
    Author Archive - Alvin John Nieto (Threat Response Engineer)




    There is another reason why users should be wary of downloading files from file sharing sites: they host PASSTEAL variants. PASSTEAL, as you may recall, is malware that uses password recovery tools to steal information stored in Internet browsers. This technique is a deviation from previous infostealers, which log keystrokes to gather data from infected systems.

    Using feedback from the Trend Micro Smart Protection Network™, we found that several PASSTEAL variants use social engineering lures: some are disguised as key generators for paid applications, while others are bundled with tampered installers of paid applications, as shown below:

    This indicates that PASSTEAL's authors are targeting file sharers and downloaders who frequently use BitTorrent or visit file hosting sites to get hold of illegal copies of software. Other variants were also found disguised as e-book versions of popular Young Adult (YA) novels.




    Since information is the new currency, cybercriminals are constantly formulating schemes to steal precious data from users. PASSTEAL, their latest attempt at information stealing, incorporates a password recovery tool that effectively gathers login credentials, even for websites that use secured connections.

    We have noted several infostealing malware in the past, including TSPY_PIXSTEAL.A, which collects image files and sends them to remote FTP servers. PASSTEAL exhibits certain behavior similar to PIXSTEAL, but it steals information quite differently.

    TSPY_PASSTEAL.A Gathers Info Stored in Browsers

    Detected as TSPY_PASSTEAL.A, this infostealer sniffs out accounts from different online services and applications to steal login credentials, and stores them in a .TXT file named {Computer name}.txt.

    Unlike most info-stealing malware, which logs keystrokes to gather data, PASSTEAL uses a password recovery app to extract passwords stored in the browser. The particular sample we analyzed contains compressed data: the app “PasswordFox”, a password recovery tool designed for Firefox.

    Once PASSTEAL extracts the tool, it runs it with the command-line switch “/sxml” to save the stolen credentials in an .XML file, which the malware then uses to create the .TXT file. PASSTEAL then connects to a remote FTP server to store the collected information.
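    As an added example (not from the original post or Trend Micro's own tooling), the following Python correlates constructed process, file and network events to flag the chain described above: a browser password-recovery tool launched with /sxml, a {Computer name}.txt write, and an outbound FTP connection from the same host. The log format, paths and addresses are assumptions made for illustration; a host that only ran the tool is not alerted on, so a lone dual-use tool execution does not trigger by itself.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original post). One event per line:
# "<time> <host> <kind> <pid> <details>", loosely modelled on EDR process (PROC),
# file (FILE) and network (NET) events. Paths and addresses are made up.
SAMPLE_EVENTS = """\
10:00:01 WS01 PROC 4120 C:\\Users\\bob\\Downloads\\keygen.exe
10:00:02 WS01 PROC 4133 C:\\Users\\bob\\AppData\\Local\\Temp\\PasswordFox.exe /sxml C:\\Users\\bob\\AppData\\Local\\Temp\\pf.xml
10:00:03 WS01 FILE 4120 write C:\\Users\\bob\\AppData\\Local\\Temp\\WS01.txt
10:00:04 WS01 NET 4120 tcp 198.51.100.23:21
10:05:00 WS02 PROC 5001 C:\\Tools\\PasswordFox.exe /sxml C:\\Tools\\recover.xml
10:06:00 WS02 NET 5001 tcp 203.0.113.7:443
"""

# Stage 1: the password-recovery tool run with the /sxml switch the post describes.
TOOL_RE = re.compile(r"passwordfox\.exe\s+/sxml\b", re.IGNORECASE)
# Stage 3: outbound connection to the FTP control port.
FTP_PORT = 21
CHAIN = ("tool_sxml", "hostname_txt", "ftp_out")


def parse(line):
    time, host, kind, pid, details = line.split(" ", 4)
    return {"time": time, "host": host, "kind": kind, "pid": int(pid), "details": details}


def stages_by_host(text):
    """Return, per host, the ordered list of PASSTEAL-like stages observed."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        host, st = ev["host"], seen[ev["host"]]
        if ev["kind"] == "PROC" and TOOL_RE.search(ev["details"]):
            st.append("tool_sxml")
        # Stage 2: a .txt file named after the computer ("{Computer name}.txt").
        elif ev["kind"] == "FILE" and ev["details"].lower().endswith(f"\\{host.lower()}.txt"):
            st.append("hostname_txt")
        elif ev["kind"] == "NET" and ev["details"].endswith(f":{FTP_PORT}"):
            st.append("ftp_out")
    return dict(seen)


def alerts(text):
    """Hosts on which all three stages occurred in the order the post describes."""
    hits = []
    for host, st in stages_by_host(text).items():
        order = [st.index(s) for s in CHAIN if s in st]
        if len(order) == len(CHAIN) and order == sorted(order):
            hits.append(host)
    return hits


if __name__ == "__main__":
    print("PASSTEAL-like chain on hosts:", alerts(SAMPLE_EVENTS))
```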


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice