[2010 CodeEngn Conference 04] window31 - Art of Keylogging: keyloggers that have nothing to do with the keyboard security solution

Published on: 2010 CodeEngn Conference 04

Many papers and other research materials point out the limitations of keyboard security and discuss countermeasures for them. That academic approach matters, but it is also necessary to look at the attacker's approach: from the viewpoint of a hacker who is actually keylogging, how are keystrokes and accounts taken? In general, hackers take accounts through simpler, more practical methods rather than through esoteric techniques built on kernel-level or hardware knowledge, and in most cases what they do shows new techniques that fall outside what current keyboard security covers. Against this background, the session uses reverse engineering to examine cases that have actually occurred in companies and cases of infected users. The Art of Keylogging talk, a taste of the art of binary hacking, introduces the new trends in keystroke theft.

http://codeengn.com/conference/04


1. CodeEngn 2010: Art of Keylogging
   Keyloggers that have nothing to do with the keyboard security solution
   강병탁 (ByungTak Kang, window31), 2010.07.03
   www.CodeEngn.com, 2010 4th CodeEngn ReverseEngineering Conference

2. Who am I?
   • ByungTak Kang (window31)
   • NEXON / Security Team: hacking analysis, security programming
   • A contributor to "Microsoftware", a monthly IT magazine, for over 2 years
   • A lecturer on hacking/reversing/security at various institutions (KISA, security communities, universities, etc.)
   • 2009 Microsoft MVP, Developer Security

3. Agenda
   • Prologue
   • Keylogging Windows accounts
   • Login without password
   • Keylogging on the website
   • Social engineering keylogging
   • Bypassing the keyboard security solution
   • Offensive and defensive

4. Prologue

5. Serious account issues

6. Endless account problems
   • Why do we still face so many problems even after a keyboard security solution is installed?
   • What is the trend of malicious code today?
   • What must we do?

7. Endless account problems
   Trojan-PWS/W32.WebGame.101888.K
   Trojan-PWS/W32.WebGame.102768.B
   Trojan-PWS/W32.WebGame.102805
   Trojan-PWS/W32.WebGame.103150
   Trojan-PWS/W32.WebGame.103182
   Trojan-PWS/W32.WebGame.103463
   Trojan-PWS/W32.WebGame.103556
   Trojan-PWS/W32.WebGame.103810
   Trojan-PWS/W32.WebGame.10524
   Trojan-PWS/W32.WebGame.10724
   Trojan-PWS/W32.WebGame.10764
   Trojan-PWS/W32.WebGame.110145
   Trojan-PWS/W32.WebGame.111085
   Trojan-PWS/W32.WebGame.11218
   Trojan-PWS/W32.WebGame.116274
   Trojan-PWS/W32.WebGame.116606
   Trojan-PWS/W32.WebGame.116822
   ………………………………
   Hundreds of virus signatures are added each day.
8. Keylogging Windows Account

9. Windows Account
   winlogon.exe is what you come face to face with when you walk up to a locked or not-logged-on computer.

10. msgina structure
   (diagram: interaction between winlogon and the GINA)

11. msgina structure
   The library msgina.dll is required by Windows. Winlogon loads it and calls into it when performing user authentication.

12. WlxLoggedOutSAS

       int WlxLoggedOutSAS(
           PVOID                 pWlxContext,
           DWORD                 dwSasType,
           PLUID                 pAuthenticationId,
           PSID                  pLogonSid,
           PDWORD                pdwOptions,
           PHANDLE               phToken,
           PWLX_MPR_NOTIFY_INFO  pNprNotifyInfo,
           PVOID                 *pProfile
       );

   Winlogon calls this GINA export when the secure attention sequence (Ctrl+Alt+Del) arrives while nobody is logged on; on a successful logon the GINA fills in pNprNotifyInfo.

13. WLX_MPR_NOTIFY_INFO

       typedef struct _WLX_MPR_NOTIFY_INFO {
           PWSTR pszUserName;
           PWSTR pszDomain;
           PWSTR pszPassword;
           PWSTR pszOldPassword;
       } WLX_MPR_NOTIFY_INFO, *PWLX_MPR_NOTIFY_INFO;

   Here we can see a meaningful structure!!! The password is handed back to Winlogon in clear text (it is what the network providers get notified with), so a hook on WlxLoggedOutSAS collects the user name, domain and password without touching the keyboard at all.

14. msgina Hooking
   (diagram)

15. Reversing msgina Malware
   Naming:
   • winlogonHijacker
   • Domain Keylogger
   DEMO
16. Login without Password

17. Windows Account
   If you press the Shift key 5 times…

18. StickyKeys popup
   (screenshot of the StickyKeys dialog)

19. StickyKeys run structure
   Winlogon thread → CreateProcess → sethc.exe → StickyKeys dialog box
   Winlogon itself spawns sethc.exe, the accessibility helper, at the logon screen, before anyone has authenticated.

20. StickyKeys local backdoor
   • You are able to get in without an ID/PW!!!
   • You get Explorer or a command prompt at the logon prompt without authentication.

21. Behavior structure
   • Disable WFP (Windows File Protection).
   • Replace the file (sethc.exe).
   • Change the file time so the replacement does not stand out.
   • Now, whenever the Shift key is pressed five times, login succeeds at any time.

22. Terminal login
   (screenshot of a Terminal Services logon screen, where the same trick works)

23. Next action
   • Create a new user account:
       C:\>net user iamhacker /add
   • Add this user to the Administrators group:
       C:\>net localgroup administrators iamhacker /add
   • Remove the StickyKeys local backdoor and re-enable WFP (to avoid raising suspicion of hacking).

24. Which platforms have this vulnerability?
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   Most Windows versions do not check the integrity of the file that launches StickyKeys, sethc.exe, before executing it. (On Vista, WFP has been replaced by Windows Resource Protection, which only guards the file with an ACL owned by TrustedInstaller; an administrator who takes ownership can still swap it.)
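Two checks a responder can run on a sethc.exe image, written here as an added example in C (not code from the talk or from the malware it reverses). The classic backdoor on slide 21 is "copy cmd.exe over sethc.exe", so (1) the two files become byte-identical, and (2) the PE header's Subsystem field of the replacement says console (3) where the genuine accessibility helper says GUI (2). File times prove nothing, since the malware resets them, so the checks look only at content. The FINDING_* names, the sample functions and the minimal header-only PE images they build are assumptions made for this example.

```c
/* Added example: offline checks for a replaced sethc.exe (not the talk's code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMAGE_SUBSYSTEM_WINDOWS_GUI 2
#define IMAGE_SUBSYSTEM_WINDOWS_CUI 3

#define FINDING_IDENTICAL_TO_CMD  1   /* sethc.exe is a byte copy of cmd.exe   */
#define FINDING_CONSOLE_SUBSYSTEM 2   /* sethc.exe claims to be a console app  */
#define FINDING_BAD_PE            4   /* not a parseable PE image at all       */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Subsystem of a PE32/PE32+ image, or -1 if malformed. Layout: e_lfanew at
 * 0x3C, "PE\0\0", 20-byte COFF header, then the optional header, whose
 * Subsystem field sits at offset 68 in both PE32 and PE32+. */
int pe_subsystem(const uint8_t *img, size_t len)
{
    uint32_t pe, opt;
    uint16_t magic;

    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 4 + 20 + 70)       /* room for Subsystem */
        return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    opt = pe + 4 + 20;
    magic = rd16(img + opt);
    if (magic != 0x10B && magic != 0x20B)         /* PE32 / PE32+ */
        return -1;
    return rd16(img + opt + 68);
}

/* Bitmask of FINDING_* for a sethc.exe image, given cmd.exe for comparison. */
int sethc_findings(const uint8_t *sethc, size_t slen,
                   const uint8_t *cmd, size_t clen)
{
    int f = 0;
    int sub = pe_subsystem(sethc, slen);

    if (slen == clen && memcmp(sethc, cmd, slen) == 0)
        f |= FINDING_IDENTICAL_TO_CMD;
    if (sub < 0)
        f |= FINDING_BAD_PE;
    else if (sub == IMAGE_SUBSYSTEM_WINDOWS_CUI)
        f |= FINDING_CONSOLE_SUBSYSTEM;
    return f;
}

/* Constructed test data: a header-only PE32 image with the given Subsystem.
 * It is not an executable, just enough header for pe_subsystem(). */
size_t build_min_pe(uint8_t *buf, size_t cap, uint16_t subsystem)
{
    const size_t pe = 0x40, opt = pe + 4 + 20, total = opt + 0xE0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)pe;                 /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 4 + 16] = 0xE0;                 /* SizeOfOptionalHeader (PE32) */
    buf[opt] = 0x0B; buf[opt + 1] = 0x01;    /* Magic = 0x10B */
    buf[opt + 68] = (uint8_t)subsystem;
    buf[opt + 69] = (uint8_t)(subsystem >> 8);
    return total;
}

/* A GUI sethc.exe that differs from cmd.exe: nothing to report. */
int sample_findings_genuine(void)
{
    uint8_t sethc[0x138], cmd[0x138];
    size_t n = build_min_pe(sethc, sizeof sethc, IMAGE_SUBSYSTEM_WINDOWS_GUI);
    size_t m = build_min_pe(cmd, sizeof cmd, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    return sethc_findings(sethc, n, cmd, m);
}

/* sethc.exe overwritten with cmd.exe: identical, and a console program. */
int sample_findings_backdoored(void)
{
    uint8_t cmd[0x138];
    size_t m = build_min_pe(cmd, sizeof cmd, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    return sethc_findings(cmd, m, cmd, m);
}

/* A truncated image is reported as malformed rather than silently accepted. */
int sample_findings_truncated(void)
{
    uint8_t cmd[0x138];
    size_t m = build_min_pe(cmd, sizeof cmd, IMAGE_SUBSYSTEM_WINDOWS_CUI);
    return sethc_findings(cmd, 0x20, cmd, m);
}
```

On a live system, read %SystemRoot%\System32\sethc.exe and cmd.exe into memory and hand them to sethc_findings(); either finding is the backdoor from slide 21. Neither check replaces Authenticode verification of the file (WinVerifyTrust), and a replacement built as a GUI launcher passes the subsystem test, so read a clean result as "not the classic trick", not as "not backdoored".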
25. From now on
   Don't forget to hit the Shift key five times and see what pops up on your desktop… every day :p

26. Remove StickyKeys
   This is the real answer: disable the StickyKeys shortcut so that pressing Shift five times no longer launches sethc.exe.

27. Reversing StickyKeys malware
   DEMO
28. Keylogging on the website

29. Web-based login
   • Very vulnerable
   • Attack methods are varied
   • A keyboard security solution is (almost always) present

30. Attack position
   (diagram of the keystroke path; every stage on it is a possible attack position)
   Key press → keyboard hardware → keyboard controller → port I/O → ISR in IDT → keyboard class driver / filter driver → message queue → application → network

31. Keyboard security solution
   (the same diagram, with the areas the keyboard security solution protects marked and the rest labelled DMZ)

32. Protocol handler
   Wininet.dll is the protocol handler for HTTP, HTTPS and FTP. It handles all network communication over these protocols for the applications that use it. Because it sits above the TLS layer, a hook in wininet sees the HTTPS request in the clear, after the keyboard security solution has already delivered the keystrokes to the application.

33. Query hook
   The login request captured by the hook (the password travels as the plain pwd= field):

       url=http%3A%2F%2Fwindow31.com&fail_url=&loginsite=&site_id=31&adult_yn=N&encoding_type=utf-8&ukey=1BB7E5F2937203480D408B5196E9AC3B9DDF487E636EA15426FAEABDAFB00A6908F2069ECB5FA6C7B618E4C68C5F37C2900DB07DE9A0CACEC7300A6DBD342A83&game_id=13&id=window31&pwd=fucking
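What the hook holds after slide 33 is the raw application/x-www-form-urlencoded body, and pulling the account out of it is a short parse. The following is an added example in C (not the talk's code, nor the malware's) of that parse: percent-decoding plus a walk over key=value pairs looking for user- and password-like field names. The body is constructed with the same field names as the capture on the slide; the values, the key lists and the CRED_* names are assumptions made for this example.

```c
/* Added example: credential fields from a captured form body (not the talk's code). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_USER 1
#define CRED_PASS 2

/* Field names treated as user / password (assumed list for this example). */
static const char *const USER_KEYS[] = { "id", "userid", "user", "username", "login", NULL };
static const char *const PASS_KEYS[] = { "pwd", "password", "passwd", "pass", NULL };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode len bytes of a form-encoded value into dst (NUL-terminated, at most
 * cap-1 bytes). '+' becomes a space; a malformed %XX is copied through as-is. */
size_t form_decode(const char *src, size_t len, char *dst, size_t cap)
{
    size_t i = 0, o = 0;
    while (i < len && o + 1 < cap) {
        if (src[i] == '+') {
            dst[o++] = ' '; i++;
        } else if (src[i] == '%' && i + 2 < len &&
                   hexval(src[i + 1]) >= 0 && hexval(src[i + 2]) >= 0) {
            dst[o++] = (char)(hexval(src[i + 1]) * 16 + hexval(src[i + 2]));
            i += 3;
        } else {
            dst[o++] = src[i++];
        }
    }
    if (cap) dst[o] = '\0';
    return o;
}

/* Case-insensitive match of a (not NUL-terminated) key against a name list. */
static int key_matches(const char *key, size_t klen, const char *const *list)
{
    for (; *list; list++) {
        size_t i, n = strlen(*list);
        if (n != klen) continue;
        for (i = 0; i < n && tolower((unsigned char)key[i]) == (*list)[i]; i++)
            ;
        if (i == n) return 1;
    }
    return 0;
}

/* Walk key=value&key=value, decoding the first user-like and password-like
 * fields into user/pass. Returns a bitmask of CRED_USER | CRED_PASS. */
int extract_credentials(const char *body, char *user, size_t ucap,
                        char *pass, size_t pcap)
{
    int found = 0;
    const char *p = body;

    if (ucap) user[0] = '\0';
    if (pcap) pass[0] = '\0';
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t klen = eq ? (size_t)(eq - p) : plen;
        const char *val = eq ? eq + 1 : p + plen;
        size_t vlen = eq ? plen - klen - 1 : 0;

        if (!(found & CRED_USER) && key_matches(p, klen, USER_KEYS)) {
            form_decode(val, vlen, user, ucap); found |= CRED_USER;
        } else if (!(found & CRED_PASS) && key_matches(p, klen, PASS_KEYS)) {
            form_decode(val, vlen, pass, pcap); found |= CRED_PASS;
        }
        if (!amp) break;
        p = amp + 1;
    }
    return found;
}

/* Constructed capture: the slide's field names, made-up values. */
static const char SAMPLE_BODY[] =
    "url=http%3A%2F%2Fwindow31.com&fail_url=&loginsite=&site_id=31"
    "&adult_yn=N&encoding_type=utf-8&game_id=13&id=window31&pwd=s3cret%21";

static char g_user[64], g_pass[64];

int sample_found(void)
{
    return extract_credentials(SAMPLE_BODY, g_user, sizeof g_user, g_pass, sizeof g_pass);
}
const char *sample_user(void) { sample_found(); return g_user; }
const char *sample_pass(void) { sample_found(); return g_pass; }

int main(void)
{
    printf("user=%s pass=%s\n", sample_user(), sample_pass());
    return 0;
}
```

This is the whole point behind the conclusion that parameters should be encrypted: the keyboard security driver never sees this buffer, and a hook above the TLS layer does. If the page encrypted pwd with a per-session key before calling HttpSendRequest, the same parser would return only ciphertext.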
34. The API issue
   (diagram)

35. Reversing malware
   DEMO
36. Social Engineering Keylogging

37. Human habits

38. Bad habit
   We copy and paste unconsciously. Even the password.

39. Funny Code

       while (1)
       {
           // …
           GetClipboardData(CF_TEXT);   /* read whatever the user last copied */
           // …
           if (bMaybePW)                /* heuristic: does it look like a password? */
               SendDataToHacker();
           Sleep(500);
       }

   A clipboard poller needs no keyboard hook at all, so the keyboard security driver never sees it.

40. Problems
   • This technique depends on human behavior.
   • Even when you are not logging in, you can be attacked (for example, paperwork, etc.).
41. Bypass keyboard security solution

42. Why?

43. Offensive and defensive

44. Hooking detection

       13:12:31:889 [0x756E40D4] jmp msg1na.dll.0xB0A588
       13:12:31:889 Found inject code !!! 5 byte diff
       13:12:31:889 doubt module: [pid: 420] \??\C:\WINDOWS\system32\winlogon.exe - c:\windows\system32\msgina.dll
       13:12:31:889 [KEYLOGGER] Domain Keylogger detect !!!! winlogon.exe - msgina.dll inject

   The detector compares the first bytes of the msgina.dll export inside winlogon.exe (pid 420) with a clean copy, finds a 5-byte difference (an inline jmp) and reports where the jump lands: as logged, a module named msg1na.dll (with a digit one), a look-alike of msgina.dll.
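The check behind the "5 byte diff" line above, and behind the hook on WlxLoggedOutSAS from slide 14, as an added example in C (not the talk's detection tool). It compares the live prologue of an export with a clean copy, counts the differing bytes and decodes the most common 32-bit hook stubs (jmp rel32, jmp [abs], push/ret) to find the hook's target. The prologue bytes are constructed; 0x756E40D4 is the function address from the log, the hook address 0x10001000 is assumed, and the HOOK_* names are mine.

```c
/* Added example: inline-hook detection on a function prologue (not the talk's code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hook_kind {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32 */
    HOOK_JMP_ABS,     /* FF 25 disp32: jmp dword ptr [disp32] */
    HOOK_PUSH_RET,    /* 68 imm32 C3 */
    HOOK_UNKNOWN      /* bytes differ, but not a stub this decoder knows */
};

struct hook_report {
    enum hook_kind kind;
    size_t diff_bytes;   /* how many of the compared bytes differ */
    uint32_t target;     /* where control goes (pointer slot for HOOK_JMP_ABS) */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* func_va: virtual address of the export in the target process (32-bit).
 * live:    n bytes read from that address (e.g. with ReadProcessMemory).
 * clean:   the same n bytes from a trusted copy: the module file mapped and
 *          relocated to the same base, or a known-good prologue. */
struct hook_report detect_inline_hook(uint32_t func_va, const uint8_t *live,
                                      const uint8_t *clean, size_t n)
{
    struct hook_report r = { HOOK_NONE, 0, 0 };
    size_t i;

    for (i = 0; i < n; i++)
        if (live[i] != clean[i])
            r.diff_bytes++;
    if (r.diff_bytes == 0)
        return r;

    if (n >= 5 && live[0] == 0xE9) {                 /* jmp rel32 */
        r.kind = HOOK_JMP_REL32;
        r.target = func_va + 5 + rd32(live + 1);      /* wraps mod 2^32 on purpose */
    } else if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) {
        r.kind = HOOK_JMP_ABS;
        r.target = rd32(live + 2);                    /* address of the pointer slot */
    } else if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = rd32(live + 1);
    } else {
        r.kind = HOOK_UNKNOWN;
    }
    return r;
}

/* Constructed sample: a hot-patchable Win32 prologue (mov edi,edi; push ebp;
 * mov ebp,esp; sub esp,0x10; push ebx; push esi; push edi; ...). */
static const uint8_t CLEAN_PROLOGUE[16] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
    0x53, 0x56, 0x57, 0x8B, 0x7D, 0x08, 0x33, 0xDB
};

#define SAMPLE_FUNC_VA 0x756E40D4u   /* address from the talk's log */

/* The same prologue after a 5-byte jmp to an assumed hook at 0x10001000. */
struct hook_report sample_hooked_report(void)
{
    uint8_t live[16];
    memcpy(live, CLEAN_PROLOGUE, sizeof live);
    live[0] = 0xE9;      /* rel32 = 0x10001000 - (func_va + 5) = 0x9A91CF27 */
    live[1] = 0x27; live[2] = 0xCF; live[3] = 0x91; live[4] = 0x9A;
    return detect_inline_hook(SAMPLE_FUNC_VA, live, CLEAN_PROLOGUE, sizeof live);
}

struct hook_report sample_clean_report(void)
{
    return detect_inline_hook(SAMPLE_FUNC_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE,
                              sizeof CLEAN_PROLOGUE);
}

int main(void)
{
    struct hook_report r = sample_hooked_report();
    if (r.kind != HOOK_NONE)
        printf("[0x%08X] Found inject code !!! %zu byte diff, jmp -> 0x%08X\n",
               (unsigned)SAMPLE_FUNC_VA, r.diff_bytes, (unsigned)r.target);
    return r.kind == HOOK_NONE ? 0 : 1;
}
```

The clean copy is the part that takes real work: map msgina.dll from disk at the same base, or take the prologue from a known-good build, because a relocated image legitimately differs from the file. A difference that starts with E9 and lands outside the module's own image, as in the log on this slide, is the signature the talk's tool reports.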
45. I hope AntiVirus vendors…
   • check whether WFP has been disabled
   • check sethc.exe
   • turn the StickyKeys option off
   • check winlogon for DLL injection and verify its integrity

46. Conclusion
   • A keyboard security solution cannot prevent everything.
   • Each location requires different security (e.g. kernel: ring 0; application: integrity check).
   • Parameters should be encrypted.
   • Let's try reversing a lot of malicious code. We can get hints and learn a lot about their techniques.
   • AntiVirus should gain more behavior-based features.

47. Question
   http://www.window31.com
   window31com@gmail.com
   Twitter: @window31com
