Mail and Browser password stealing Malware (July 5, 2013)

Dell SonicWALL Threats Research Team received reports of a password stealing Malware capable of collecting stored passwords from Email, IM and Internet Browsers using third party programs. Once stolen, the passwords are sent to the attacker.

Infection Cycle

Upon execution the Malware drops the following files in %SystemDrive%userspublicPublic Document folder

• Picture Viewer.exe
• keeprun.ini
• image.exe
• bms.klm
• sad.vbs
• pid.PDF
• msnd.exe
• iewed.bat
• ied.bat
• ictd.bat
• icd.bat
• dd.vbs
• cond.reg
• aatd.bat

It makes the following changes to the registry to ensure execution upon reboot:

• HKCUsoftwareMicrosoftWindowscurrentversionRun "stat"="%USERPROFILE%All UsersMsnMsn2aatd.bat"
• HKLMSoftwareMicrosoftWindowsCurrentVersionRun "stat2"="%USERPROFILE%All UsersMsnMsn2aatd.bat"

The Malware begins execution in the following order:

• sad.vbs invokes ictd.bat which in turn invokes icd.bat
• icd.bat performs a number of tasks:
• Regedit /s "cond.reg" - Adds aatd.bat to the Registry Run key so that it starts each time the system reboots
• Start pid.PDF - No malicious activity observed
• Creates "%systemdrive%Documents and SettingsAll UsersMsnMsn2" folder which contain the same dropped files
• start image.exe - This is Mail Password Decryptor program
• start picture.exe - This is Browser Password Recovery program
• disable windows firewall using netsh firewall set opmode disable and advfirewall set currentprofile state off
• start msmd.exe - Tracks keeprun.ini to ensure some files are always running on the system
• start ftp and transfer password files from image.exe and picture.exe to the server

The next time system reboots the flow will begin from aatd.bat which is triggered into execution from the Registry Run key:

• aatd.bat starts msnd.exe
• msnd.exe tracks keeprun.ini and ensures ied.bat is running
• ied.bat invokes dd.vbs which in turn invokes iewed.bat that has the same functionality as icd.bat thereby ensuring that the password stealing functionality is triggered

Mail Password Decryptor is a free tool to recover passwords from email clients. As listed by the author it supports password recovery from:

• Gmail
• Yahoo Mail
• Hotmail
• Windows Live Mail
• Microsoft Outlook
• Thunderbird
• IncrediMail
• GTalk

Browser Password Decryptor is a free tool to recover website login passwords from Web Browsers. As listed by the author it supports password recovery from:

• Firefox
• Internet Explorer
• Google Chrome
• Apple Safari
• Opera
• Sea Monkey
• Comodo Dragon
• Flock

The followiing passwords were captured from our Browsers and Mail Clients when the sample was being analyzed, this file would then be sent to the attacker:

The passwords stored by the Malware are transferred to the attacker via ftp to ftp.freehostia.com. Credentials and commands for the ftp file transfer are stored in the bms.klm file but during our analysis they did not work indicating that they have been changed.

Both Mail Password Decryptor and Browser Password Decryptor are freely available on a reputed security forum. This Malware is a classic example illustrating misuse of Security Tools developed for non-malicious purposes. Using freely available tools it tries to steal passwords from the victim's system and sends them to the attacker without the victim's knowledge.

Dell SonicWALL Gateway AntiVirus provides protection against these threats with the following signatures:

• GAV: ZBot.EB_3 (Trojan)
• GAV: Hacktool.MailPassRec (HackTool)
• GAV: Hacktool.BrowserPassRec (HackTool)
• GAV: Agent.KPRN (Trojan)
• GAV: Fotip.BTH (Trojan)