E-Bandits - Part 1

This post is the first in a new series of articles about E-Bandits. In these articles I will talk about some of the low profile malware currently involved in various data stealing and phishing scams.
Data stealing is not just about stealing credit card information or login credentials. Some of these malware are capable of taking pictures and/or capturing video from your webcam and uploading them to remote servers.  The worst types of privacy breaches include taking screenshots of your desktop, monitoring your chatting sessions, and grabbing pictures from your 'My Pictures' folder.

 

One such malware is 'Spyware.PerfectKeylogger'. Perfect Keylogger is a legitimate monitoring tool from BlazingTools Software, but a tweaked version is being used with malicious intent. This malware uses the same core engine so it has all the capabilities which one might find in the original software, i.e. monitoring keystokes, taking screenshots of the user's desktop, and logging emails, chat sessions, instant messages, applications used, and websites visited.

Normally this malware spreads through common social engineering techniques. The sample I analyzed had the name 'inst_wrar380tr.exe', a fake WinRar setup file. Upon execution this malware produced an error message:

Runtime Error '339'
'Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file missing or invalid.

This is an attempt to trick the user into thinking that the WinRar setup file was not downloaded properly or is otherwise corrupt. Once executed, it tries to authenticate itself with 'smtp.aol.com' and sends an email to the email address 'hack***pro@aol.com' with this subject line:

Perfect Keylogger was installed successfully: 3/18/2009, 12:52 PM ([NetBiosName]\[User Name])

After the initial confirmation email it keeps on sending other emails to the same address, normally with an attachment named 'logs.zip', containing sensitive information from the infected system. In the sample run in my lab, I observed that initially logs.zip only contained screen shots captured from my infected virtual machine.

This is what the confirmation email looks like:

6

As one can see from this screenshot, the malware first tries to

authenticate itself with 'smtp.aol.com' supplying base64 encoded

credentials.

Here are some of the contents of logs.zip:

7

User beware. Do not become a victim of these types of social engineering traps. Always download software from trusted sources.  Crack tools/key generators are evil.  Do not run them as most of the time they contain malware.  If there is any doubt, it's always better to scan an executable through Virustotal.

Atif Mushtaq @ FireEye Malware Intelli..

Wait a second, here is a twist...:)

It's pretty easy to decode base64 encoded credentials and this malware has already exposed these to me. After decoding the credentials for 'hack**pro@aol.com', I decided to login into this inbox. An Inner insight into this inbox gave me some valuable information about this particular threat and bad guys running this malware.

Here are a few screenshots from the inbox:

1

6a00d835018afd53ef01156e48292f970c

After complete verification that this email account is being used solely for storing stolen information, I sent an abuse notification to AOL with above shown information as a proof but so far no action.  It looks as though everyone is too busy nowadays..:)

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM