PixSteal-A Trojan Steals Images, Uploads to Iraqi FTP Server

A new Trojan has been identified that has the capability of stealing images from infected computers, setting the stage for anything from identity theft to blackmail.


PixSteal-A also pilfers .dmp files (Windows memory dumps that contain data on system crashes) and sends all stolen data to a remote FTP server in Iraq, according to Sophos.

This isn’t the first malware to target non-text-based files. ACAD/Medre.A surfaced in June and was designed to steal blueprints and engineering documents created in AutoCAD software.

“We suspect this malware is in its first stage of development for information theft, and we expect it to return as a more sophisticated attack,” wrote McAfee researcher Niranjan Jayanand.

In the meantime, the attackers could be harvesting a trove of image files that include anything from compromising photographs, to scanned sensitive documents containing personal information.

Users become infected via drive-by downloads from compromised or attacker-owned sites. The malware then scans local and remote files for .jpg, .jpeg, and .dmp extensions. Sophos found a Google Talk memory dump file stored on the FTP server that likely contains instant messaging conversations; .dmp files can also provide hints about system vulnerabilities.

“If I had to make a guess, I would think the above evidence suggests it is being used for espionage,” said Sophos’ Chester Wisniewski. “But we can’t be sure.”

Once the malware connects to the FTP server, it sends the first 20,000 files it finds to the server, Trend Micro said.

“Though it appears tedious, the potential gain for cybercriminals should they be successful in stealing information is high,” said Trend Micro researcher Raymart Paraiso. “Information theft routines have been mostly limited to information that is in text form, thus this malware poses a whole new different risk for users.”

Experts recommend a number of precautions, including blocking FTP transfers via corporate firewalls. This particular FTP server went dark on Monday, McAfee said.
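The behaviour described above (a sequential bulk upload of .jpg, .jpeg and .dmp files to an external FTP server) is easy to spot once FTP control-channel activity is logged. The script below is an added example, not code from Sophos, McAfee or Trend Micro: it assumes a hypothetical FTP proxy log format (one `STOR` command per line, with source host, destination and the uploaded path) and a list of internal address ranges, and it flags both any FTP upload leaving the corporate network (a policy violation where FTP egress is blocked at the firewall) and hosts that push many image or memory-dump files to an external server within a short window. The log lines are constructed for the example.

```python
"""Detect bulk FTP uploads of image and memory-dump files (added example).

Assumptions (not from the original article):
  * log format:  <ISO-8601 timestamp> <src ip> <dst ip>:<port> STOR <path>
  * INTERNAL_NETS lists the organisation's own address space; anything else
    is treated as external.
"""
import ipaddress
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = {".jpg", ".jpeg", ".dmp"}    # file types PixSteal-A is reported to collect
THRESHOLD = 5                              # suspect uploads from one host inside WINDOW
WINDOW = timedelta(minutes=10)

# Hypothetical internal ranges; real deployments substitute their own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) STOR (.+)$")

# Constructed sample log: host 10.0.0.5 bulk-uploads pictures and dumps to an
# external server; 10.0.0.9 uses an internal FTP server; 10.0.0.12 sends two
# images to an external host 40 minutes apart (not bulk); one line is garbage.
SAMPLE_LOG = r"""
2012-10-29T09:00:01 10.0.0.5 203.0.113.7:21 STOR C:\Users\alice\Pictures\IMG_0001.jpg
2012-10-29T09:00:03 10.0.0.5 203.0.113.7:21 STOR C:\Users\alice\Pictures\IMG_0002.JPG
2012-10-29T09:00:04 10.0.0.5 203.0.113.7:21 STOR C:\Users\alice\Pictures\holiday.jpeg
2012-10-29T09:00:06 10.0.0.5 203.0.113.7:21 STOR C:\Windows\Minidump\103012-20123-01.dmp
2012-10-29T09:00:09 10.0.0.5 203.0.113.7:21 STOR C:\Users\alice\Documents\scan_passport.jpg
2012-10-29T09:00:11 10.0.0.5 203.0.113.7:21 STOR C:\Users\alice\AppData\Local\Google\Google Talk\gtalk.dmp
2012-10-29T09:05:00 10.0.0.9 10.0.0.200:21 STOR C:\reports\q3.txt
2012-10-29T09:10:00 10.0.0.12 198.51.100.20:21 STOR C:\marketing\banner.jpg
2012-10-29T09:50:00 10.0.0.12 198.51.100.20:21 STOR C:\marketing\banner2.jpg
this line is not in the expected format
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, path = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "port": int(port),
        "path": path,
        "ext": ntpath.splitext(path)[1].lower(),   # Windows path semantics
    }


def is_external(ip):
    """True when the address lies outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_ftp_hosts(lines):
    """Hosts that issued any STOR to an external address on port 21."""
    return {ev["src"] for ev in map(parse_line, lines)
            if ev and ev["port"] == 21 and is_external(ev["dst"])}


def find_bulk_uploads(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_count} for hosts whose suspect-file uploads to
    external servers reach `threshold` inside any sliding `window`."""
    times_by_host = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev and ev["ext"] in SUSPECT_EXT and is_external(ev["dst"]):
            times_by_host[ev["src"]].append(ev["ts"])

    flagged = {}
    for src, times in times_by_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("external FTP uploads:", sorted(external_ftp_hosts(lines)))
    print("bulk suspect uploads:", find_bulk_uploads(lines))
```

On the constructed log only 10.0.0.5 trips the bulk-upload rule, while both 10.0.0.5 and 10.0.0.12 show up as FTP egress violations; the two checks are deliberately separate so that a site that blocks FTP outright can alert on the first, and a site that still permits it can tune the threshold and window of the second.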

“This malware can evolve with more sophisticated code and cause more harm,” McAfee’s Jayanand said. “Since 2008, we have seen image files carrying embedded image files within. Malware authors sometimes hide their commands behind an image file using steganography.”