Archive for June 26th, 2007

by Joseph Cepe (Threats Analyst)

TSPY_MAHA.S is a keylogger Trojan Spy that uploads the information it captures to a certain site. I tested one of the URLs the keylogger accesses to check whether it was still up.

http://in-2-[BLOCKED]eb2.com/img/parse.php

The URL displayed nothing and returned no error message, which was a good sign that the site was still up. Testing further, I simply removed “parse.php” from the URL to see whether I could find more information.

http://in-2-[BLOCKED]eb2.com/img/

[Screenshot: maha_1.JPG]

To my surprise, directory listing is enabled! From here, you can either download the whole archive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.

[Screenshot: maha_2.JPG]

The malware used the format _ of the infected machine/account for the folders where the logged keystrokes are found.

Browsing further inside, the log files are named in the format DD_MM_YYYY.html, where the name corresponds to the actual date the log file was posted to the server.

[Screenshot: maha_3.JPG]

Various types of logged keystrokes (such as bank accounts, Yahoo! and MSN accounts, PayPal accounts, and email conversations) were found inside the folders, which I believe are still active and whose passwords have not been changed.



© Copyright 2008 Trend Micro Inc. All rights reserved.