Password Recovery App Aids Malware

Friday, November 9, 2012 @ 09:11 AM gHale

A new password stealing threat called PASSTEAL (TSPY_PASSTEAL.A) relies on a password recovery app to garner a user’s information.

The malware collects the information stored in the web browser by sniffing out accounts from different online services and applications, said researchers at Trend Micro. The sample analyzed by the security firm contains the PasswordFox app, a password recovery tool designed to work with Firefox.


“In effect, the password recovery tool enables PASSTEAL to acquire all login credentials stored in the browser — even from websites using secured connections (SSL or HTTPS),” said Alvin John Nieto, threat response engineer at Trend Micro.

“Some sites that use this connection include Facebook, Twitter, Pinterest, Tumblr, Google, Yahoo, Microsoft, Amazon, EBay, Dropbox and online banking sites. PASSTEAL also doesn’t restrict itself to browser applications. Certain variants can log information from applications such as Steam and JDownloader.”

After it extracts the data, the malicious component executes a command to save all the information into an .xml file. From that .xml file it also produces a plain-text (.txt) copy.

Once it gathers all the information, the malware connects to a remote FTP server and uploads the files.
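The behaviour chain described above (credential dump written to an .xml file, a .txt file derived from it, then an upload to a remote FTP server) is a sequence a defender can look for in endpoint telemetry. The following script is an added example, not code from the article or from Trend Micro: it correlates file-write and network-connect events per process and flags a process that completes the chain in order within a short window. The pipe-delimited log format, the field names, the time window and the sample events are all constructed assumptions for illustration.

```python
"""Correlate per-process events into the PASSTEAL-style chain:
.xml write -> .txt write -> outbound FTP control connection.

Added example with a constructed log format (timestamp|pid|image|kind|detail).
"""

FTP_PORTS = {21}        # assumption: plain FTP control port, as in the write-up
WINDOW_SECONDS = 300    # assumption: whole chain must complete within 5 minutes

# Constructed sample telemetry (not real IoCs). Documentation IP ranges are used.
SAMPLE_EVENTS = r"""
10:01:02|4120|C:\Users\alice\AppData\Local\Temp\svch0st.exe|FILE_WRITE|C:\Users\alice\AppData\Local\Temp\pf.xml
10:01:03|4120|C:\Users\alice\AppData\Local\Temp\svch0st.exe|FILE_WRITE|C:\Users\alice\AppData\Local\Temp\pf.txt
10:01:05|4120|C:\Users\alice\AppData\Local\Temp\svch0st.exe|NET_CONNECT|203.0.113.7:21
10:02:10|2200|C:\Program Files\Mozilla Firefox\firefox.exe|FILE_WRITE|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x\prefs.js
10:02:11|2200|C:\Program Files\Mozilla Firefox\firefox.exe|NET_CONNECT|198.51.100.9:443
10:03:00|3300|C:\Windows\System32\notepad.exe|FILE_WRITE|C:\Users\alice\Documents\notes.txt
10:04:00|5500|C:\Windows\System32\ftp.exe|NET_CONNECT|192.0.2.44:21
"""


def _to_seconds(hhmmss):
    """Convert HH:MM:SS into seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(text):
    """Parse pipe-delimited telemetry lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, kind, detail = line.split("|", 4)
        events.append({"t": _to_seconds(ts), "pid": int(pid),
                       "image": image, "kind": kind, "detail": detail})
    return events


def find_exfil_chains(events, window=WINDOW_SECONDS):
    """Return one finding per process that wrote an .xml, then a .txt, then
    opened an outbound FTP control connection, in that order, within `window`
    seconds of the .xml write. Processes that only do one of the steps
    (a browser writing prefs, notepad saving a .txt, a legitimate FTP client
    with no prior dump files) are not flagged."""
    state = {}      # pid -> stage timestamps seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        st = state.setdefault(ev["pid"], {"image": ev["image"]})
        if ev["kind"] == "FILE_WRITE":
            ext = ev["detail"].lower().rsplit(".", 1)[-1]
            if ext == "xml" and "xml" not in st:
                st["xml"] = ev["t"]
            elif ext == "txt" and "xml" in st and "txt" not in st:
                st["txt"] = ev["t"]          # .txt only counts after the .xml
        elif ev["kind"] == "NET_CONNECT":
            host, _, port = ev["detail"].rpartition(":")
            if int(port) in FTP_PORTS and "txt" in st and ev["t"] - st["xml"] <= window:
                findings.append({"pid": ev["pid"], "image": st["image"],
                                 "dest": host, "elapsed": ev["t"] - st["xml"]})
                st.pop("xml")
                st.pop("txt")                 # reset so a second upload is a new finding
    return findings


if __name__ == "__main__":
    for f in find_exfil_chains(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f['pid']} ({f['image']}) wrote .xml/.txt then connected "
              f"to {f['dest']} on an FTP port after {f['elapsed']}s")
```

Only the process that performs all three steps in order is reported; Firefox writing its own profile file and then using HTTPS, Notepad saving a .txt, and a stand-alone FTP client with no preceding dump files all stay quiet. In a real deployment the dump-file extensions and the destination port set would be tuned to the sensor's data, and the finding would be enriched with the destination host's reputation.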

This tactic is similar to the one deployed by the image-stealing malware (PIXSTEAL) identified last week. Because of this, experts believe there might be a connection between PIXSTEAL and PASSTEAL.
