Trojan horse designed to steal your photos

Filed Under: Data loss, Featured, Malware, Windows

When it comes to data theft there seems to be no limit to the types of files that might be stolen if your system becomes compromised.

The latest, Troj/PixSteal-A, is designed to take all of the images, photos and even memory dumps from your hard drive.

The malware starts out by scouring your C: D: and E: drives on Windows for any files ending in .JPG, .JPEG and .DMP.

IDA disassembly of Troj/PixSteal-A

After it gathers up all of the images it can find it then uploads them via FTP to a FTP server hosted in Iraq.

Files stolen by Troj/PixSteal-AThe image on the right shows some of the filenames present at the time of this writing. The ones shown here are default images included with Windows XP, but many others were found.

In a second strange link to the Iraqi server hosting the FTP site some of the images that were purloined from victims appeared to be scanned documents written in Arabic.

This might hint at one of the motives behind image thefts. Are they look for *wink* candid photos *wink* that they might use to extort money from the victims?

Are they looking to get scanned copies of sensitive identity documents like passports, social security numbers and driver's licenses?

Perhaps they are trolling for photos of sensitive company documents, screen captures or faxes?

The theft of memory dumps might not fit into the above scenarios, unless you consider the types of things that are currently stored on that FTP server.

One file is named "Google_Talk_1.0.0.104_121002-170904.dmp"... You private instant messaging conversations could likely be inside of the memory space of a program like Google Talk.

If I had to make a guess, I would think the above evidence suggests it is being used for espionage, but we can't be sure.

One thing you can do is block FTP access on your firewalls. While that might seem extreme, I suggest to you that you shouldn't allow FTP access to begin with.

Tombstone image courtesy of ShutterstockFTP should have died a long time ago and you can help. Just refuse to use it. Web host require FTP for your website? FIND A NEW HOST. Your password should never be transmitted in plain text, therefore you should never use FTP.

Sometimes it is hard to move on from tried and true methods, but here is another reason to put the final nail in FTP's already well sealed coffin.

It might also be a good time to review what protocols you allow to exit your firewall unfettered and whether they are fit for purpose or not.

Special thanks to Anna Szalay and Jagadeesh Chandraiah from SophosLabs for the screenshots and reversing work on this malware.

Image of a tombstone courtesy of Shutterstock.

, , , , , ,

You might like

26 Responses to Trojan horse designed to steal your photos

  1. agiant · 1061 days ago

    Ok, your firewall filters http://FTP... and? The trojan can send the pictures via any other port, for example, as HTTP requests. This is not the solution.

    • Chester Wisniewski · 1061 days ago

      Not this Trojan. This isn't a targeted attack. In fact most attacks are not. It is best to not allow any unneeded outbound traffic regardless of whether it is possible to accomlish a similar task using alternate methods. Perfect? No. Better than allowing anything and everything to go everywhere without care? Yes.

  2. Link · 1061 days ago

    I use SSH for file transfer on my server. :)

  3. Mark · 1061 days ago

    The fact that it uses FTP is neither here nor there. It could just as easily be using SFTP, SCP or HTTPS POST. FTP has it's uses as long as you understand that it is inherently insecure. As for your webhost, unless you have SSL on your site, it really doesn't matter if your password is sent in the clear since everything you get from your website via HTTP is also in the clear.

    • Chester Wisniewski · 1061 days ago

      Yes it could use other protocols, but it doesn't. Blocking unneeded and outdated traffic only helps in narrowing down the traffic you need to inspect and protect.

      Your premise that everything on your site is public has nothing to do with presenting your password in plain text. Once I capture your FTP password I can install all sorts of exploits which is exactly why toolkits like Blackhole have so much success. Handing your credentials over doesn't just leak your content, it provides your adversary with the ability to booby-trap it. Far worse because the person making the mistake isn't the victim, rather the people who are foolish enough to trust that person become the victims.

  4. How do I go about taking this action? I am not computer savvy.

  5. Marc Glasby · 1061 days ago

    Some explanation of what alternatives there are to using FTP to update websites would be very useful as I am sure many website operators in the 'amateur' category like me, still use FTP all the time.

    • Chester Wisniewski · 1061 days ago

      Great point Marc,

      The two most common alternatives are SCP (Secure Copy). and SFTP (Secure FTP). Any internet provider that cares in the least about security should offer one or both. If you are a Windows user there are free tools for using either of them in the same way you likely interact with FTP. The one I prefer is WinSCP ( which is both free and easy to use.

      I hope you find that helpful,

      • Richard · 1061 days ago

        How about on the hosting end? IIS7 supports FTPS, but not SFTP.

      • Laurence Marks · 1060 days ago

        Chet wrote: If you are a Windows user there are free tools for using either of them in the same way you likely interact with FTP.

        Well, I use the command line as a matter of preference. What is the command line invocation for SCP or SFTP?

  6. I don't really understand the reasoning behind block just FTP access. Just because 1 virus uses it? if A virus would do the same, but upload the pictures to let's say facebook, using http. Should I block facebook access?
    I agree that people should be aware of security. But the thing is, most people aren't, or don't understand it. So for the majority of people it should be ok, to block outbound traffic on FTP ports.
    But still, if I have to close all ports that are being abused by virusses, then I won't have any internet access left. Because I'm sure there are also botnets running over ssh ports to communicate. Should I close that port aswell?

    • JimboC_Security · 1060 days ago

      Hi Hugo Van Der Vlies,

      You raise several good points and questions. My advice would be to block the FTP ports (port 20 and 21). If you know that you use inbound FTP, feel free to allow it.

      Chester is suggesting blocking FTP access to reduce your attack surface against any further malware that may use such a method to steal data from your PC should such an infection attempt this in the future.

      As for blocking other ports e.g. for http (port 80), that should not be necessary since if you did (as I am sure you are aware), you would not be able to view websites.

      My advice would be simply to ensure that your firewall is monitoring and protecting you from intrusions using those ports.

      A very good way to tell is to use the Shields UP firewall penetration tester on the Gibson Research Corporations site:

      Click “Proceed” once you access the above link, then I would recommend using the File Sharing, Common Ports and All Service Ports tests. The SSH port 22, will be included in these tests.

      If you fail any of them, please view the text summary since a fail can simply mean that your broadband router/modem responded to an ICMP ping (this is a small concern but not a major one, but can be addressed) and the text summary will usually state that all ports were stealthed.

      I hope this helps. Thank you.

    • JimboC_Security · 1060 days ago

      Hi Hugo Van Der Vlies,

      In addition to my post above, please find below a link to a recent security blog post written by Microsoft Technical Fellow, Mark Russinovich which shows the kind of damage leaving FTP open can cause. If a firewall had been used in this scenario, it would have been another level of security the infection would have to bypass (assuming it could do this).

      Assuming the firewall remained functional, the company in question would not have lost any corporate information.

      Security isn’t just about patching known vulnerabilities, it is also about (among other things) defense in depth.

      E.g. if something does not need to be enabled, disable it. If something isn’t used, disable it or even better remove it. Thinking about how the technology you have could be abused/used against you and implementing safe guards to make that abuse harder/very difficult contributes to security. It is all about making it as hard as possible for your infrastructure to be compromised.

      Thank you.

      • Sure, I agree that one should block unneeded ports. But I use ftp regularly. Even if I would use SFTP or FTPS, I would still need a port to be open. So malware could use that port.
        And that is my point: malware will always find a way to reach out of your network, it doesn't matter through which port.
        As I said earlier, If the malware would post to a webserver, should I block port 80? no! because it blocks my access aswell.

        • JimboC_Security · 1059 days ago

          That is my point: malware will always find a way to reach out of your network, it doesn't matter through which port.
          Hi Hugo,

          That’s a good point. This is where more modern firewalls come into effect. Such firewalls use heuristics and the reputation of a program to determine if it should be allowed access to the internet.

          Since a malware executable should have a low reputation, no digital signature (most likely), only seen on a small number of computers (this could also be a unique file, further lowering its reputation) and carries out suspicious actions (found using behavioral analysis) e.g. searching for files of specific extensions, compressing them (possibly encrypting) and then sending via FTP (which a legitimate program is very unlikely to do without your consent), such a program would be denied access to the internet without blocking any ports.

          Not all firewalls use these techniques to determine if a program should be allowed access, thus I assume Sophos suggested blocking inbound/outbound FTP access to stop this particular threat (and any further threats that use this method of data gathering) no matter what firewall you are using. I commend Sophos and Chester for suggesting this approach.

          However as you point, it isn’t perfect as malware can and does adapt, this is where more sophisticated firewalls attempt to resolve such drawbacks as effectively as possible. Security software that utilizes behavioral analysis and reputation to determine if a program should be allowed to run would also help to stop such malware since it would not be allowed to execute in the first place (before it evens attempted to send data through the firewall).

          I hope this provides some reassurance. Thank you.

  7. F.R. · 1060 days ago

    I used to use Sunbelt Personal Firewall, which made configuration relatively understandable , but after ditching Avast in favour of Avira on an XP machine, I had to ditch Sunbelt too... now I have only the Windows Firewall running, which I think is not a bad firewall per se if my reading around has not deluded me too much. However I find configuring this one is far less straightforward, as the old Sunbelt firewall was.
    Any counter viewpoints out there ?

    • JimboC_Security · 1060 days ago

      Hi F.R.,

      The Windows XP can only block inbound connections; it cannot block any outbound connections on your PC. The Windows Vista Firewall and later versions have the ability to block both in and outbound connections.

      Not having the ability to block outbound connections is not a big drawback so long as you keep your Windows XP computer free from malware infection. Allow me to explain, the firewall can block attacks from getting in but if malware is already present on your computer, the firewall cannot stop that malware from communicating with the outside world and thus causing further harm to your computer since it has the potential to download more malware.

      Please do not mis-understand me; I am not saying that your PC is infected. The above information was used only as an example.

      You’re right about the Windows XP firewall, it is less straightforward to configure. The Windows Vista Firewall and later versions are a little better to configure, but not by much.

      Please see my post above (originally addressed to Ann) for more information.

      I hope this helps. Thank you.

  8. Ingmar · 1060 days ago

    The trojan is uploading photo's and .dmp files so the good lads at Sophos tell us. But whereto do they upload these files? Why doesn't Sophos publish the IP/DNS information so network administrators can block the suspicious servers?

    • JimboC_Security · 1060 days ago

      Hi Ingmar,

      That’s a good point. While Sophos could publish the IP address(es) of the server(s) involved. I suspect the reason they didn’t is that such servers might not be online for very much longer. The people using these servers are likely to shut them down and set up new servers. This serves 2 purposes:

      1.It covers the persons tracks since anybody trying to arrest the owners of such servers will no longer have a trial to follow (plus they are unlikely to use their real names/postal addresses).

      2.Anybody setting up an IP black list will again be vulnerable since the IP addresses of the new servers will be different to the originals.

      Maintaining such an IP blacklist can be like a game of cat and mouse and is an administrative overhead. Sophos’s suggestion of simply blocking FTP avoids all of the above drawbacks and the workarounds the criminals may be using to not get caught/stay operational.

      The above info is my educated guess but Sophos may have other reasons.

      Thank you.

  9. Laurence Marks · 1060 days ago

    So, uploading .jpg, .jpeg, and .dmp. I wonder if the latter is a typo for .bmp. That would be more consistent.

  10. Mike · 1060 days ago

    .dmp files contain output data from Windows system memory. The article contains at least one possible reason these are of interest to the bad guys.

    I am guessing if they were really looking for photos they would include a variety of image formats (*.bmp, *.gif, *.png, etc.). Instead the trojan only looks for JPEGs. My guess is this is because many scanners output scanned documents as *.jpg image files and it is scanned documents they seek, not photos.

    • This guess doesn't quite make sense though, as most scanners output as TIFF or PDF, not JPG.

      However, most user-created images are JPG, whereas png/bmp/gif/etc. are usually third-party generated or part of the OS. Therefore, searching only for JPG images means the attacker is looking for user generated content only, and is ignoring the plethora of other graphics data people have on their computer.

  11. charlie · 1060 days ago

    Well done for digging into this Sophos. Sophos is doing great job with naked security.

  12. I am beginning to wonder what the point of going online is all about with the amount of insecurities that one faces online, is it truly worth it any more?

  13. F0Real · 1058 days ago

    How does the malware infect people in the first place? Are there any exploits in the wild that download this trojan?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at