Hacking REFOG Keylogger

(Snoop Unto Others as Others Snoop Unto You)

by Alex Nocenti  (a.k.a. MrPockets)

If personal privacy was anything like Normandy, REFOG Keylogger would be the invasion that was D-Day.

For those who are not familiar with the product, REFOG Keylogger is less like a logger of keys and more like a tool to assist in the complete invasion of personal privacy.  Not only does REFOG monitor keystrokes, but, much like infected zombies, PCs monitored by REFOG can also capture a list of applications launched, screenshots of the user session, websites visited, and more.

But there are many things in this world with which I strongly disagree, and REFOG is only one of them.

My real gripe with REFOG and the project that came of it started after I noticed a bold claim of invincibility boasted upon the REFOG website.  On its very homepage (refog.com), the description of the REFOG Keylogger states "Being able to run silently and undetectable, REFOG Keylogger is impossible to be seen or removed by your teenage kids or the spouse."

Whoa, now that makes my hacker spot itch.  At this point, I was well intrigued, and I clicked to "Read More."  The product description page (refog.com/keylogger.html) reiterated the keylogger's stealth persona, but the audacity continued.

Below are a few quotes directly off the sales pitch on the REFOG Keylogger's webpage:

"Even computer-savvy teenagers won't be able to tell whether it's running without knowing your Master Password, nor can they stop or uninstall the monitor."

"Your Master Password is always required to make changes to REFOG Keylogger.  No one can uninstall, block, or circumvent REFOG Keylogger monitoring without knowing your password.  Without the password, it's even impossible to tell whether or not REFOG Keylogger is running!"

"You may not want to disclose the act of PC monitoring, so REFOG can work in special stealth mode, making it completely invisible even to a skilled PC user."

Challenge accepted!

Words like "can't," "impossible," and "password" have inspired the hacker culture for decades, and as both a "skilled PC user" and a spouse, I found myself the perfect subject for the test.

With a can of Mountain Dew and a pot of joe brewing, I started the audit to pursue the following questions.  For starters, can the program be detected without any passwords, and can the program be stopped by the "victim" to regain his/her privacy?

Can the information logged be seen without knowing the master password?

Can the master password be recovered or changed?

Could I even take this as far as to manipulate the logged data to "spoof" the information the keylogger records?

I also wanted to know if the recorded data could be siphoned off of the PC or accessed remotely, which could pose a serious threat to the safety of the user.

My methodology, although a bit tedious, was simple.

Using various tools, I wanted to record before and after snapshots of things like running processes, files on the hard drive, MD5 hashes of those files (to know which existing files were modified or replaced), and registry keys.  This was done during the install, before and after changing the REFOG password, before and after using a chat program, before and after a few minutes of a web browsing session using Internet Explorer, and so on.

My thoughts were that the program is installed to and operating locally on the PC, so all of its inner workings and recorded logs had to be somewhere on the hard disk, and this would allow me to find out where they were and how they worked.

Among the tools I used were Disk and Registry Alert, MD5summer, Regshot, Wireshark, BackTrack 5, and a few native Windows commands like tasklist, taskkill, and netstat.  I used a Windows XP Pro SP3 VM as my guinea pig and "acquired" REFOG Keylogger version 5.1.8.934.
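The before/after snapshot step described above, written out as an added example (not a tool from the article): it hashes a file tree, diffs two snapshots into added, removed and modified paths, and diffs two tasklist-style process name sets.  The scratch directory, file names and contents in demo_install_diff are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple

# Added example mirroring the audit method above (file hashes + process lists).

def snapshot_tree(root: str) -> Dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its MD5.
    MD5 is only a change detector here, as with MD5summer in the article."""
    result: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.md5(fh.read()).hexdigest()
    return result

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify paths as added, removed or modified between two snapshots."""
    b, a = set(before), set(after)
    return {"added": a - b, "removed": b - a,
            "modified": {p for p in a & b if before[p] != after[p]}}

def diff_process_lists(before: Set[str], after: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(new, vanished) process names between two tasklist runs, case-insensitive."""
    b = {p.lower() for p in before}
    a = {p.lower() for p in after}
    return a - b, b - a

def demo_install_diff() -> Dict[str, Set[str]]:
    """Constructed scenario in a scratch directory: an 'install' adds a
    binary in a new MPK folder, replaces one file and deletes another."""
    root = tempfile.mkdtemp()
    def write(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    write("system32/kernel32.dll", b"original")
    write("system32/old.dat", b"gone soon")
    before = snapshot_tree(root)
    write("system32/MPK/MPK.EXE", b"new binary")          # added
    write("system32/kernel32.dll", b"replaced")           # modified
    os.remove(os.path.join(root, "system32", "old.dat"))  # removed
    return diff_snapshots(before, snapshot_tree(root))
```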

My findings were either astonishing or hardly surprising, depending on whose side you're on.

The logs from Disk and Registry Alert showed the addition of a directory, albeit hidden, named MPK in C:\Documents and Settings\All Users\Application Data\ after install.

Another hidden directory named MPK was added within %systemroot%\system32 and contained an EXE file named MPK that, when run, would pop up the password prompt to access the Master GUI.

Not very stealthy, eh?

A comparison of tasklist's output also revealed a new running process called MPK.EXE.  Killing this process with the command taskkill effectively disables the keylogger.  I should point out, however, that the MPK.EXE process is hidden from Task Manager, so REFOG gets small credit there, I suppose.

But the answer to the question about REFOG's detectability is clear.  Even an account without local admin privileges can run tasklist or enable the viewing of hidden files, so a simple check for the process or REFOG's directories makes its presence more than evident.

After creating a limited, non-administrative account on the host and moving around a bit, I began to tear the program apart piece by piece to find clear answers to the rest of my initial questions.

The screenshots taken of a user's sessions are stored in a numerically labeled directory within the C:\Documents and Settings\All Users\Application Data\MPK directory.  There is a directory for each user account on the system, starting with "1" and sequentially counting up.

All of the logged data for each user is stored within them.  After spending some time logged in as my limited account, the directory "3" began populating itself with numerous extensionless files.  The files all started with I40826_ and ended in a 10-digit number.

Booting to BackTrack 5 and running the file command showed them as JPEG images and, sure enough, after I had logged back into Windows with my limited account, I was able to rename them to WHATEVER.JPG and open them up.  I was also able to "edit" them with MS Paint and replace what would be incriminating evidence with images of Bible study and fuzzy puppy dogs.

Pwnt.

Another interesting file I found in that same directory was named D0000, and turned out to be an SQLite database storing all of REFOG's logged data for this user.
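Identifying the extensionless screenshots and the D0000 database by their leading bytes, as an added example rather than the article's own steps: identify() uses the public JPEG and SQLite header signatures, and list_tables() inventories an SQLite file opened read-only.  The I40826_0000000001 file, the sample_log table and its columns are constructed placeholders, since the article does not document REFOG's schema.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List, Optional, Tuple

# Added example, not code from the article: sniff file types by leading bytes
# (as `file` did above) and inventory an SQLite file without assuming its schema.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image",
    b"SQLite format 3\x00": "SQLite 3 database",
}

def identify(head: bytes) -> Optional[str]:
    """Type name for a file's leading bytes, or None if no signature matches."""
    for magic, name in SIGNATURES.items():
        if head.startswith(magic):
            return name
    return None

def identify_tree(root: str, sniff: int = 16) -> Dict[str, Optional[str]]:
    """Sniff every file under root: relative path -> type (or None)."""
    found: Dict[str, Optional[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(sniff)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = identify(head)
    return found

def list_tables(db_path: str) -> List[str]:
    """Table names from sqlite_master, opened read-only so triage never alters the file."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()

def demo() -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Constructed scratch directory standing in for one user's MPK folder."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "I40826_0000000001"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # constructed JPEG header
    db = os.path.join(root, "D0000")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE sample_log (ts INTEGER, text TEXT)")  # constructed table
    con.commit()
    con.close()
    return identify_tree(root), list_tables(db)
```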

With SQLite Administrator, a free self-contained EXE file that can be run without local admin rights, I was able to open the database and not only view but also modify (read = spoof) all of the timestamps, recorded keystrokes, websites viewed, clipboard data, programs launched, and so on.

Furthermore, all of the D0000 log files for other users could be opened and modified.  Not only could I cover up my own tracks, but I could creep on all of the other local users.

Wai pwnt.

Another interesting file I found was one in the root of the C:\Documents and Settings\All Users\Application Data\MPK directory named S0000.

Turns out this is where REFOG stores the password to access the Master GUI.  After all, the contents of the D0000 files for individual users are laid out somewhat cryptically, and why dance around the data when we can waltz right in, right?

All I had to do was install REFOG in another VM and set the password to something like kittens.

Then I copied the S0000 file containing the password I knew into the original VM, and the program that once required the passphrase P@55w0rdz+R4_$t3aling! could be accessed by typing kittens.

From this console, I could enable/disable, delete, change settings, or otherwise fully control the program.  The interface for the "owner" of REFOG isn't designed to change or spoof any of REFOG's logged data, but a user can always fall back on SQLite Administrator if he/she spots something incriminating in the Master GUI.

Now, creating an S0000 file with a second install of REFOG might be a bit beyond the skillset of a normal end user, but I have a feeling that S0000 "reset" files will begin showing up on the Internet by the time this article is published.

Truth:  REFOG can be disabled simply, without knowing the password.

Truth:  REFOG can be easily detected by using the tasklist command to spot the MPK.EXE process, or by looking for the C:\Documents and Settings\All Users\Application Data\MPK or %systemroot%\System32\MPK directories.

Truth:  The REFOG interface can be accessed by launching %systemroot%\System32\MPK\MPK.EXE, or by just giving this a whirl: Start -> Run -> runrefog

Truth:  The REFOG data can be accessed and spoofed by anyone without a password by opening the D0000 SQLite file.

Truth:  The REFOG user interface can be accessed without knowing the password by replacing the C:\Documents and Settings\All Users\Application Data\MPK\S0000 file with one of a known or blank password.

Truth:  REFOG is kinda lame.

In conclusion, REFOG is nowhere near as stealthy or secure as it claims to be.

All of the techniques I used to exploit or modify the program are relatively simple, don't require local administrative privileges on the system, and should be well within the skillset of anyone capable of logging into a PC.
