Yesterday, we were shooting a report for a television network in Canada. Part of the report concerns the underground economy. We decided to connect to an Internet Relay Chat (IRC) server to see how much stolen credit card data is sold. While looking at the never ending flow of people announcing their PayPal, egold and other stolen account data and people advertising their willingness in "cashing out" the stolen money, an announcement caught our attention: Jimbo said he had stolen credit card data and that he was giving everyone a sample of the "stock". In the same message, Jimbo provided a link to a file called dump.txt for everyone to look at.
Although the link had the 'txt' extension, it was not pointing to a plain text file. Instead, the user was directed to a Visual Basic (VB) script that would automatically download and execute a file called Install.exe on the victim's PC. We quickly downloaded a copy of this Install.exe file and started analyzing it. After 2-3 minutes of analysis, we discovered that one of the functionality of this program was to disable various antivirus programs by searching for their process names and killing them. Also, Install.exe creates a folder in the windowssystem32 folder and uses rootkit techniques to hide its presence. The new folder contains logs related to this malware and two new executable files, KWVJ.exe and AKV.exe.
As you might have guessed, our friend Jimbo is not giving out any of his stolen credit card data, he is trying to install spyware on the system of his fellow thieves! The two executable files that are dropped by Install.exe are a screen capture program and a key logger. The screen capture program regularly takes screenshots of what the user is doing and stores them on disk. The key logger part of this malware is specifically designed to monitor Internet Explorer and Firefox and common instant messaging clients such as MSN Messenger, Yahoo Messenger, Google Talk, ICQ, and Skype. Both programs are written in C++ and make use of third party libraries to achieve their goal.
It is interesting to note that cyber criminals are not only targeting legitimate business but also fellow fraudsters in their quest for quick profit. They will not hesitate to use malicious software and deception to acquire stolen account data and profit from it.
Pierre-Marc Bureau
Researcher