Author Topic: Image Theft via FTP Could Be First Stage of Attack  (Read 2093 times)


Pez

Image Theft via FTP Could Be First Stage of Attack
« on: 07. November 2012., 09:46:29 »

We recently came across a Trojan that steals image files of .jpg, .jpeg extensions, and Windows memory dumps (.dmp) from victims’ machines and uploads them to an FTP address hardcoded in the malware.

This Trojan silently opens a command line and copies those image files found on the C, D, and E drives to the C drive. These collected files are then sent to an FTP server.

We suspect this malware is in its first stage of development for information theft, and we expect it to return as a more sophisticated attack. The stolen image files could be used for blackmailing the victims and demanding a ransom. We are aware of nude pictures of celebrities stolen a few months back. This malware could be deployed for a similar operation.

We also suspect the attackers would like to learn about vulnerabilities on the victims’ machines; perhaps that is why they are looking for .dmp files, which carry data “dumped” from a program’s memory space. They are often created when a program has an error in coding and crashes.

Gathering .dmp files could be a typo by the malware authors, who might have sought .bmp image files instead.


Malware collecting .jpg, .jpeg, and .dmp files from a victim’s C, D, and E drives and copying them to the C drive.

After collecting the files, the malware connects to an FTP link: 176.x.xxx.90 and logs in with username “wasitnew” and password “qiw2e3r4t5y6.”


Malware connecting to the Internet with username, password, and FTP address.

Using Wireshark, we can see below that an image file—autumn.jpg—has been uploaded via FTP after authenticating.


“Autumn.jpg,” collected from an infected machine, being uploaded via FTP.


The FTP server storing the collected files.

We noticed the FTP server died on November 5.

This malware can evolve with more sophisticated code and cause more harm. Since 2008 we have seen image files carrying embedded image files within. Malware authors sometimes hide their commands behind an image file using steganography.

We advise our customers to pay extra attention when they save any file type while online and to keep their antimalware software updated.


Original Article: Tuesday, November 6, 2012 at 10:32am by Niranjan Jayanand
There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475
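
A defender-side check for the behavior the article describes (an infected machine uploading .jpg, .jpeg and .dmp files to an outside FTP server), as an added example that is not part of the original post or article. The log format (`src dst command argument`, as might be exported from a packet capture), the internal address ranges, the threshold, and the name `find_suspect_uploads` are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of FTP control-channel commands: "src dst command argument".
# All addresses and names are made up for illustration.
SAMPLE_LOG = """\
10.0.0.23 203.0.113.90 USER exampleuser
10.0.0.23 203.0.113.90 PASS examplepass
10.0.0.23 203.0.113.90 STOR autumn.jpg
10.0.0.23 203.0.113.90 STOR holiday.JPEG
10.0.0.23 203.0.113.90 STOR MEMORY.DMP
10.0.0.41 10.0.0.5 USER backup
10.0.0.41 10.0.0.5 STOR report.jpg
10.0.0.57 198.51.100.7 USER web
10.0.0.57 198.51.100.7 STOR index.html
"""

# File types the article says the Trojan collects.
WATCHED_EXT = re.compile(r"\.(jpe?g|dmp)$", re.IGNORECASE)

# Assumed internal ranges; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_uploads(log_text, threshold=2):
    """Return {(src, dst): [filenames]} for internal hosts that STOR at least
    `threshold` watched files to a server outside the internal ranges."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # malformed or argument-less command
        src, dst, cmd, arg = parts
        name = arg.strip()
        if cmd.upper() != "STOR" or not WATCHED_EXT.search(name):
            continue
        if is_internal(src) and not is_internal(dst):
            uploads[(src, dst)].append(name)
    return {k: v for k, v in uploads.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (src, dst), files in find_suspect_uploads(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {len(files)} watched uploads: {files}")
```
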
