An analysis of AutoLog, a keylogger in AutoIt

Note: I have had this for quite a while, and the sample I had might be outdated.

AutoLog is a keylogger written in AutoIt that is UD and also is extremely popular. It uses the Jos van der Zande Obfuscator, which helps confuses the code to some point, but code structure is not changed at all. The obfuscator also prevents the output from being detected, however AVG detects any file obfuscated by the obfuscator. The obfuscator had a public deobfuscation tool, MyAutToExe, which perfectly deobfuscated the malware. However I happened to manage to extract the original unobfuscated code from the builder, so I will use that version as the variables and function names are mostly preserved already.

The code is slightly obfuscated before the use of the Obfuscator. The strings were encrypted and variables were renamed using Au3Stripper. It was trivial to automatically decrypt the strings and replace them. The Obfuscator is fairly good at ridding of detections, since with a few thousands users and me scanning on VirusTotal, it is a surprise that the stub stays under 5 detections without any updates.

The keylogging method is simple, it either used the IsPressed function or GetAsyncKeyState depending on the user’s choice. The site icanhazip.com is used to obtain the user’s external IP address. For those of you who didn’t know, icanhazip was flagged by antiviruses quite often  due to the fact that it is commonly abused by malware. Nothing out of the ordinary here.

6d1369e8cece15d10eb7c21a2de2c68a

An interesting thing about AutoLog is that it is able to hide itself from Task Manager in Windows 7, which is done through the use of SendMessage after obtaining a handle to the GUI. A fairly creative approach, I don’t think I have ever seen it before.

The AV Killer uses a combination of a public method and a seemingly private one. First, a handle to the process is obtained via OpenProcess, the AV is then suspended using NtSuspendProcess, and then closed. I am surprised that this work, due to the fact that AVs are protected by drivers and should be able to prevent themselves from being suspended and killed. After killing the process, the Image File Execution Option is used to set a debugger for the process to prevent the process from being revived. This is done for around 270 processes which range from Kaspersky, ClamAV to KeyScrambler and WireShark (which technically aren’t AVs).

Antivirus Killing function

Antivirus Killing function

AutoLog uses the API GetAsyncKeyState to log keystroke. The hooking mechanism is taken from a Github repository. AutoLog’s persistence exploits a bug on Windows 7 and potentially under (haven’t checked) which is described here. This bug renders the process pretty much unkillable. While this bug is capable of keeping the process alive, sometimes it causes freezes and stops the malware from functioning properly. A very creative approach I must say, I have never seen anything like this before in the realm of AutoIt malware.

USv3NSc

A comparison of AutoLog’s source code and the public keylogger source code (Left: AutoLog, Right: GitHub)

In conclusion, while AutoLog is an interesting piece of malware providing features that are often not seen on other malware samples, out of which the fact that it only has a few detections is extremely worrying as many AVs have trouble detecting AutoLog’s payload. Additionally, it is because of malware like this that public and freely available obfuscators are getting flagged up as malware.

 

Giang Nguyen

Blogger, Security geek, and Tech Nerd. Send me your malware, I will dissect them.

 

Leave a Reply

Your email address will not be published. Required fields are marked *