Keylogger on Hostel computers

23 December 2011

In a hostel in Istanbul they had a decent setup with 4 PCs running DeepFreeze 4.2.
At my usual quick check before using one of the PCs I noticed something in Autoruns.exe: the Userinit key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) had a pointer to …\mpk\mpk.exe

So whatever that is, it runs every time a user logs on. I looked in that directory (which had the attributes hidden and system) and also found mpkview.exe; running that, I got the nice UI of the following software: www.refog.com Personal Monitor
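A check for the logon persistence point described above, added here as an example and not part of the original post: it parses the Winlogon\Userinit value (a comma-separated list of programs Winlogon starts at every logon, trailing comma included) and reports anything that is not the stock userinit.exe. The sample value and the C:\Users\Public path are constructed; the post does not give the real directory.

```python
"""Report programs added to the Winlogon\\Userinit logon chain."""
import re

# On a stock install %SystemRoot% is C:\Windows; expanded by hand so the
# check also runs offline (os.path.expandvars only knows %VAR% on Windows).
DEFAULT_SYSTEMROOT = r"C:\Windows"


def parse_userinit(value: str, systemroot: str = DEFAULT_SYSTEMROOT) -> list[str]:
    """Split a Userinit value into unquoted, expanded, lower-cased entries."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if not item:
            continue  # the default value ends in a comma, which is normal
        item = re.sub("%systemroot%", lambda _: systemroot, item, flags=re.IGNORECASE)
        entries.append(item.lower())
    return entries


def userinit_findings(value: str, systemroot: str = DEFAULT_SYSTEMROOT) -> list[tuple[str, str]]:
    """Return (entry, reason) for every entry that deviates from the default."""
    legit = f"{systemroot}\\system32\\userinit.exe".lower()
    findings = []
    for entry in parse_userinit(value, systemroot):
        basename = entry.rsplit("\\", 1)[-1]
        if basename != "userinit.exe":
            findings.append((entry, "additional program started at every logon"))
        elif entry not in (legit, "userinit.exe"):
            findings.append((entry, "userinit.exe loaded from an unexpected location"))
    return findings


def read_userinit_from_registry() -> str:
    """Read the live value on a Windows host (winreg is Windows-only)."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample shaped like the value found on the hostel PCs.
    sample = r"C:\Windows\system32\userinit.exe,C:\Users\Public\mpk\mpk.exe,"
    for entry, reason in userinit_findings(sample):
        print(f"{entry}: {reason}")
```

On a Windows host, pass `read_userinit_from_registry()` to `userinit_findings` to check the live key; Autoruns shows the same value under its Winlogon tab.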

It showed me all web sites visited and all keyboard input by all the people who had used the PC today including Gmail passwords and some online banking credentials.

Checking the options of the software revealed that these logs are emailed every 30 minutes to an address whose domain is registered by an Istanbul company.

I checked the other three computers and found the exact same key logger installed.

I talked to the owner of the hostel and, as expected, it wasn’t the hostel itself spying on its guests. It must have been installed by a guest or an ex-employee.

I was able to find out that the software had been active for 28 days; the trial they used would have expired after 30 days anyway. But 28 days on four PCs means they got a lot of information. Before I could do any more forensic work, they reinstalled all four PCs.

It turned out DeepFreeze had been installed with an empty password, which means everybody who knows a little about DeepFreeze could just disable it, install the software and then enable it again. They didn’t even have to use Deepunfreeze.

The second mistake they made is that they were using the administrator account, which means that any guest could install new software.

While the first two mistakes were made by the IT guy who set up the PCs, the third one was made by the hostel:

They kept this whole affair a secret, thinking about their reputation. They should have told all their guests about this so they could change all the passwords they used while using the hostel’s PCs.

While so far I had only found random malicious software on hostel PCs, this was an organized attack by someone who had physical access to the machines.

For me this means I will be even more careful when using public PCs. Not all keyboard logger software is as easy to find as this one, though.
