| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200509131202320.SM01036@JEFFMILLS> Date: Tue Sep 13 17:03:03 2005 From: fractalg at highspeedweb.net (Pedro Hugo) Subject: "New" Brazilian Home Banking Trojan Hello, I'm receiving an homebanking trojan from Brazil. The email is disguised as a patch for Orkut Bad Server and Errors. The download location is at http://69.57.154.130/~arquivo/orkut-patch.exe . AVG detects it, Norton doesn't. Didn't had the opportunity to test with other AV. Some quick notes about this one: - It's packed with PECOMPACT 2.x. It can easily be unpacked with Olly, using the PECOMPACT scripts (www.openrce.org for example) and Ollydump. - You can extract a few Jpeg's from the unpacked binary. It confirms it tries to attack homebanking accounts. - Strings reveals some 4 or 5 banks addresses. - Seems to be coded in Delphi. - It appears to email the stolen accounts to 2 accounts. At least they are in the code. I think it should be interesting for Malware Reverse Engineering practice. No much spare time at the moment to give a look at it, so no much details. It could be useful to AV vendors, since I'm not sure it's being detected by all. I thought it was a new one in the wild, until I tested with AVG :( Best Regards, Pedro Hugo P.S.: The first copy arrived 3 weeks ago, and today I have received two more. If you want the original email, I can forward it.
Powered by blists - more mailing lists