Pedro Bueno
Security and Malware Researcher

Pedro Bueno is a Security and Malware Researcher at McAfee Labs for almost 5 years. He also has a volunteer job at the SANS ...


Dumb Malware Authors Cause More Damage Than Smart Ones

Thursday, June 11, 2009 at 12:55pm by Pedro Bueno

I don’t really know which is worse: a dumb or a smart malware writer.

Brazilian malware writers fall into the first category: bad coders and dumb. It’s as simple as that.

While checking a very recent PWS-Banker Trojan (the malware that steals banking information), I came across a variant. This one targets three Brazilian banks–Bradesco, Itau, and Real–to steal the basic information: bank account, branch office, user, password, and paper token info.

Next, this malware sends the information to a remote SQL database. Nothing new to see here, because password-stealing Trojans have been around for several years; what struck me in this case is that the malware author didn’t think about protecting the information he gathered (stole), since all the credentials to access the remote database are hardcoded inside the malware:

Provider=SQLOLEDB.1;Password=XXXXXX;Persist Security Info=True;User ID=YYYYY;Initial Catalog=YYYYY;Data Source=sql.[removed].com.br;Packet Size=10000

What does this mean? It was bad enough that someone gained access to the victims’ bank info, but now any person who checks the malware can also have access to that data! And by “checking” I do not mean it requires any reverse engineering.
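To show what “no reverse engineering required” means in practice, here is an added example (not code from the post or from McAfee) of a small Python triage helper. It scans a sample for embedded OLE DB connection strings of the form shown above, in both plain ASCII and UTF-16LE wide-string encodings, parses the key/value pairs, and redacts the credential fields so that the server name can be recorded as a network indicator without the analyst passing the stolen-data store's password around. The sample bytes, user names, and hostnames are constructed placeholders.

```python
import re
from typing import Dict, List

# An OLE DB / ADO connection string: a run of "Key=Value;" pairs starting
# with "Provider=". Keys may contain spaces ("Persist Security Info",
# "Data Source"); values run until the next ';' or a NUL terminator.
CONNSTR_RE = re.compile(rb"Provider=[^;\x00]+(?:;[A-Za-z ]+=[^;\x00]*)+")

# Fields that must never leave the analyst's notes in clear text.
SECRET_KEYS = {"password", "pwd", "user id", "uid"}


def extract_connection_strings(blob: bytes) -> List[str]:
    """Return every connection-string candidate found in the sample.

    Windows executables store string literals either as 8-bit text or as
    UTF-16LE wide strings, so both encodings are searched."""
    found = [m.group(0).decode("ascii", "replace") for m in CONNSTR_RE.finditer(blob)]
    # Wide strings: decode the whole buffer as UTF-16LE at both byte
    # alignments, map it back to ASCII (non-ASCII becomes '?') and re-scan.
    for offset in (0, 1):
        chunk = blob[offset:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        text = chunk.decode("utf-16-le", "replace").encode("ascii", "replace")
        found.extend(m.group(0).decode("ascii") for m in CONNSTR_RE.finditer(text))
    return found


def parse_connection_string(s: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs: Dict[str, str] = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def redact(pairs: Dict[str, str]) -> Dict[str, str]:
    """Blank out credential fields before the result is shared or stored."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in pairs.items()}


def triage(blob: bytes) -> List[Dict[str, object]]:
    """Summarise each embedded connection string: where the stolen data is
    being sent (Data Source, usable as a blocklist/monitoring indicator),
    the database name, and the redacted field set."""
    results = []
    for s in extract_connection_strings(blob):
        pairs = parse_connection_string(s)
        results.append({
            "data_source": pairs.get("data source"),
            "catalog": pairs.get("initial catalog"),
            "fields": redact(pairs),
        })
    return results


# Constructed stand-in for a sample: an ASCII connection string in the same
# shape as the one in the post, plus a second one stored as a wide string.
# All values are placeholders, not taken from any real malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Provider=SQLOLEDB.1;Password=hunter2;Persist Security Info=True;"
    b"User ID=dbuser;Initial Catalog=bankdb;Data Source=sql.example.invalid;"
    b"Packet Size=10000"
    + b"\x00" * 8
    + "Provider=SQLOLEDB.1;Password=secret;User ID=wideuser;"
      "Data Source=db2.example.invalid".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for entry in triage(SAMPLE):
        print(entry["data_source"], entry["catalog"], entry["fields"])
```

Running it against a real sample is a matter of `triage(open(path, "rb").read())`; the printed Data Source values are the hosts worth feeding to egress monitoring, while the credentials stay redacted.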

Yes, it is just another password-stealing Trojan. No need to get too excited. :) And, yes, we already detect this malware–as PWS-Banker.gen.i.


Comments (4)

  • Diego Carvalho October 30, 2009 11:50AM

    Hey Pedro,

    Who is the dumbest, the good (smart) malware coder or the bad (dumb) one?

  • jon June 12, 2009 10:59AM

    lolo i want to find this pws sample to study it

  • darkmoon June 12, 2009 6:33AM

    That might be the case, but it also makes tracking a lot easier. It’s the ones that know how to obfuscate their data that make tracking them challenging, but also frustrating if they’re very good at what they do.

    So it kind of plays in both sides. Yes, that’s bad coding. While it’s not a feat of genius, I would rather them being dumb than smart and cause some serious damage.

  • Erik June 11, 2009 11:48PM

    Very interesting!

    The latest version of NetworkMiner (0.88) can extract SQL credentials directly from a pcap or by sniffing data. Have you tried sniffing the traffic from the PWS-Banker.gen.i with NetworkMiner to extract the SQL credentials used by the worm?

    It would probably be a simple thing to do for people at home… Just sniff your network with NetworkMiner while doing your banking, then watch the “Credentials” tab in NetworkMiner to see if someone has stolen your credentials and posted them elsewhere.

    Network Miner is available here:
    http://sourceforge.net/projects/networkminer/