Keyloggers Posting on Webpages

As if the number of keystroke logger entries that recently made it to Pastebin wasn’t suspicious enough, their content raises eyebrows as well:  instead of the expected open-source code, there are Facebook or IM passwords, along with detailed information on unwary users’ surfing history. The amount of personal data publicly exposed is large enough to eliminate the supposition that an attacker might have manually posted it. A deeper look into the issue reveals that this is the result of a massive keylogger infestation.

Raw data search results

Why use Pastebin.com as a log repository?

Conventional keyloggers use classic log transfer approaches and send the data packets via e-mail or FTP; this dramatically increases the possibility for the law enforcers to find out who the remote attacker is and to ultimately get him. Furthermore, the e-mail approach is extremely “noisy”: it is easy for a system administrator to spot the traffic, not to mention that antimalware utilities usually let users know when an e-mail leaves the system. Other times, the e-mail ports (usually set to 25, 465 or 578) may be either secured or blocked, which would make the keylogger “cargo” fail on dry shore.

That is why this particular keylogger uses “customized” tactics as in depositing the output into a common world-wide-web location.  Shortly put Pastebin equals no firewall to block the traffic, no tracking path, no originating IP address, no identity exposed on the attacker’s side.

A keylogger report, as it appears in Pastebin

Pastebin is a huge collaborative platform hosting millions of lines of code published as plain text. Unlike forums or social networks, the published text is hardly likely to be seen by other users, unless they specifically look for it, but targeted searches will definitely bring the attacker the relevant logs straight in the browser window.

Therefore, not only do the victims get all their credential stolen via the keylogger, but also the collected data will be made available to all Internet users.  To add insult to injury, everything that has been posted stays accessible forever – even if the respective pages are taken down (the downside of caching data) – so other ill-intended persons can collect these details at any time and put them to new use.

A closer look at underground forums used by malware creators reveals a generous amount of source code that can be integrated in the upcoming breeds of keyloggers. This makes the whole situation much more alarming than a mini-epidemic caused by the emergence of a single piece of malware – it marks the beginning of a new way of exploiting public and reputed services, just as it happened with the Twitter-controlled botnets.

Fragment of Visual Basic code demonstrating how to send the grabbed data to a Pastebin URL

Mitigation

It appears that one of the keyloggers using Pastebin as an anonymous dropbox has been in the wild long enough to account for most of the posts. Identified by BitDefender as Trojan.Keylogger.PBin.A, the keylogger is a console application and uses the Pastebin API to send the intercepted keystrokes at random intervals.