7 March 2008 15:46 GMT
Turkish Delight
Whilst perusing some malware today, I came across an interesting case. Readers are probably familiar with the Ardamax Keylogger application (detected as Ardamax PUA).
![Ardamax application](/images/sophoslabs-blog/2008/03/arda.png)
The application is frequently bundled and packaged up by hackers looking to misuse it to steal data.
Today I came across a web attack (probably Turkish in origin) using an old browser exploit to infect victims with a self-extracting installer which installs Ardamax on the victim machine.
![Web attack installing Ardamax](/images/sophoslabs-blog/2008/03/dv3.png)
Browsing to the root of the site hosting Mal/Psyme-A, I noticed directory browsing was enabled. Various files and directories in the root were clearly ‘of interest’, including:
- the malicious Ardamax installer (detected as Troj/Ardamax-N)
- PHP backdoor (detected as Mal/PHPShell-A)
- logon credentials to a remote FTP server
Within one of the folders were files containing data harvested from victim machines:
![List of files containing stolen data](/images/sophoslabs-blog/2008/03/dv2.png)
The data includes:
- screenshots from infected machines
- lists of web sites visited on infected machines
- logged keystrokes (with the relevant active process name)
From the log files visible now, several victims seem to have been infected already, and the attacker continues to harvest potentially valuable information. Though rather primitive and long-in-the-tooth, techniques such as logging keystrokes and grabbing screenshots can still be an effective way of harvesting data from victim machines.
Protect yourself - ensure you have PUA detection enabled. Supposing the bundled installer was not already detected, PUA detection would still provide protection: the installed components are all detected as Ardamax PUA.
Fraser Howard, SophosLabs UK
