Fake AV — why I want your FTP credentials.

JMH

I recently came across a rogue security software (aka “Fake AV”) variant Troj/FakeAv-AAL which, in addition to the scareware component, downloads and runs a packet sniffer Troj/Sniffer-R. After peeling away the encryption layers, the credential-sniffing logic is quite simple. The trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21 — the FTP control port number. It captures the host name, user name and password for any outgoing FTP connections, and checks the user and password combo are valid by parsing incoming FTP traffic for the ‘login success’ status code. Only the credentials which result in a login success are subsequently reported to a remote server — which currently maps to a known malicious domain associated with rogue security software.
Link -
Fake AV — why I want your FTP credentials | SophosLabs blog
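A defender-side counterpart to the logic described in the post, as an added example that is not code from the post or from SophosLabs: it reconstructs FTP control sessions from constructed NIDS-style records and raises an alert on every successful cleartext login (a PASS followed by a 230 reply), i.e. exactly the events such a sniffer would harvest, so the exposure can be found and FTP replaced or wrapped in TLS. The record format, addresses and credentials are all constructed for the example, and the password is never retained in the alert.

```python
import re

# Constructed sample of FTP control-channel records as a NIDS might emit them:
# (direction, client, server, line). "out" = client->server, "in" = server->client.
SAMPLE_RECORDS = [
    ("in",  "10.0.0.5", "203.0.113.10", "220 (vsFTPd 3.0.3)"),
    ("out", "10.0.0.5", "203.0.113.10", "USER alice"),
    ("in",  "10.0.0.5", "203.0.113.10", "331 Please specify the password."),
    ("out", "10.0.0.5", "203.0.113.10", "PASS hunter2"),
    ("in",  "10.0.0.5", "203.0.113.10", "230 Login successful."),
    ("out", "10.0.0.5", "203.0.113.20", "USER bob"),
    ("in",  "10.0.0.5", "203.0.113.20", "331 Password required for bob."),
    ("out", "10.0.0.5", "203.0.113.20", "PASS wrong"),
    ("in",  "10.0.0.5", "203.0.113.20", "530 Login incorrect."),
]

def find_cleartext_logins(records):
    """Return one alert per (client, server) session whose cleartext FTP login
    succeeded, i.e. a PASS command answered with reply code 230.
    The password value itself is never stored; alerts carry a redaction marker."""
    pending = {}   # (client, server) -> {"user": str | None, "pass_seen": bool}
    alerts = []
    for direction, client, server, line in records:
        key = (client, server)
        state = pending.setdefault(key, {"user": None, "pass_seen": False})
        if direction == "out":
            m = re.match(r"(USER|PASS)\s+(.*)", line, re.IGNORECASE)
            if not m:
                continue
            if m.group(1).upper() == "USER":
                state["user"], state["pass_seen"] = m.group(2).strip(), False
            else:
                state["pass_seen"] = True   # a password just crossed the wire in cleartext
        else:
            code = line[:3]
            # Only a reply that follows PASS decides the login attempt; 331 after USER is ignored.
            if code.isdigit() and state["pass_seen"]:
                if code == "230":
                    alerts.append({"client": client, "server": server,
                                   "user": state["user"], "password": "<redacted>"})
                pending.pop(key)   # any reply after PASS ends this attempt
    return alerts

if __name__ == "__main__":
    for alert in find_cleartext_logins(SAMPLE_RECORDS):
        print("cleartext FTP login:", alert)
```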