Many of you might have tried many stealers and keyloggers to get logs of your victims. You might have registered on various FTP, PHP sites or even emails to test and get logs of your victims. I have seen many people complaining about stealers or crypters and KL’s. So, this thread may be the right solution/place for you.
Well, if you are not getting logs that doesn’t mean stealer or KL is not good or hosting site is bad.
KL = keylogger
There are various reasons why people don’t receive logs many times.
I will discuss some of the reasons, which I know. If you know more than these, please feel free to post. Also, if at some point, I am wrong, please correct me..
Reason 1:
You might have entered wrong FTP, PHP info. This is because many people don’t know how to put right PHP or FTP info into stealer or KL.
Reason 2:
May be your firewall is blocking access to your file.
If your target has powerful firewall (like ZoneAlarm, Outpost etc…), then it WILL suspect some suspicious behavior and pop-up Internet access privilege. If your target is smart enough, then he/she may block access to your file.
Reason 3:
You never know who is downloading your file (EXE). If the user is capable enough to ollydbg your file, he may easily get your FTP info (if file is not hardly crypted). If the user is smart enough, he may VMWare or Sandbox ur file and may delete ur file after seeing such external access info.
Reason 4:
Many stealers or KLs use UDP connection instead of TCP, for example Stealer2600. UDP is very much unreliable as compared to TCP. So, UDP doesn’t provide error checksum or resending of data. If ur stealer or KL is using TCP connection, then its much better. Reason 5:
Sometimes it may happen that FTP or PHP host is down for some reasons (like backup or upgradation etc…). At that time, ur stealer will send info to the host, but as the host is down, u won’t get logs.
Reason 6:
If your stealer or KL is FUD, say today on 7th Aug. It may become detected on 8th or 10th of August. You may never know. So, it won’t be FUD anymore and AV’s will delete it or may be FW will block access to your file.
Reason 7:
If your target has powerful AV’s like Kaspersky, Avast, Nod etc…, they have Heutistic scanning. This may also prevent file from opening. If ur exe is anti-Kaspersky or such like that, then well and good.
Reason 8:
Make sure your EXE is FUD and with many Anti-methods like anti-anubis, anti-sandbox, anti-VMWare, anti-debugger, anti-emulator, anti-sunbelt etc… (There are hell lot of anti-methods, i just explained a few)…
If ur exe is not anti with any of the above methods, then it may get detected, even by a n00b
Reason 9:
Sometimes, while stealer is sending logs 2 ur FTP or PHP, some packets may lost while traveling to ur host. This is because of many reasons, like network congestion or bottleneck problems, etc…
Reason 10:
Sometimes, your host gets too busy and might come under very much pressure. So, it may stop responding and may not collect logs.
Reason 11:
Once you have distributed ur EXE and if ur using FTP acc to get logs, and then if change pass of ur FTP acc, then also ur exe will not send logs.
This is coz, suppose say, ur ftp login info is username: “hello” and password is: “123456”. This is info is stored in ur exe and u distributed that. While uploading, ur exe will use the above info to upload logs 2 ur FTP.
If u change the password to “456789”, then u know that u hv changed the password of ur FTP acc, but ur EXE doesn’t know this. It will use the password as “123456”. So, in this case also u won’t receive logs.
Reasons 12:
Your Stealer or keylogger is a man-made software. It also requires maintenance and upgradation. Over a period of time, its may performance may decrease. This is also the reason of not receiving logs. But this happens very rarely, only if ur sticked 2 the same stealer for 2 years or more.
Reason 13:
Next reason is may be your crypter/binder/packer. If ur crypter does not support the stealer or KL which ur using, then it may corrupt ur exe. So, choose the stealer and crypter combination wisely.
Reason 14:
Another reason is an operating system. Suppose say, ur stealer or KL is configured to run on XP SP1, SP2, SP3, NT, 2k and Vista.
If ur customers is using Windows 7, then obviously ur exe will not run on his PC as it can’t understand how to execute.
Reason 15:
Another reason cud be 32-bit and 64-bit. If stealer or KL is configured 2 run only on 32-bit machines, then on 64-bit machines, it may not work, even if ur using XP and stealer is compatible with XP.
Reason 16:
If you dun hv good crypter and if ur FUDing ur file manually via Hexing, then make sure that u know proper hexing. Dun just go on google or on some forums and find hexing solution on FUDing ur file. You WILL corrupt ur EXE if ur dun understand offset and other terms…
Using tutorial on hexing is a good choice but dun apply ur own logic with that hex tut if u dunno hexing.
Also, dun combine one hex tutorial with another hex tutorial.
This will definitely corrupt your file. Hahaha……
Reason 17:
If your customer doesn’t have stored passwords in his browser, then also stealer will not send logs or it will send empty logs.
Reason 18:
Say, ur customer is using Google chrome and storing passwords in it. If ur stealer is not configured 2 steal passwords from chrome, then also u won’t receive logs. So, choose a stealer which have good combination of browser (FF, IE, etc…)
Reason 19:
Suppose ur EXE is FUD and is less than 20MB and if ur customers scans ur EXE under virustotal, or jotti, then ur EXE will get detected by many AV’s and within few days, it will get detected easily and AV’ will delete it.
Reason 20:
Even if ur EXE is 0/24 (FUD) on NVT, but if ur victims scans ur exe under Anubis, then mostly Anubis will show all the info after executing ur exe. This may alert ur customer and he may delete ur file.