocks it:D
     
  11. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    208
    Location:
    Romania
    Latest OA beta, and log.txt is empty after closing.
     

  12. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    burk... My dog did that once. She barked and burped at the same time.:p
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
  14. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    What's the point of this PoC? It looks like script kiddie bloat.
    Does it require .NET Framework? Because it fails to run with naked XP SP3.
    With 7 I can read klog.exe, Install global message hook, Hook type: WH_KEYBOARD_LL. :p

    Cheers
     
  15. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
Prevx on maximum settings will not protect me. Added to the protected pages. Trusteer Rapport protects, for example, on eBay, but not at my bank, because the bank is not their partner. My language is Polish, Windows Service Pack 3.
     
  16. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
Indeed. Norton ate it as soon as I downloaded it :( It's one hungry killa :D
     
  17. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    have you tried manually adding your bank to the protected list?
     
  18. ELWIS1

    ELWIS1 Registered Member

    Joined:
    Sep 29, 2010
    Posts:
    60
    Yes:)
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i tried that too, it didn't work.
    oh well.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
No idea about the one posted by Kyle1420, because mediafire will require me to allow cookies (it gave me the shivers :D), but the one mentioned by Meriadoc is detected by MSE v2, avast! 5 and AVG 2011, all with definitions nearly 1 week old. I haven't checked VirusTotal. I have those three in a virtual machine and just decided to give it a run.

    If you could upload it to rapidshare instead? No cookies needed here. :)
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Only took a cursory look; I was hoping for some more info. Looks to be obfuscated somewhat, Python, a lot of string info... I did unpack the file to get any useful information, and ran it in an anti-anti-sandbox config.

The one at rkdotcom is well known.
     
    Last edited: Oct 24, 2010
  22. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can't run in a restricted sandbox and a default sandbox creates a logfile within the sandbox.

[screenshot: Test.JPG]
     
  24. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
Yes, it was created with Python, packed with py2exe and compressed with UPX. I apologize for the larger file size, as I had to include the Python interpreter so it would run on the PCs of people who do not have Python installed.
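Kyle's answer (Python, bundled by py2exe, then compressed with UPX) explains both the 1.71 MB size and what Meriadoc saw when unpacking. The triage below is an added example, not code from the thread or from klog.exe: it parses a PE file's DOS header, COFF header and section table, and reports the hints a practitioner checks first, namely UPX's UPX0/UPX1 section names, the "hollow" first section (VirtualSize set, SizeOfRawData zero) that UPX unpacks into at run time, the "UPX!" marker UPX leaves in the file, and a crude string search for the PYTHONSCRIPT resource that py2exe builds typically carry. The sample images in the block are constructed headers only (no code, not runnable programs); the field values in them are made up for the demo. Caveat: a packer's section names are trivially renamed, and the PYTHONSCRIPT check is a byte search rather than a walk of the resource directory, so treat a negative result as "no obvious hint", not as clean.

```python
"""Rough PE triage: list sections, flag UPX packing and a py2exe payload.

Added example, not code from the thread. Assumes a PE32 or PE32+ file;
only the headers needed for the section table are parsed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_offset: int


def parse_sections(data: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _m, nsections, _ts, _sym, _nsym, opt_size, _ch = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        raw = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)  # IMAGE_SECTION_HEADER
        name = raw[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, raw[1], raw[2], raw[3], raw[4]))
    return sections


def packer_hints(data: bytes) -> Dict[str, object]:
    sections = parse_sections(data)
    names = [s.name for s in sections]
    upx_sections = [n for n in names if n.upper().startswith("UPX")]
    # UPX's first section is empty on disk but large in memory: the stub
    # decompresses the original program into it at run time.
    hollow = [s.name for s in sections if s.raw_size == 0 and s.virtual_size > 0]
    upx_marker = b"UPX!" in data
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "hollow_sections": hollow,
        "upx_marker": upx_marker,
        "likely_upx": bool(upx_sections) or upx_marker,
        # crude byte search, not a resource-directory walk (assumption: good enough for triage)
        "py2exe_resource": b"PYTHONSCRIPT" in data,
    }


SectionSpec = Tuple[str, int, int, int, int, int]  # name, vsize, vaddr, rsize, roff, characteristics


def build_sample_pe(specs: List[SectionSpec], trailer: bytes = b"") -> bytes:
    """Constructed, header-only PE image for the demo (not a runnable program)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)        # 64 bytes
    opt = b"\0" * 0xE0                                                     # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rsize, roff, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, roff, chars in specs
    )
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed samples: a UPX-style layout with a py2exe marker in the tail,
# and a plain unpacked layout. Sizes and addresses are made up.
UPX_SAMPLE = build_sample_pe(
    [("UPX0", 0x20000, 0x1000, 0, 0x400, 0xE0000080),
     ("UPX1", 0x9000, 0x21000, 0x8C00, 0x400, 0xE0000040),
     (".rsrc", 0x1000, 0x2A000, 0x200, 0x9000, 0xC0000040)],
    trailer=b"\0" * 16 + b"UPX!" + b"\0" * 8 + b"PYTHONSCRIPT",
)
PLAIN_SAMPLE = build_sample_pe(
    [(".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020),
     (".rdata", 0x1000, 0x6000, 0x1000, 0x5400, 0x40000040),
     (".data", 0x800, 0x7000, 0x200, 0x6400, 0xC0000040),
     (".rsrc", 0x400, 0x8000, 0x400, 0x6600, 0x40000040)],
)

if __name__ == "__main__":
    for label, blob in (("upx-style", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_hints(blob))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `packer_hints`; if `likely_upx` comes back true and the headers are untouched, `upx -d` will usually restore the py2exe build, whose PYTHONSCRIPT resource and bundled library zip can then be inspected directly.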
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Kyle1420

Hi, I hadn't initially realised that you'd written this POC!

    Can you please comment on these from my earlier post ?

     