Easy as 1, 2, 3!

Every day at SophosLabs we see multitudes of malware samples that have been created with malware ‘toolkits’. Using one of these toolkits is as simple as choosing the required functionality (perhaps to download another executable from the Internet) and pressing a big red “GO” button. Luckily, the resulting executables generally share remarkably similar characteristics, which allows us to detect unseen variants proactively (in this case, as Troj/ToyFtp-Gen).

However, it is decidedly less common for the toolkit itself to make its way into the lab. One such sample that crossed my desk today was a program for generating password-stealing Trojans. It allows the user to choose from a number of installation methods and to specify the credentials of a remote FTP server (the ‘dump’), which the generated Trojan uses to upload stolen information. While this is a relatively simple example, it emphasizes the fact that sometimes creating malware really is a trivial exercise.
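Because the toolkit bakes the operator's FTP dump settings into every Trojan it generates, the first thing an analyst wants from a fresh sample is that configuration. The script below is an added example for this post, not SophosLabs code and not taken from the toolkit: it pulls printable ASCII and UTF-16LE strings out of a file and groups the ones that look like FTP exfiltration settings (URLs, `ftp.` host names, and `user=`/`pass=` style pairs). The sample bytes, the host names and the assumption that the credentials are stored in the clear are all constructed for the illustration.

```python
import re
from typing import Dict, List

# Constructed sample (not a real malware file): a stand-in for a generated
# Trojan image that carries its FTP "dump" configuration as plain ASCII and
# as UTF-16LE strings. Assumption for this example: the toolkit embeds the
# operator-supplied FTP credentials in the clear.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ftp://dump.example.test/uploads/\x00\x00"
    + b"USER=dumpuser\x00PASS=hunter2\x00\x00\x00"
    + "ftp.example.test".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 8
)

# Runs of at least six printable characters, as ASCII and as UTF-16LE.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Patterns for the three kinds of FTP configuration artefact we look for.
FTP_URL_RE = re.compile(r"ftp://[^\s\"'<>]+", re.IGNORECASE)
FTP_HOST_RE = re.compile(r"^ftp\.[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.IGNORECASE)
CRED_RE = re.compile(
    r"^(user(?:name)?|login|pass(?:word)?|pwd)\s*[=:]\s*(\S+)$", re.IGNORECASE
)


def extract_strings(blob: bytes) -> List[str]:
    """Return ASCII and UTF-16LE strings of six or more characters, in file order."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def find_ftp_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings that look like an FTP dump configuration."""
    out: Dict[str, List[str]] = {"urls": [], "hosts": [], "credentials": []}
    for s in strings:
        out["urls"].extend(FTP_URL_RE.findall(s))
        if FTP_HOST_RE.match(s):
            out["hosts"].append(s)
        m = CRED_RE.match(s)
        if m:
            # Normalise the key so "USER=" and "user:" land in the same bucket.
            out["credentials"].append(f"{m.group(1).lower()}={m.group(2)}")
    return out


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Extract strings from a file image and report its FTP indicators."""
    return find_ftp_indicators(extract_strings(blob))


if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(f"{kind}: {items}")
```

Point `triage()` at the bytes of a real sample (for example `triage(open(path, "rb").read())`) to get the same three buckets. The UTF-16LE pass matters because toolkit-generated binaries built with Windows GUI frameworks often keep their configuration strings in wide-character form, where a plain ASCII `strings` run would miss them; the three null bytes of padding before the wide string in the constructed sample also show why the extractor must not let the tail of one string be swallowed into the next.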


On the surface, a program such as this may seem pretty clever, but analysis reveals a different story. Poor program design, default component names left in place and a number of glaring logic errors combine to prove once again that real skill among malware authors is increasingly rare.