Panda Security Mediacenter

PINCH, THE TROJAN CREATOR

Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you how far Trojan creators have come and how some of them release ‘builders’ for their creations: genuine design centers for producing fully customizable Trojans. This is where Pinch comes in.

It is a tool for creating Trojans which allows the attacker to define the actions the Trojan will take, pack the executable file to make detection more difficult, disable specific ‘annoying’ services such as those of antivirus products, and so on.

Among the tools for creating viruses, Trojans, etc., this is probably the most widely used, distributed and sold, thanks to a very intuitive interface that makes it easy to use. It lets malicious attackers produce, in a few minutes, an executable ready to infect, steal, spread, etc. The result is serious harm to victims who do not even realize what has happened until it is too late and they have to face the financial consequences.

First, attackers must choose the ‘return’ mode for the data the Trojan obtains: whether it should be sent via SMTP or HTTP, or simply left in a file on the system to be recovered later through a backdoor the Trojan opens on the victim’s computer.

If SMTP is chosen, the following parameters must be specified:
+ SMTP server and port to use.
+ ‘From’ and ‘To’ fields of the email to send.
+ Subject line.
+ Interval between data sends.

If HTTP is chosen, the name of the server hosting mail3.php must be specified; the mail3.php script uploads the information onto the server.

If the FILE method is chosen, the name and path of the file that will hold the information must be specified.
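The HTTP return mode above leaves a usable detection artifact: the victim machine repeatedly posts stolen data to a script named mail3.php, on the interval the builder configured. The following added example (not from the original post or from Panda Security) parses constructed proxy log lines in a simple, assumed format of `timestamp client method url status bytes`, flags every request to a mail3.php path, and marks a client/URL pair as periodic when its request gaps are nearly constant.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (assumed format: timestamp client method url status bytes).
SAMPLE_LOG = """\
2009-03-02T10:00:00 192.0.2.15 POST http://drop.example.invalid/mail3.php 200 5120
2009-03-02T10:00:04 192.0.2.15 GET http://www.example.com/index.html 200 1024
2009-03-02T10:30:01 192.0.2.15 POST http://drop.example.invalid/mail3.php 200 4980
2009-03-02T11:00:02 192.0.2.15 POST http://drop.example.invalid/mail3.php 200 5011
2009-03-02T11:20:00 192.0.2.44 GET http://www.example.com/mail3.php?x=1 200 300
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})\s+(\d+)$")
# Match a path component named mail3.php, with or without a query string.
PATH_RE = re.compile(r"/mail3\.php(\?|$)", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "url": url, "status": int(status), "size": int(size)}


def detect_pinch_http(log_text, max_jitter=0.2):
    """Group mail3.php requests per (client, url) and test whether the gaps are regular."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PATH_RE.search(rec["url"]):
            hits[(rec["client"], rec["url"].split("?", 1)[0])].append(rec)
    findings = []
    for (client, url), recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        periodic = False
        if len(gaps) >= 2:  # need at least three requests to judge regularity
            mean = sum(gaps) / len(gaps)
            periodic = max(abs(g - mean) for g in gaps) <= max_jitter * mean
        findings.append({"client": client, "url": url, "count": len(recs),
                         "posts": sum(r["method"] == "POST" for r in recs),
                         "periodic": periodic})
    return findings


if __name__ == "__main__":
    for f in detect_pinch_http(SAMPLE_LOG):
        print(f)
```

A single GET to a mail3.php URL is reported but not marked periodic, so an analyst can triage it separately from the repeating POSTs that match the builder's send interval.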

There are several tabs in the middle of the screen where the parameters below can be specified.

PWD: Indicates the types of password to be stolen, from mail programs to passwords stored in browsers, including system information. The report can also be encrypted.

RUN: Indicates how the Trojan will run on the target computer, the location it will be copied to (if necessary), its name, etc. If Autorun is selected, there are several options to choose from:

+ Standard: Copies the executable file to the selected directory and adds a Windows Registry entry so it runs automatically.
+ DLL RUN: Copies the Trojan to the directory, creates a .dll and adds a reference in the Windows Registry so it runs automatically.
+ UNDELETE: Compiles the Trojan and converts it between different formats (exe, dll), compiles a .dll again from one of the conversions, etc.
+ SERVICE: Copies the Trojan to the directory and creates a reference in the Windows Registry so it runs automatically as a service. The name of the service can be specified.

It can also be set to act on a specific date and time, to delete itself, and to run when it detects a network connection or after a reboot. It can also be compiled so that it changes the Windows Firewall settings to let the Trojan operate.

SPY: This section sets the spying functions: acting as a keylogger, taking screenshots of the victim’s desktop, capturing Internet Explorer data, looking for certain files on the target system, etc.

NET: Allows the victim’s PC to be turned into a proxy, with the ports etc. specified. It also acts as a downloader: given the address of an executable file, the victim’s machine downloads the .exe and runs it. The last option connects to a PHP script, with parameters that can be specified, etc.

BD (backdoor): Allows ports to be specified and logs to be opened on victims’ computers.

ETC: Allows the Trojan to be hidden using typical joiner methods.

KILL: Allows the selected services or processes to be killed. Most antivirus services are selectable by default.

IE: Allows attackers to add sites to the Internet Explorer Trusted Sites zone and to the Favorites.

WORM: Allows worm characteristics to be set for the Trojan so that it spreads by itself.

IRC-BOT: Allows victims’ computers to be added to an IRC bot network, specifying the server, channel, port and password.

It also allows the Trojan to be encrypted with RC4 and packed with FSG, UPX or MEW.


Once all the Trojan’s characteristics have been specified, it is compiled to obtain the .exe file.

The version I have used for this post is version 2.60, since the builder in this version is very complete. Later versions are available, but their builders are cut down and do not allow all the Trojan’s characteristics to be specified from a single builder. The author has ‘diversified’ them, creating a specific builder for SMTP and removing several options that are now included in the final Trojan by default. Bearing in mind builder prices, this move to make the ‘creations’ more profitable is not surprising. Here you have a screenshot of the latest version:


The parser: Pinch comes with a parser program that can read and decrypt the logs left by the Trojan. The parser lets you search the logs and, truth be told, it is easy to use and gives a clear view of the different log data obtained by the Trojan:
