Analysis of the Fimbel Keylogger and Pace University Converter Christopher Funk, Sheryl Hanchar, and Ned Bakelman

Keyloggers  Record Keystokes  Not intrinsically good or evil  Potential Uses  Data Grabbers (Evil)  Active Identification (Good)  Visibility of Keyloggers  Rootkit vs. Normal Process

Tools for finding Anatomy of any program  Analyze it as if it was malicious software  Ultimate Packer for eXecutables (UPX)  Fakenet – Network Diagnostics  Process Explorer – Process Information  OLLYdbg – Showing Flow of Program  IDA Pro – Interactive Disassembler  CFF Explorer – Decompile.Net directory

Keylogger Software Pack  Originally three programs  Fimble Keylogger  Pace Keylogger Launcher  Focus of in-depth analysis  Pace Converter  Newer Version is two programs  Combined the two Pace tools

Pace Keylogger Anatomy  Opens connect to Pace Server that remains open  User Agent is a.Net program

Pace Keylogger Anatomy  UPX strings showing where the program is sending the data  Password is blacked out

Pace Keylogger Anatomy  Process Explorer showing the call to start the Fimble Keylogger

Pace Keylogger Anatomy  Ollydgb showing uniquely.Net Calls

Pace Keylogger Anatomy  IDA Pro showing.Net boolean variable  Says if Fimble is running  Very Visible Program

Pace Keylogger Anatomy  CFF Explorer – only works with.Net programs  Entry Point where malicious software can take control  Or just inject code into other benign program

Combination Project Breakdown  Goal – Combining Software Tools  Keylogger Launcher  Converter  Issues  Different Programming Languages  External Program Control from Java Environment  Parallel work being done by customer on code Pace University

Two Different Tools Pace University

Goal Breakdown  Expanding converter to encompass launcher functions  Start and Stop the keylogger  Working with previous code  Naming Convention  Identify keylogging target application  Field for name information  Numbering Outputs  Adding in customer revisions Pace University

Step 1: Working with Previous Code  Compiling issues when exporting to Jar  Netbeans Meta data  Very messy code  Did not follow best practices  Obsoleted code that still was in use  Main() issues  Moving it from Login() class to converter() class Pace University

Step 2: Start and Stop Keylogger  External Program Executioner  Java Process Builder / Process classes  Issues  Unable to find the program  Documentation does not specify necessary parameters  Error Messages Unclear  Working only on one machine  Re-arranging GUI and how to identify the keylogger Pace University

`ProcessBuilder builder = new ProcessBuilder(keyloggerDirectoryField.getText() + "startkeylogger.exe"); builder.directory(new File (keyloggerDirectoryField.getText())); Process javap = builder.start();`

Step 3: Naming Convention  LastName_Firstname_Application_Number.xml  Identify Target Program  Drop down menu  Hard coded string, not filtering the output  Name information  Fields where there but by default were invisible even though necessary  Numbering  Had to find the last number with the name output name and then iterate Pace University

Step 4: Combining Customer Code  Costumer has added to the code after the original version that was combined  Need for communication after last step to make sure that his new changes work with new code  Did not change the converting code classes  Allows for change as the code as long as the function calls stay the same Pace University

Communication with Customer / Testing  Constant communication  Only one meeting at the last class  Very easy to work with  Indispensable to combining project  Test it on other machines to ensure it was working  Try out functions in different ways  Guide my steps to ensure all necessary functions were worked on first  Work with the previous code and understand what the function did Pace University

Final KeyLogger Launcher and Converter Pace University

Questions, Comments, Concerns, or well wishes