Ajarn Forum - Living and Teaching In Thailand - View Single Post - Do Internet Cafes have Keyloggers?
Old 15th February 2008, 09:35   #22 (permalink)
Citan
Re: Do Internet Cafes have Keyloggers?

Considering the ease with which a keylogger can be installed and hidden in Windows XP SP2 or SP3, I will say yes. Let me give an example.

I use a keylogger on my own computer which sends logs to my computer on localhost through the postfix mail protocol (think new sendmail). Why? To keep track of data flow into my computer, since logging is disabled except for event management and in the event of kernel discrepancies or when the system needs to know something (HAL or udev, for example). Now granted, I use a Linux keylogger, but the idea is the same.

On any computer, unless you built the OS, or are using something truly unique like HaikuOS or Amiga OS4, there is a place where a keylogger can hide and nothing will find it except tools designed to tunnel out a keylogger. In Windows XP, this golden nugget would be (of many places) the System Restore Point, or the MBR. In Linux it is also the MBR, as is the same with Unix/BSD and Solaris.

Now I am not a Windows guru by any stretch of the imagination, but I do keep Windows servers online at my home for playing with, testing, and beating up remotely for fun. I do know a little about keyloggers, so I hope sharing this information with you can help keep you safe.

Most software keyloggers do two things. First they start as a daemon (a background process in the memory module) and run, capturing keystrokes as they are entered, and at a preset threshold (default is full memory) they export their log (defaulted on most software-side loggers to an email address). This is a good and a bad thing. Keyloggers on the software side come in memory flavors and have different functions, the main weakness being they can only run once the user has logged in, as this opens the runtime libraries on Windows and allows memory and processes to allocate and dole themselves out for the run session. Most internet cafes I went to in Thailand never had anyone log out; they just used the timer.log thing which fakes a login screen until you pay the fee, then they hit a switch in the main box to free up the lame-ass screensaver they have. This means it could run all the time.

The issue is that the person using it has to have a goal, and be able to read keylogger hash. Most good ones (read: keyloggers whereby you have to know how to read the manual...) do not export their files in plain text; they do so in a hash algorithm that you have to decode once it is on your local machine of choice. I am going to not give the people at internet cafes the benefit of the doubt and assume they are using whatever free keelog tool they found on google.co.th.

My experience in Thailand showed that the majority of what people were doing with keylogged data was what we would call noodling. Like how rednecks catch catfish. Same idea. You fish for specific traffic with a keylogger and export it to a non-local (out of country) site, for filtering and shipping out to whomever is your overlord. In Thailand, the hot ticket keylog item is game accounts. Stolen game accounts are big business in the underground. I do not care if you do not believe me; you're the one who can't find a Google keylogger on a Windows box, not me. Go to pantip and ask someone about how you "lost your RO account" and "are in need of a new one" and about how "oh shit I just dropped 100 baht, damn I miss my level 99 Blacksmith with x x x x and x item specs" and watch how fast it appears back to you, in CD format too!

I assume most of them are using a keylogger from keelog.com, as this is the most common and is considered to be a very high quality tool. It also has the advantage of being able to hide in many places, starts at boot time (Linux/Unix/anything System V = runlevel 1), and logs the login screen in its own hash, such that on Windows XP after decrypting you get something like "$login=asdf && $pass=1234" (or well, I would get something like that, being on Linux anyway).

I would caution against USB keys. On Windows there is a regedit function, something like Enable/Disable Autorun on all devices. I'm going to bet that that is on in almost any internet cafe in Thailand. This means it is disabled, so all devices have autorun, which is very similar to executive permissions on a Windows machine. Anything that wants to can jump from the autorun level into one of many hiding places on the machine and get to work, a good example being a tool called OPHcrack, which runs from a bootable live CD and cracks the SAM hash (the file Windows stores passwords and sensitive info in) when the autorun kicks in.

There is a thing which I won't go into detail on called the usbHacksaw. This is why you do not use USB keys to carry your personal data unless you protect it, and disable any autorun before launching it.

**MORE TO COME, NEED TO EDIT AND GET MORE RELEVANT INFO FOR THAILAND PROPER**
__________________
Yours,
Norng Citan
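The post above mentions a Windows registry setting that enables or disables AutoRun for all devices. The following is an added example (editor's code, not part of the forum post and not from any tool the poster names) that reads that setting, the NoDriveTypeAutoRun policy value under the Explorer policies key in both HKLM and HKCU, decodes which drive types still have AutoRun enabled, and optionally disables it for every drive type. The key paths, value name and bit meanings are the documented Windows ones; the default mask of 0x91 assumed when the value is absent is the Windows XP default, which leaves removable drives enabled. Run it from an elevated PowerShell prompt on the machine you want to check; the -Fix switch is this script's own parameter.

```powershell
# Added example: inspect and optionally harden the AutoRun policy value.
# Not from the forum post; -Fix is a parameter of this script only.
param(
    [switch]$Fix   # when set, write NoDriveTypeAutoRun = 0xFF under HKLM (needs admin)
)

$explorerPolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# A set bit in NoDriveTypeAutoRun DISABLES AutoRun for that drive type.
$driveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x04 = 'DRIVE_REMOVABLE (USB key, floppy)'
    0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE (network)'
    0x20 = 'DRIVE_CDROM'
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'unrecognised'
}

# Windows XP default when the policy value is not present (assumption noted in lead-in).
$defaultMask = 0x91

function Get-AutoRunPolicy {
    param([string]$KeyPath)

    $present = $false
    $mask = $defaultMask
    if (Test-Path $KeyPath) {
        $item = Get-ItemProperty -Path $KeyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.NoDriveTypeAutoRun) {
            $present = $true
            $mask = [int]$item.NoDriveTypeAutoRun
        }
    }

    # Enumerate the drive types whose bit is clear, i.e. AutoRun still allowed.
    $enabled = foreach ($bit in $driveTypeBits.Keys) {
        if (($mask -band $bit) -eq 0) { $driveTypeBits[$bit] }
    }

    [PSCustomObject]@{
        Key              = $KeyPath
        ValuePresent     = $present
        Mask             = ('0x{0:X2}' -f $mask)
        AutoRunEnabledOn = @($enabled)
        RemovableAtRisk  = (($mask -band 0x04) -eq 0)
    }
}

foreach ($key in $explorerPolicyKeys) {
    $state = Get-AutoRunPolicy -KeyPath $key
    Write-Host ("{0}`n  value present: {1}  mask: {2}" -f $state.Key, $state.ValuePresent, $state.Mask)
    if ($state.AutoRunEnabledOn.Count -eq 0) {
        Write-Host '  AutoRun disabled for all drive types'
    } else {
        Write-Host ('  AutoRun still enabled for: ' + ($state.AutoRunEnabledOn -join ', '))
    }
    if ($state.RemovableAtRisk) {
        Write-Warning "  Removable media AutoRun is enabled under $($state.Key)"
    }
}

if ($Fix) {
    # 0xFF sets every bit, disabling AutoRun for every drive type machine-wide.
    $hklm = $explorerPolicyKeys[0]
    if (-not (Test-Path $hklm)) { New-Item -Path $hklm -Force | Out-Null }
    Set-ItemProperty -Path $hklm -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
    Write-Host 'Set HKLM NoDriveTypeAutoRun to 0xFF; log off or restart Explorer for it to take effect.'
}
```

The HKCU value is checked as well as HKLM because the per-user value can re-enable drive types the machine policy left alone, so a cafe machine that is never logged out (as the post describes) is governed by whatever the permanently logged-in user's hive says. Reading the value needs no privileges; writing under HKLM does, which is why the -Fix path is separate.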