New sample of stealer trojan

']['€AM€LiT€ Forum - News, Reports and Alerts

GenL
2009-09-03 00:03:56

Hi guys.
I found a trojan inside some warez file from comment links at rlslog. I know it dumps passwords at http://warezbb.info/Dont_Bother/

But I want to know if it does anything else to the system. Can anyone help me with this?

File is here (ccs.exe): http://www.mediafire.com/?rzlfmxzyfhi
It's probably crypted with some VB shit. The PE header says it was compiled on 31.08.09.

I would appreciate it if you could find some time for this!

PS: I wonder, is there any chance this server will finally be hacked and wiped?

Vektor
2009-09-11 21:24:57

I downloaded your file and, as far as I can see, the trojan you have there is iStealer (version 5), encrypted with a VB crypter.

GenL wrote:
I found a trojan inside some warez file from comment links at rlslog. I know it dumps passwords at http://warezbb.info/Dont_Bother/


This trojan indeed sends all passwords to that address. Most stealer trojans don't change any system settings, and this one is no exception.

Almost all software-related posts on rlslog.net have at least one comment posted by rlslog.net staff members with links to iStealer trojans that send all passwords to warezbb.info (on other forums normal users say rlslog staff members replace their comments with trojan links).
BTW, not many people who know about .exe encryption, and that some executables downloaded from untrusted sources are encrypted with no information about what they should do, would still execute them. I mean - you didn't download "ccs.exe", you downloaded something else and you extracted ccs.exe from there. Did you expect the file to be called warning_trojan_dont_execute.exe or something?
GenL
2009-09-12 15:49:27

Vektor wrote:
I mean - you didn't download "ccs.exe", you downloaded something else and you extracted ccs.exe from there. Did you expect the file to be called warning_trojan_dont_execute.exe or something ?
Yes, I extracted it when I noticed its hidden activity (forgot to be more careful).
I'm not a novice, I just wanted to be sure about its safety to the system, as I didn't have time to fully analyze the logs from Filemon and Regmon; they were massive. And I'm not experienced enough to debug a target crypted this way...

So thank you for your time.

BTW, later I found the sources of iStealer 5, and found inside all that stuff for stealing passwords from particular apps. I'm almost sure that people like the spreader of this trojan are not clever/stupid enough to write some destructive code in addition to the default scheme. That's probably the only good thing about rlslog trojan spreaders.
Vektor
2009-09-12 16:20:23

The first thing iStealer does is to search for windows created with ProcMon and Ethereal/Wireshark window class names and to exit if found. Most other trojans search for more class names / process names / hooks / etc. related to more debugging/monitoring tools so you cannot rely on them to see trojan activity if any.
Unless you trace them with a debugger and use it to restrict what they can and cannot do, submit them to all AV companies (VirusTotal is a great tool for this purpose) and wait a few days until detection is implemented in AV products (if they don't detect them already).
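An added example, not code from this thread or from any tool named in it, of a defender-side static triage check for the anti-monitoring behaviour Vektor describes: it pulls printable ASCII and UTF-16LE strings out of a sample and flags strings that name analysis-tool windows together with the Win32 imports such a window-class check goes through. The marker list is illustrative: PROCMON_WINDOW_CLASS is Process Monitor's main window class, the Filemon/Regmon entries are placeholders, and the two byte blobs are constructed stand-ins, not the ccs.exe sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Substrings that show up in a sample which looks for analysis-tool windows
# before running. The thread names ProcMon and Ethereal/Wireshark.
# PROCMON_WINDOW_CLASS is Process Monitor's main window class; the Filemon and
# Regmon entries are placeholders (assumption) to be replaced with verified names.
ANALYSIS_TOOL_MARKERS = (
    "PROCMON_WINDOW_CLASS",
    "Wireshark",
    "Ethereal",
    "FileMonClass",   # placeholder, not a verified class name
    "RegMonClass",    # placeholder, not a verified class name
)

# Win32 imports a window-class lookup goes through. In a real PE these names sit
# as ASCII strings in the import name table, so a plain string scan finds them.
WINDOW_LOOKUP_IMPORTS = ("FindWindowA", "FindWindowW", "FindWindowExA", "FindWindowExW")


@dataclass
class Hit:
    text: str
    offset: int
    encoding: str


def extract_strings(data: bytes, min_len: int = 5) -> list[Hit]:
    """Return printable ASCII and UTF-16LE strings with their file offsets."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [Hit(m.group().decode("ascii"), m.start(), "ascii")
            for m in ascii_re.finditer(data)]
    hits += [Hit(m.group().decode("utf-16-le"), m.start(), "utf-16le")
             for m in utf16_re.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def find_markers(data: bytes, markers=ANALYSIS_TOOL_MARKERS) -> dict[str, list[Hit]]:
    """Map each marker to the extracted strings that contain it (case-insensitive)."""
    found: dict[str, list[Hit]] = {}
    for hit in extract_strings(data):
        for marker in markers:
            if marker.lower() in hit.text.lower():
                found.setdefault(marker, []).append(hit)
    return found


def triage(data: bytes) -> dict:
    """Summarise whether the sample looks like it checks for analysis-tool windows.

    Both a tool-window marker and a FindWindow* import have to be present; either
    alone is only a weak hint (a marker can be a harmless error message, and
    FindWindow is used by plenty of ordinary programs).
    """
    markers = find_markers(data)
    imports = find_markers(data, WINDOW_LOOKUP_IMPORTS)
    return {
        "window_class_markers": sorted(markers),
        "window_lookup_imports": sorted(imports),
        "likely_analysis_tool_check": bool(markers) and bool(imports),
    }


# Constructed stand-in for an unpacked stealer: an import name table fragment,
# an ASCII window-class marker, a UTF-16LE marker and a placeholder drop URL.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00USER32.dll\x00FindWindowA\x00ExitProcess\x00"
    + b"\x00" * 8
    + b"PROCMON_WINDOW_CLASS\x00" + b"\x00" * 7
    + "Wireshark".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"http://example.invalid/drop/\x00"   # placeholder, not the thread's URL
)

# Constructed stand-in for a binary with no such check.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 16 + b"KERNEL32.dll\x00ExitProcess\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(blob))
```

Because the sample in the thread is VB-crypted, these strings are only visible once the crypter layer is off: run the scan over a memory dump or the unpacked image rather than the file on disk, and treat a hit as a reason to look closer in the debugger, not as proof on its own.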
GenL
2009-09-12 21:43:55

Vektor wrote:
The first thing iStealer does is to search for windows created with ProcMon and Ethereal/Wireshark window class names and to exit if found. Most other trojans search for more class names / process names / hooks / etc. related to more debugging/monitoring tools so you cannot rely on them to see trojan activity if any.
I didn't know that, but my Regmon and Filemon are patched against anti-monitors, and I found the actual password data requests there; there was just too much other data inside...

Vektor wrote:
submit them to all AV companies (VirusTotal is a great tool for this purpose), and wait a few days until detection is implemented in AV products (if they didn't detect them already).
Good point, but I don't want to submit any sample to antivirus scanners. They are not reliable, and I don't want to support/help any of them nor their users.
I submitted it to CWSandbox to see the actual activity, but its results were not really complete; I found more in the Regmon/Filemon logs.