Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Pwstealers - evolution SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Pwstealers - evolution

While reading Mike's great story from yesterday's diary I thought about post this little story about my observations of Password Stealers, also known as PWstealers.

I have been watching this kind of malware for some time. I dont have exactly numbers but I am pretty sure that Brazil is one of the most targeted countries for this kind of scam...

I currently can distinguish four kinds of the pwstealers:

    - The keyloggers/screenloggers
    - The fake bank windows
    - Fake Bank webservers
    - The downloaders

The keyloggers/screenloggers will detect the bank urls and then try to get most of the information available and then send it to and email. I already found a compromised machine that was hosting hundreds of directories, and each one was from a machine and inside it, hundreds of small images from the user clicking, to find his/her passwords...

The fake bank windows is a funny one...whenever it detects the bank urls, it would call IE with a fake website of the bank that you typed.:) The funny was that not rare, the fake websites were outdated and with some strange graphics...The user was suppose to fill all fields and then the windows would close with an (also fake) error message...:)

The fake bank webservers are quite interesting. This malware would install a webserver on the machine, change the hosts file to redirect a specific bank domain to his localhost, which would be running the Bank homepage, right?:)

The fourth one is quite obvious and sometimes even I am not sure if I would put in the same category (pw stealers). But I am putting because these ones are specific for pwstealers. These downloaders usually will contact a free hosting site and download a piece of one of the three kinds above...!

Another thing that I am also observing is that they are changing the way the code is packed...recently they are changing the king of packer used, to some more powerful ones...more difficult to reverse...

Well...that's it!

Ah, if you are following my malware analysis quiz, I posted the results of the first one last friday and already put the new one, which the answers should be sent no longer than Oct 15. :) I hope that you are having as much fun as I am!:) I am already getting some really great answers!

signing off...
----------------------------------------------------
Handler on Duty: Pedro Bueno - pbueno $$ ( isc. sans. org )
Pedro

155 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!