Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us

    TSPY_MAHA.S, is a keylogger Trojan Spy that uploads captured information to a certain site. Testing one of the URLs being accessed by the keylogger to check if it was still up.

    http://in-2-[BLOCKED]eb2.com/img/parse.php

    The URL displayed nothing which was a good sign that it was still up. No error messages returned. Testing further, by simply removing “parse.php” from the URL, I wanted to see if I can find further information.

    http://in-2-[BLOCKED]eb2.com/img/

    maha_1.JPG

    To my surprise, directory listing is enabled! From here, you can either download the whole arhive (archive_5f4a8.tar.gz) or just browse through the logged keystrokes in the folder “Logs”.

    maha_2.JPG

    The malware used the format _ of the infected machine/account where logged keystrokes are found.

    Browsing further inside, log files are named in the format DD_MM_YYYY.html where it corresponds to the actual date the log file was posted to the server.

    maha_3.JPG

    Various types of logged keystrokes (such as Bank Accounts, Yahoo! & MSN accounts, PayPal account, Email conversations) were found inside the folders which I believe are still active and the password have not been changed.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice