PayPal data stealing trojan and IcePack malware installer

PayRob.A is a Trojan designed to steal data from PayPal accounts. Like most Trojans, PayRob.A cannot spread by itself, but needs intervention from a malicious user to reach computers.

If the targeted user runs the file carrying PayRob.A, it gives itself hidden file attributes and modifies the Windows Registry to ensure it is run whenever the system is restarted.

The Trojan creates two files on the infected computer in the temporary Internet files folder and in C:\WINDOWS\MSAPPS\. If the latter folder is not found on the system, an error message is displayed.

It also copies a file called modeexpinovo.txt to the temporary Internet files folder. This text file stores all of the PayPal passwords that it finds on the affected system. This file can be accessed remotely by hackers from a certain Internet host.

The Chasnah.A worm displays messages in Indonesian when the user logs on and, from time to time, opens a web page belonging to an Indonesian organization.

This worm uses shared folders and USB devices to spread. When run, Chasnah.A creates several files on the infected system and entries in the Windows registry.

From then on, a screen is displayed in English and Indonesian whenever the user logs on. Furthermore, it periodically opens the web browser, displaying the page mentioned earlier.

Chasnah.A reduces the system protection level by preventing certain security applications from being run, and from time to time, it checks if there are any USB devices connected to the computer in order to infect them.

Finally, IcePack is a malicious tool for installing malware through exploits. IcePack infects computers through the following process: the application accesses a web page and adds to it an iframe reference pointing to the server where the application is installed. The main innovation in IcePack is that the tool itself adds the iframe. Previous applications like Mpack required a hacker to manually access the web pages into which to insert it.

When a user visits one of these compromised pages, the iframe activates IcePack, which looks for vulnerabilities on the user's computer. If it finds one, it downloads the exploit for that vulnerability to the computer. An important feature of IcePack is that it uses exploits for the most recently disclosed vulnerabilities. The reason is that, as they are more recent, users are less likely to have updated their computers to resolve these security flaws.

From then on, the cyber-crook can download any type of malware to the affected computers. Another innovation of IcePack is that it combines an FTP checker and an iframer. The first helps cyber-crooks to exploit the information about the FTP accounts they have stolen from affected computers: the data from these accounts is passed through the checker to verify that it is valid. The valid credentials are then passed to the iframer, which inserts an iframe pointing to IcePack into the web pages hosted under that account. By doing this, the application can start its "lifecycle" again.
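The injection step described above leaves a visible trace in the compromised site's HTML: an iframe that points off-site, usually sized to zero or hidden with CSS so visitors never notice it. The following scanner is an added example written for this article, not code from the report or from any of the tools it describes; it parses a page, collects every iframe, and flags those whose source host differs from the site's own host or that are styled to be invisible. The host names and sample pages are constructed for the demonstration.

```python
"""Flag injected iframes of the kind exploit-kit iframers plant in web pages.

Added defensive example; the sample pages and host names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make an element invisible to the visitor.
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _dimension_at_most_one(value):
    """True when a width/height attribute is 0 or 1 (pixels or bare number)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs):
    """An iframe is hidden if its style hides it or it is (near) zero-sized."""
    if HIDDEN_RE.search(attrs.get("style") or ""):
        return True
    return _dimension_at_most_one(attrs.get("width")) and _dimension_at_most_one(
        attrs.get("height")
    )


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for iframes that look injected.

    site_host is the legitimate host of the page being checked; iframes whose
    src host differs from it, or that are hidden, are reported.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = (attrs.get("src") or "").strip()
        src_host = urlparse(src).hostname  # already lower-cased by urlparse
        reasons = []
        if src_host and src_host != site_host.lower():
            reasons.append("off-site src host: %s" % src_host)
        if _is_hidden(attrs):
            reasons.append("hidden (display:none or zero-sized)")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a clean page and the same page after an iframer has
# appended a hidden iframe pointing at a (fictional) exploit-kit host.
CLEAN_PAGE = (
    '<html><body><h1>Welcome</h1>'
    '<iframe src="https://www.example.org/widget" width="300" height="200">'
    '</iframe></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://kit.example.net/in.php" width="0" height="0" '
    'style="display:none"></iframe></body>',
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_suspicious_iframes(page, "www.example.org"))
```

Running the module prints an empty list for the clean page and a single finding with two reasons for the injected one. In practice the check would be run against a site's deployed files or fetched pages, with the site's own host as the baseline; any new off-site or hidden iframe is worth treating as a sign that the hosting account's FTP credentials were used by someone else.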
