Undetectable Keylogger in 30 minutes

I noticed that all 60 out of 60 popular Windows anti-virus and anti-malware solutions do not catch the simplest keylogger.

For the test I created a windows application using the popular UserActivityHook.cs library.   It took me about 30 minutes of mostly copy and pasting.  I didn’t have to obfuscate the nature of my program nor did I have to pack it’s binary contents.    The program runs as plain user – it doesn’t need privilege escalation either.  In other words, it is very dangerous.   I scanned the executable through virustotal as well as few popular anti-virus and anti-malware programs on various workstations locally and they all passed the keylogger as 100% ok.

This doesn’t illustrate my hacking abilities (I used none).   What this does illustrate is the poor state of anti-malware and anti-virus tools at the moment.  No matter what the marketing materials tell you, the only protection these tools offer you is against specific white-listed instances of malware. For any other attack you’re on your own.

virus-total-pass

I couldn’t believe my eyes, either, so I decided to dig deeper.

Why was this so easy?

To understand that let’s dig into the various detection methods antivirus programs have at their disposal (thanks Wikipedia) and why each method fails

  • Signature-based detection: is the most common method. To identify viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures. Since this malware is new, there is nothing to compare to.   This is also another reason why I’m not posting the keylogger for everyone to download.   Days after I release it, it will get picked up by one of the many anti-malware teams and a signature will be made out of it in a hurry.   I don’t want to be tagged as distributing malware down the road.   This approach is mediocre, but it’s not good enough – definitely not as good as the various vendors would have you believe.   It’s trivial to bypass the anti-malware scan if you spend 30 minutes making your own.   Even if you copy and paste bunch of stuff together.  On the other hand if you’re using someone else’s tool it will get picked up as malware sooner or later.
  • Heuristic based detection: is generally used together with signature-based detection. It detects malware based on characteristics typically used in known malware code.   I was kind of rooting for the anti-malware programs to catch it based on heuristics,  if they can’t catch my test, how are they catching the keyloggers that others are trying to use against me?    Sadly none did.   This is most likely due to the fact that the Windows security architecture allows keylogging as a very routine function that is used by many legitimate applications.   In particular the keylogger depends on GetKeyboardState API call that’s used for many other benign reasons by other applications.   I still think if the anti-virus companies tried harder, they could catch this based on heuristics.  Currently they obviously don’t.
  • Behavioural-based detection: is similar to heuristic-based detection and used also in Intrusion Detection System. The main difference is that, instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run-time. Clearly, this technique is able to detect (known or unknown) malware only after they have starting doing their malicious actions.    Once again anti-malware products didn’t live up to this promise.  They could have noticed the writes to disk milliseconds after each key press – they didn’t.   Then again, it is tricky.  There are lot of legitimate programs out there that do write to disk after key strokes and they aren’t key loggers.  
  • Data mining techniques: are one of the latest approach applied in malware detection.   Data mining and machine learning algorithms are used to try to classify the behaviour of a file (as either malicious or benign) given a series of file features, that are extracted from the file itself.    Data mining should have been a no-brainer for an anti-malware tool.    I was doing all sorts of suspicious stuff in my code and not hiding it one bit.   I guess we have to wait until this matures a bit, but given how miserably the other methods failed, I’m not holding my breath for that.

So….  this sucks.   How do you protect myself then?    Right now, you probably can’t.   Anti-malware companies have to step up and detect these kind of things.    Be skeptical, just because you see 57 green check marks on virus total, doesn’t mean it’s safe.   And no, don’t stop using your anti-virus, virustotal or whatever else you have.   Even if anti-virus is 90% effective.  That’s better than 0% without it.

ASP.NET dll download vulnerability

Attack:

  1. Guess what the dll of the core application is called.  By default it will be called the same name as the ASP.NET project created by the programmer.   Other than taking a guess based on the name of the web site, often it’s possible to determine the name by browsing HTML source or by triggering errors.
  2. Download the main dll by requesting the following URL:  http://domain.com/bin/application.dll
  3. Once you’ve got the .dll downloaded you can decompile it using ILSpy or your own favorite reversing tool.   If you’re lucky, you may find hardcoded passwords.  If not, you can now look for SQL and Linq injection opportunities that the source code is likely to reveal.

Defence:

  • Most IIS installations restrict access to /bin/ folder by default, but I’ve noticed that for some reason, some don’t.   One way to block this attack is by adding a hidden segment “bin”.

Notes:

  • I found at least one Linux system running Apache with Mono that was vulnerable.  Linux is not immune, if anything I’d say it’s more likely to allow this attack.