Jump to content

Track down keylogger


Recommended Posts

Hi,

Could any one suggest a traffic log program or what ever to find out were the logs are going from a key logger that was installed into my computer.

I think there would be an email server or what ever but I am not sure how to find it.

Link to post
Share on other sites

I second wireshark too. Great for capturing traffic, but if the program uses SSL or encryption to send the traffic, you won't see any of the plain text keystrokes, so if you open notepad to test if you can find what you type in wireshark, it may not be seen if encrypted.

Also, try SynInternals Process monitor to find rouge and hidden processes, shows what Registry keys the program changes/is using, if its a hidden services or injected into other running processes, etc, and also TCPview, to see programs in a visual representation kind of like netstat with more info on programs in use, you can right click and kill the process making the connection if you find its the keylogger (just "runas" TCPview as admin to kill some processes if they don't kill if running as a normal user).

Last tool I would also suggest is NetworkMiner, which can reconstruct actual files from the pcap traffic. You can also import pcaps from Wireshark into NetworkMiner and then find executables, images, and other file types and it reconstructs them for you, which helps track down malware and packages being sent between the keylogger and wherever it calls home to.

Link to post
Share on other sites

Try the free trial of a commercial keylogger, like Micro keylogger, then you might know where the logs are going.

If he got hit with rouge malware that calls home to a specific site, how is another keylogger going to help him other than showing where THAT program stores its files? One program != the other. Edited by digip
Link to post
Share on other sites

I actively run multiple key loggers on every PC in my house. If you have any questions on what is outgoing... I think a netstat -ano would be a great place to start. Then, if you find any IPs you may not know of; you can run a whois against it and maybe find the rogue server that may be logging your keystrokes.

Until then, I would not risk logging into anything until you track down the logger and terminate it. It has been a long time since I have been exposed to any malware... but I think this largely attributes my lack of torrent services and piracy.

Prevention is key... don't expose your PC to nasties by largely avoiding illegal activities on the internet. Hackers know what is popular and what is not... either way... the risk is rarely worth the benefit.

Link to post
Share on other sites

thanks for the reply's,

I got a file sent from someone I don't really trust so I scanned it on virus total and the result was something like 38/43 saying mostly that it is a key logger.

I thought maybe if hes stupid enough he might send all the logs directly to his computer so if I get his IP address I might be able to hack in with metasploit or what ever and have some revenge :D.

Link to post
Share on other sites

Not to be the turd in the punch bowl... but be careful and don't be naive enough to post illegal activities on the site if you are TESTING for EDUCATIONAL PURPOSES ONLY... always have the web application admins full permissions before preforming any type of scans.

(Careful what you post, buddy... :) )

Link to post
Share on other sites

I would run it in something like sandboxie, in a virtual machine. Sandboxie, will show you where all the files are it installs, requires, and registry changes. Also, using a VM, means you can use Wireshark, to monitor the virtual machines traffic from the host machine and see where it calls home to without the program seeing wireshark running, since some apps, are smart enough to check for winpcap installed or other packet tracing apps, and will either kill them, or just not run. You can also attach process mon to see what the VM is doing to the OS as well. Chris from SecuraBit did an episode with Darren on how to use it to monitor VM's for tracking and watching malware run.

Edited by digip
Link to post
Share on other sites

Do not forget most keyloggers only send the things they capture at certain times. Like when there capture is x size or at specific times in there config. So you will only see a connection to the destination at those times.

Edited by GuardMoony
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...