NEWS FROM THE LAB - Thursday, May 10, 2007

Advanced tools to handle stolen information
Posted by Patrik @ 04:18 GMT

When analyzing one of the latest variants of LDPinch, an information-stealing trojan, we found the drop site the trojan uses to upload the stolen information. As you can see from the screenshot below, the files are named in the format hour_minute-day.month.year_ipaddress_computername.

Pinch Drop
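As an added example that is not part of the original post, here is a small parser for that filename layout which a responder could run over a directory listing of the drop site to count distinct victims for takedown and notification work. The exact field widths and the two-digit-year handling are assumptions, since the post only names the fields, and the sample filenames are constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Drop-site filename layout from the post: hour_minute-day.month.year_ipaddress_computername.
# Assumed (not stated in the post): two-digit hour/minute/day/month, a two- or four-digit
# year, and a computer name that may itself contain underscores, so it takes the remainder.
FILENAME_RE = re.compile(
    r"^(?P<hour>\d{2})_(?P<minute>\d{2})-(?P<day>\d{2})\.(?P<month>\d{2})\.(?P<year>\d{4}|\d{2})"
    r"_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_(?P<host>.+)$"
)

def parse_drop_filename(name):
    # Returns (upload_time, ip, computername), or None if the name does not fit the layout.
    m = FILENAME_RE.match(name)
    if not m:
        return None
    year = int(m["year"])
    if year < 100:  # two-digit year: the post is from 2007, so assume 20xx
        year += 2000
    try:
        when = datetime(year, int(m["month"]), int(m["day"]), int(m["hour"]), int(m["minute"]))
        ip = ipaddress.IPv4Address(m["ip"])  # rejects octets above 255 that the regex lets through
    except ValueError:
        return None
    return when, str(ip), m["host"]

def summarize_drop_site(names):
    # Uploads per victim keyed by (ip, computername), plus the newest upload time seen.
    victims, latest = Counter(), None
    for name in names:
        parsed = parse_drop_filename(name)
        if parsed is None:
            continue  # stray files or malformed names are skipped, not counted as victims
        when, ip, host = parsed
        victims[(ip, host)] += 1
        latest = when if latest is None or when > latest else latest
    return victims, latest

# Constructed sample listing; the IPs are RFC 5737 documentation addresses, not real victims.
SAMPLE_LISTING = [
    "09_41-10.05.2007_192.0.2.17_HOME-PC",
    "09_52-10.05.2007_192.0.2.17_HOME-PC",
    "10_03-10.05.2007_198.51.100.8_OFFICE_WS12",
    "10_15-10.05.07_203.0.113.5_LAPTOP",
    "readme.txt",
    "10_20-10.05.2007_999.1.1.1_BAD",
]
```

Calling summarize_drop_site(SAMPLE_LISTING) reports four uploads from three distinct victims, with the two unparseable names skipped.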

So whenever a user gets hit by this trojan, it collects lots of information and uploads it to this site.

At the time of writing there are 1591 files there, and new ones are arriving every few minutes. We are still in the process of taking down the site. The files on the drop site are encrypted using a proprietary encryption algorithm. To decrypt them, the authors behind LDPinch have created a reporting tool. Thanks to Adam at Sunbelt Software, we got access to this tool.

The reporting tool has a very nice UI. As you can see from the screenshot, everything is structured very nicely: you can see generic information about the computer itself, such as hardware details (CPU, RAM, disk, et cetera), and which version of Windows is in use together with its license key. At the bottom of the screen you can see all of the stolen information, such as ICQ credentials, usernames and passwords taken from stored e-mail accounts in Outlook and Thunderbird, and information stored in the password managers of Internet Explorer, Firefox, and Opera. To protect the identity of the infected user we've blurred some of the information.

Pinch Parser

The tool also comes with some simple statistics, and you can export the information into different types of files, such as all e-mail addresses to a TXT file or the whole report as HTML, et cetera. There are also facilities to filter the data or search for strings, for example all stolen credentials for yahoo.com.

Pinch Parser

The guys behind the trojan are from Russia, and the tool is available in both English and Russian. This clearly indicates that the bad guys are working in a professional manner, creating easy-to-use tools to get to the information quickly instead of having just TXT files with loads and loads of text to filter through.

Right now the latest variant is LdPinch.BYJ; detection was added yesterday evening.