Trojan horse designed to steal your photos

When it comes to data theft there seems to be no limit to the types of files that might be stolen if your system becomes compromised.

The latest, Troj/PixSteal-A, is designed to take all of the images, photos and even memory dumps from your hard drive.

The malware starts out by scouring your C:, D: and E: drives on Windows for any files ending in .JPG, .JPEG and .DMP (Windows memory dump files).

IDA disassembly of Troj/PixSteal-A

After it gathers up all of the images it can find, it uploads them via FTP to an FTP server hosted in Iraq.

Files stolen by Troj/PixSteal-A

The image on the right shows some of the filenames present at the time of this writing. The ones shown here are default images included with Windows XP, but many others were found.

In a second strange link to the Iraqi server hosting the FTP site, some of the images purloined from victims appeared to be scanned documents written in Arabic.

This might hint at one of the motives behind image thefts. Are they looking for *wink* candid photos *wink* that they might use to extort money from the victims?

Are they looking to get scanned copies of sensitive identity documents like passports, social security numbers and driver’s licenses?

Perhaps they are trolling for photos of sensitive company documents, screen captures or faxes?

The theft of memory dumps might not fit into the above scenarios, unless you consider the types of things that are currently stored on that FTP server.

One file is named “Google_Talk_1.0.0.104_121002-170904.dmp”… Your private instant messaging conversations could well be sitting inside the memory space of a program like Google Talk.

If I had to make a guess, I would think the above evidence suggests it is being used for espionage, but we can’t be sure.

One thing you can do is block outbound FTP on your firewalls. While that might seem extreme, I suggest that you shouldn’t allow FTP access to begin with.

Tombstone image courtesy of Shutterstock

FTP should have died a long time ago, and you can help. Just refuse to use it. Does your web host require FTP for your website? FIND A NEW HOST. Your password should never be transmitted in plain text, therefore you should never use FTP.

Sometimes it is hard to move on from tried and true methods, but here is another reason to put the final nail in FTP’s already well sealed coffin.

It might also be a good time to review what protocols you allow to exit your firewall unfettered and whether they are fit for purpose or not.
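To make the two previous points concrete, here is an added example (it is not from the original post, nor from SophosLabs) of the kind of review a defender would run over firewall egress logs: it flags allowed outbound sessions to cleartext services such as FTP, summarises which destination ports are actually being let out, and lists which internal hosts have been talking FTP to which servers. The log format is a constructed, simplified export (timestamp, action, source, destination, port, protocol); the sample lines and addresses are made up, and the `parse_line()` function would need adapting to your own firewall's export format.

```python
"""Review of outbound firewall log lines for cleartext protocols such as FTP.

Added example, not from the original post. The log format below is a
constructed, simplified export (timestamp, action, src, dst, port, proto);
real firewalls differ, so adapt parse_line() to your own export.
"""
from collections import Counter, defaultdict

# Services that the post argues should not leave the network unfettered.
# Port numbers are the IANA assignments; the "cleartext" grouping is ours.
CLEARTEXT_PORTS = {
    21: "ftp-control",
    20: "ftp-data",
    23: "telnet",
    80: "http",
}

# Constructed sample egress log (not from any real device); RFC 5737
# documentation addresses are used for the external hosts.
SAMPLE_LOG = """\
2012-10-04T09:12:01Z ALLOW 10.0.0.15 198.51.100.7 21 tcp
2012-10-04T09:12:02Z ALLOW 10.0.0.15 198.51.100.7 20 tcp
2012-10-04T09:12:05Z ALLOW 10.0.0.22 203.0.113.9 443 tcp
2012-10-04T09:13:10Z ALLOW 10.0.0.15 198.51.100.7 21 tcp
2012-10-04T09:13:30Z DENY 10.0.0.31 192.0.2.44 23 tcp
2012-10-04T09:14:00Z ALLOW 10.0.0.22 203.0.113.9 22 tcp
2012-10-04T09:14:12Z ALLOW 10.0.0.40 192.0.2.18 80 tcp
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for junk."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, action, src, dst, port, proto = parts
    try:
        port = int(port)
    except ValueError:
        return None
    return {"ts": ts, "action": action.upper(), "src": src,
            "dst": dst, "port": port, "proto": proto.lower()}


def flag_cleartext_egress(log_text):
    """Return the ALLOWed connections whose destination port is a cleartext service.

    Only allowed sessions are interesting: a DENY line means the rule worked.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["port"] in CLEARTEXT_PORTS:
            rec["service"] = CLEARTEXT_PORTS[rec["port"]]
            findings.append(rec)
    return findings


def egress_summary(log_text):
    """Count allowed outbound connections per destination port.

    This answers "what do we actually let out?" before any rules are rewritten.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "ALLOW":
            counts[rec["port"]] += 1
    return dict(counts)


def ftp_talkers(log_text):
    """Map each internal host that used FTP control (port 21) to the servers it reached."""
    hosts = defaultdict(set)
    for rec in flag_cleartext_egress(log_text):
        if rec["port"] == 21:
            hosts[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hosts.items()}


if __name__ == "__main__":
    for f in flag_cleartext_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['port']} ({f['service']})")
    print("allowed egress by port:", egress_summary(SAMPLE_LOG))
    print("hosts using FTP:", ftp_talkers(SAMPLE_LOG))
```

Run against the sample, the script reports the two port-21 sessions and the port-20 data connection from 10.0.0.15, shows that port 80 is also leaving the network in the clear, and ignores the telnet attempt because the firewall already denied it. In practice the egress summary is the starting point: any port in that table that you cannot name a business reason for is a candidate for a deny rule, and FTP is the first one to go.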

Special thanks to Anna Szalay and Jagadeesh Chandraiah from SophosLabs for the screenshots and reversing work on this malware.
