[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

CodeEngn 2010
Art of KeyloggingArt of Keylogging
Keyloggers who are nothing to do with the
keyboard security solutionkeyboard security solution
강병탁 (window31)병탁 ( )
2010.07.03
1
www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference

Who am I?Who am I?
• ByungTak Kang (window31)
• NEXON / Security Team – Hacking Analysis,
Security Programmingy g g
• A contributor to “Microsoftware” a monthly IT
Magazine for over 2 yearsg y
• A lecturer on hacking/reversing/security at
various institutions (KISA, security community,( y y
universities, etc)
• 2009 Microsoft MVP Developer Securityp y
2

AgendaAgenda
• Prologue
• K l i Wi d A t• Keylogging Windows Account
• Login without passwordLogin without password
• Keylogging on the website
• Social Engineering Keylogging
• Bypass Keyboard security solution
• Offensive and defensiveOffensive and defensive
3

Serious account issuesSerious account issues
5

Endless account problemsEndless account problems
• Wh d till f bl ft• Why do we still face many problems even after
Keyboard security solution is installed ?
• What is the trend of malicious code today ?
• What we must do ?What we must do ?
6

Endless account problemsEndless account problems
/Trojan-PWS/W32.WebGame.101888.K
Trojan-PWS/W32.WebGame.102768.B
Trojan-PWS/W32.WebGame.102805
Trojan-PWS/W32.WebGame.103150j /
Trojan-PWS/W32 WebGame 103810Trojan PWS/W32.WebGame.103810
T j PWS/W32 W bG 110145Trojan-PWS/W32.WebGame.110145
………………………………
Hundreds of viruses signature are added each day
7
Hundreds of viruses signature are added each day

Windows AccountWindows Account
the winlogon.exe is what you come to face when
lk t l k d l dyou walk up to a locked or un-logged-on
computer.
9

msgina structuremsgina structure
Interaction between winlogon and GINAg
10

msgina structuremsgina structure
The library file msgina.dll, is required by windows. It is
used by WinLogon within windows, when performing
user authentication.
11

WlxLoggedOutSASWlxLoggedOutSAS
int WlxLoggedOutSAS(
PVOID pWlxContext,p
DWORD dwSasType,
PLUID pAuthenticationId,
idPSID pLogonSid,
PDWORD pdwOptions,
PHANDLE phTokenPHANDLE phToken,
PWLX_MPR_NOTIFY_INFO pNprNotifyInfo,
PVOID *pProfile );PVOID pProfile );
12

WLX MPR NOTIFY INFOWLX_MPR_NOTIFY_INFO
Typedef struct _WLX_MPR_NOTIFY_INFO {
PWSTR pszUserName;PWSTR pszUserName;
PWSTR pszDomain;
PWSTR pszPassword;PWSTR pszPassword;
PWSTR pszOldPassword; } LX_MPR_NOTIFY_INFO;
Here we can see a meaningful structure !!!
13

msgina Hookingmsgina Hooking
14

Reversing msgina MalwareReversing msgina Malware
Naming
• i l Hij k• winlogonHijacker
• Domain Keylogger.Domain Keylogger.
DEMODEMO
15

Windows AccountWindows Account
If you press the Shift key 5 times…
17

StickKey PopupStickKey Popup
18

StickKey run structureStickKey run structure
Winlogon
thread
Winlogon
thread
CreateProcess
RunRunRun
sethc.exe
Run
sethc.exe
View
StickKey
Di l B
19
DialogBox

StickKey Local BackdoorStickKey Local Backdoor
• You are able to connect without ID/PW !!!
• Y th l d t t• You can see the explorer or command prompt at
the login prompt without authentication.
20

Behavior structureBehavior structure
• Disable WFP (Windows
File Protection)Disable WFP
• Replace the files.
• N If I k fi• Now, If I press key five
times, I can login at any
time
Change File
time.
press the Shift
key
Login success
21

Terminal LoginTerminal Login
22

Next actionNext action
• Create a new user account,
“c:net user iamhacker /add”c:net user iamhacker /add
•• Add this user to the administrators group
“c:net localgroup administrators iamhacker”c:net localgroup administrators iamhacker
• Remove StickKey Local Backdoor and Enable WFP
(T id d bt h ki )
23
(To avoid as doubt as hacking)

Which platform is this vulnerability?Which platform is this vulnerability?
• Windows 2000
• Wi d XP• Windows XP
• Windows 2003Windows 2003
• Windows Vista
Most of windows OS does not check the
integrity of the file that launches StickyKeysintegrity of the file that launches StickyKeys
“sethc.exe” before executing it.
24

From now onFrom now on
Don’t forget to hit the shift key five times and
see what pops up on your desktopsee what pops up on your desktop
….everyday :p
25

Remove StickKeyRemove StickKey
This is the real answer.
26

Reversing stickkey MalwareReversing stickkey Malware
DEMODEMO
27

Web-based loginWeb-based login
• Very vulnerabley
• Method of attack is varied
• Keyboard security solution exists (Almost always)
29

Attack positionAttack position
NetworkNetworkKey pressKey press
Keyboard
hardware
Keyboard
hardware
ApplicationApplication
KeyboardKeyboard MessageMessage
controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT
Keyboard
class driver
Keyboard
class driver
30
class driverclass driver

Keyboard security solutionKeyboard security solution
protect
NetworkNetwork
protect
areas
Keyboard
hardware
Keyboard
hardware
ApplicationApplication
DMZ
KeyboardKeyboard MessageMessage
controllercontroller QueueQueue
Pot IOPot IO Filter driverFilter driver
ISR in IDTISR in IDT
Keyboard
class driver
Keyboard
class driver
31
class driverclass driver

Protocol handlerProtocol handler
Wininet.dll is the protocol handler for HTTP,
HTTPS and FTP It handles all networkHTTPS and FTP. It handles all network
communication over these protocols.
32

Query hookQuery hook
url=http%3A%2F%2Fwindow31.com&fail_ur
l &l i i & i id 31& d l N&l=&loginsite=&site_id=31&adult_yn=N&enc
oding_type=utf-8&ukey=1BBg yp y
7E5F2937203480D408B5196E9AC3B9DDF487
E636EA15426FAEABDAFB00A6908FE636EA15426FAEABDAFB00A6908F
2069ECB5FA6C7B618E4C68C5F37C2900DB07
DE9A0CACEC7300A6DBD342A83&game id=DE9A0CACEC7300A6DBD342A83&game_id=
13&id=window31&pwd=fucking
33

Reversing malwareReversing malware
DEMODEMO
35

Social Engineering Keylogging
36

Bad habitBad habit
We do cop and paste nconscio slWe do copy and paste unconsciously.
Even the password.
38

Funny CodeFunny Code
while(1)
{{
// …
GetClipBoardData(CF TEXT);p ( _ );
// …//
if (bMaybePW)
SendDataToHacker();();
Sleep(500);S eep(500);
}
39

ProblemsProblems
• This technique is based on the human behaviorThis technique is based on the human behavior.
• You do not have a login, you can be attacked (for
example, paperwork etc).
40

BypassBypass
Keyboard security solutiony y
41

Hooking detectionHooking detection.
13:12:31:889 [0x756E40D4] jmp msg1na.dll.0xB0A588
13:12:31:889 Found inject code !!! 5 byte diff13:12:31:889 Found inject code !!! 5 byte diff
13:12:31:889 doubt module: [pid: 420]
??C:WINDOWSsystem32winlogon exe??C:WINDOWSsystem32winlogon.exe -
c:windowssystem32msgina.dll
13:12:31:889 [KEYLOGGER] Domain Keylogger13:12:31:889 [KEYLOGGER] Domain Keylogger
detect !!!! winlogon.exe - msgina.dll inject
44

I hope AntiVirus vendorsI hope AntiVirus vendors.
• WFP check
• Ch k th• Check sethc.exe
• StickyKeys option turns off.StickyKeys option turns off.
• Winlogon dll injection, integrity check
45

ConclusionConclusion
• Keyboard security solution can not prevent
everythingy g
• Each location requires different security.
(ex. kernel : ring0, app : integrity check)
• h ld b d• Parameters should be encrypted.
• Let's try reversing a lot of malicious code We canLet s try reversing a lot of malicious code. We can
get a hint and we learn a lot of their technology.
• The AntiVirus should be upgraded more behavior-
based features
46

Question
http://www.window31.comp //
window31com@gmail.com
Twitter : @window31com
47
www.CodeEngn.com
2010 4th CodeEngn ReverseEngineering Conference

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to [2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들

Similar to [2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들 (20)

More from GangSeok Lee

More from GangSeok Lee (20)

Recently uploaded

Recently uploaded (20)

[2010 CodeEngn Conference 04] window31 - Art of Keylogging 키보드보안과 관계없는 키로거들