It is no secret that over the last few years complicated malware have been on the rise. Authors of such malware make a great effort to ensure that their code and its associated payload remain hidden on the infected machine. Stuxnet, for example, was the first malware to include a Programmable Logic Controller rootkit, and had the capability to hide its changes via reprogramming the PLC. Complex malware have become so common that we forget it is still possible to write really simple malware which are capable of as much exacting damage as that for a complicated one.
Last week we at the K7 Threat Control Lab (K7TCL) spotted one such malware. It is a very simple perl script converted into a windows executable using perl2exe. When executed, the malware collects documents from the infected machines and uploads them to the author’s FTP site. Perhaps not as impressive as Stuxnet, but it does the business.
Decompiling the executable gives us the perl script and the user credentials used to upload the stolen files. Just out of curiosity I decided to follow the malware trail back to the FTP site, and I was in for quite a surprise. The FTP site was not just full of stolen documents, but some came from what appeared to be world renowned financial institutions.
This malware is detected by K7 Security products as Trojan (001ECA471). Such malware spread using social engineering techniques, masquerading as something beneficial. Distribution channels tend to include IRC, peer-to-peer networks, newsgroup postings, email, etc. Users are advised to exercise caution while downloading files from untrusted sources.
Lokesh Kumar
Collection Manager, K7TCL