
Exposed: Tool that creates custom Trojans

Help Net Security (HNS) has a report on a tool called "Pinch" that is being sold on several online forums. According to the report, the probably aptly named Pinch lets cybercrooks define a series of malicious actions that the resulting executable will take.

For those who have been in the IT industry long enough, this is reminiscent of the cult classic Back Orifice 2000 of yesteryear. The functionality of this tool, however, appears to be in a different league in terms of both features and versatility.

HNS seems to have got its hands on a copy of the tool; below is a list of the salient points about its features.

  • PWD: Selects the type of passwords (system or application) the Trojan will steal. The data can be encrypted before it is sent out.
  • SPY: Keylogging, automated screenshots, theft of browser data, or searching for specific files.
  • NET: Turns the infected computer into a proxy for further nefarious activity. The Trojan can also be turned into a downloader that fetches other executables onto the compromised machine.
  • BD: Basically a backdoor that opens specified ports.
  • ETC: Stealth options for the Trojan, up to and including rootkit techniques.
  • WORM: Adds worm features so that the creation can spread by its own means, infecting other files or mailing itself out.

Pinch also lets users define how stolen data is transmitted. Cybercrooks can receive it via SMTP or HTTP, or simply order the Trojan to leave the stolen data in a file on the infected computer, to be retrieved later through a port the Trojan itself opens.

Infected computers can also be made to take part in a zombie network, and the Trojan itself can be packed to make detection by signature-based virus scanners much harder. The usual killing of security processes applies as well, of course.

And if you happen to have the source code for the tool, it becomes a very real possibility to tailor it to output a totally customized Trojan that no off-the-shelf signature-based scanner will detect. (See my: Major AV Vendors: Pure Signature-Based Approach Insufficient.)

Does the existence of such a Trojan creation tool worry you?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

13 comments
HAL 9000

So someone has finally found a way to make money out of creating Security Nightmares for us. What's the bet that if you look at the Source Code it will have an M$ signature at the bottom of the code? Things like Back Orifice were nasty, but this looks to have the ability to do much more and be undetectable till way after the initial infection occurs. While the Script Kiddies have been dreaming of things like this for a very long time, now it finally looks as if someone has reached the market, and I'm betting that if this is only half as good as stated it will be a Best Seller. Col

json_white

...this is such a big deal. Anybody can compile a VBScript and launch it via a self-extracting archive. Any/all additional executables and instructions can be delivered in this way. If you've convinced somebody to run your trojan, then you could have just packaged your infection as an MSI package. I suppose the big deal here is that it puts these capabilities in the hands of idiots. I guess this will start replacing the porn dialers that break everyone's PCs now. For anybody who is concerned: do not run untrusted code, and don't operate your PC under an administrative account.

Locrian_Lyric

A tool for havoc for those who don't know what they're doing is a tool for great mischief.

HAL 9000

"I suppose the big deal here is that it puts these capabilities in the hands of idiots." It's the idiots who will buy this crap and then want to use it to infect other systems and do harm. Granted, not too many real computer systems will be compromised, only the ones run by Home Owners and those Make Believe Professionals who believe that the bit of paper they recently got means that they now know all there is to know and that the world owes them a living. The problem here is that that bit of Paper only gives them the right to go out into the Big Bad World and start to learn their trade; it is only the very beginning, not the end, of all the learning. Col

Locrian_Lyric

that one day, legislation will be passed to make it against the law to beat script-kiddies, and that the penalty will be a two dollar fine.

paulmah

Does the existence of such a Trojan creation tool worry you?

chigozie_onyeuko

Can this Trojan break into software so as to reveal its unlocking codes, and at the same time not infect the host computer? Onyeuko Chigozie Teddy, Pisa, Italy

json_white

Dude, a Trojan Horse is a malicious program that delivers a payload to a target system. The distributor hopes to find a way to get a user to execute the code with sufficient privileges to infect the host computer with the payload. This is not the same thing as reverse engineering a piece of software to determine its serial generation algorithm. In answer to your question, though... You COULD try to infect a software manufacturer's internal network with sufficient remote access capabilities to try and steal their algorithm from source control. Or just buy their software; it's a lot more economical.

TechExec2

You don't even want to KNOW what I thought of when I saw your title: "Exposed: Tool that creates custom trojans" :^0 :^0 :^0

paulmah

And what might you be thinking of? Remember that Google is watching, though.. :)

Locrian_Lyric

after all the D*CKS out there that use them!

TechExec2

Your title: "Exposed: Tool that creates custom trojans" Let's just put it this way... A custom trojan is best for an exposed tool. ]:) P.S. Google should be fine. I used the same words that you did. :^0

OldER Mycroft

Racing around the place. That was my initial thought!
