A peek inside a ‘life cycle aware’ underground market ad for a private keylogger


By Dancho Danchev

What is greed to some cybercriminals is profit maximization to others, especially now that we are witnessing the maturing of the modern cybercrime ‘enterprise’. Many enter this vibrant marketplace as vendors without realizing that, thanks to the increasing transparency within the cybercrime ecosystem, their basic and value-added services will be benchmarked directly against those of competing vendors, sometimes rendering their unique value proposition completely irrelevant. Others take a different approach: they release a ‘life cycle aware’ underground market ad and still manage to generate some revenue, as well as secure a decent number of long-term customers.

In this post, I’ll profile a ‘life cycle aware’ underground market ad for a private keylogger whose business model relies on issuing a limited number of licenses.

More details:

Sample description of the private keylogger (translated from the original Russian ad):

The main advantages over other keyloggers, including Keylogger Detective:
- Low-level hiding of the process from Task Manager (tested on Windows 7, Vista and XP)
- Writes the current URL to the log, quietly “pulled” from the browser in real time (tested in Chrome, Opera, Firefox and IE)

General characteristics:
- Hides the process from Task Manager (Pro Edition)
- One-time copying of itself to startup and logging of the first run
- Marks the beginning of each set of entries in the log
- Records all keys (Russian / English layout) and clicks to the log file
- Records the title of the active window to the log file
- Records the current keyboard layout to the log file
- Writes the current browser URL to the log file
- Sends the logs by e-mail / stores them locally on the computer
- If there is no Internet connection, the logs accumulate and are sent as soon as a connection to the network is available

Standard Edition
- Size: 19 KB
- Average RAM consumption: 6 MB
- A build is made for each client with your e-mail address embedded in it (preferably a new one on mail.ru)
- When the log file reaches 10 KB it is sent to your e-mail and the log file is cleared
- Of the characteristics above, only hiding from Task Manager is missing
- Price: 1000 rubles

Pro Edition
- Size: 24 KB
- Average memory consumption: 12 MB
- A build is made for each client with your e-mail address embedded in it (preferably a new one on mail.ru)
- When the log file reaches 10 KB it is sent to your e-mail and the log file is cleared
- Hiding from Task Manager works
- Price: 1200 rubles

Local Edition
- Size: 19 KB
- The log file is stored on the computer; the information accumulates over time
- Hiding from Task Manager: your choice
- Price: 500/600 rubles

Free Console Edition
- A free demo version of the program, as a guarantee that it works
- All information is displayed in the console
- No hiding from Task Manager

Sample screenshot of the private keylogger in action (image not reproduced here).

Second screenshot of the private keylogger in action (image not reproduced here).

Third screenshot of the private keylogger in action (image not reproduced here).

It is not common practice for a cybercriminal to issue a limited number of licenses for his release. In fact, he will usually do his best to maintain an identical profile with an identical underground market proposition across multiple cybercrime-friendly communities in an attempt to expand his operations. Issuing a limited number of licenses prevents the cybercriminal from gaining a bigger market share and actually growing his business. That is, unless he starts collecting a monthly fee for keeping the fraudulent/malicious project running, which would secure him a long-term revenue stream but, once again, results in only a limited gain in market share.

Whether it is greed or profit maximization, cybercriminals will continue looking for efficient and automated ways to defraud tens of thousands of users a day, while preserving their online anonymity through basic risk-forwarding tactics.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

