Overview -
This is a detection for many nondescript password stealing trojans.
Characteristics -
This detection covers many nondescript password stealing (PWS) trojans, typically one-off creations that have been received by Avert. There are many variants, and the specific actions taken are decided by the attacker who deploys the trojan, so this description is meant only as a general guide.
These trojans are designed to search for passwords when run on the victim's system and return them to the trojan's operator. The specific type of password stolen varies from trojan to trojan, but can include the following:
- Local or domain usernames/passwords
- Online banking account numbers/usernames/passwords
- Dial-up numbers/usernames/passwords
- Email servers/usernames/passwords
- Instant Messaging usernames/numbers/passwords
- Online game credentials
- Any passwords typed at the keyboard.
This information may be captured by monitoring keystrokes or mouse activity across the whole infected system, or only in particular windows (for example a banking or webmail login form). It may also be gathered from registry entries or files on the system, such as the stored credentials of mail, dial-up or IM clients. Once gathered, the information is sent to the trojan's operator, most commonly by email, HTTP or IM.
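The exfiltration channels named above (email, HTTP, IM) are also where a defender can look for such a trojan. The following script is an added example, not part of the original description and not Avert's code: it applies that idea to a constructed set of outbound-connection records from a host. The record format, the process allowlists, the port lists and every process and host name in the sample are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of outbound-connection records (NOT real data). The format
# is an assumption for this example: time process dst_ip dst_port dst_host, with
# '-' when no hostname was seen. Addresses are from documentation ranges.
SAMPLE_CONNECTIONS = """\
2024-03-04T09:12:01Z outlook.exe 203.0.113.25 587 mail.example.net
2024-03-04T09:12:07Z chrome.exe 198.51.100.10 443 www.example.com
2024-03-04T09:12:15Z xkq9f2.exe 203.0.113.77 25 -
2024-03-04T09:12:40Z xkq9f2.exe 198.51.100.99 80 -
2024-03-04T09:13:02Z svchost.exe 198.51.100.50 443 update.example.org
2024-03-04T09:13:30Z mirc.exe 192.0.2.9 6667 irc.example.org
2024-03-04T09:14:10Z photoviewer.exe 192.0.2.44 5222 -
"""

# Processes expected to speak each protocol. Illustrative allowlists: tune them
# to the software actually deployed in your environment.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
IM_CLIENTS = {"mirc.exe", "pidgin.exe"}

SMTP_PORTS = {25, 465, 587}
HTTP_PORTS = {80, 443}
IM_PORTS = {6667, 5222}  # IRC, XMPP


def is_ip_literal(host):
    """True when the destination was given as a bare IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_exfil(log_text):
    """Return (time, process, reason) for connections that use one of the
    exfiltration channels above from a process that has no business using it."""
    findings = []
    for line in log_text.splitlines():
        time, process, dst_ip, port, host = line.split()
        port = int(port)
        proc = process.lower()
        if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            findings.append((time, process,
                             f"SMTP to {dst_ip}:{port} from a non-mail client"))
        elif port in IM_PORTS and proc not in IM_CLIENTS:
            findings.append((time, process,
                             f"IM/IRC traffic to {dst_ip}:{port} from a non-IM client"))
        elif (port in HTTP_PORTS and proc not in BROWSERS
              and (host == "-" or is_ip_literal(host))):
            # Legitimate clients usually connect by name; an unknown process
            # talking HTTP to a bare IP is worth a closer look.
            findings.append((time, process,
                             f"HTTP to raw IP {dst_ip}:{port} from a non-browser"))
    return findings


if __name__ == "__main__":
    for time, process, reason in flag_exfil(SAMPLE_CONNECTIONS):
        print(time, process, reason)
```

On the sample, the two connections from the random-named binary (SMTP to a mail server it should not be talking to, HTTP to a bare IP) and the XMPP connection from an image viewer are reported; the mail client, browser, updater and IRC client are not. Process name alone is weak evidence (a stealer can call itself outlook.exe), so in practice combine this with the image path and signer of the process.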
Specific features and symptoms of the detected sample will vary.
It is common for trojans to copy themselves to a location where their presence is unobtrusive, most commonly the Windows or Windows System directory (e.g. C:\Windows or C:\Windows\System32). The copy may use a filename that mimics a legitimate Windows file, or a random filename to thwart searches for known malicious filenames. A registry entry (for example a Run key) may be created to launch the file again at Windows startup.
Symptoms -
Password stealers are stealthy by design, so most users will not notice that one is installed. Typically these PWS trojans add a registry entry so that they are loaded again at startup. Some PWS trojans have a mail (SMTP) client built in so that they can send logged information to the trojan's operator without depending on an installed email program.
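The persistence and hiding tricks described in the two paragraphs above (copy into the Windows directory, a name that mimics or is near a legitimate system file, or a random name, plus a startup registry entry) are exactly what a triage of autorun entries should look for. The following Python script is an added example, not part of the original description and not Avert's code. It works on a constructed, simplified export of autorun entries; the column layout, the short table of known system binaries and all entry names are assumptions for illustration.

```python
import csv
import io

# Constructed sample in the shape of a simplified autorun-entry export (NOT
# real data; the columns are an assumption for this example, not a tool's schema).
SAMPLE_AUTORUNS_CSV = """\
location,entry,image_path,signer
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,C:\\Windows\\System32\\SecurityHealthSystray.exe,(Verified) Microsoft Windows
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,svchost,C:\\Windows\\svchost.exe,(Not verified)
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,xkq9f2,C:\\Windows\\System32\\xkq9f2.exe,(Not verified)
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,(Verified) Microsoft Corporation
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,explorer,C:\\Windows\\System32\\exploer.exe,(Not verified)
"""

# Canonical directory of a few well-known Windows binaries. Illustrative subset
# only; a real triage would use a full inventory for the Windows build in use.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "securityhealthsystray.exe": r"c:\windows\system32",
}

WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows")


def levenshtein(a, b):
    """Edit distance, used to catch one-letter lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Crude heuristic for machine-generated names such as 'xkq9f2': letters
    mixed with digits and (almost) no vowels. Tune the thresholds to taste."""
    letters = [c for c in stem if c.isalpha()]
    has_digit = any(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in letters)
    return has_digit and len(stem) >= 5 and vowels <= len(letters) * 0.2


def triage_autoruns(csv_text):
    """Return (entry, image_path, reason) for every autorun entry that matches
    one of the PWS persistence tricks described above."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["image_path"].lower()
        directory, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        unsigned = not row["signer"].lower().startswith("(verified)")

        if filename in KNOWN_SYSTEM_BINARIES:
            # Right name, wrong place: e.g. svchost.exe directly in C:\Windows.
            if KNOWN_SYSTEM_BINARIES[filename] != directory:
                findings.append((row["entry"], row["image_path"],
                                 "system binary name in the wrong directory"))
            elif unsigned:
                findings.append((row["entry"], row["image_path"],
                                 "system binary name but not signed"))
            continue

        lookalike = next((k for k in KNOWN_SYSTEM_BINARIES
                          if levenshtein(filename, k) <= 2), None)
        if lookalike:
            findings.append((row["entry"], row["image_path"],
                             f"filename resembles {lookalike}"))
        elif looks_random(stem) and directory in WINDOWS_DIRS:
            findings.append((row["entry"], row["image_path"],
                             "random-looking filename in a Windows directory"))
        elif unsigned and directory in WINDOWS_DIRS:
            findings.append((row["entry"], row["image_path"],
                             "unsigned autorun in a Windows directory"))
    return findings


if __name__ == "__main__":
    for entry, image, reason in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{entry:16} {image:60} {reason}")
```

On the sample the three planted entries are reported (svchost.exe outside System32, a random six-character name in System32, and exploer.exe one edit away from explorer.exe) while the signed, correctly located entries pass. Signer status is checked last on purpose: an unsigned binary in a Windows directory is suspicious on its own, but the name and location tricks are what the description above says to expect, so they are reported first.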
Method of Infection -
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the pretence that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or compromised web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.