July spyware list

This month, the first positions of the list are very similar to last month’s.



1.- Application/MyWebSearch
2.- Adware/Lop
3.- Adware/Gator
4.- Adware/ActiveSearch
5.- Spyware/Virtumonde
6.- Adware/Savenow

Adware/VideoActiveXObject goes up from the 10th to the 7th position. It is the most active variant of the known fake codecs.

Application/RealSpy goes up from the 17th to the 13th position. It is a commercial keylogger that logs the keystrokes typed by the user, monitors the websites visited, captures screenshots and records conversations of instant messaging programs such as MSN, ICQ, AOL and Yahoo.

Trj/Lineage.BZE goes up from the 34th to the 24th position. It is a Trojan that steals passwords for the MORPG Lineage.


PINCH, THE TROJAN CREATOR

Some time ago we talked about malware prices, HTTP botnets, etc. Today I will show the level Trojan creators have reached and the way some of them release ‘builders’ for their creations: genuine design centres for fully customizable Trojans. This is where Pinch comes in.

Pinch is a tool for creating Trojans. It lets the user define the actions the Trojan will take, pack the executable file to make its detection more difficult, and disable specific ‘annoying’ services such as those of antivirus products.

Among the tools for creating viruses, Trojans, etc., this is probably the most widely used, distributed and sold, because its very intuitive interface makes it easy to use. A malicious attacker can have an executable ready to infect, steal and spread in a few minutes, and victims suffer serious harm without realizing it until it is too late and they face the financial consequences.

First, the attacker must choose the ‘return’ mode for the data the Trojan collects: whether it is sent via SMTP, sent via HTTP, or simply written to a file on the system to be recovered later through the backdoor the Trojan opens on the victim’s computer.

If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ ‘From’ and ‘To’ fields of the email to send.
+ Subject.
+ Interval between data transmissions.

If HTTP is chosen, the name of the server hosting mail3.php must be specified; mail3.php is the server-side script that stores the received information on the server.

If the FILE method is chosen, the name and path of the file in which the information is written must be specified.
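The three return channels described above are what a network defender can watch for. As an added example that is not part of the original post, here is a Python function that scans constructed proxy/firewall log lines for HTTP requests to a mail3.php script and for direct SMTP from hosts that are not mail relays; the log line format, the relay list and the sample addresses are assumptions.

```python
import re
from typing import Dict, List

# Constructed log line format (an assumption, not any real product's format):
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <proto> <detail>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<proto>\w+) (?P<detail>.*)$"
)

# Hosts that are allowed to speak SMTP directly (assumed internal mail relays).
MAIL_RELAYS = {"10.0.0.25"}
SMTP_PORTS = {25, 587}


def find_exfil_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that looks like a Pinch return channel."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        port, proto, detail = int(m["port"]), m["proto"].upper(), m["detail"]
        if proto == "HTTP" and re.search(r"/mail3\.php\b", detail):
            reason = "HTTP request to a mail3.php drop script"
        elif port in SMTP_PORTS and m["src"] not in MAIL_RELAYS:
            reason = f"direct SMTP on port {port} from a non-relay host"
        else:
            continue
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "reason": reason})
    return findings


# Constructed sample lines using documentation address ranges (RFC 5737).
SAMPLE_LOG = [
    "2007-07-10T09:14:02 192.168.1.37 203.0.113.9:80 HTTP POST /mail3.php HTTP/1.1",
    "2007-07-10T09:14:05 192.168.1.37 203.0.113.9:25 SMTP EHLO victim-pc",
    "2007-07-10T09:15:00 10.0.0.25 198.51.100.7:25 SMTP EHLO relay.example.internal",
    "2007-07-10T09:16:11 192.168.1.42 203.0.113.9:80 HTTP GET /index.html HTTP/1.1",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in find_exfil_indicators(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}: {hit['reason']}")
```

The FILE return mode leaves nothing on the wire, so it is only visible through host-side artifacts such as the backdoor port the Trojan opens.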


There are several tabs in the middle of the screen where the parameters below can be specified:

PWD: The type of password to be stolen can be indicated, from mail programs to passwords stored in browsers, as well as system information. The report can also be encrypted.

RUN: Specifies how the Trojan will run on the target computer, the location it will be copied to (if necessary), its name, etc. If Autorun is selected, there are several options to choose from:

+ Standard: Copies the executable file to the selected directory and adds a registry entry so that it runs automatically.
+ DLL RUN: Copies the Trojan to the directory, creates a .dll and adds a reference in the Windows Registry so that it runs automatically.
+ UNDELETE: Compiles the Trojan and converts it to different formats (exe, dll), compiles a .dll again from one of the conversions, etc.
+ SERVICE: Copies the Trojan to the directory and creates a reference in the Windows Registry so that it runs automatically. The name of the service can be specified.

It can also be set to act at a specific date and time, delete itself, and run when it detects a network connection or after a reboot. It can also be compiled to change the Windows firewall settings so that the Trojan is allowed to act.

SPY: This section configures the spying features: the Trojan can act as a keylogger, take screenshots of the victim’s desktop, capture IE data, look for certain files on the target system, etc.

NET: Allows the victim’s PC to be turned into a proxy, with the ports specified, etc. It also acts as a downloader: given the address of an executable file, the victim’s machine downloads the .exe file and runs it. The last option allows connection to a php script, with parameters specified, etc.

BD: Or backdoor. Allows ports to be specified and logs to be opened on victims’ computers.

ETC: Allows the Trojan to be hidden using typical joiner methods.

KILL: Allows the selected services or processes to be killed. Most antivirus services are offered for selection by default.

IE: Allows sites to be added to IE’s Trusted Sites and to the favorites section.

WORM: Allows worm characteristics to be configured so that the Trojan distributes itself.

IRC-BOT: Allows victims’ computers to be added to an IRC bot network, specifying the server, channel, port and password.

It also allows the Trojan to be encrypted using RC4 and packed using FSG, UPX or MEW.

Once all the Trojan’s characteristics are specified, it must be compiled to obtain the .exe file.

The version I have used for this post is version 2.60, since its builder is very complete. Later versions are available, but they are limited builders which do not allow all the Trojan’s characteristics to be specified from a single builder. The author has ‘diversified’ them, creating a specific builder for SMTP and removing several options that are now included in the final Trojan by default. Given builder prices, this effort to make their ‘creations’ more profitable is not surprising. Here you have a screenshot of the latest version:

The parser: Pinch is accompanied by a parser program that reads and decrypts the logs left by the Trojan. The parser lets you search the logs and, truth be told, it is easy to use and gives a clear view of the different log data obtained by the Trojan:


A new case of RansomWare !!!

We have detected a new case of ransomware.

Once the malware infects a computer and encrypts its files, several “read_me.txt” files are created on the infected system, warning the user that their data files have been encrypted and that they will not be able to access them unless they pay a ransom of $300.

The email addresses indicated in the message may vary:

kiloglamour@gmail.com
tristanniglam@gmail.com
oxyglamour@gmail.com
glamourepalace@gmail.com

The “personal code” may also vary, depending on the random value used to encrypt the data.

The encrypted files usually begin with the text “GLAMOUR”:
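The two artifacts described above (the read_me.txt notes and the “GLAMOUR” header) are enough for a quick on-disk triage. As an added example that is not part of the original post, here is a Python sweep that walks a directory tree and reports both; the sample tree it builds is constructed test data, and a real sweep would be pointed at the affected profile or share.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

MARKER = b"GLAMOUR"        # text the post reports at the start of encrypted files
NOTE_NAME = "read_me.txt"  # ransom note file name from the post


def triage_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and collect ransom notes and files carrying the marker header."""
    hits: Dict[str, List[str]] = {"notes": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                hits["notes"].append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(MARKER))  # only the first bytes matter
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if head == MARKER:
                hits["encrypted"].append(path)
    return hits


def build_sample_tree() -> str:
    """Constructed directory mimicking an infected user profile (test data only)."""
    root = tempfile.mkdtemp(prefix="glamour_triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    # an "encrypted" document: marker followed by constructed opaque bytes
    (docs / "report.doc").write_bytes(MARKER + bytes(range(16)))
    # an untouched file, and one that mentions the word but not at offset 0
    (docs / "todo.txt").write_bytes(b"plain text, not touched")
    (docs / "diary.txt").write_bytes(b"the word GLAMOUR appears later, not first")
    # ransom notes dropped in two directories
    note = "Your files are encrypted. Pay $300 to recover them."
    (docs / NOTE_NAME).write_text(note)
    Path(root, NOTE_NAME).write_text(note)
    return root


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    print(f"{len(result['notes'])} ransom note(s), "
          f"{len(result['encrypted'])} file(s) with {MARKER!r} header")
```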



We have managed to access the data of the infected systems: there are 1,108 infected computers.

In 111 of those machines, port 6838 is open so that the machine acts as a socket server.

The “construction kit” of Trj/Sinowal has been used to create this Trojan.

We already mentioned this malware family in the eCrime 2007 Congress post:

http://research.pandasoftware.com/blogs/research/archive/2007/03/29/eCrime-2007-Congress.aspx

According to SecureWorks, this “construction kit” is sold for around $1,000:

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?RSS&NewsId=3740

This variant is detected as Trj/Sinowal.FY in the signature file.