firec0de edited this page Dec 5, 2020 · 9 revisions

III. The development of “Caffeine”

III.I How did it start?

I started the development of Caffeine after enrolling in my bachelor's program at this university, and with this thesis in mind I have worked towards perfecting my malware. The development of this keylogger was hard; I used the knowledge from the different courses I have taken in class in addition to independent reading outside class. Some crucial technologies of the project, like the Python programming language, batch scripting and VBS, I learned on my own, but just as important are the methodology and logic I got from school, especially the programming, network and security related courses. I go with the saying "to catch a criminal you must think as a criminal", so I did my best to learn everything I needed to make this keylogger what it is today. I chose to name it Caffeine because of the high amount of caffeine that was going into my body to stay up all night while developing this malware.

III.II What is “Caffeine”?

Caffeine is a computer malware, more specifically a fully undetectable keylogger that is also capable of data exfiltration. The malware copies itself into a hidden Windows directory and logs all key presses. It stores them in a text file, adding the timestamp of each key press, searches for sensitive files on the target's computer and mails these to a specific email address each time the computer starts. What Caffeine can obtain includes, but is not limited to: the credentials of social media accounts, bank passwords, bank statements, emails, files, usage patterns of the victim and other confidential and private information. The keylogger also offers the possibility of further extension, up to a point that does not raise any flags in the system and thus trigger the antivirus. Caffeine at the moment is FUD, meaning fully undetectable by antivirus, which has been tested and proven.

III.III What technologies have I used?

  • Python Programming language

  • VBScript

  • Batch Scripting

  • SMTP

  • Loggers

  • String-searching

  • MIME

  • Python

I chose to develop this project in Python despite having used Java as my primary language for the whole three years of my degree; I found myself more confident using Python for this malware. Another reason is that after converting Java files into JARs for execution, a lot of applications found them suspicious due to the increasing number of malicious JAR files on the internet. Finally, I found most of the libraries readily available in Python, whereas in Java they require downloading and installing individually.

  • VBScript

Using a VBS script was actually the only and the easiest way to go: VBScript is an Active Scripting language developed by Microsoft and based on Visual Basic, and it comes preinstalled on every Windows machine, so running a VBS script works on every Windows machine.

  • Batch Script

Batch files are script files for DOS and Microsoft Windows; they consist of commands that are executed line by line by cmd.exe. The commands are written in a text file that is stored with the .bat extension. Every Windows computer has cmd.exe and will execute the commands without problem. This contributes to the main idea of having this malware run on every Windows computer.

III.IV How does “Caffeine” work?

Caffeine is started from one.vbs, which is used to run the first.bat script hidden, with no pop-ups or command window. WshShell is a generic name for a powerful object that enables you to query and interact with various aspects of the Windows shell. It can display information to the user, run applications, create shortcuts, work with the Registry, and control Windows' environment variables.[11] Here one.vbs creates the shell object and executes first.bat while telling the shell to display no window while the batch file runs. (See Appendix A for detailed information.)

Once on the system, first.bat is a set of simple commands that copy caffeine.exe, caffeineMeter.exe and starter.vbs into the Windows directory "C:\Users\USER-HERE\AppData\Roaming". This is a deep directory that contains application data and settings specific to the apps on the Windows PC. This directory is not browsed by normal users 90% of the time, so it is safe to say that hiding the malware here is a good measure. Accomplishing this copy command was tricky because the directory has a different name on every machine: the \User-Here\ part is the profile name of the logged-on user and can be anything. I solved this problem by researching; I found that Windows uses environment variables of the form %WORD% that point to specific directories, such as %temp%, and one of them was %appdata%. So expanding %appdata% on different machines points to the application data directory of that machine.

After copying the files into the directory, an internet shortcut is created in the Windows Startup folder. This folder is a Windows default and everything inside it runs every time the computer starts (more precisely, every time that user logs on, since this is the per-user Startup folder). The Startup folder lives a few levels below where %appdata% points; this is its path: "C:\Users\USER-HERE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup". As we can see, our variable points up to the Roaming folder, deep inside which resides the Startup folder, so I combined %appdata% with the remaining part "\Microsoft\Windows\Start Menu\Programs\Startup\". In addition to the directory the shortcut also needs a name, which I simply called autostart. The internet shortcut needs four parameters to be created: the directory where it will reside, the name, the application it points to and the icon. (See Appendix B for detailed information.) Below is a diagram that displays this first part of the malware activity. Since the autorun shortcut has been copied into the Startup folder, the keylogger now starts working every time the computer starts, executing caffeine.exe and caffeineMeter.exe.
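The persistence just described leaves a concrete artifact a defender can look for: an Internet Shortcut (.url) in the per-user Startup folder whose target is a script or executable under %APPDATA%. The following is an added example written for this page, not Caffeine's own code or an appendix of the thesis. It parses .url files (which are INI-style text with an [InternetShortcut] section and a URL= line) and flags launch targets inside user-writable profile directories. The Startup folder path and the %APPDATA% expansion are the ones given above; the sample shortcut contents, the file name starter.vbs as the launch target and the placeholder user name alice are constructed for the example.

```python
"""Added example (not Caffeine's own code): hunt for the persistence
described above, an Internet Shortcut (.url) in the per-user Startup
folder whose target is a script or binary under %APPDATA% or %TEMP%."""
import configparser
import os
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlparse

# The same per-user path the text uses. Windows expands %APPDATA%; on a
# non-Windows host expandvars leaves the string untouched, so the live scan
# simply finds no such directory.
STARTUP_DIR = os.path.expandvars(
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")

# Launch targets inside user-writable profile directories are the suspicious
# ones; a normal installer puts its binaries under Program Files.
PROFILE_DIRS = re.compile(
    r"(appdata[\\/]+(roaming|local)|[\\/]temp[\\/]|%appdata%|%temp%)", re.I)
RUNNABLE_EXTS = {".exe", ".vbs", ".bat", ".cmd", ".js", ".ps1", ".scr"}


def shortcut_target(content: str) -> Optional[str]:
    """Return the URL= value of an [InternetShortcut] file, or None if the
    content is not a parseable Internet Shortcut."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(content)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "url", fallback=None)


def local_path(target: str) -> str:
    """Normalise file:///C:/x/y or a bare path to a Windows-style path so the
    pattern match below sees the same thing either way."""
    parsed = urlparse(target)
    if parsed.scheme == "file":
        path = unquote(parsed.path)
        if re.match(r"^/[A-Za-z]:", path):   # '/C:/Users/...' -> 'C:/Users/...'
            path = path[1:]
        return path.replace("/", "\\")
    return target


def suspicious_shortcuts(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """entries maps a Startup-folder filename to its content. Returns
    (filename, resolved target, reason) for each entry worth a closer look."""
    hits = []
    for name, content in entries.items():
        if not name.lower().endswith(".url"):
            continue                         # .lnk shortcuts are binary; out of scope here
        target = shortcut_target(content)
        if target is None:
            continue
        path = local_path(target)
        if path.lower().startswith(("http://", "https://")):
            continue                         # an ordinary web bookmark
        ext = os.path.splitext(path)[1].lower()
        if ext not in RUNNABLE_EXTS:
            continue
        if PROFILE_DIRS.search(path):
            hits.append((name, path, "%s launched from a user profile directory" % ext))
        else:
            hits.append((name, path, "Internet Shortcut launches a local %s" % ext))
    return hits


def scan_startup_folder(folder: str = STARTUP_DIR) -> List[Tuple[str, str, str]]:
    """Live variant for a Windows host: read every .url in the real Startup
    folder and run the same checks."""
    entries = {}
    if os.path.isdir(folder):
        for name in os.listdir(folder):
            if name.lower().endswith(".url"):
                with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                    entries[name] = fh.read()
    return suspicious_shortcuts(entries)


# Constructed sample Startup folder (not captured from a real machine). The
# first entry mirrors the layout the text describes: an 'autostart' shortcut
# pointing at a script under %APPDATA%; the script name is an assumption.
SAMPLE_STARTUP = {
    "autostart.url": ("[InternetShortcut]\r\n"
                      "URL=file:///C:/Users/alice/AppData/Roaming/starter.vbs\r\n"
                      "IconFile=C:\\Windows\\System32\\shell32.dll\r\n"
                      "IconIndex=1\r\n"),
    "Docs.url": "[InternetShortcut]\r\nURL=https://docs.example.com/\r\n",
    "readme.txt": "not a shortcut",
}

if __name__ == "__main__":
    for hit in suspicious_shortcuts(SAMPLE_STARTUP):
        print(" | ".join(hit))
```

On a Windows host scan_startup_folder() runs the same checks against the real per-user Startup folder; the machine-wide folder under ProgramData and .lnk shortcuts (a binary format) would need a separate parser and are deliberately left out.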

III.V Caffeine

The execution order is caffeine then caffeineMeter, so first it starts logging the key presses and storing them directly in a text file named coffee.txt; after that caffeineMeter is executed, which searches for sensitive files on the victim's computer and mails both the file, if found, and coffee.txt from the logger to an email address. Caffeine is a Python file compiled to an exe that logs every key press using the pynput and logging libraries, more specifically Key and Listener from pynput.keyboard. This library allows you to control and monitor input devices. It contains subpackages for each type of input device supported: pynput.mouse contains classes for controlling and monitoring a mouse or trackpad, and pynput.keyboard contains classes for controlling and monitoring the keyboard.[12][13] Firstly I set the basic logging configuration: I specified a filename, so that a file handler is created with that name, the directory, and the format in which the key presses are stored, which is the time it was pressed and the key. The method on_press takes key as a parameter and, for every key that is pressed, gets the value of that key as a string. We also collect events until the listener is released; for example, if the user holds down a key it will not only save that key once but for the whole time it is still pressed.[13] (See Appendix D for detailed information.)

III.VI CaffeineMeter

This other part of the malware is a bit more complicated because it involves multiple libraries such as smtplib, socket, os, email.encoders and parts of the email MIME package (MIMEMultipart, MIMEBase and MIMEText). The first function is called milk; I chose this name because it resembles the milking of a cow when extracting a file from the directory. I added this data exfiltration feature late; before that, this class was only used to send the coffee.txt logs that caffeine produces. The method takes the parameter folder, which I have set to C:\Users because under this directory it can find every file of all the users of that machine (note that other users' profile folders are not readable by a standard user without administrative rights, so in practice the scan covers the profile of the user running it). The method scans every folder starting from My Documents, Downloads, Desktop, My Pictures, and every subfolder that exists for all of the users. This scan is what takes a little time, but compared to the damage it does it is worth it. The method uses the os library, which provides portable ways of using system-dependent functionality.[14] First I created an empty string named file_list, and a loop that walks the directory set before in the variable folder; for every path, directory and file that exists in that directory it uses string matching to find files ending with the extensions .txt, .pdf, .doc and .docx. These file types are usually where the sensitive information I am looking for is found: text files, PDF files or Word documents. Among those it chooses only the files whose name starts with passw (I haven't used password because some applications use shortened names like psw or passw), bank, statement or email. After finding a file that matches all the conditions it gets the directory and the filename and saves them as a string in the variable file_list created before.

This method returns file_list, so when calling it we get that variable, for example "C://Users/Admin/Desktop/bank_statement_uba2020.pdf". This method can be improved further by adding the option to search for more file types/extensions and a faster search algorithm. The second method, called getPcName, uses the socket library, which provides access to the BSD socket interface. I have used the library's methods gethostname() and gethostbyname(), which in combination return the hostname of the machine where it is currently running and its IPv4 address as strings. The method returns the string user id, which concatenates the IP and the name in one. This is later used as the subject of the email to differentiate where the logs are coming from, for example "Loggs from Example-PC @ 112.158.126.31".[15] I have created some variables that contain the information needed for the third and last method of the malware: email_username, email_password, email_receiver, subject, body, filename and filename2. The sendMail method takes these variables as parameters and uses the MIME classes from the email module. Firstly it creates a MIMEMultipart object named msg whose From, To and Subject headers and attachment I set equal to the variables above. To the msg object a MIMEText object is attached, which defines the content and the content type, in this case the variable body and the type plain, as in plain text. The attachment is read with open(), which reads a file in text mode by default, setting the mode parameter to rb, meaning the file is opened in binary format for reading.[16][17][18] Second, a MIMEBase object is created that reads the attachment and encodes it in base64 in order to be sent; this object, which I called part, is then attached to the msg object, and then a variable called text converts the whole msg with the part attached to a string.

The connection to the SMTP server is made by first creating a variable server that calls the smtplib library with the server's SMTP address and port, then upgrading the connection to TLS. After logging in to the SMTP server with the login credentials of my email account, which in this case I set in the variables email_username and email_password, I use the sendmail method of the smtplib library to send the mail with the remaining parameters: email_username, email_receiver and the text variable which holds the whole message as a string created before. After this I call the default quit() method to close the connection.[17][18] Note that because these credentials are hard-coded in a Python script bundled into an exe, anyone who obtains the binary can recover them and read the same mailbox. At the end of the file I call the sendMail() method twice with the parameters set above: once with the variable filename and a second time with the variable filename2, where the first has coffee.txt from caffeine.exe attached and the second sends the same except that the attachment is the file returned by the milk() method, the sensitive data. In the end we get two emails in the inbox, giving us the victim's key logs of the whole day, every day, and their sensitive data, updated because the scan runs every time the computer starts. (See Appendix E for detailed information.)
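The messages described above have a recognisable shape: a MIMEMultipart with a plain-text body, a base64 attachment, and a subject of the form "Loggs from <host> @ <ip>". The following is an added example for this page, not CaffeineMeter's own code, showing how a mail-gateway or incident-response script could triage such a message with the same email package. build_message() only constructs test input the way the text describes sendMail() assembling it and sends nothing; the sender and receiver addresses, the IP 10.0.0.5, the attachment contents and the "menu.pdf" benign sample are constructed, while the subject pattern, the coffee.txt name and the name prefixes and extensions come from the description above.

```python
"""Added example (not CaffeineMeter's own code): triage an SMTP message of
the shape described above, a MIME multipart with a plain-text body and a
base64 attachment, and flag the indicators the text gives, namely the
'Loggs from <host> @ <ip>' subject and attachment names matching the
exfiltration filters. The sample messages are constructed here."""
import re
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import Dict, List, Tuple

SUBJECT_RE = re.compile(
    r"^Loggs from (?P<host>.+?) @ (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
KEYLOG_NAME = "coffee.txt"
# Same name prefixes and extensions the milk() description lists.
SUSPECT_STEMS = ("passw", "bank", "statement", "email")
SUSPECT_EXTS = (".txt", ".pdf", ".doc", ".docx")


def build_message(subject: str, body: str, attachment_name: str, payload: bytes) -> str:
    """Construct a message the way the text describes sendMail() building it:
    MIMEMultipart, MIMEText body, MIMEBase attachment encoded as base64.
    Only used here to make test input; nothing is sent."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"     # placeholder addresses
    msg["To"] = "drop@example.com"
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    part = MIMEBase("application", "octet-stream")
    part.set_payload(payload)
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment; filename=%s" % attachment_name)
    msg.attach(part)
    return msg.as_string()


def triage(raw: str) -> Dict:
    """Parse a raw RFC 822 message and report why (if at all) it looks like
    Caffeine exfiltration. Attachments are base64-decoded to get true sizes."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    m = SUBJECT_RE.match(subject)
    attachments: List[Tuple[str, int]] = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        attachments.append((name, len(data)))

    reasons = []
    if m:
        reasons.append("subject matches 'Loggs from <host> @ <ip>'")
    for name, _ in attachments:
        low = name.lower()
        if low == KEYLOG_NAME:
            reasons.append("keylog attachment %s" % name)
        elif low.startswith(SUSPECT_STEMS) and low.endswith(SUSPECT_EXTS):
            reasons.append("attachment %s matches the sensitive-file filter" % name)
    return {
        "host": m.group("host") if m else None,
        "ip": m.group("ip") if m else None,
        "attachments": attachments,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed samples. The log content imitates the 'timestamp: key' lines
# the text says coffee.txt contains.
SAMPLE_LOG = b"2020-12-05 08:00:00,123: 'a'\n2020-12-05 08:00:00,456: Key.enter\n"
SAMPLE_EXFIL = build_message("Loggs from Example-PC @ 10.0.0.5",
                             "coffee logs", KEYLOG_NAME, SAMPLE_LOG)
SAMPLE_DOC = build_message("Loggs from Example-PC @ 10.0.0.5", "files",
                           "bank_statement_uba2020.pdf", b"%PDF-1.4 (constructed)")
SAMPLE_BENIGN = build_message("Lunch tomorrow?", "see you at 12",
                              "menu.pdf", b"%PDF-1.4 (constructed)")

if __name__ == "__main__":
    for raw in (SAMPLE_EXFIL, SAMPLE_DOC, SAMPLE_BENIGN):
        print(triage(raw))
```

The subject string is the weakest of the three indicators, since it is a constant an operator can change; the attachment-name filter mirrors the malware's own selection logic and survives such a rename, which is why both are reported separately.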

IV. Caffeine Decrypter

Caffeine stores its key presses in coffee.txt line by line, but finding credentials or reading in this vertical form is hard, so I chose to create a simple Java application that gets the content of that file and displays it in a readable and clear format. The application consists simply of a panel with a text area, a label and a button. The design was done using the Swing GUI toolkit for Java. When the "Decrypt" button is clicked, a new Scanner object is created to look for a file named coffee.txt; if found, it shows "Decrypting . . ." and reads the text file line by line. The logs are saved in the format shown below in Figure 16, including the date and time and the key pressed between apostrophes, e.g. 'a'. The loop checks whether a line contains an apostrophe character, gets the position of that character and takes the substring after the apostrophe up to the end, also removing the last character, which is the second apostrophe. It does this for every line in the log and when finished it clearly displays the logs in the text area above. See Figure 17. (See Appendix F for detailed information.) [19][20]
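The Java decrypter only strips the apostrophes, so special keys and corrections are left as-is and a password typed with a backspace in it reads wrongly. The following is an added example for this page, not the thesis's decrypter, that replays the log instead. It assumes the line format produced by the logging module's default "%(asctime)s: %(message)s" with the message being pynput's str() of the key, i.e. a character in apostrophes ('a') or Key.<name> for special keys; the log lines themselves are constructed.

```python
"""Added example (not the Java Caffeine Decrypter): rebuild what was typed
from a coffee.txt-style log. Each line is assumed to be the logging module's
default '%(asctime)s: %(message)s' with the message being pynput's str() of
the key, i.e. a character in apostrophes ('a') or Key.<name> for special
keys. The Java decrypter only strips the apostrophes; this version also
applies Key.space, Key.enter and Key.backspace so lines read as typed."""
import re
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:,\d{3})?):\s*(?P<key>.+?)\s*$")
PRINTABLE_SPECIALS = {"Key.space": " ", "Key.tab": "\t"}


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Return (timestamp, key token) or None for a line that is not an event."""
    m = LINE_RE.match(line)
    return (m.group("ts"), m.group("key")) if m else None


def reconstruct(log_text: str) -> List[Tuple[str, str]]:
    """Replay the events. Returns one (timestamp of first event, text) entry
    per Enter-terminated line, plus a trailing entry for an unfinished line.
    Modifier and navigation keys (Key.shift, Key.left, ...) are skipped
    because their effect on the text cannot be recovered from the log."""
    lines: List[Tuple[str, str]] = []
    buf: List[str] = []
    start: Optional[str] = None
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue                       # garbage or truncated line
        ts, key = ev
        if start is None:
            start = ts
        if len(key) >= 3 and key[0] == "'" and key[-1] == "'":
            buf.append(key[1:-1])          # ordinary character, e.g. 'a'
        elif key in PRINTABLE_SPECIALS:
            buf.append(PRINTABLE_SPECIALS[key])
        elif key == "Key.enter":
            lines.append((start, "".join(buf)))
            buf, start = [], None
        elif key == "Key.backspace":
            if buf:
                buf.pop()
    if buf:
        lines.append((start, "".join(buf)))
    return lines


# Constructed log (not a real capture): a mistyped then corrected word,
# Enter, and a second line started with Shift.
SAMPLE_LOG = """\
2020-12-05 08:00:01,102: 'p'
2020-12-05 08:00:01,250: 'a'
2020-12-05 08:00:01,401: 's'
2020-12-05 08:00:01,550: 's'
2020-12-05 08:00:01,700: 'x'
2020-12-05 08:00:01,850: Key.backspace
2020-12-05 08:00:02,001: 'w'
2020-12-05 08:00:02,150: 'd'
2020-12-05 08:00:02,300: Key.enter
2020-12-05 08:05:10,000: Key.shift
2020-12-05 08:05:10,100: 'H'
2020-12-05 08:05:10,200: 'i'
2020-12-05 08:05:10,300: Key.space
2020-12-05 08:05:10,400: 'a'
2020-12-05 08:05:10,500: 'l'
2020-12-05 08:05:10,600: 'l'
not an event line
"""

if __name__ == "__main__":
    for ts, text in reconstruct(SAMPLE_LOG):
        print(ts, repr(text))
```

The timestamp kept per line is that of the first event after the previous Enter, which is what an analyst needs to line the reconstructed text up against other evidence such as window focus or network logs.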

(Screenshots 1 to 6 not reproduced here.)