PINCH, THE TROJAN CREATOR

Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you the level Trojan creators have reached and the way some of them release ‘builders’, genuine design centers for creating fully customizable Trojans. And this is where Pinch comes in.


It is a tool for creating Trojans which allows: defining the actions for the Trojan to take, packing the executable file to make its detection more difficult, disabling specific ‘annoying’ services such as those of antiviruses…


Among the tools for creating viruses, Trojans, etc. this might be the most commonly used, distributed and sold, given its ease of use due to a very intuitive interface. This allows malicious attackers to have an executable ready to infect, steal, spread, etc. in a few minutes. Consequently, it causes victims serious problems without them even realizing, until it is too late and they have to face the financial consequences.


First, attackers must choose the ‘return’ mode of the data the Trojan obtains. More specifically, whether the data should be sent via SMTP, HTTP or simply be left on a system file to recover it later through a backdoor opened on the victim’s computer by the Trojan.


If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ ‘From’ and ‘To’ fields of email to send.
+ Subject
+ Interval between data sending



If HTTP is chosen, the name of the server with mail3.php must be specified. Mail3.php loads the information onto the server.



If the FILE method is chosen, the name of the file created with the information and its path must be specified.


There are several tabs in the middle of the screen where the parameters below can be specified:


PWD: The type of password to be stolen can be indicated: from mail programs to passwords stored on browsers, including system information. The report can also be encrypted.


RUN: The way the Trojan will run on the target computer, the location it will be copied to (if necessary), its name, etc. are indicated. If Autorun is selected, there are several options to choose from:


+ Standard: It copies the executable file onto the selected directory and includes it in the registry to carry out the autorun.
+ DLL RUN: It copies the Trojan to the directory, creates a .dll and includes a reference in the Windows Registry for it to run automatically.
+ UNDELETE: It compiles the Trojan and converts it into different formats (exe, dll), then compiles a .dll again from one of those conversions, etc.
+ SERVICE: It copies the Trojan to the directory, and creates a reference in the Windows Registry so it runs automatically. The name of the service can be specified.


It can also be set to act on a specific date and time, delete itself, and run when it detects a network connection or after a reboot. It can also be compiled to change the firewall settings in Windows and allow the Trojan to act.


SPY: This section specifies whether the Trojan acts as a keylogger, takes screenshots of the victim’s desktop, captures IE data, looks for certain files on the target system, etc.


NET: Allows the victim’s PC to be turned into a proxy, specifying ports, etc. It also acts as a downloader: by specifying the address of the executable file, victims download the .exe file and run it. The last option allows connecting to a PHP script, with parameters that can be specified, etc.


BD: Or backdoor. Allows ports to be specified and logs to be opened on victims’ computers.


ETC: Allows the Trojan to be hidden using typical joiner methods.


KILL: It allows the selected services or processes to be killed. It allows most antivirus services to be selected by default.


IE: Allows attackers to add sites to the IE Trusted Sites and the favorites section.


WORM: Allows worm characteristics to be determined for the Trojan so it distributes itself.


IRC-BOT: Allows victims’ computers to be added to an IRC bot network, specifying the server, channel, port and password.


It also allows the Trojan to be encrypted using RC4 and packed with FSG, UPX or MEW.
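The features in the tabs above leave a recognisable footprint on an endpoint. As an added example that is not part of the original post or of Pinch itself, the script below groups constructed endpoint events (a simplified, Sysmon-like shape is assumed) by process and flags any process that combines several of those behaviours: registry autorun or service persistence, a firewall exception, killing an antivirus process, adding an IE trusted site, SMTP from a non-mail client, and a POST to a mail3.php drop script. All paths, names and addresses in the sample are constructed.

```python
"""Flag processes that show several of the Pinch builder behaviours listed above.
Events are constructed samples in a simplified, Sysmon-like shape assumed here."""
from collections import defaultdict

PERSIST_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\currentcontrolset\\services\\")
FIREWALL_KEY = "\\firewallpolicy\\"   # lives under Services\SharedAccess, so it is tested first
IE_ZONE_KEY = "\\internet settings\\zonemap\\"
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed legitimate SMTP senders
AV_IMAGES = {"antivirus.exe"}                       # constructed AV process name


def classify(event):
    """Map one event to a behaviour tag, or None when it looks benign."""
    kind, target = event["type"], event["target"].lower()
    if kind == "reg_set":
        if FIREWALL_KEY in target:
            return "firewall_exception"
        if IE_ZONE_KEY in target:
            return "ie_trusted_site"
        if any(k in target for k in PERSIST_KEYS):
            return "persistence"
    elif kind == "proc_kill" and target in AV_IMAGES:
        return "av_kill"
    elif kind == "net_conn":
        port = int(target.rsplit(":", 1)[1])
        if port in (25, 587) and event["image"].lower() not in MAIL_CLIENTS:
            return "smtp_exfil"
    elif kind == "http_post" and target.endswith("/mail3.php"):
        return "http_dropzone"
    return None


def suspicious_processes(events, threshold=3):
    """Return {pid: (image, sorted tags)} for pids with >= threshold distinct behaviours."""
    tags, images = defaultdict(set), {}
    for ev in events:
        tag = classify(ev)
        if tag:
            tags[ev["pid"]].add(tag)
            images[ev["pid"]] = ev["image"]
    return {p: (images[p], sorted(t)) for p, t in tags.items() if len(t) >= threshold}


SAMPLE_EVENTS = [  # constructed: one dropper doing everything, two benign processes
    {"pid": 4120, "image": "svchost32.exe", "type": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"},
    {"pid": 4120, "image": "svchost32.exe", "type": "reg_set", "target": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\svchost32.exe"},
    {"pid": 4120, "image": "svchost32.exe", "type": "proc_kill", "target": "antivirus.exe"},
    {"pid": 4120, "image": "svchost32.exe", "type": "net_conn", "target": "198.51.100.7:25"},
    {"pid": 4120, "image": "svchost32.exe", "type": "http_post", "target": "http://198.51.100.7/mail3.php"},
    {"pid": 4120, "image": "svchost32.exe", "type": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\*"},
    {"pid": 812, "image": "outlook.exe", "type": "net_conn", "target": "203.0.113.20:25"},
    {"pid": 2200, "image": "setup.exe", "type": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
```

Running suspicious_processes(SAMPLE_EVENTS) flags only pid 4120; the installer that merely adds a Run key stays below the threshold, which is the point of scoring combinations rather than single events.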

Once all the Trojan’s characteristics are specified, it must be compiled to obtain the .exe file.


The version I have used for this post is version 2.60, since the builder in this version is very complete. Later versions are available, but they are cut-down builders which do not allow all the Trojan’s characteristics to be specified from a single builder. The author has ‘diversified’ them, has created a specific builder for SMTP, and has removed several options which are now included in the final Trojan by default. Bearing in mind builder prices, this process to make their ‘creations’ more profitable is not surprising. Here you have a screenshot of the latest version:

The parser: Pinch is accompanied by a parser program which is capable of reading and decrypting the logs left by the Trojan. The parser lets you search the logs and, truth be told, it is easy to use and allows easy visualization of the different log data obtained by the Trojan:


Spammers: PDF rules!

A few weeks ago a spam attack was launched – as happens every day. But that time there was something new. It was a pump-and-dump stock scam using a PDF attachment. And what’s more, the PDF looked very professional, so many people could be fooled. You can download the PDF by clicking on the image below:

It must have been successful somehow, as the number of these PDF scams is increasing a lot. We must say that most of them are made really poorly; just take a look at the following screenshots:

But you can find some that look better:

As you can see, most of the time they are just copy-pasting the body of the ‘old’ spam messages into the PDF file. But today I have found one that has caught my eye. The first thing is the Subject (Off the record), which, on its own, arouses anyone’s curiosity. If the message is opened, there is a PDF attached whose name is the name and surname of the user’s mail account! When it is opened, we discover that we will be given $500 if we reactivate an online casino account; in the end it was not so exciting:
