PINCH, THE TROJAN CREATOR

ket...@gmail.com

Mar 28, 2008, 6:57:13 AM
to carder
Some time ago, we talked to you about malware prices, HTTP botnets,
etc. Today I will show you the level Trojan creators have reached and
the way in which some of them launch their creation 'builders',
authentic centers for designing and creating totally customizable
Trojans. And this is where Pinch comes in.

It is a tool for creating Trojans which allows: defining the actions
for the Trojan to take, packing the executable file to make its
detection more difficult, disabling specific 'annoying' services such
as those of antiviruses...

Among the tools for creating viruses, Trojans, etc. this might be the
most commonly used, distributed and sold, given its ease of use due to
a very intuitive interface. This allows malicious attackers to have an
executable ready to infect, steal, spread, etc. in a few minutes.
Consequently, it causes victims serious problems without them even
realizing, until it is too late and they have to face the financial
consequences.

First, attackers must choose the 'return' mode of the data the Trojan
obtains. More specifically, whether the data should be sent via SMTP,
HTTP or simply be left in a file on the system to recover it later through a
backdoor opened on the victim's computer by the Trojan.

If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ 'From' and 'To' fields of email to send.
+ Subject
+ Interval between data sending
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/PinchSMTP.JPG

If HTTP is chosen, the name of the server with mail3.php must be
specified. Mail3.php loads the information onto the server.

http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/PinchHTTP.JPG


If the FILE method is chosen, the name of the file created with the
information and its path must be specified.

There are several tabs in the middle of the screen where the
parameters below can be specified:

PWD: The type of password to be stolen can be indicated: from mail
programs to passwords stored on browsers, including system
information. The report can also be encrypted.

RUN: The way the Trojan will run on the target computer, the location
it will be copied to (if necessary), its name, etc. are indicated.
If Autorun is selected, there are several options to choose from:

+ Standard: It copies the executable file into the selected directory
and includes it in the registry to carry out the autorun.
+ DLL RUN: It copies the Trojan to the directory, creates a .dll and
includes a reference in the Windows Registry for it to run
automatically.
+ UNDELETE: It compiles the Trojan and changes it to different formats
(exe, dll), it compiles a .dll again with one of the conversions, etc.
+ SERVICE: It copies the Trojan to the directory, and creates a
reference in the Windows Registry so it runs automatically. The name
of the service can be specified.

It can also be set to act on a specific date and time, delete itself,
and run when it detects a network connection or after a reboot. It can
also be compiled to change the firewall settings in Windows and allow
the Trojan to act.

SPY: The following parameters are specified in this section: it lets
the Trojan act as a keylogger, take screenshots of the victim's desktop,
capture IE data, look for certain files on the target system, etc.

NET: Allows the victim's PC to be turned into a proxy, specifying
ports, etc. It also acts as a downloader: by specifying the address of
the executable file, victims download the .exe file and run it. The
last option allows connecting to a PHP script, allowing parameter
specification, etc.

BD: Or backdoor. Allows ports to be specified and logs to be opened on
victims' computers.

ETC: Allows the Trojan to be hidden using typical joiner methods.

KILL: It allows the selected services or processes to be killed. It
allows most antivirus services to be selected by default.

IE: Allows attackers to add sites to the IE Trusted Sites and the
favorites section.

WORM: Allows worm characteristics to be determined for the Trojan so
it distributes itself.

IRC-BOT: Allows victims' computers to be added to an IRC bot network,
specifying the server, channel, port and password.

It also allows the Trojan to be encrypted using RC4, packing it using
FSG, UPX or MEW.
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/Pinchfilebck.JPG

http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/PinchFileKill.JPG


Once all the Trojan's characteristics are specified, it must be
compiled to obtain the .exe file.

The version I have used for this post is version 2.60 since the
builder in this version is very complete. Later versions are
available, but they are disabled builders which do not allow all the
Trojan's characteristics to be specified from a single builder. The
author has 'diversified' them, has created a specific builder for
SMTP, and has removed several options which are now included in the
final Trojan by default. Bearing in mind builder prices, this process
to make their 'creations' more profitable is not surprising. Here you
have a screenshot of the latest version:
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/Pinch3.JPG

The parser: Pinch is accompanied by a parser program which is
capable of reading and decrypting the logs left by the Trojan. The
parser lets you search the logs and, truth be told, it is easy to use
and allows easy visualization of the different log data obtained by the
Trojan:

http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/18/parsersmall.JPG
Posted by adas dasdasd at 9:08 AM

XRumer

As we commented in Spam in PHP forums and in Spam in PHP forums (II),
it has become more and more usual to see websites (forums, blogs,
wikis, guestbooks, etc...) that contain advertising comments or links
that direct to sites that infect with malware.

We are going to talk about a program that allows this type of comment
to be created: XRumer.
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/24/xrumer1.JPG


It is sold for $450, and for $50 more you can have the Hrefer, which
includes more functions.

This application, with regard to the web section, is more powerful
than Zunker, as that one is only able to post in phpBB and vBulletin.

XRumer allows posting in phpBB and PHP-Nuke (with any modification),
yaBB, vBulletin, Invision Power Board, IconBoard, UltimateBB, exBB,
and phorum.org.

Basically, it follows the process below:
+ It looks for websites where comments can be inserted.
+ It registers itself as a user.
+ It posts the message.

This type of website usually includes human verification codes in
order to make automatic registration more difficult for this kind of
robot, or uses filters in order to block IP addresses that carry
out suspicious operations.

That's why this program is able to recognize the text in the
following type of images:
http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2007/07/24/xrumer2.JPG


It also allows connecting to a list of proxies in order to use
different IP addresses.

Here you have a video where the working of the program is shown.

According to the comments of its creators, it is able to post 1100
links in only 15 minutes.
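The post describes the three 'return' modes a Pinch build can use: SMTP with a fixed sending interval, an HTTP upload to a mail3.php script on the drop server, or a local file collected later over the backdoor. From the defender's side the first two leave network traces, so here is an added example (not part of the original post, and not PandaLabs' or the Pinch author's code) of detection logic run over a small set of constructed log lines. The log format, the sample traffic, the allowed relay list and the beacon thresholds are all assumptions made for the example; only the mail3.php upload path and the idea of a fixed sending interval come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample traffic, not taken from the original post. The line format is an
# assumption for this example: "<ISO time> <src> <dst>:<port> <HTTP|TCP> <detail...>".
SAMPLE_LOG = """\
2008-03-28T10:00:05 10.0.0.7 192.0.2.10:80 HTTP POST /mail3.php
2008-03-28T10:15:05 10.0.0.7 192.0.2.10:80 HTTP POST /mail3.php
2008-03-28T10:30:05 10.0.0.7 192.0.2.10:80 HTTP POST /mail3.php
2008-03-28T10:02:00 10.0.0.8 192.0.2.44:80 HTTP GET /index.php
2008-03-28T10:03:00 10.0.0.8 192.0.2.44:80 HTTP GET /index.php
2008-03-28T10:09:30 10.0.0.8 192.0.2.44:80 HTTP GET /index.php
2008-03-28T10:31:00 10.0.0.7 203.0.113.25:25 TCP CONNECT
2008-03-28T10:32:00 10.0.0.9 10.0.0.2:25 TCP CONNECT
"""

# Internal mail relays that workstations may legitimately reach on port 25 (assumed).
ALLOWED_RELAYS = {"10.0.0.2"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (HTTP|TCP) (\S+)(?: (\S+))?$")


def parse(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, kind, detail, path = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "port": int(port), "kind": kind,
            "method": detail if kind == "HTTP" else None,
            "path": path,
        })
    return records


def find_mail3_posts(records):
    """HTTP mode: the report is uploaded with a POST to mail3.php on the drop server."""
    hits = set()
    for r in records:
        if (r["kind"] == "HTTP" and r["method"] == "POST" and r["path"]
                and r["path"].rsplit("/", 1)[-1].lower() == "mail3.php"):
            hits.add((r["src"], r["dst"]))
    return sorted(hits)


def find_beacons(records, min_hits=3, max_jitter_s=60.0):
    """Flag (src, dst, path) triples requested at a near-constant interval. A fixed
    'interval between data sending' shows up as low variance between request gaps.
    Thresholds are assumptions for this example, not values from the post."""
    by_key = defaultdict(list)
    for r in records:
        if r["kind"] == "HTTP":
            by_key[(r["src"], r["dst"], r["path"])].append(r["ts"])
    beacons = []
    for (src, dst, path), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons.append((src, dst, path, round(sum(gaps) / len(gaps))))
    return sorted(beacons)


def find_direct_smtp(records, allowed_relays):
    """SMTP mode: a workstation opening port 25 to anything other than an allowed relay."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["kind"] == "TCP" and r["port"] == 25
                   and r["dst"] not in allowed_relays})


def analyze(text, allowed_relays=ALLOWED_RELAYS):
    """Run all three checks over a log text and return the findings by category."""
    recs = parse(text)
    return {
        "mail3_posts": find_mail3_posts(recs),
        "beacons": find_beacons(recs),
        "direct_smtp": find_direct_smtp(recs, allowed_relays),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(name, findings)
```

In the constructed sample, host 10.0.0.7 is caught three ways: it POSTs to mail3.php, it does so every 900 seconds, and it then opens port 25 straight to an outside address, which is exactly what a build using the SMTP return mode would do. Host 10.0.0.8 fetches the same page three times at irregular gaps and is not flagged, and 10.0.0.9 talks to the allowed relay, so neither produces a finding. The mail3.php check is the most brittle of the three, since the script name is trivially changed by whoever operates the drop server; the interval and direct-SMTP checks do not depend on it.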