border: 1px solid #d2d2d2; padding: 0px 8px 0px 8px; color: #a19999; font-size: 12px; height: 25px; width: 165px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; margin:0px; } .submitbutton{ background:#F66303; border: 1px solid #F66303; text-shadow: 1px 1px 1px #333; box-shadow: 3px 3px 3px #666; font:bold 12px Arial, sans-serif; color: #fff; height: 25px; padding: 0 12px 0 12px; margin: 0 0 0 5px; border-radius: 5px; -moz-border-radius: 5px; -webkit-border-radius: 5px; cursor:pointer;}

Receive all updates via Facebook. Just Click the Like Button Below

You can also receive Free Email Updates:

Powered By Blogger Widgets

Related Posts Plugin for WordPress, Blogger...

Sunday, May 29, 2011

Why Peoples Don’t Receive Logs Via Stealer Or Keylogger



Many of you might have tried many stealers and keyloggers to get logs of your customer.
You might have registered on various FTP, PHP sites or even emails to test and get logs of your customers.
Well, if you are not getting logs that doesn’t mean Stealer or Keylogger is not good or hosting site is bad.
There are various reasons why people don’t receive logs many times.
I will discuss some of the reasons, which I know. If you know more than these, please feel free to Comment
Reason 1:
You might have entered wrong FTP, PHP info. This is because many people don’t know how to put right PHP or FTP info into Stealer or Keylogger.
Reason 2:
May be your firewall is blocking access to your file.
If your customer has powerful firewall (like ZoneAlarm, Outpost etc…), then it WILL suspect some suspicious behavior and pop-up Internet access privilege. If your customer is smart enough, then he/she may block access to your file.
Reason 3:
You never know who is downloading your file (EXE). If the user is capable enough to ollydbg your file, he may easily get your FTP info (if file is not hardly crypted). If the user is smart enough, he may VMWare or Sandbox ur file and may delete ur file after seeing such external access info.
Reason 4:
Many Stealers or Keyloggers use UDP connection instead of TCP, for example Stealer2600.
UDP is very much unreliable as compared to TCP. So, UDP doesn’t provide error checksum or resending of data. If ur Stealer or Keylogger is using TCP connection, then its much better.
Reason 5:
Sometimes it may happen that FTP or PHP host is down for some reasons (like backup or upgradation etc…). At that time, ur stealer will send info to the host, but as the host is down, u won’t get logs.
Reason 6:
If your Stealer or Keylogger is FUD, say today on 10 March. It may become detected on 14th or 14th of March. You may never know. So, it won’t be FUD anymore and AV’s will delete it or may be Firewall will block access to your file.
Reason 7:
If your customer has powerful AV’s like Kaspersky, Avast, Nod etc…, they have Heutistic scanning. This may also prevent file from opening.
If ur exe is anti-Kaspersky or such like that, then well and good.
Reason 8:
Make sure your EXE is FUD and with many Anti-methods like anti-anubis, anti-sandbox, anti-VMWare, anti-debugger, anti-emulator, anti-sunbelt etc… (There are hell lot of anti-methods, i just explained a few)…
If ur exe is not anti with any of the above methods, then it may get detected, even by a n00b ...
Reason 9:
Sometimes, while stealer is sending logs to ur FTP or PHP, some packets may lost while traveling to ur host. This is because of many reasons, like network congestion or bottleneck problems, etc…
Reason 10:
Sometimes, your host gets too busy and might come under very much pressure. So, it may stop responding and may not collect logs.
Reason 11:
Once you have distributed ur EXE and if ur using FTP acc to get logs, and then if change pass of ur FTP acc, then also ur exe will not send logs.
This is coz, suppose say, ur ftp login info is username: “hello” and password is: “123456″. This is info is stored in ur exe and u distributed that. While uploading, ur exe will use the above info to upload logs to ur FTP.
If u change the password to “456789″, then u know that u hv changed the password of ur FTP acc, but ur EXE doesn’t know this. It will use the password as “123456″. So, in this case also you won’t receive logs.
Reasons 12:
Your Stealer or keylogger is a man-made software. It also requires maintenance and upgradation. Over a period of time, its may performance may decrease. This is also the reason of not receiving logs. But this happens very rarely, only if ur sticked to the same stealer for 2 years or more.
Reason 13:
Next reason is may be your crypter/binder/packer. If ur crypter does not support the stealer or keylogger which ur using, then it may corrupt ur exe.
So, choose the stealer and crypter combination wisely.
Reason 14:
Another reason is an operating system. Suppose say, ur stealer or keylogger is configured to run on XP SP1, SP2, SP3, NT, 2k and Vista.
If ur customers is using Windows 7, then obviously ur exe will not run on his PC as it can’t understand how to execute.
Reason 15:
Another reason cud be 32-bit and 64-bit. If stealer or keylogger is configured to run only on 32-bit machines, then on 64-bit machines, it may not work, even if ur using XP and stealer is compatible with XP.
Reason 16:
If you dun have good crypter and if ur FUDing ur file manually via Hexing, then make sure that u know proper hexing. Don’t just go on google or on some forums and find hexing solution on FUDing ur file. You WILL corrupt ur EXE if ur dun understand offset and other terms…
Using tutorial on hexing is a good choice but dun apply ur own logic with that hex tut if u don’t hexing.
Also, dun combine one hex tutorial with another hex tutorial.
This will definitely corrupt ur file.
Reason 17:
If ur customer doesn’t have stored passwords in his browser, then also stealer will not send logs or it will send empty logs.
Reason 18:
Say, ur customer is using Google chrome and storing passwords in it. If ur stealer is not configured to steal passwords from chrome, then also u won’t receive logs.
So, choose a stealer which have good combination of browser (FF, IE, etc…)
Reason 19:
Suppose ur EXE is FUD and is less than 20MB and if ur customers scans ur EXE under virustotal, or jotti, then ur EXE will get detected by many AV’s and within few days, it will get detected easily and AV’ will delete it.
Reason 20:
Even if ur EXE is 0/24 (FUD) on NVT, but if ur customers scans ur exe under Anubis, then mostly Anubis will show all the info after executing ur exe. This may alert ur customer and he may delete ur file.
These are the reason which I know, why people don’t receive logs.

No comments:

Post a Comment

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More