Track down keylogger


unitex

Hi,

Could anyone suggest a traffic log program or whatever to find out where the logs are going from a key logger that was installed on my computer.

I think there would be an email server or whatever, but I am not sure how to find it.


I second Wireshark too. Great for capturing traffic, but if the program uses SSL or encryption to send the traffic, you won't see any of the plain-text keystrokes, so if you open Notepad to test whether you can find what you type in Wireshark, it may not be seen if encrypted.

Also, try Sysinternals Process Monitor to find rogue and hidden processes; it shows what registry keys the program changes/is using, whether it's a hidden service or injected into other running processes, etc. Also TCPView, to see programs in a visual representation, kind of like netstat with more info on the programs in use; you can right-click and kill the process making the connection if you find it's the keylogger (just "runas" TCPView as admin to kill some processes if they don't kill when running as a normal user).

Last tool I would also suggest is NetworkMiner, which can reconstruct actual files from the pcap traffic. You can also import pcaps from Wireshark into NetworkMiner and then find executables, images, and other file types and it reconstructs them for you, which helps track down malware and packages being sent between the keylogger and wherever it calls home to.


Try the free trial of a commercial keylogger, like Micro keylogger, then you might know where the logs are going.

If he got hit with rogue malware that calls home to a specific site, how is another keylogger going to help him other than showing where THAT program stores its files? One program != the other.

Edited by digip

I actively run multiple key loggers on every PC in my house. If you have any questions on what is outgoing... I think a netstat -ano would be a great place to start. Then, if you find any IPs you may not know of; you can run a whois against it and maybe find the rogue server that may be logging your keystrokes.

Until then, I would not risk logging into anything until you track down the logger and terminate it. It has been a long time since I have been exposed to any malware... but I think this is largely attributable to my lack of torrent services and piracy.

Prevention is key... don't expose your PC to nasties by largely avoiding illegal activities on the internet. Hackers know what is popular and what is not... either way... the risk is rarely worth the benefit.

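To put the netstat -ano suggestion into practice, here is a small triage helper, added as an example and not posted by anyone in the thread. It parses netstat -ano output, ignores loopback, RFC 1918 and link-local destinations, and lists the remaining (external) destinations per PID so you know which processes to look at in TCPView or Process Monitor and which addresses to run whois against. The netstat text below is constructed sample data; the 203.0.113.25 address is a documentation-range stand-in for an unknown remote host, which is why the filter uses explicit internal ranges rather than the stdlib's is_global check.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output (not from a real host).
# PID 0 rows are TIME_WAIT leftovers with no owning process.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49160        127.0.0.1:49161        ESTABLISHED     1234
  TCP    192.168.1.10:49172     192.168.1.1:443        ESTABLISHED     2048
  TCP    192.168.1.10:49180     203.0.113.25:587       ESTABLISHED     3456
  TCP    192.168.1.10:49181     203.0.113.25:587       TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5353           *:*                                    2048
  TCP    [::1]:49200            [::1]:49201            ESTABLISHED     1234
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Destinations in these ranges are local to the machine or LAN and are not exfil candidates.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "fc00::/7", "fe80::/10", "::/128")]

def split_endpoint(endpoint):
    """Split 'host:port' or '[v6host]:port' into (ip address or None, port string)."""
    host, _, port = endpoint.rpartition(":")
    try:
        return ipaddress.ip_address(host.strip("[]")), port
    except ValueError:          # '*' and other non-address placeholders
        return None, port

def parse_netstat(text):
    """Return one dict per connection row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local": local, "foreign": foreign,
                         "state": state or "", "pid": int(pid)})
    return rows

def is_external(ip):
    return ip is not None and not any(ip in net for net in INTERNAL_NETS)

def external_by_pid(rows):
    """Map PID -> sorted 'ip:port' destinations outside the internal ranges (PID 0 ignored)."""
    found = defaultdict(set)
    for r in rows:
        ip, port = split_endpoint(r["foreign"])
        if r["pid"] != 0 and is_external(ip):
            found[r["pid"]].add(f"{ip}:{port}")
    return {pid: sorted(dests) for pid, dests in found.items()}

if __name__ == "__main__":
    for pid, dests in external_by_pid(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid} talks to: {', '.join(dests)}  (check in TCPView, whois the IP)")
```

On a real box, pipe `netstat -ano` into this and repeat it over time, since a logger that only uploads on a schedule will show nothing between sends; port 587 in the sample is the mail submission port, the kind of destination the original poster expects to see.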

Thanks for the replies,

I got a file sent from someone I don't really trust, so I scanned it on VirusTotal and the result was something like 38/43, saying mostly that it is a key logger.

I thought maybe if he's stupid enough he might send all the logs directly to his computer, so if I get his IP address I might be able to hack in with Metasploit or whatever and have some revenge :D.


Not to be the turd in the punch bowl... but be careful and don't be naive enough to post illegal activities on the site if you are TESTING for EDUCATIONAL PURPOSES ONLY... always have the web application admin's full permission before performing any type of scans.

(Careful what you post, buddy... :) )


I would run it in something like Sandboxie, in a virtual machine. Sandboxie will show you where all the files it installs are, what it requires, and its registry changes. Also, using a VM means you can use Wireshark to monitor the virtual machine's traffic from the host machine and see where it calls home to without the program seeing Wireshark running, since some apps are smart enough to check for WinPcap or other packet-tracing apps being installed, and will either kill them or just not run. You can also attach Process Monitor to see what the VM is doing to the OS as well. Chris from SecuraBit did an episode with Darren on how to use it to monitor VMs for tracking and watching malware run.

Edited by digip

Do not forget most keyloggers only send the things they capture at certain times, like when their capture reaches x size or at specific times in their config. So you will only see a connection to the destination at those times.

Edited by GuardMoony