Analysis of the Fimbel Keylogger and Pace University Converter Christopher Funk, Sheryl Hanchar, and Ned Bakelman

Keyloggers

   Record Keystokes  Not intrinsically good or evil Potential Uses  Data Grabbers (Evil)  Active Identification (Good) Visibility of Keyloggers  Rootkit vs. Normal Process

Tools for finding Anatomy of any program  Analyze it as if it was malicious software  Ultimate Packer for eXecutables (UPX)      Fakenet – Network Diagnostics Process Explorer – Process Information OLLYdbg – Showing Flow of Program IDA Pro – Interactive Disassembler CFF Explorer – Decompile .Net directory

Keylogger Software Pack

 Originally three programs  Fimble Keylogger   Pace Keylogger Launcher  Focus of in-depth analysis Pace Converter  Newer Version is two programs  Combined the two Pace tools

Pace Keylogger Anatomy

 Opens connect to Pace Server that remains open  User Agent is a .Net program

Pace Keylogger Anatomy

  UPX strings showing where the program is sending the data Password is blacked out

Pace Keylogger Anatomy

 Process Explorer showing the call to start the Fimble Keylogger

Pace Keylogger Anatomy

 Ollydgb showing uniquely .Net Calls

Pace Keylogger Anatomy

 IDA Pro showing .Net

boolean variable  Says if Fimble is running  Very Visible Program

Pace Keylogger Anatomy

   CFF Explorer – only works with .Net programs Entry Point where malicious software can take control Or just inject code into other benign program

Pace University Combination Project Breakdown   Goal – Combining Software Tools   Keylogger Launcher Converter Issues    Different Programming Languages External Program Control from Java Environment Parallel work being done by customer on code

Two Different Tools

Pace University

Pace University

Goal Breakdown

 Expanding converter to encompass launcher functions   Start and Stop the keylogger Working with previous code   Naming Convention  Identify keylogging target application   Field for name information Numbering Outputs Adding in customer revisions

Pace University Step 1: Working with Previous Code   Compiling issues when exporting to Jar  Netbeans Meta data Very messy code  Did not follow best practices  Obsoleted code that still was in use  Main() issues  Moving it from Login() class to converter() class

Pace University Step 2: Start and Stop Keylogger   External Program Executioner  Java Process Builder / Process classes Issues    Unable to find the program  Documentation does not specify necessary parameters  Error Messages Unclear Working only on one machine Re-arranging GUI and how to identify the keylogger

Pace University `ProcessBuilder builder =

new

ProcessBuilder( keyloggerDirectoryField .getText() + "startkeylogger.exe" ); builder.directory(

new

File ( keyloggerDirectoryField .getText())); Process javap = builder.start();`

Pace University Step 3: Naming Convention     LastName_Firstname_Application_Number.xml

Identify Target Program  Drop down menu  Hard coded string, not filtering the output Name information  Fields where there but by default were invisible even though necessary Numbering  Had to find the last number with the name output name and then iterate

Pace University Step 4: Combining Customer Code   Costumer has added to the code after the original version that was combined  Need for communication after last step to make sure that his new changes work with new code Did not change the converting code classes  Allows for change as the code as long as the function calls stay the same

Pace University Communication with Customer / Testing    Constant email communication  Only one meeting at the last class Very easy to work with Indispensable to combining project     Test it on other machines to ensure it was working Try out functions in different ways Guide my steps to ensure all necessary functions were worked on first Work with the previous code and understand what the function did

Pace University Final KeyLogger Launcher and Converter

Questions, Comments, Concerns, or well wishes