
Thread: Getting back at a Cracker

  1. #1

    Getting back at a Cracker

    My sister just got back from college, and guess what, she's got a keylogger on her computer! AWESOME HUH! Especially since she has entered credit card info and bank info into the computer in the time that it has apparently been installed. What I am hoping to do before I uninstall it is just type some BS, then let it try to either connect to a server to upload its data, or connect to a mail server; when it does this I want either the e-mail he/she is using, or the server's IP address. I thought it would be pretty easy to do this using a firewall that blocked everything, then just look at the logs; if I didn't use the computer for anything, the keylogger should be the only thing that tried to access the network. Is there any way I can route all of my internet traffic through a proxy so that the cracker doesn't also get the IP address of my home network when it uploads?
    Even if your plane crashed tonight you'd find some way to disappoint by not burning in the wreckage or drowning at the bottom of the sea

  2. #2
    Banned | Join Date: Apr 2003 | Posts: 3,839
    How about you change every password, call the bank and change the info and see if he did anything, and uninstall the keylogger and live in peace. Why all the hassle? Maybe he didn't use a keylogger that's sending e-mails, maybe he had physical access to the computer, and if he did use an e-mail address, the e-mail should appear somewhere in the code or settings of the keylogger.

  3. #3
    Senior Member | Join Date: Aug 2003 | Posts: 1,018
    Just for the sake of starting at the beginning, how do you know she has a keylogger installed?

    Then the next question would be, how do you know for sure there isn't anything else installed on there that you don't know about?

    Rule of thumb (my thumb anyway): if the system has been compromised by something like that... best policy is to format and reinstall... for all you know, whatever it is that you think may be a keylogger may be just a decoy. That's what my evil twin would do anyway.

  4. #4
    There are dozens of sites with lists of proxies on the internet, just do a Google search for them. One site I like that has a free, somewhat up-to-date list is http://www.samair.ru/proxy/. I would do everything MemorY suggested.

  5. #5
    Calling the bank and changing things is done, I just hoped to get the actual cracker into some trouble. No, nobody had physical access to the comp, she lives on an all-girls dorm floor, I've met the girls, they're not computer literate, especially not her roommate. She said that the people who take care of the computers at her school needed to check hers out before they would allow it access to the network again; at first they thought she had Sasser but then said she had a keylogger. Memory, my first thought was to get a look at the code, but if it's compiled how would I do that? I don't know much about reverse engineering, could you help me out here?

  6. #6

  7. #7
    How can I find out what language, or is it just kind of trial and error?

  8. #8
    T3h Ch3F | Join Date: Sep 2001 | Posts: 718

    ?????

    Originally posted here by groovicus
    Just for the sake of starting at the beginning, how do you know she has a keylogger installed?


    I kind of think Groove has a good point here.

    Good luck.


    Edit- I misread the post, as thinking the PC was at home not at school. Sry.


    Get some good religion from Bad Religion.

  9. #9
    Banned | Join Date: Apr 2003 | Posts: 3,839
    I'm not much of a programmer... The Resource Hacker may help you there...

    visit
    http://www.programmersheaven.com/c/M.../grouplist.asp

    for more help, it's a forum for programmers, they can help you out more....
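    Post #2 says the e-mail address should appear somewhere in the keylogger's code or settings, and post #9 points at Resource Hacker for digging it out. An added example of that first triage step, not code from anyone in this thread: pull the printable strings out of a binary (what the Unix `strings` tool does) and pick out e-mail addresses, URLs and host names. The byte blob is a constructed stand-in for a compiled keylogger, not a real sample, and the TLD list in the host regex is illustrative.

```python
import re

# Constructed stand-in for a compiled keylogger: machine-code-like bytes with a
# plain-text configuration embedded. Sample data, not a real binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00"
    b"SMTP=mail.example.com\x00"
    b"\x01\x02\x03\x04"
    b"TO=logs@example.com\x00"
    b"\x55\x8b\xec\x83\xec\x10"
    b"URL=http://upload.example.net/post.php\x00"
    b"kernel32.dll\x00"
    b"\x00\xcc\xcc\xcc"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\x00'\"<>]+")
# Illustrative TLD list; widen it for real triage.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|info)\b", re.I)


def extract_strings(data, min_len=4):
    """Equivalent of the Unix `strings` tool: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(strings):
    """Pick out e-mail addresses, URLs and bare host names from extracted strings.

    A host that only appears inside an e-mail or URL is still listed under hosts,
    which is what you want when checking firewall logs against it later.
    """
    found = {"emails": set(), "urls": set(), "hosts": set()}
    for s in strings:
        found["emails"].update(EMAIL_RE.findall(s))
        found["urls"].update(URL_RE.findall(s))
        found["hosts"].update(h.lower() for h in HOST_RE.findall(s))
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in find_indicators(extract_strings(SAMPLE_BINARY)).items():
        print(kind, values)
```

    Run it against the real file by replacing SAMPLE_BINARY with open(path, "rb").read(); a packed or encrypted binary will yield little, which is itself a hint that a debugger (post #10) is the next step.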

  10. #10
    Senior Member | Join Date: Aug 2003 | Posts: 1,018
    I'll try to elaborate just a little more, and hopefully we can help you out.

    I still stand by the rule of "If the system is haxored, you need to reformat it." But if you were me, the first thing to do would be to find it. As Galdron said, a virus scan, or whatever. You have to, at the minimum, at least know what you are looking for.

    As far as reversing the offending application, that's a bit of an art IMHO. Once I found out what the keylogger was called, I would Google for every bit of info I could find. Chances are that the source code is available somewhere. That would give you a little insight to how the app works.

    You are correct in that a firewall set to block everything outgoing would probably nab the logger, if it happens to be one designed to "phone home", as it were. I've tracked down spyware that way before. Sometimes though, these things are just passed around (email attachments). In that case, a cracker doing random scans would run across it by pure accident. Then they could possibly get the information.

    As far as reversing, you would need a disassembler or debugger, of which there are many to choose from. Ollydebug, and W32dasm come to mind, along with IdaPro, or even SoftIce. But in order to understand the output, you are going to need some knowledge of assembly, and of programming in general. If you are so inclined, there are tons of websites dealing with reverse engineering. Although they often deal with reversing software for the purposes of pirating them, the techniques are the same for reversing malware.

    For tutorials on assembly, do a Google for Randall Hyde Art of Assembly. His guides have served many well, myself included.
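    The "block everything outgoing and read the logs" approach from the first post and post #10 turns into a small log-review script. This is an added example, not anyone's code from this thread: it parses a constructed firewall log (a simple date/time/action/protocol/src/dst/sport/dport layout, not the exact format of any particular firewall), filters to the idle machine's own outbound attempts, drops the LAN DNS noise the OS itself makes, and ranks destinations so repeated retries to one host stand out. The IP addresses are documentation ranges, constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a "block everything outbound" firewall log. Not a real capture.
SAMPLE_LOG = """\
# date time action proto src dst sport dport
2004-06-01 22:14:03 DROP TCP 192.168.1.5 203.0.113.7 1045 25
2004-06-01 22:14:06 DROP TCP 192.168.1.5 203.0.113.7 1046 25
2004-06-01 22:14:09 DROP TCP 192.168.1.5 203.0.113.7 1047 25
2004-06-01 22:15:40 DROP UDP 192.168.1.5 192.168.1.1 1048 53
2004-06-01 22:30:11 DROP TCP 192.168.1.5 198.51.100.23 1049 80
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)$"
)
# Labels only; a keylogger mailing its log would show up on 25, a web uploader on 80/443.
PORT_NAMES = {25: "SMTP (mail upload)", 80: "HTTP", 443: "HTTPS", 21: "FTP", 53: "DNS"}


def parse_log(text):
    """Parse each log line into a dict of fields; comments and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if line.startswith("#") or not m:
            continue
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        records.append(rec)
    return records


def outbound_destinations(records, local_ip, ignore_lan_dns=True):
    """Count blocked outbound attempts per (dst, proto, dport) originating from local_ip.
    DNS to a 192.168.x.x resolver is normal OS chatter, so it is excluded by default."""
    counts = Counter()
    for r in records:
        if r["src"] != local_ip or r["action"] != "DROP":
            continue
        if ignore_lan_dns and r["dport"] == 53 and r["dst"].startswith("192.168."):
            continue
        counts[(r["dst"], r["proto"], r["dport"])] += 1
    return counts


def summarize(counts):
    """Readable lines, most frequent first: repeated tries to one host are the signal."""
    return [f"{dst}:{port}/{proto} x{n} [{PORT_NAMES.get(port, 'other')}]"
            for (dst, proto, port), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(summarize(outbound_destinations(parse_log(SAMPLE_LOG), "192.168.1.5"))))
```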
