Get a glimpse of a keylogger working and see it get scanned by an antivirus program and then reported as "No Threat". Then even on a VPN connection, start a private call on Skype and see a private conversation get recorded and sent as a .wav file to the hacker's email so they can listen in and extract the information they want.
- I'm at a large corporate office, and I have two computers in front of me. One represents the victim, and the other represents the attacker. I'd like to bring your attention to the victim computer where literally everything I type and say is being recorded. Let's get an idea of the malware we're going to detect by seeing it in action. This SvcHost executable is the keylogger that can record both key presses and microphone audio. SvcHost is the name of a Windows trusted process that is commonly associated with background services.
This keylogger wants to blend in as much as possible. We can see this if we right-click on it and select properties. If we go to the details tab, we can see stuff like the file description saying it's a host process for Windows services. The file version matches that of a Windows 10 OS. It even says it's from Microsoft Corporation with the copyright details. All of this is to deter you from deleting it. Even if you suspect this file of being malicious, looking at these types of details would make anyone second-guess deletion.
Let's exit out of the properties window and right-click on the keylogger again. This time, let's scan it with our anti-virus, Kaspersky. Okay, safe, no threats detected. Let's exit out of that. Let's right click on it again, and this time let's scan it with Malwarebytes. Once again, threats detected, zero. We can see that our anti-virus said it was not a threat. This also bypassed our Malwarebytes program.
In fact, if we go to virustotal.com, we can see just how many computer protection programs this malware is able to evade. We can see at the top that the detection ratio says 0 out of 55, and then we can see a list of all the anti-virus and anti-malware programs. Chances are that one of your computer protection programs is on this list.
Virustotal.com will test any file or URL against all anti-virus programs. The databases for all of these computer protection programs are constantly being updated. So even though this malware has a detection ratio of 0 out of 55, this would change if the malware was out in the wild for some time. For example, in a few months the detection ratio will most likely be something around 15 out of 55. All right, enough about looking at this malware. Let's see it in action.
We can see this pop-up from Kaspersky indicating that a host process for Windows services is attempting to receive audio stream. Chances are most users will click Allow Now. Make sure you pay attention to pop-ups like this. Make sure you know the process that is trying to use the Windows audio stream; and if I move my mouse over here, let's connect to the VPN, which is the Virtual Private Network. The VPN encrypts all of your internet browsing activity and is meant to ensure online privacy. Even with this VPN for online privacy, this keylogger is still going to record every key you press and anything from your microphone and send it off.
It's currently recording everything in this entire room. This keylogger sends everything off to a different computer. Let's now see the attacker's perspective. Inside my inbox I can see these emails titled today's date and the time the recording took place. There are two types of emails in this inbox. One has a .log extension and the others have a .wav extension. The .log emails are the recordings for every single key I typed, and the .wav emails are the audio recordings.
If I open up one of these log files, we can literally see each keyboard button being pressed, from what looks to be like Google to login credentials and passwords, your mother's maiden name, anything. Every keystroke is recorded and emailed. Now if I open up the .wav file, I can see this recording; and if I play it: "I'm at a large corporate office, and I have two computers in front of me. One represents the victim, and the other represents the attacker. I'd like--" As you can see, it was recording the audio that we saw earlier. Let's see how we can address this as the victim. Let's open up our task manager and stop this keylogger from recording us. Organizing the processes by name in alphabetical order makes it easier.
And here it is. Once found, right click. I'm going to open the file location so I know where it is; and once I know the file location, I'm now going to kill the process. After I kill it, now I can delete it. And now I'm going to permanently delete it by emptying my recycle bin. Let's exit out of the task manager and open up the tools we will be using in this course to catch what anti-virus and anti-malware programs could not.
The first tool we're going to look at is the Windows Performance Recorder, and that is located in the Windows Performance Kits directory. Scrolling all the way to the bottom, we can see this WPRUI. That's the Windows Performance Recorder that we use to log system events, and the Windows Performance Analyzer where we detect and analyze the malware. This is the environment that we will be in as we perform malware analysis in order to find out how this keylogger is recording us and when it comes in.
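A defender's check for the svchost masquerade shown above, added here as an example and not part of the course: it lists every running process whose name looks like svchost and flags any whose executable is not the real System32 binary or whose Authenticode signature is not a valid Microsoft one. Run it from an elevated prompt so the genuine service hosts (which run as SYSTEM) expose their executable path.

```powershell
# Added example, not from the course. Flags processes that borrow the svchost
# name but do not run from the genuine System32 path or lack a valid Microsoft
# signature. Run elevated: for non-admin callers ExecutablePath is often empty.
$legit = Join-Path $env:SystemRoot 'System32\svchost.exe'

Get-CimInstance Win32_Process |
    Where-Object { $_.Name -like 'svchost*' } |
    ForEach-Object {
        $path   = $_.ExecutablePath
        $reason = @()

        if (-not $path) {
            # Could not read the path: either not elevated or a protected process.
            $reason += 'no executable path (run elevated to verify)'
        } else {
            # String comparison in PowerShell is case-insensitive by default.
            if ($path -ne $legit) { $reason += "unexpected path: $path" }

            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reason += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reason += "unexpected signer: $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            PID     = $_.ProcessId
            Name    = $_.Name
            Path    = $path
            Suspect = ($reason.Count -gt 0)
            Reason  = ($reason -join '; ')
        }
    } | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Any row with Suspect = True deserves the same treatment the video gives the keylogger: open the file location, end the process, then remove the file.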
- Installing the Windows Performance Toolkit
- Reviewing keylogger source code
- Setting up a private call environment
- Gathering keylogger evidence
- Spyware audio usage analysis
- Spyware removal
- Microphone recording prevention tips