TrendLabs Malware Blog - Trend Micro
Information theft appears to have taken a new form: we have found malware that steals image files from every drive of an affected system and sends them to a remote FTP server.

Detected as TSPY_PIXSTEAL.A, this malware opens a hidden command line and copies all .JPG, .JPEG, and .DMP files. .JPG and .JPEG are file formats commonly used for images, while .DMP files are memory dump files that contain information on why a particular system stopped unexpectedly.

The images below show that TSPY_PIXSTEAL.A copies the files from drives C, D, and E of the affected system into its C:\ drive.

Once done, it connects to an FTP server and uploads the first 20,000 files. Though this appears tedious, the potential gain for cybercriminals who succeed in stealing the information is high. Information theft routines have so far been mostly limited to data in text form, so this malware poses a new and different risk for users. Users typically rely on photos to store information, both personal and work-related, so the risk of information leakage is very high. Collected photos can be used for identity theft, blackmail, or even in future targeted attacks.

Securing data — including files such as images — is every user’s responsibility. Part of that responsibility, of course, is to prevent being infected by malware. For more information on how to secure one’s digital life, check our latest infographic: Fear Factors.

Trend Micro protects users from this threat via the Trend Micro Smart Protection Network™, which blocks the FTP server and detects the information stealer.
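The behaviour described above leaves a distinctive footprint on the wire: one host logs in to an FTP server with credentials sent in the clear and then issues a long run of STOR commands for .JPG, .JPEG and .DMP files. The following is an added example, not Trend Micro's code or anything from the malware, showing how a defender could flag that pattern from FTP control-channel logs. The log format, hosts, file names, credentials, the 5-uploads-in-10-minutes threshold and the `parse_sessions`/`analyse_session`/`detect` helpers are all assumptions made here; only the three file extensions come from the write-up.

```python
# Added example (not Trend Micro's code): detection logic for the exfiltration
# pattern described above, run over constructed FTP control-channel log lines.
# The log format, hosts, file names, credentials and thresholds are all
# hypothetical; the extensions (.jpg/.jpeg/.dmp) are the ones in the write-up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor output: "timestamp client server:port COMMAND [argument]",
# one client->server FTP command per line.
SAMPLE_LOG = """\
2012-09-20 08:40:06 10.0.0.5 203.0.113.10:21 USER uploader
2012-09-20 08:40:06 10.0.0.5 203.0.113.10:21 PASS s3cret
2012-09-20 08:40:07 10.0.0.5 203.0.113.10:21 TYPE I
2012-09-20 08:40:07 10.0.0.5 203.0.113.10:21 STOR IMG_0001.JPG
2012-09-20 08:40:08 10.0.0.5 203.0.113.10:21 STOR IMG_0002.JPEG
2012-09-20 08:40:08 10.0.0.5 203.0.113.10:21 STOR MEMORY.DMP
2012-09-20 08:40:09 10.0.0.5 203.0.113.10:21 STOR IMG_0003.JPG
2012-09-20 08:40:09 10.0.0.5 203.0.113.10:21 STOR IMG_0004.JPG
2012-09-20 08:40:10 10.0.0.5 203.0.113.10:21 STOR IMG_0005.JPG
2012-09-20 09:15:00 10.0.0.7 198.51.100.4:21 USER alice
2012-09-20 09:15:01 10.0.0.7 198.51.100.4:21 PASS hunter2
2012-09-20 09:15:02 10.0.0.7 198.51.100.4:21 STOR report.pdf
2012-09-20 09:30:00 10.0.0.9 198.51.100.4:21 AUTH TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)

TARGET_EXTS = (".jpg", ".jpeg", ".dmp")  # file types the malware collects
BULK_THRESHOLD = 5                        # uploads per WINDOW before alerting (assumed)
WINDOW = timedelta(minutes=10)            # sliding window for the burst count (assumed)


def parse_sessions(log_text):
    """Group parsed command records by (client, server:port) session."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["arg"] = rec["arg"] or ""
        sessions[(rec["src"], rec["dst"])].append(rec)
    return sessions


def analyse_session(records):
    """Return the list of finding names for one FTP session (empty if benign)."""
    findings = []
    # A PASS command seen in the clear, with no AUTH TLS/SSL upgrade first,
    # means the credentials crossed the wire unencrypted.
    upgraded = any(r["cmd"] == "AUTH" and r["arg"].upper() in ("TLS", "SSL")
                   for r in records)
    if not upgraded and any(r["cmd"] == "PASS" for r in records):
        findings.append("plaintext_ftp_login")

    # Burst of STOR commands for image or dump files within WINDOW.
    uploads = sorted(r["ts"] for r in records
                     if r["cmd"] == "STOR" and r["arg"].lower().endswith(TARGET_EXTS))
    lo = 0
    for hi, ts in enumerate(uploads):
        while ts - uploads[lo] > WINDOW:
            lo += 1
        if hi - lo + 1 >= BULK_THRESHOLD:
            findings.append("bulk_image_or_dump_upload")
            break
    return findings


def detect(log_text):
    """Map 'client->server' to its findings, for sessions that have any."""
    results = {}
    for (src, dst), records in parse_sessions(log_text).items():
        findings = analyse_session(records)
        if findings:
            results[f"{src}->{dst}"] = findings
    return results


if __name__ == "__main__":
    for session, findings in detect(SAMPLE_LOG).items():
        print(session, ", ".join(findings))
```

Run against the constructed log, the first session is reported for both a plaintext login and a bulk upload, the second only for the plaintext login (a single PDF is not a burst), and the TLS-upgraded session produces nothing. The threshold is deliberately low for the sample; the 20,000-file batch described in the post is orders of magnitude above it, so in practice the window and count can be tuned to local baselines.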

    • F0Real

      This is not very advanced. The FTP login credentials are sent unencrypted to the server.

    • spen

        I've got a twat hacking me and all my kids

        2012-09-20 08:34:45, Info [windeploy.exe] ————————————————
        2012-09-20 08:34:45, Info [windeploy.exe] WinDeploy.exe launched with command-line []…
        2012-09-20 08:34:45, Info [windeploy.exe] Setup has not completed, adding pending reboot.
        2012-09-20 08:34:45, Info [windeploy.exe] Found generalization state [0x4], setup.exe completion flag [False] -> launching setup.exe.
        2012-09-20 08:34:45, Info [windeploy.exe] Launching [C:\Windows\system32\oobe\setup.exe]…
        2012-09-20 08:38:44, Info [windeploy.exe] Process exited with exit code [0x0]
        2012-09-20 08:38:44, Info [windeploy.exe] Found completion flag [True], reboot requested flag [True] -> rebooting computer before proceeding with deployment…
        2012-09-20 08:38:44, Info [windeploy.exe] Making sure that SystemSetupInProgress is cleared.
        2012-09-20 08:38:44, Info [windeploy.exe] An immediate reboot or shutdown was requested/required… rebooting / shutting down computer
        2012-09-20 08:38:44, Info [windeploy.exe] Flushing registry to disk…
        2012-09-20 08:38:45, Info [windeploy.exe] Flush took 952 ms.
        2012-09-20 08:38:45, Info [windeploy.exe] WinDeploy.exe exiting with code [0x0]
        2012-09-20 08:40:06, Info [windeploy.exe] ————————————————
        2012-09-20 08:40:06, Info [windeploy.exe] WinDeploy.exe launched with command-line []…
        2012-09-20 08:40:06, Info [windeploy.exe] Making sure that SystemSetupInProgress is cleared.
        2012-09-20 08:40:12, Info [windeploy.exe] Found no unattend file.
        2012-09-20 08:40:15, Info [windeploy.exe] Started WinSAT; will need to wait
        2012-09-20 08:40:22, Info [windeploy.exe] Launching [C:\Windows\system32\oobe\oobeldr.exe /system]…
        2012-09-20 08:40:22, Info [oobeldr.exe] OOBELdr.exe launched with command-line [/system]…
        2012-09-20 08:40:22, Info [oobeldr.exe] OrchestrateUpdateImageState: Updating image state from [IMAGE_STATE_SPECIALIZE_RESEAL_TO_OOBE] -> [IMAGE_STATE_UNDEPLOYABLE]
        2012-09-20 08:40:22, Info [oobeldr.exe] Parsing command line arguments…
        2012-09-20 08:40:22, Info [oobeldr.exe] Parsing the following command line: [/system]
        2012-09-20 08:40:22, Info [oobeldr.exe] Status for unattend pass [oobeSystem] = 0x0
        2012-09-20 08:40:22, Info [oobeldr.exe] Found no unattend file for oobeSystem pass; skipping pass.
        2012-09-20 08:40:22, Info [oobeldr.exe] No reboot has been requested for oobeSystem unattend.
        2012-09-20 08:40:22, Info [oobeldr.exe] Successfully ran oobeSystem pass.
        2012-09-20 08:40:22, Info [oobeldr.exe] Launching [C:\Windows\system32\oobe\msoobe.exe]…
        2012-09-20 08:40:22, Info [msoobe.exe] Starting service sppsvc
        2012-09-20 08:40:25, Info [msoobe.exe] Service sppsvc reports as running
        2012-09-20 08:40:25, Info [msoobe.exe] Starting service audiosrv
        2012-09-20 08:40:26, Info [msoobe.exe] Service audiosrv reports as running
        2012-09-20 08:40:26, Info [msoobe.exe] Successfully created first boot reg key
        2012-09-20 08:40:26, Info [msoobe.exe] Display mode is set to 800x600x32 [1Hz]
        2012-09-20 08:40:26, Info [msoobe.exe] Starting service Themes
        2012-09-20 08:40:27, Info [msoobe.exe] Service Themes reports as running
        2012-09-20 08:40:28, Info [msoobe.exe] Starting service TabletInputService
        2012-09-20 08:40:29, Warning [msoobe.exe] Service TabletInputService is not running after waiting 10000 milliseconds
        2012-09-20 08:40:29, Info [msoobe.exe] Found [1] UI languages
        2012-09-20 08:40:29, Info [msoobe.exe] Saving language [0x0409] [en]
        2012-09-20 08:40:30, Info [msoobe.exe] Saving language [0x0409] [en]
        2012-09-20 08:40:30, Info [msoobe.exe] Creating background bitmap [layout=0x00000000, cached=1]
        2012-09-20 08:40:30, Info [msoobe.exe] PID EditionID: [Ultimate]
        2012-09-20 08:40:30, Info [msoobe.exe] Registry EditionID: [Ultimate]
        2012-09-20 08:40:30, Info [msoobe.exe] Searching for EULA: [system32\en-US\Licenses\Retail\Ultimate\license.rtf]
        2012-09-20 08:40:30, Info [msoobe.exe] Searching for EULA: [system32\en-US\Licenses\_Default\Ultimate\license.rtf]
        2012-09-20 08:40:30, Info [msoobe.exe] Found EULA: [C:\Windows\system32\en-US\Licenses\_Default\Ultimate\license.rtf]
        2012-09-20 08:41:19, Info [msoobe.exe] Commit: setting computer name [Emma-PC]
        2012-09-20 08:41:20, Info [msoobe.exe] Queuing background work to worker thread; eType=0
        2012-09-20 08:41:20, Info [msoobe.exe] Starting service Schedule
        2012-09-20 08:41:20, Info [msoobe.exe] Starting service netprofm
        2012-09-20 08:41:21, Info [msoobe.exe] Service Schedule reports as running
        2012-09-20 08:41:21, Info [msoobe.exe] Successfully verified and committed UI language settings
        2012-09-20 08:41:23, Info [msoobe.exe] Service netprofm reports as running
        2012-09-20 08:41:23, Info [msoobe.exe] Successfully signalled event to start up services
        2012-09-20 08:41:31, Info [msoobe.exe] Successfully notified UI language change
        2012-09-20 08:41:55, Info [msoobe.exe] Queuing background work to worker thread; eType=1
        2012-09-20 08:41:55, Info [msoobe.exe] Commit: setting manual activation [1]
        2012-09-20 08:41:55, Info [msoobe.exe] Successfully installed product key
        2012-09-20 08:42:31, Info [msoobe.exe] Commit: Set time zone to [GMT Standard Time]
        2012-09-20 08:42:31, Info [msoobe.exe] Commit: Set time to 09/20/2012 - 08:42
        2012-09-20 08:42:31, Info [msoobe.exe] Checking whether to show wireless join
        2012-09-20 08:42:31, Info [msoobe.exe] Skipping wireless join: no adaptor
        2012-09-20 08:42:31, Info [msoobe.exe] CFSMNetworkState : wireless not valid
        2012-09-20 08:42:31, Info [msoobe.exe] Networks present [0]
        2012-09-20 08:42:31, Info [msoobe.exe] CFSMNetworkState is invalid : No active connections
        2012-09-20 08:42:31, Info [msoobe.exe] HomeGroup join: network is not NETWORK_HOME
        2012-09-20 08:42:31, Info [msoobe.exe] HomeGroup join: skipping HomeGroup join page
        2012-09-20 08:42:31, Info [msoobe.exe] Finalize: entered
        2012-09-20 08:42:31, Info [msoobe.exe] Finalize: create user [Emma]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting windows error reporting [0x2]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting Device Metadata PreventDeviceMetadataFromNetwork [0x0]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting Windows Defender DisableTakingAction [0x0]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: enabling Windows Defender check for signatures before scan [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: driver searching value set to [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting Internet Explorer phishing filter [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: enabling SpyNet reporting [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting TroubleShooting DefaultQueryRemoteServer [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting Assitance GlobalOnlineAssist and GlobalImplicitFeedback [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting SQMClient CEIPEnable [0x1]
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: enabling automatic updates
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: WU setting non admin elevated
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: WU setting non admin elevated set successfully
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting automatic update setting - notification level = aunlScheduledInstallation
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting automatic update setting - scheduled install day = ausidEveryDay
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting automatic update setting - scheduled install time = 3
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: setting automatic update setting - include recommended updates = yes
        2012-09-20 08:42:32, Info [msoobe.exe] Finalize: successfully set automatic update settings; now attempting to save
        2012-09-20 08:42:35, Info [msoobe.exe] Finalize: successfully saved automatic update settings
        2012-09-20 08:42:35, Info [msoobe.exe] Finalize: leaving automatic update settings
        2012-09-20 08:42:35, Info [msoobe.exe] Finalize: setting networks
        2012-09-20 08:42:35, Info [msoobe.exe] Wait for network init: Completed with hr=0x80070057
        2012-09-20 08:42:35, Info [msoobe.exe] Setting networks: No network guid specified or WaitForNetworkInitialize failed
        2012-09-20 08:42:35, Info [msoobe.exe] Setting networks: Completed with hr=0x80070057
        2012-09-20 08:42:35, Info [msoobe.exe] Running mandatory tasks
        2012-09-20 08:42:35, Info [msoobe.exe] Waiting on background work; eType=1, fCalledFromMandatoryTasks=1
        2012-09-20 08:42:35, Info [msoobe.exe] Waiting on background work; eType=0, fCalledFromMandatoryTasks=1
        2012-09-20 08:42:35, Info [msoobe.exe] Successfully installed Windows Recovery Environment
        2012-09-20 08:42:38, Info [msoobe.exe] Successfully removed administrator profile
        2012-09-20 08:42:38, Info [msoobe.exe] Exiting mandatory tasks… [0x00000000]
        2012-09-20 08:42:38, Info [msoobe.exe] Cleaning up background work
        2012-09-20 08:42:38, Info [msoobe.exe] OOBE wizard finish has been called.
        2012-09-20 08:42:39, Info [oobeldr.exe] OrchestrateUpdateImageState: Updating image state from [IMAGE_STATE_UNDEPLOYABLE] -> [IMAGE_STATE_COMPLETE]
        2012-09-20 08:42:39, Info [oobeldr.exe] OOBELdr.exe exiting with code [0x0]…
        2012-09-20 08:42:39, Info [windeploy.exe] Process exited with exit code [0x0]
        2012-09-20 08:42:39, Info [0x090008] PANTHR CBlackboard::Open: C:\Windows\Panther\SetupInfo succeeded.
        2012-09-20 08:42:39, Info [0x090009] PANTHR CBlackboard::Close: c:\windows\panther\setupinfo.
        2012-09-20 08:42:39, Info [windeploy.exe] WinDeploy.exe exiting with code [0x0]

    • Zaufana Trzecia Strona

      DMP? Perhaps a typo, because the author of the malware wanted BMP files?

      • Sycho

        If that were the case, then why this comment in the article: “.DMP files are memory dump files that contain information on why a particular system has stopped unexpectedly.”

        Perhaps there is a specific reason why the malware author would want that information. Maybe to look for system vulnerabilities? Services or programs that failed to start at boot time?

      • Caloy_ShowBoy

        This is not a typo. Figure 1 tells you that the debugger is copying *.dmp files from C, D, and E drives.

        And if the malware author runs a debugger for the .dmp files, perhaps dumpchk or windbg, he can get more information about the loaded modules and threads in the targeted system. Thus, continuing the exploit on a higher level.

        • Zaufana Trzecia Strona

          This could be a typo by the malware author himself. There are simpler ways to check loaded modules/threads on a target system than looking for dmp files and debugging them. It just doesn’t fit – collecting jpg files and dmp at the same time – different areas of interest, suggesting a different level of knowledge of the malware author. Why would someone stupid enough to embed ftp credentials in a malware file look for dmp files?

        • Caloy_ShowBoy

          Guess what you say is true.

          The deduction for this is that it is a great part of a social engineering process for a specific or targeted attack. As Raymart Paraiso said, “used for identity theft, blackmail, or can even be used in future targeted attacks”. The .jpg files are mainly for blackmail or identity theft and .dmp might be used for, as he mentioned, future targeted attacks.

          And as for the ftp site with credentials (guess you’re right, it is a careless move by the malware author), this malware is just an initiator of a larger scheme. As long as the author gets the preliminary information he needed for blackmailing, he doesn’t care if AVs detect this malware or block his site.

        • Lonesome23

          Hi, Zaufana. I think the dmp files are not a typo, as the dmp files will give him information on how he can exploit the targeted system. As for the ftp credentials, I think Caloy is right. The malware author doesn’t care about the site as long as he gets the preliminary information he needed.

        • http://www.facebook.com/bev.blackston Bev Blackston

          Believe me they are... I was jacked this way...

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice