Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help! Java Based Stealthy Reinstalling Keylogger


  • Please log in to reply
No replies to this topic

#1 Trance

Trance

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 16 July 2007 - 05:52 PM

I have now seen the evidence of this program which has been running on my machine for months. I would appreciate anyone's advice on it's removal. Here are some of this loggers traits... IF I can get the name of the program that is doing this I would sincerely appreciate it.

THE CLUES....
There are no files specific to the keylogger program. I am assuming the program is rebuilt from peices which have been hidden on top of other valid files. Copies of the valid files are moved and everything is redirected in the Registry so they run, and the files I see are those which are used by the program. All done through JAVA coding.

The program confirms its existence and reinstalls itself, but not immediately on boot - sometimes it waits and then starts running - anywhere from a few minutes to an hour before it launches. Again, it's JAVA doing it

McAfee will not assist in the resolution or identification of the problem. Even after I informed them that it was what it was. (See AntiSpywareCoalition to understand how the spies and the anti-spies allow each other's program to exist and run. They are without a doubt enabling the problem.) The assumption seems to be that if t is on your machine your mother or your boss put it there. They choose not to detect it or assist you in it's removal. And actually suggest your just reinstall their product. (Maybe I'm paranoid after months of this, but if it's this stealthy at hiding, it can distinguish when to wait a few days before attacking again so you think a reinstall worked.)

Finally discovery of the program was from a basic method. Everyone takes things for granted and with Windows, we rarely change the settings on file manager. No problem if you don't see the FILE EXTENSION. Think again. And the HIDDEN files are all hidden for a reason. AND THEN there's SYSTEM files which are all hidden for a reason. Well whoever wrote this program didn't follow the rules - and not only hide the files but called some of the system files too.
And be careful, the files and directories will rehide themselves arbitrarily. AND the files which it creates will have a variety of dates they didn;t overlook that at all.

A quick run down expanding every directory gave rise to patterns of directories and files which just stood out. When using the Thumbnail view of those directories, well that was when it got interesting... There were pictures of everywhere where I had been. Not just the individual pictures, but the assembled pictures of web pages and programs I have run or written. That totally confirmed my suspicions.

There are so many web sites out there that to list the files the program hid behind or on top of would be pointless. But my biggest clue was EMPROXY.exe while running McAfee. It was running constantly. It is the program they use to check email and IMs coming and going. Well as the keyloggger was sending out the data it was being seen and reviewed by EMPROXY which meant it was running just about all the time and bringing the pc to a halt.

The next clue was thanks to the PHP style of having a billion peices to put out one web page. All those little peices were being transmitted every time I touched one. BUT IF YOU MOVE A DIRECTORY... you can almost see the machine trying to copy all the files into a background area from which to send the files later. I have about a dozen web sites. When I copied my Web Site Directories to another drive and back and deleted the extra set, my pc went from 100,000 files to over 750,000 files to scan on every virus scan. This time it slowed to a crashing halt. It is currently still trying to transmit all of those files. To make it interesting I launched a dvd and told it to repeatedly replay all night. (Bad Idea - it could be sending all of those snapshots forever.)

Now add in that the person who has hacked you can enable and disable the program remotely. So if your spouse is doing it and you get suspicious, they turn it off for a day.

There was also a great little tool called kl-detector which takes the simple approach and notes everything that is being written to the disk while you are doing any task. It did it on the fly and caught everything that was going on with the disk by simply looking at everything and not dismissing anything. The good and the BAD. KUDOS for an awesomely simple approach to proving the existence of the steathiest program I've ever encountered.

Now when I add to this information all of the research of the files on the web, I find that if you get hit with something like this - everyone will think you've gone out of your mind. You will find few programs which offer releif. You can't find the correct file sizes for program files anymore even if you had the time to research all of them. If you get hit with it - you are done. While I bow to the programmers who thought of everything on this one... you bastards have cost me countless hours of my life. 5 months of being misdirected.

I'd like to suggest for this forum that there be a forum list of clues. While it drove me nuts seeing all the HiJack this logs of others with the same file names as I was researching, if I had only known the clues to look for it would have been more helpful than reading through entries a mile long to hear that it was solved, but never the clue. Maybe call it "You might have a problem if... "
1. EMPROXY.exe is running all the time.
2. Frequently you see csrss and lsass running and look at all those SVCHOSTS running too.
3. ATI is the name of my video driver, and also the name of a WEBWATCHER developer.
4. MSWORD launches randomly every now and again - and I didn't even touch the pc. (About every time I hit REGEDIT. it popped open and closed.)

I have pages of files which I deemed suspicious and behaviors that I noticed happening.
I'll list em all if the forum is launched...

Last - I'm still mad as hell at the person who put this on my machine... and we'll have our day in court. I'd like to get some work done in the meantime... so if anyone knows what I've got and how to clear it - PLEASE LET ME KNOW.

T

BC AdBot (Login to Remove)

 


m



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users