
25 April 2012


@Adriane Pavone

The author's computer was freely given access to these credentials, which is equivalent to giving the author access to these credentials. Hence, accessing the files seems legitimate to me.


In a scenario where "Cool, Huge brains" successfully installs his/her malware on a host PC, how much protection does an encrypted anti-keylogging program like Keyscrambler provide?

How did you know where the key started and ended?

Sir, can you teach me how to do this? I just need to know who is hacking my accounts, and the situation is the same on my side. Kindly reply, please!

Pretty bad ass. I too was expecting with your skills that you were going to track him all the way back to his terminal, engage his webcam and post a video of him.

Anyway something else that is probably nothing; Charles Onuigbo is an anagram for "Cool, Huge brains!"

I am disappointed. I expected you to reverse the situation, get into his computer and disable it at least. But something like blowing it up or making him send something to the FBI that would completely fuck him up would have been more in the orgasmic category. Guess hackers are that cool only in the movies.

My mind was just blown. I, for one, know nothing about hacking or anything, but I tried to understand it. Good job!

You sir, are a gentleman and a scholar.

Awesome man! I hope your research can help us start to fight back against these fuckers.

I'm laughing out LOUD. Good job, sir.

I would really love to get the actual person, though.

Fascinating, and nice to see a win like that.

@David: I assumed that those repetitive strings were whitespace when decoded, and that those would be 0x00s. The repetitive string was 21 bytes long. The pattern is more obvious when viewing in text mode because part of the repetitive string contains 0x0D,0x0A (line termination). So I took that 21-byte string starting with 0x0D,0x0A and XORed it against PK.BIN starting at the offset where I took my XOR key.

@jeremy.collake: thank you for that advice.

You made one error in your analysis. When you say the key '0xAA' did not work, and you had to add an additional byte of 0x00. Actually, you set the word size to 16 bits instead of 8 bits (your first try). This is important, as XOR'ing by 00 results in the same value you input. Thus, to say you XOR by 0x00 is redundant, and overlooks the fact that 0xAA is the correct key. In short, X xor 0=X (X^0=X). The original decode value given to you was likely simply not specified with a word size.

How did you decide on what key to use to decode the PK.BIN file? Was the key being repeated just white space in the file?

Nice detective work! As someone who has cleaned 1000 PCs from this sort of thing, I really appreciate that someone is tracking it down and stopping it.

Next I hope someone will trace the money trail from those fake Windows/2012 Antivirus Scan programs and seize their accounts.

You said "That number of logs shows just how effective the spammer’s social engineering trick was." Didn't you mean "That number of logs shows just how many idiots are out there."?

@A Facebook User

Umm, because that would be illegal?

Doesn't matter that they are committing a crime (or not, depending on their jurisdiction's laws). As soon as you intentionally start deleting those logs, files that you do not own on a server that you do not own and do not have a legitimate reason to access, you are just as liable for computer crimes as your jurisdiction's laws make you for any other computer crime.

@Matthias Brugger I actually did. If you read the blog and noticed the Wireshark screenshot, that is how I intercepted the FTP credentials. My objective in decoding the configuration file (PK.BIN) was to retrieve the PK admin panel password and other useful details such as the license name.

One question, why didn't you use a network sniffer to get the ftp credentials? I think it would have been much easier.

That was awesome!!! Thanks for the step by step and explanations with pictures.

Why didn't you delete all of the other logs off of his server?

@Ali Khalid

If you look at the original encoded bpk.dat you will notice that every other byte is already 0x00 (mostly). Unicode takes 2 bytes per character but for most English character sets the high order byte is always 0x00. In order to keep the decoded output somewhat readable Rodel left them alone (XOR 0x00) during decoding so that in the right hand part of the decoded output they remain spaces rather than junk.

Note that there are a lot of intricacies to Unicode. I've grossly oversimplified here but I think that should explain it.

Great post. BTW, how did you know that XORing bpk with 0xAA, 0x00 would produce the correct result? Was it a guess?
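The two decoding questions running through these comments (why the 16-bit key 0xAA 0x00 works on the UTF-16 bpk.dat where the byte key 0xAA does not, and how a 21-byte repeating key was read straight out of a padded region of PK.BIN) can both be shown with a few lines of code. The following is an added example written for this page, not code from the original post or its author. Every input in it is constructed for the demo: the sample key, the sample "config" bytes and the text strings are made up, and nothing is taken from the real bpk.dat or PK.BIN.

```python
"""
Added example (not from the original post). Demonstrates:
  1. XOR with a 16-bit key 0xAA 0x00 on UTF-16LE text vs. the byte key 0xAA.
  2. Recovering a repeating XOR key from a stretch of ciphertext whose
     plaintext is assumed to be 0x00 padding (C = 0x00 ^ K = K).
All sample data is constructed here; none of it comes from bpk.dat/PK.BIN.
"""
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; len(key) is the 'word size' in bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def word_size_demo(text: str = "admin:P@ssw0rd") -> dict:
    """Encode UTF-16LE text with the 16-bit key 0xAA 0x00 (constructed sample),
    then decode with the byte key 0xAA and with the 16-bit key.

    X ^ 0x00 == X, so the 16-bit key touches only the low byte of each UTF-16
    code unit and leaves the 0x00 high bytes alone.  The 8-bit key 0xAA also
    flips every high byte to 0xAA, which is why the 8-bit attempt looks like junk."""
    enc = xor_bytes(text.encode("utf-16-le"), b"\xaa\x00")
    dec16 = xor_bytes(enc, b"\xaa\x00")
    dec8 = xor_bytes(enc, b"\xaa")
    return {
        "dec16_text": dec16.decode("utf-16-le"),
        "dec8_high_bytes": dec8[1::2],                     # every high byte is now 0xAA
        "dec8_low_bytes_ok": dec8[0::2] == text.encode("ascii"),
    }


def likely_period(cipher: bytes, max_period: int = 64) -> int:
    """Guess the key length: the shift p at which the most bytes satisfy
    cipher[i] == cipher[i - p].  A block of 0x00 plaintext under a repeating
    key is that key repeated verbatim, so the true period scores highest."""
    scores = {p: sum(cipher[i] == cipher[i - p] for i in range(p, len(cipher)))
              for p in range(1, max_period + 1)}
    return max(scores, key=lambda p: (scores[p], -p))   # ties: smallest p


def longest_repeat_run(cipher: bytes, period: int) -> tuple[int, int]:
    """Return (start, length) of the longest stretch where the ciphertext
    repeats with the given period: the presumed null-padded region."""
    best = (0, 0)
    run_start, run_len = None, 0
    for i in range(period, len(cipher) + 1):
        if i < len(cipher) and cipher[i] == cipher[i - period]:
            if run_start is None:
                run_start = i - period
            run_len += 1
        else:
            if run_start is not None and run_len + period > best[1]:
                best = (run_start, run_len + period)
            run_start, run_len = None, 0
    return best


def recover_key(cipher: bytes, zero_offset: int, period: int) -> bytes:
    """If plaintext[zero_offset : zero_offset + period] is all 0x00, the
    ciphertext there *is* the key, rotated by zero_offset % period.
    Un-rotate it so the key lines up with file offset 0."""
    chunk = cipher[zero_offset:zero_offset + period]
    key = bytearray(period)
    for i, b in enumerate(chunk):
        key[(zero_offset + i) % period] = b
    return bytes(key)


# Constructed sample "config": text, a block of 0x00 padding, more text.
SAMPLE_KEY = b"\r\nSpiderLabsExample!!"          # 21 bytes, made up, contains 0x0D 0x0A
SAMPLE_PLAIN = b"Name=demo;Pass=secret" + b"\x00" * 64 + b"License=SpiderLabs"
SAMPLE_CIPHER = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def recover_demo(cipher: bytes = SAMPLE_CIPHER) -> dict:
    """Find the period, locate the padded region, lift the key, decrypt."""
    period = likely_period(cipher)
    start, length = longest_repeat_run(cipher, period)
    key = recover_key(cipher, start, period)
    # Lifting the key from an unaligned offset inside the run gives the same key.
    key_unaligned = recover_key(cipher, start + 9, period)
    plain = xor_bytes(cipher, key)
    return {"period": period, "run": (start, length), "key": key,
            "same_key_unaligned": key == key_unaligned, "plaintext": plain}


if __name__ == "__main__":
    print(word_size_demo())
    r = recover_demo()
    print(r["period"], r["run"], r["key"])
    print(r["plaintext"].replace(b"\x00", b" ").decode())
```

The period guess is the same observation the commenter made by eye in a hex editor: in a null-padded region the ciphertext is the key itself, so it repeats every 21 bytes. Once the period is known, the key can be copied from any offset inside that region as long as it is rotated back to the file's origin before XORing the whole file.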

Nice one.
You're a genius.
