
    Since information is the new currency, cybercriminals are constantly devising schemes to steal data from users. PASSTEAL, their latest attempt at information stealing, incorporates a password recovery tool that gathers login credentials stored on the victim's machine, even for websites that use a secured connection.

    We have noted several information-stealing malware families in the past, including TSPY_PIXSTEAL.A, which collects image files and sends them to a remote FTP server. PASSTEAL shares some behavior with PIXSTEAL, but it steals information quite differently.

    TSPY_PASSTEAL.A Gathers Info Stored in Browsers

    Detected as TSPY_PASSTEAL.A, this infostealer collects login credentials for various online services and applications and stores them in a .TXT file named {Computer name}.txt.

    Unlike most information-stealing malware, which logs keystrokes to gather data, PASSTEAL uses a password recovery tool to extract passwords already stored in the browser. The sample we analyzed carries compressed data that unpacks to “PasswordFox”, a password recovery tool designed for Firefox.

    Once the tool is unpacked, PASSTEAL runs it with the command-line switch “/sxml”, which saves the recovered credentials to an .XML file; the malware then converts that output into the .TXT file mentioned above. PASSTEAL then connects to a remote FTP server and uploads the collected information.

    In effect, the password recovery tool lets PASSTEAL acquire every login credential stored in the browser, including those for websites that use secured connections (SSL or HTTPS): the credentials are read from the browser's local password store on the endpoint, so the encryption of the network connection never comes into play. Sites that use such connections include Facebook, Twitter, Pinterest, Tumblr, Google, Yahoo, Microsoft, Amazon, eBay, Dropbox and online banking sites.

    PASSTEAL is not limited to browsers, either. Certain variants are designed to collect credentials from applications such as Steam and JDownloader.

    During our research, we found that the malware had already infected more than 400 systems. Because the two families share the same data exfiltration routine (FTP upload), PASSTEAL and PIXSTEAL were possibly created by the same cybercriminals.
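    The behavior described above (a password recovery tool launched with a save switch such as /sxml, an output file named after the computer, and an FTP upload shortly afterwards) maps directly onto endpoint telemetry. The following Python is an added detection example, not code from the original post or from PASSTEAL itself: it correlates process-creation, file-creation and network-connection events per host. The log layout, the host names and addresses, the ten-minute correlation window, and the ChromePass and IE PassView tool names (assumed here as examples of the “similar tools” the comments mention for Chrome and Internet Explorer) are all assumptions, and the sample events are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# PasswordFox is named in the post. ChromePass and IE PassView (iepv.exe) are
# assumed here as examples of the "similar tools" other variants use.
RECOVERY_TOOLS = {"passwordfox.exe", "chromepass.exe", "iepv.exe"}
# NirSoft "save report" switches (the post shows /sxml). The lookbehind keeps a
# path component such as C:/sxml/ from matching: the switch must be its own token.
SAVE_SWITCH = re.compile(r"(?<!\S)/s(?:xml|text|html|verhtml|tab|tabular|comma)\b", re.I)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
FTP_PORT = "21"
WINDOW = timedelta(minutes=10)  # dump-to-upload window; an assumed tuning value

# Constructed sample telemetry (not real logs). Assumed layout:
# timestamp|host|event_type|key=value fields (values may be double-quoted)
SAMPLE_LOG = r"""
2012-11-06T09:58:12|WS-0142|process_create|image=C:\Users\ana\AppData\Local\Temp\svchost32.exe cmdline="svchost32.exe /sxml C:\Users\ana\AppData\Local\Temp\pf.xml"
2012-11-06T09:58:13|WS-0142|file_create|path=C:\Users\ana\AppData\Local\Temp\pf.xml
2012-11-06T09:58:20|WS-0142|file_create|path=C:\Users\ana\AppData\Local\Temp\WS-0142.txt
2012-11-06T09:59:02|WS-0142|network_connect|dst=203.0.113.17 dst_port=21 proto=tcp
2012-11-06T10:15:40|WS-0077|process_create|image=C:\Tools\PasswordFox.exe cmdline="PasswordFox.exe"
2012-11-06T11:02:11|WS-0203|network_connect|dst=198.51.100.9 dst_port=21 proto=tcp
"""


def basename(path):
    """Lower-cased final path component, accepting both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    ts, host, etype, rest = line.split("|", 3)
    fields = {k: (quoted or bare) for k, quoted, bare in KV.findall(rest)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "type": etype, **fields}


def classify_process(ev):
    """Reasons a process_create event looks like a credential dump (empty if none)."""
    reasons = []
    image = basename(ev.get("image", ""))
    if image in RECOVERY_TOOLS:
        reasons.append("known password recovery tool: " + image)
    if SAVE_SWITCH.search(ev.get("cmdline", "")):
        reasons.append("save-to-file switch (e.g. /sxml) dumps every stored credential")
    return reasons


def detect(log_text):
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    ftp, hostfile = {}, {}  # per host: (time, dst) of FTP connects; times of <host>.txt creation
    for ev in events:
        if ev["type"] == "network_connect" and ev.get("dst_port") == FTP_PORT:
            ftp.setdefault(ev["host"], []).append((ev["ts"], ev.get("dst")))
        elif ev["type"] == "file_create" and basename(ev.get("path", "")) == ev["host"].lower() + ".txt":
            hostfile.setdefault(ev["host"], []).append(ev["ts"])

    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        reasons = classify_process(ev)
        if not reasons:
            continue
        host, t0 = ev["host"], ev["ts"]
        dumped = SAVE_SWITCH.search(ev.get("cmdline", "")) is not None
        if any(t0 <= t <= t0 + WINDOW for t in hostfile.get(host, [])):
            reasons.append("output file named after the computer (<host>.txt), as PASSTEAL writes")
            dumped = True
        exfil_dst = [dst for t, dst in ftp.get(host, []) if t0 <= t <= t0 + WINDOW]
        if dumped and exfil_dst:
            severity = "high"    # dump followed by an FTP upload: the full PASSTEAL chain
        elif dumped or exfil_dst:
            severity = "medium"
        else:
            severity = "low"     # tool seen, but no dump or exfiltration evidence
        alerts.append({"host": host, "ts": t0.isoformat(), "severity": severity,
                       "reasons": reasons, "exfil_dst": exfil_dst})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["host"], a["ts"], "; ".join(a["reasons"]), a["exfil_dst"])
```

    Because PASSTEAL drops the tool under an arbitrary file name, the command-line switch and the {Computer name}.txt artifact are the stronger signals; a tool-name match on its own only yields a low-severity alert, as the interactive PasswordFox run on WS-0077 in the sample shows, and an FTP connection with no preceding dump raises nothing.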

    Once login credentials are stolen, cybercriminals may use them in illegal schemes such as identity fraud. They can also profit by selling the stolen email addresses to spammers or other criminal groups.

    Once they gain access to a victim's online banking account, these crooks may also conduct illegal fund transfers and transactions, leaving the user with actual monetary loss.

    Secure Your Passwords

    Clear your cache. Change passwords regularly. These are security tips we often hear but rarely take to heart. With PASSTEAL able to extract credentials from browsers, users should observe these practices routinely to reduce the risk of data theft. Rather than storing passwords in the browser, users can also use a password management tool such as Trend Micro DirectPass to handle and store their multiple passwords.

    To know more about how to protect numerous passwords from cybercrime, you may read our Digital Life e-Guide How to Secure Your Multiple Online Accounts.

    Online services like Google, Dropbox, and Facebook offer two-factor authentication (TFA), which provides an additional layer of security. Besides the username and password, the user must enter a code generated for each login; the code is sent to the user's mobile phone as an SMS or voice message. With this measure in place, a password stolen from the browser is not enough on its own to access the account, which makes it harder for online criminals to get in.

    Trend Micro Smart Protection Network™ detects and deletes TSPY_PASSTEAL.A and blocks access to the aforementioned FTP server.

    Update as of Nov. 7, 10:46 PM PST

    Further analysis revealed that PASSTEAL queries the server {BLOCKED}, which we found to be located in Germany.


    • KMoran

      Does the encrypted Master Password function in Firefox prevent the theft?

      • Alvin Nieto

        Hi Kmoran,

        Thanks for reminding us of this option. When we tested the password recovery tool with the Master Password feature on, it failed to acquire account credentials from Firefox.

        Sadly, this function isn't on by default, and many users are not aware of it. Other browser applications do not yet offer this feature.

        To our other readers, you may turn this feature on for Firefox by following the steps provided by Mozilla:

    • Alex Dalaplan

      So the takeaway is “do not store login information in the browser because malware can get it”, which is something people in our profession already recommend and say.

      • Alvin Nieto

        Hi Alex,

        We will take note of your feedback in our future blogs. Thank you very much.

        HTTPS and SSL were mentioned because of the complacency and mindset that users' information is safe if they use these secure channels. And if the information is taken before being sent through, of course, these secure connections don't have a chance of protecting your data anymore, which is also easier for malware authors to do than trying to decrypt the secured data packets that you send from your machine.

    • Brad Ly

      Is this just for Firefox? I mean, can I just switch to another browser instead and forever avoid this kind of password-stealing malware?

      Also, what versions of firefox are affected?

      • Alvin Nieto

        According to the data we've analyzed, there are certain variants of this malware that target the credentials stored in Google Chrome and Internet Explorer, using tools similar to “PasswordFox”.

        It’s easy for malware authors to repackage the malware, and use a different password recovery tool targeted for different applications.

        We’ve also tested the password recovery tool using Firefox 16.0.2 (latest stable version as of now), and have verified that it could still retrieve account information. Also works on older versions.

        Similar password recovery tools, which may be bundled with other variants of this malware, were also able to extract credentials from Google Chrome 23.0.1271.64 (latest stable) and IE 8 & 9.
