CWSandbox vs. Spy.Banker

From time to time we also get malware binaries that behave like a Trojan. This is an example of a Spy.Banker (the name ClamAV assigns to it), which tries to steal confidential financial information from the compromised machine. The malware uses SMTP to send the information back to the attacker. The following mail is sent to the attacker and contains information about the compromised machine:

From: "!Mensagem [Cartao]!" 
Subject: FOO [Infectado por fataL]
To: xtinfecs@gmail.com
Date: Thu, 5 Oct 2006 01:15:26 +0200
X-Priority: 1
X-Library: Indy 9.00.10

!============fataL CorP============!
!Maquina?: FOO!
!Vítima LOGADA: !
!IP: 123.456.789.abc!
!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_
!Sistema?: Microsoft Windows XP (version 5.1)!
!Endereço da Placa: 00-AB-CD-EF-GH-00!
!============fataL CorP============!


The sandbox can also extract this kind of information, since it hooks the Winsock communication of the analyzed process and tries to reconstruct the application-layer protocols carried over it. In addition to SMTP, CWSandbox is currently also capable of understanding IRC, HTTP, and FTP. The complete report is also available as HTML analysis and XML analysis.
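To show what this protocol extraction amounts to for the SMTP case, here is an added example (written for this post, not CWSandbox's own code). It assumes the Winsock hook delivers the client half of the dialogue as an ordered list of send() buffers, which may split a line across calls; it reconstructs the envelope and the message sent in the DATA phase and then turns the Trojan's "!Key: value!" report lines into a dictionary. The SMTP commands and the envelope sender are assumptions; the message text is the one reproduced above.

```python
"""Reconstruct an SMTP submission from captured Winsock send() buffers and
extract the Trojan's report fields from it. Added example, not CWSandbox code."""
from email import message_from_string
from typing import Dict, List


def split_smtp_lines(buffers: List[bytes]) -> List[str]:
    """Join the send() buffers first, then split on CRLF: that is what makes the
    parse robust to one command arriving in several send() calls. Latin-1 is a
    lossless byte-to-char mapping, so bytes from an 8-bit client survive."""
    return b"".join(buffers).decode("latin-1").split("\r\n")


def parse_smtp_client_stream(buffers: List[bytes]) -> dict:
    """Walk the client's SMTP commands; return the envelope and the DATA text."""
    lines = split_smtp_lines(buffers)
    session = {"helo": None, "mail_from": None, "rcpt_to": [], "data": None}
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            session["helo"] = line.split(" ", 1)[1].strip()
        elif upper.startswith("MAIL FROM:"):
            session["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            session["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif upper == "DATA":
            # The message runs until a line holding only "."; a body line that
            # itself starts with "." was dot-stuffed to ".." on the wire.
            body = []
            i += 1
            while i < len(lines) and lines[i] != ".":
                body.append(lines[i][1:] if lines[i].startswith("..") else lines[i])
                i += 1
            session["data"] = "\n".join(body)
        i += 1
    return session


def extract_report_fields(body: str) -> Dict[str, str]:
    """Turn the "!Key: value!" lines of the report body into a dict. Banner
    lines ("!====...====!") carry no field and are skipped, as are lines that
    lack the closing "!"."""
    fields: Dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not (line.startswith("!") and line.endswith("!")):
            continue
        inner = line[1:-1]
        if inner.startswith("=") or ":" not in inner:
            continue
        key, value = inner.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def analyze_smtp_capture(buffers: List[bytes]) -> dict:
    """What an analyst wants from the capture: the drop-box address (RCPT TO),
    the headers that fingerprint the mail library, and the victim details."""
    session = parse_smtp_client_stream(buffers)
    msg = message_from_string(session["data"] or "")
    wanted = ("From", "Subject", "To", "Date", "X-Library")
    return {
        "helo": session["helo"],
        "mail_from": session["mail_from"],
        "rcpt_to": session["rcpt_to"],
        "headers": {k: msg[k] for k in wanted if msg[k]},
        "report": extract_report_fields(msg.get_payload()),
    }


# The mail shown in the report above, as the client would put it on the wire.
MESSAGE_TEXT = (
    'From: "!Mensagem [Cartao]!"\r\n'
    "Subject: FOO [Infectado por fataL]\r\n"
    "To: xtinfecs@gmail.com\r\n"
    "Date: Thu, 5 Oct 2006 01:15:26 +0200\r\n"
    "X-Priority: 1\r\n"
    "X-Library: Indy 9.00.10\r\n"
    "\r\n"
    "!============fataL CorP============!\r\n"
    "!Maquina?: FOO!\r\n"
    "!Vítima LOGADA: !\r\n"
    "!IP: 123.456.789.abc!\r\n"
    "!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_\r\n"
    "!Sistema?: Microsoft Windows XP (version 5.1)!\r\n"
    "!Endereço da Placa: 00-AB-CD-EF-GH-00!\r\n"
    "!============fataL CorP============!\r\n"
)

# Constructed capture (assumption): the commands, the envelope sender and the
# mid-line split of the RCPT command are made up for this example.
SAMPLE_BUFFERS = [
    b"EHLO FOO\r\n",
    b"MAIL FROM:<cartao@sender.invalid>\r\n",
    b"RCPT TO:<xtinf",  # one command delivered in two send() calls
    b"ecs@gmail.com>\r\n",
    b"DATA\r\n",
    MESSAGE_TEXT.encode("latin-1") + b".\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for key, value in analyze_smtp_capture(SAMPLE_BUFFERS).items():
        print(f"{key}: {value}")
```

The RCPT TO address is the most useful single value here: it is the mailbox the stolen data is delivered to, and the X-Library header identifies the Indy component the Trojan was built with, which is a handy pivot when grouping samples.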
