WildPackets welcomes this guest blog post from independent security consultant Dr. Gordon Mitchell, who details below how he used the WildPackets OmniPeek Network Analyzer to discover and thwart a keylogger that had compromised a local government network.
Keylogging covertly records the keys struck on a keyboard so that the person typing is unaware that their activity is being monitored. There are several keylogging methods, ranging from hardware- and software-based approaches to electromagnetic and acoustic analysis.
A while back, I found evidence of a keylogger on a local government computer… hunting time.
Using WildPackets EtherPeek (now part of OmniPeek) as my weapon of choice, I performed a live analysis. It turned out that a “smoking gun” email had started it all by explaining how to install the keylogging software. This is obviously a concern, especially in a government setting, where the information at stake is at high risk of being compromised.
So, what had been stolen? If no keystrokes were captured there wasn’t much to worry about. I went to work.
A clone of the computer’s hard drive was created so that a restored copy, rather than the original evidence, could be connected to the Internet. Before plugging in the Ethernet cable, I made sure to limit what data could leave the machine.
The restored computer was allowed onto the Internet only through a firewall that permitted nothing but DNS lookups. By editing the Windows hosts file, its outbound connections were redirected to a test machine that was set up with a fake SMTP server. The computer was powered on and some text was typed into Notepad.
If there was an active keylogger, this text would likely be picked up and emailed off along with previously recorded activity. Not long after plugging in the Ethernet cable, I saw activity. The test machine was monitored with a Peek-equipped PC, and all the traffic between the restored computer and the test machine was recorded, thanks to WildPackets.
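As an added example (not part of Dr. Mitchell’s original post and not a WildPackets tool), here is a fake SMTP server of the kind used above, written in Python. It speaks just enough SMTP for a mail-sending client to hand over a message and stores the message instead of relaying it; it also advertises AUTH so that a client configured with a mailbox password reveals that password, and it refuses STARTTLS so the body stays readable on the wire. The hostname, the port and the `drive`-style transcript in the comments are assumptions for illustration.

```python
import base64
import socketserver

def _addr(arg):
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host'."""
    return arg.partition(":")[2].strip().strip("<>")

class SmtpSink:
    """Fake SMTP server as a line-at-a-time state machine: feed(line) takes one client line
    (CRLF stripped) and returns the reply, or None inside DATA.  Nothing is relayed."""

    def __init__(self, hostname="mail.sink.invalid"):     # hostname is an assumption
        self.hostname, self.state, self._user = hostname, "cmd", None
        self.messages, self.creds = [], []                # captured mail, captured AUTH logins
        self.sender, self.recipients, self.lines = None, [], []

    def feed(self, line):
        if self.state == "data":
            return self._data_line(line)
        if self.state != "cmd":
            return self._auth_line(line)
        verb, _, arg = line.partition(" ")
        return self._command(verb.upper(), arg.strip())

    def _command(self, verb, arg):
        if verb in ("EHLO", "HELO"):                     # advertise AUTH so the client sends its password
            return f"250-{self.hostname}\r\n250 AUTH PLAIN LOGIN" if verb == "EHLO" else f"250 {self.hostname}"
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "LOGIN":
                self.state = "auth_user"
                return "334 VXNlcm5hbWU6"                # base64("Username:")
            if mech.upper() == "PLAIN":
                self.state = "auth_plain"
                return self._auth_line(initial) if initial else "334 "
            return "504 Mechanism not supported"
        if verb == "STARTTLS":                           # refuse TLS so the report stays readable on the wire;
            return "454 TLS not available"               # a client that aborts here is itself a finding
        if verb == "MAIL":
            self.sender, self.recipients, self.lines = _addr(arg), [], []
            return "250 OK"
        if verb == "RCPT":
            self.recipients.append(_addr(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 RCPT first"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"

    def _auth_line(self, line):
        state, self.state = self.state, "cmd"
        try:
            decoded = base64.b64decode(line, validate=True).decode("utf-8", "replace")
        except ValueError:
            return "501 Malformed base64"
        if state == "auth_user":
            self._user, self.state = decoded, "auth_pass"
            return "334 UGFzc3dvcmQ6"                    # base64("Password:")
        if state == "auth_plain":                        # RFC 4616: authzid NUL authcid NUL password
            parts = decoded.split("\0")
            if len(parts) != 3:
                return "535 Authentication failed"
            self._user, decoded = parts[1], parts[2]
        self.creds.append((self._user, decoded))
        return "235 Authentication successful"

    def _data_line(self, line):
        if line == ".":
            self.state = "cmd"
            self.messages.append({"from": self.sender, "to": self.recipients, "body": "\n".join(self.lines)})
            self.sender, self.recipients, self.lines = None, [], []
            return "250 OK: message captured"
        self.lines.append(line[1:] if line.startswith("..") else line)   # undo SMTP dot-stuffing
        return None

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):                                    # one TCP connection = one SmtpSink session
        sink = SmtpSink()
        self.wfile.write(f"220 {sink.hostname} ESMTP ready\r\n".encode())
        for raw in self.rfile:
            reply = sink.feed(raw.decode("latin-1").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
        for user, pw in sink.creds:
            print(f"[{self.client_address[0]}] AUTH user={user!r} password={pw!r}")
        for m in sink.messages:
            print(f"[{self.client_address[0]}] {m['from']} -> {m['to']}\n{m['body']}\n")

if __name__ == "__main__":
    # Port 25 needs root/Administrator; the suspect machine's hosts file must map the
    # keylogger's mail server name to this host's address (both are assumptions here).
    with socketserver.ThreadingTCPServer(("0.0.0.0", 25), SinkHandler) as srv:
        srv.serve_forever()
```

Pair the sink with a hosts-file entry on the suspect machine that maps the mail server name the malware uses to the test machine’s address, and sniff the link between the two so the packet capture and the sink’s log corroborate each other. One caveat: a client that insists on TLS, or that exfiltrates over something other than SMTP, will show up only as a connection attempt with no content, which is still a useful indicator of where the data was headed.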
The first intercepted traffic included the material below:
This information came from the keylogger report that was being sent to an offshore email account. The good news was that the reference to “classified” material in the report related to staff categories, not to secret government information.
Next came the text that I had typed on the restored machine’s keyboard. This confirmed that the keylogger was stealing information. A bit more analysis defined the scope of the loss, allowing the damage to be repaired… and the person who installed the keylogger to be identified. RIP, keylogger.