24
Jun
10

LocatePC – the LIGATT trojan

This is my first malware analysis, so feedback is welcome and encouraged. For now, it’s still legal to reverse engineer software in Canada, so until Bill C-32 gets passed I’m going to keep doing it.
I selected LocatePC, which was found on the LIGATT Security website. Downloading the ZIP file gives us two executables, the first is the installer, the other is the actual trojan. Both files are written in C#, compiled as .NET assembly. This software is a commercial product designed to stay resident on someone’s computer, and allow them to be notified in the event their computer is stolen. Both executables suffer from severe flaws, both in security and in usability. In cases where I’ve deemed appropriate, I’ve censored information; these omissions are left as an exercise for the reader to uncover.
The Installer
Upon launch, the installer immediately establishes a connection to a remote MySQL server:
new MySqlConnection(“Server=97.74.195.39; Port=3306; Database=locate_pc; User=****; Password=****; Encrypt=true”);
This is a rookie coding mistake: hard-coding credentials into an application. With this information, anyone could login to that MySQL database and manipulate the data. Fortunately for LIGATT, a firewall is preventing the software from making a connection to the database. This causes the installer to immediately quit, giving the user a “Communication error” alert box.
Now, at this point it’s clear that the software doesn’t work. But using some reverse engineering, we can see what the rest of the program does. There’s no sense leaving any of it uncovered.
So, assuming we can connect to the database, the installer then fetches a list of all MAC addresses on this machine. This list of MACs is used right away to check the database to identify whether the trojan is installed on the computer. The installer then asks the user for a registration code, and if they don’t have one they are directed to purchase one from the LIGATT website. Once a valid registration code is given, it checks to ensure it has not expired, and that the maximum number of licenses have not been used.
We are then presented with a nice Menu, giving us the option to install the trojan. Upon clicking it, the installer creates a new directory (INSTALLDIR) to install the trojan to, with the following format:
C:\Windows\<random existing directory>\<random 32-bit int>\
The directory is assigned to be readable & writeable by Everyone, and is given the hidden attribute. It then selects a name for the trojan (EXENAME), from the following list:
wingfuw winnmji winvmnw winhkip winfmvy winttkz windcmv winvtek winpfbp winzfdn winvqun winvwkx winqjbi wingroi winnzfv winhlng winybpn winhcwt winecmz winqrxi winxpju winriia winhiwf winayct winfkcd windpxb winebte winbhpu winjcdy winsicz winfzyn winrgri winmylp winonfq winpqjf wincmws winmsex winvgsi winesrl winewiv winveha winufbq winrzcg windtup winxtlk windiqu winsggx winzqei winpesf winairh winfomi winecfi winvljm winpnvz winuyyb winznpy winvxhf winycqe winlqlx winuilq winleud wingfnh windmci winrseu winqecu winedhi winnwmb winpamg windhwh winvqby winqmhu winhxzu winnics winpixl windevl winxdsi winggjm winszpd wingoyy winykec winqmrp winejgy winvtzu winqbtd winwpxd winjjep winlcgv winydrq winevmy winxolq winzuew winbvzd winekyb winatwy wintkjg winvgon winjqyt winwazf winrymo winguwl winpxwi wincmst winfkow winvgze winqgzc winhxpu winnyeu winutki winbrur winszra winydvf wintgkd winwapw winvmcy winohmp winrgzv winddwr wincnpf winncjg winaslp winlnyy winotfu winrpva winadqw winywgb winoeye winzmoo winloxz winabhl winxyje winoplo winlztk winmpti winopnn wingorv winvwuw winfung winuznj winjcbc winsvfr winerno winhgdg winoifn winktkk winsnya winbhya winidhb winkvls winnqcp winhnld
It then grabs “LocatePC.exe” from the current directory, and copies it to “INSTALLDIR\EXENAME.exe”; the installer then updates the database with the MAC address of our machine, the installation directory, and the executable’s name.
At this point, the installer presents us with a registration process. It asks for typical information: username, password, address, email, etc. In addition, the user selects a “boss-key”, a key combination used to show or hide the trojan menu. It also grabs the external IP of the machine from http://www.ligattsecurity.com/get_ip_address.php. This information is then inserted into the database. The password the user gives is then stored in “INSTALLDIR\EXENAME”, a file with no extension. The boss-key is written to “INSTALLDIR\_EXENAME.resx”.
A unique random 32-character alphanumeric string is generated. This used to uniquely identify the trojan install within the database later. This string is stored in “INSTALLDIR\EXENAME.0” (that’s a zero on the end, fonts are annoying).
The installer creates an entry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ for the newly installed trojan executable. Finally, a browser windows is spawned to the LIGATT LocatePC page, and the trojan is launched.
The Trojan
First things first, the trojan makes a connection to the MySQL database with the same credentials used above. If it’s unable to connect, it quits. It then grabs its name and installation directory from the command-line arguments list.
Now, I found this next part interesting. It creates a mutex called “LocatePC Lite”, creating it if it doesn’t exist. If it’s unable to grab the mutex (because another process holds it) then it quits. This ensures that only one copy of the trojan is running!
After that, we grab the 32-character string from “INSTALLDIR\EXENAME.0”, and look that up in the database, giving us information about the license, version, username, password. The trojan then uses this information to update the “last_login” on the account, with the current time, software version, and the mac address of the machine.
The program then opens up “INSTALLDIR\_EXENAME.resx” to get the boss-key, and registers that with the windows HotKey interface; it is then tied to a small windows that allows the user to quit the trojan or click an “About” link taking them to the LIGATT website.
Now, the trojan spawns a new thread. This thread performs all the actions listed below.
  • Check the database for whether we should uninstall ourselves. If so, deletes the entire INSTALLDIR directory, and removes the relevant registry key.
  • Check the database for whether we should update ourselves. If so, downloads the new version, replaces the executable, spawns a thread with the new executable and closes this thread.
  • Grab system information, mostly from WMI. This includes things like all IP and MAC addresses, OS version, motherboard serial number, bios version, etc. All of this information is then inserted into the database and associated with the registration code
  • Check the database for whether we should keylog. If so, record all keystrokes to the database.
  • Check the database for whether we should shutdown the PC. If so, do so.
  • Check the database for whether we should display a custom message. Message box appears with the message if there is one.
  • Check the database for whether we should activate the webcam. If so, takes a photo now and every 30 minutes, upload the jpg capture to the database.

Final Thoughts

The product ideas are good. That is, recording keystrokes, IP addresses, and webcam images are a good way to retrieve a laptop. However the actual design is severely flawed: all interactions require the database, and both programs fail if the database is inaccessible. In addition, there are several occurrences within the code of MySQL queries being made without parameterization; this could lead to SQL Injection from inside the application. As mentioned above, if the database were actually accessible for the program, it would also be accessible for anyone able to extract the credentials from the executables; this would allow an attacker to extract all information stored about the LocatePC clients, including full registration information.
Something else emerges quickly from that last thought. A more dedicated attacker could modify the database to set all instances of the trojan to enable keylogging, and then extract this information from all those computers via the database. One could argue that this was part of the design of LocatePC from the beginning: having a client pay to install a keylogger on their computer and commit identity theft with the data obtained. That’s a pretty good scam.
EDIT: clarified the section about the trojan connecting to the database, and where it gets its name from.
Advertisements

8 Responses to “LocatePC – the LIGATT trojan”


  1. 1 Adrian Sanabria
    June 24, 2010 at 5:55 pm

    Great analysis – I wonder whether the Ligatt crew wrote this code, as opposed to taking an existing trojan and customizing it for their resale needs. Many of the features you mention sound too much like trojans in the wild to be coincidence. Do you agree based on your analysis?

  2. 3 isdpodcast
    June 24, 2010 at 6:18 pm

    Great write-up. Did you attempt to connect to the MySQL database?

    • June 24, 2010 at 6:31 pm

      Yes, I attempted to troubleshoot the application by testing the connectivity to the remote host. It did not respond to any packets, leading me to believe it was firewalled.

      (That doesn’t sound like “port scan”, now does it?)

  3. 5 Xavior Barro
    July 7, 2010 at 1:20 pm

    Thank you for the review, ultramegaman.

    I’ve been looking for an objective review of Ligatt Security’s products but all I could find was spam on the various blogs and forums about them. The LocatePC was the one I was most interested in finding out about. Did you try the picture-taking feature?

    • July 7, 2010 at 1:41 pm

      The software did not work due to lack of connectivity with the remote database. As such, I was not able to test any of the features. Paying any money for this software would be a big mistake, as it just plain doesn’t work.

      • February 27, 2012 at 2:06 pm

        Actually I worked for the company. We did by the product from Ioconic.. it was originally wrote in C++, but I was new to c#. I wrote most of the code and then we hired a second party for the Keylogger. I got as far as the login, registration, all other checks. So yeah at the time I was a ameture coder when in came to C# that was my first project. I knew there would probably be flaws. I stopped working for the company in 2010. The new programmer is Russian. I think they have changed alot of things at LIGATT, such as website address, company location, database location.. So the app may now point to the correct database and may be more secure. Im not sure.. I like your review..


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: