11.05.12

Malware Stealing Victim’s images Uploading to FTP

We came across a new type of information stealer “Win32/PixSteal.B” which steals images and windows memory dump (.jpg , .jpeg and .dmp) from infected machine and uploads the same to a remote FTP server located in Germany.

This malware opens a command line silently and copies all .jpg, .jpeg and .dmp files present in C, D and E drive of the system to C drive. These collected file are then sent to an FTP server.

.jpg and .jpeg are image files whereas .dmp is windows memory dump (it has data “dumped” from a program’s memory space and often created when a program has an error or crashes).

Fig 1: Malware collecting .jpg, .jpeg and .dmp files from the C, D and E drive and copy the same to C drive.

We also suspect that the malware author can come back with file search for .bmp files instead of .dmp in future and of course with more complexity.

After collecting all relevant information it connects to an FTP link: 176.x.x.90 logging in with user name: wasitnew and Password: q1w2e3r4t5y6

Fig 2: Malware connecting to internet with user name, Password and FTP address

We can see the network connectivity in Wireshark below where an image file is uploaded.

Fig 3: “Autumn.jpg” collected from infected machine being uploaded to FTP.

Fig 4: FTP Server where all the collected files are being stored

We noticed the FTP dying on 5th November.

There are many threats which encrypt the non-pe files present in infected system and demands money in some form and which could lead to loss of data. This could be a first step seen with this malware family. This also sounds similar to early cases where hackers posted World renowned film actress photos over internet and made them easily available.

We here at Total defense detect and clean the same malware with “Win32/PixSteal.B” and we advise our customers to keep their antivirus up to date.