CWSandbox vs. Spy.Banker

Friday, October 20. 2006
From time to time we also get malware binaries that behave like a Trojan. This is an example of a Spy.Banker (named by ClamAV), which tries to steal confidential financial information from the compromised machines. The malware uses SMTP to send information back to the attacker. The following mail is sent to the attacker and contains information about the compromised machine:

From: "!Mensagem [Cartao]!" 

Subject: FOO [Infectado por fataL]

To: xtinfecs@gmail.com

Date: Thu, 5 Oct 2006 01:15:26 +0200

X-Priority: 1

X-Library: Indy 9.00.10



!============fataL CorP============!

!Maquina?: FOO!

!Vítima LOGADA: !

!IP: 123.456.789.abc!

!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_

!Sistema?: Microsoft Windows XP (version 5.1)!

!Endereço da Placa: 00-AB-CD-EF-GH-00!

!============fataL CorP============!


The sandbox can also extract this kind of information since it parses the winsock communication and tries to extract information about different protocols. In addition to SMTP, CWSandbox is currently also capable of understanding IRC, HTTP, and FTP. The complete report is also available as HTML analysis and XML analysis.

Continue reading "CWSandbox vs. Spy.Banker"

Posted by Thorsten Holz in malware at 10:02 | Comments (0) | Trackbacks (0)
(Page 1 of 1, totaling 1 entries)