Malware Review: Trojan.Keylogger.IStealer
This is how one can come across the infamous Trojan.Keylogger.IStealer.
As I was looking for some legit open-source code posted on certain webpages, suspicious content started to pop out, such as Facebook or IM passwords; plus detailed information on unwary users’ surfing history was out in the open. This database of too personal data pointed me in one direction: illegal keylogger activity. Having already approached the subject early this month, I decided to digg deeper in the pile of BitDefender keylogger collection and I found something even better:Trojan.Keylogger.IStealer.
Trojan.Keylogger.IStealer is a tool intended to help those in need of a keylogger. Well, not exactly a traditional keylogger, but rather a password collector that grabs already typed-in passwords and sends them to a webhosting account in the cloud. This gives cybercriminals the opportunity to use custom made software that can entirely suit their needs. Make no mistake about it, this is not one of the commercially-available keyloggers provided by various legit software manufacturers and used for parental control or supervision inside company networks.
Trojan.Keylogger.iStealer has no installer, there’s no warning about the computer being actively monitored, nothing that could justify a legit purpose. Instead, it allows the generated keylogger to be bound with another application, say a legitimate software kit that can be passed along via messenger or a file-sharing service. Just imagine that your friend offers you the latest driver pack for your video card, which also deploys this nifty bundle of joy. In the absence of an antivirus solution, you won’t even know what hit you.
This approach saves energy, time and money. The ill-intentioned person needs neither to talk to another individual about his/her intentions, nor to ask someone else to design a “utensil” to fit these requirements. What could be better than a personal “do-it-yourself” software kit?
Therefore, once the Trojan.Keylogger.IStealer gets into the “right” hands, the malicious tailoring is about to begin:
- the call-back web address can be customized for the reports to be directed to the cybercriminal’s webhosting account;
- the kit also includes the PHP page to be deployed on the specified URL ;
- The iStealer Trojan also features an extensive set of self-protection mechanisms, aimed at shielding it against dynamic and static analysis: anti-emulator routines, anti-debugger, anti-process-monitoring, the ability to run extremely silently when network monitoring applications are detected and the ability to auto-remove its original file after successful infestation.
Fig 1. The keylogger configuration panel
The cache master
The moment the Trojan is onto the victim’s computer, this customized tool immediately checks the cache files and gathers all the usernames and passwords that have been entered from that particular system. The really interesting thing about this is the fact that Trojan.Keylogger.IStealer collects login credentials introduced into the computer even way before the malicious Trojan “invasion”.
Fig 2. Login credentials as posted on the remote webpage
The classic keylogger is a Trojan born and sent into the world to monitor the keystroke-activities of the user whose systems it previously infected. The scope is one and one alone: easy money. E-banking login data, online stores’ credentials, and, in fact, all kind of login credentials are tracked and stored by the keylogger. Moreover, this piece of malware is not to stop at cataloging this info but it also sends it to the creator-profiteer. The iStealer Trojan can successfully snatch the cached passwords to quite a large assortment of applications, such as:
- Instant Messenger services – MSN Messenger®, Google™ Talk, Trillian, Pidgin, Paltalk
- Browsers: Firefox®, Internet Explorer® (including version no. 8), Opera and Google™ Chrome
- FTP transfer apps – CuteFTP, FileZilla, SmartFTP, FlashFXP
- DNS providers: NO-IP and DynDNS
- Other applications of interest: Steam, Internet Download Manager
Normally, this data is “shipped” via e-mail or FTP services, but this approach is neither discrete nor safe, and that is why the cybercriminals have started acting smarter by cropping only the interesting data, such as passwords and usernames and by collecting it on public locations, namely specific webpages set up with free and anonymous hosting providers. This was not enough either, and things advanced: it’s no longer the keystrokes or the passwords that are monitored; instead, the cache log-ons are observed, listed and posted on anonymous locations set up in the cloud.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.