CWSandbox vs. Spy.Banker

Friday, October 20. 2006
From time to time we also get malware binaries that behave like a Trojan. This is an example of a Spy.Banker (named by ClamAV), which tries to steal confidential financial information from the compromised machines. The malware uses SMTP to send information back to the attacker. The following mail is sent to the attacker and contains information about the compromised machine:

From: "!Mensagem [Cartao]!" 

Subject: FOO [Infectado por fataL]

To: xtinfecs@gmail.com

Date: Thu, 5 Oct 2006 01:15:26 +0200

X-Priority: 1

X-Library: Indy 9.00.10



!============fataL CorP============!

!Maquina?: FOO!

!Vítima LOGADA: !

!IP: 123.456.789.abc!

!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_

!Sistema?: Microsoft Windows XP (version 5.1)!

!Endereço da Placa: 00-AB-CD-EF-GH-00!

!============fataL CorP============!


The sandbox can also extract this kind of information since it parses the winsock communication and tries to extract information about different protocols. In addition to SMTP, CWSandbox is currently also capable of understanding IRC, HTTP, and FTP. The complete report is also available as HTML analysis and XML analysis.

Continue reading "CWSandbox vs. Spy.Banker"

Posted by Thorsten Holz in malware at 10:02 | Comments (0) | Trackbacks (0)

Black Hat Japan 2006 Briefings: Catching Malware

Wednesday, October 11. 2006
Together with Georg, I gave a talk at the recent Black Hat Japan 2006 Briefings. Our talk with the rather lengthy title "Catching Malware: Detecting, Tracking, and Mitigating Botnets" went well and the conference was - as ususal - pretty interesting. The slides are now available.

Continue reading "Black Hat Japan 2006 Briefings: Catching Malware"

Posted by Thorsten Holz in honeynets, malware at 14:48 | Comments (0) | Trackbacks (0)
(Page 1 of 1, totaling 2 entries)