Saturday, January 26, 2008

Snoop, Sneak, Sniff

Mac users are more likely to be affected by tracking threats than by malware.

Why? Let's start by defining what a tracking threat is.

Tracking threats are software or applications that snoop on a user's activity, sneak passwords and sniff out private information. Software such as keyloggers and sniffers is considered a tracking threat, and such tools are widely available over the internet.

This type of software is also classified as grayware. Grayware is not considered malware and is not even dangerous by itself. However, just like a kitchen knife, if it falls into the wrong hands it definitely poses a threat to the user and to other people as well.

Let's take a look at LogKext.

Downloaded file: (107,080 bytes)

LogKext is the only kernel-based freeware keylogger for Mac OS X. It is controlled by a command-line client called logKextClient.

LogKext.pkg is the installer, which contains eight different packages. During installation the user is required to enter the administrator or root password to authenticate.

Below are the packages and their descriptions.

logkextclient.pkg - This package contains logKextClient, a Mac universal binary. It is the interactive client of LogKext, and it also manages the output logfile, encryption controls and daemon preferences.

logkextdaemon.pkg - This package contains logKextDaemon, a Mac universal binary. It is a daemon that runs in the background and manages the keylogging activity.

logkextkeymap.pkg - This package contains a property list file, logKextKeymap.plist. The list includes identifiable keys such as numbers, letters (upper and lower case) and other characters.

logkextkeygen.pkg - This package contains logKextKeyGen, a Mac universal binary. It is responsible for recording, or logging, the information typed on the keyboard.

Logkext-1.pkg - This package contains another package named LogKext.kext, which contains the binary LogKext. LogKext is the main component, responsible for intercepting keyboard events using the IOHIDSystem and IOHIKeyboard classes in the kernel.

logkextReadme.pkg - This package contains LogKext Readme.html, which includes an install and uninstall guide, release notes and frequently asked questions.

logkextuninstall.pkg - This package contains LogKextUninstall.command, a terminal shell script that stops logKext from running and removes its related files.

The packages were installed in this order:


The following files were created:

LogKext Readme.html
/Library/Application Support/logKext/logKextDaemon
/Library/Application Support/logKext/logKextKeyGen
/Library/Application Support/logKext/logKextKeymap.plist

This program can monitor and record the user's keystrokes, including usernames, passwords, PII, private conversations, typed-in URLs and more.
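As an added example that is not part of the original post, here is a small Python check for the LogKext artifacts listed above: it looks for the three files under /Library/Application Support/logKext and for a loaded kernel extension whose name mentions logKext. The kextstat sample and the bundle id com.example.logKext are constructed placeholders (LogKext's real bundle id is not given on this page), and the classic kextstat column layout is assumed.

```python
import os
import subprocess

# Files the post reports LogKext creating, relative to the scanned root.
LOGKEXT_ARTIFACTS = (
    "Library/Application Support/logKext/logKextDaemon",
    "Library/Application Support/logKext/logKextKeyGen",
    "Library/Application Support/logKext/logKextKeymap.plist",
)

# Constructed sample of classic `kextstat` output; the bundle id
# com.example.logKext is a placeholder, not LogKext's real identifier.
SAMPLE_KEXTSTAT = """\
Index Refs Address            Size       Wired      Name (Version) <Linked Against>
    1   89 0xffffff7f80742000 0x66f0     0x66f0     com.apple.kpi.bsd (11.4.2)
   98    0 0xffffff7f8212f000 0x5000     0x5000     com.example.logKext (2.3) <41 13 5 4 3>
"""


def find_logkext_artifacts(root="/"):
    """Return the known LogKext files that exist under root."""
    return [os.path.join(root, rel) for rel in LOGKEXT_ARTIFACTS
            if os.path.exists(os.path.join(root, rel))]


def loaded_kexts_matching(kextstat_output, needle="logkext"):
    """Return bundle names in kextstat output whose name contains needle.

    Assumes the classic column layout shown in SAMPLE_KEXTSTAT:
    Index Refs Address Size Wired Name (Version) ...; the name is column 6.
    """
    hits = []
    for line in kextstat_output.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) >= 6 and needle.lower() in cols[5].lower():
            hits.append(cols[5])
    return hits


def check_host(root="/"):
    """Run both checks on the live host; kextstat is absent off macOS."""
    try:
        out = subprocess.run(["kextstat"], capture_output=True, text=True).stdout
    except (FileNotFoundError, OSError):
        out = ""
    return {"files": find_logkext_artifacts(root), "kexts": loaded_kexts_matching(out)}


if __name__ == "__main__":
    print(check_host())
```

An empty result only means these particular artifacts are absent; a build that uses different paths or a different bundle id would not be caught.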

So, imagine if this piece of software went into the wrong hands.

It is more frightening when you think you have downloaded and installed a clean application, but, because of undocumented details, there are hidden or unexplained features working in the background.

Let's take a look at Keylogger X.

Downloaded file: KeyloggerX.dmg.sit (768,805 bytes)

Inside this image are the following files:

Disclaimer.rtf - This document informs the user that "You are held responsible for your actions". Check the full disclaimer here.

Keylogger X - This is the binary file, in Preferred Executable Format (PEF; the file signature starts with "Joy!peffpwpc").

Read Me.rtf - This document describes the program as follows: "Keylogger X is designed to run on OSX. The logged file is saved in the users preference folder called "User Preferences"."

OK, let's run the program and check. Oops, there's nothing on the screen, and you cannot even find a folder named "User Preferences". Where is it? Nobody knows!

Is it running in the background?

Upon checking the code, this program imports 3 containers with over 900 imported symbols, including multimedia and networking ones. In the data section you will find more interesting strings.

Congratulations! You just installed a "more efficient keylogger".

The behavior of this program is not acceptable, and it is an absolutely real threat to users.