26 Sep Pinch pinched
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
We regularly see Trojans being sent via IM. There's a whole range of approaches used, from standard messages saying 'Hey, take a look at my photos' or links which purportedly lead to useful utilities, to social engineering which plays on people's fears:
[Translation: Look what's been written about you here]
Of course, the pages linked to are stuffed with exploits which are used to turn the victim machine into a malware menagerie.
There's nothing new in these mailings. But today we got another example of a mailing that's been going on for the last three weeks or so – every day, millions of ICQ users are being sent the following message:
[Translation: A new unofficial add-on to the well-known QIP client has been released_www.qip.ru
The add-on includes options such as:
*hide/ fake your number
*hide/ fake your primary email
*eavesdrop on other users (requires qip 8020 or higher)
*check user status
*view user's contact list (requires paid plug-in enquiries to UIN# ****016)
*qip 8000 or higher can be downloaded from _www.qip.ru
*Windows 2000/2003/XP (Vista not supported)
Unpack the archive, launch the Install file remaining files should be located
in the folder together with install.
Download: _http://slil.ru/248### (656 kb)
Although the link does change, sometimes the same link gets sent twice in one day – it depends how quickly antivirus companies react to the latest malware that's placed on the link. If the user is incautious or uninformed enough to click on the link, his or her machine ends up infected with a variant of the ever popular Trojan-PSW.Win32.LdPinch.
We took a look at all the different variants that have been downloaded, and discovered that:
Pinch is a true omnivore – it grabs just about everything it can from the victim machine: the Windows license number, system information, a list of programs installed, as well as ICQ, email and FTP passwords, and passwords saved to Windows Protected Storage.
On the most productive days, the person behind the mass mailings managed to collect up to a hundred logs. And his e-store has a whole bunch of ICQ numbers for sale, presumably stolen from victim machines. He's clearly out to make money – given that malware writers have made the shift from simple disruption to clearly criminal activity, that's no surprise. However, what he maybe doesn't realize is that a careful analysis of Pinch leads to a wealth of information about the author - name, date of birth, town, mobile number and various other personal data.
Good news for those fighting cyber crime, but not so great for those involved in illegal activity.