Help Net Security (HNS) has a report on a tool called "Pinch" that is being sold on several online forums. According to the report, the probably aptly named Pinch lets cybercrooks define a series of malicious actions that the resulting executable will take.
For those who have been in the IT industry long enough, this is reminiscent of the cult classic Back Orifice 2000 of yesteryear. However, this tool appears to be in a different league in terms of both features and versatility.
HNS seems to have got hold of a copy of the tool, and below is a list of the salient points pertaining to its features.
- PWD: Allows selection of the type of passwords (system/application) to be stolen by the Trojan. Data can be encrypted before being sent out.
- SPY: Keylogger, automated screenshots, theft of browser data, or searching for specific files.
- NET: Turns the infected computer into a proxy for further nefarious activities. Trojans can also be turned into downloaders that fetch other executable files onto the compromised computer.
- BD: Basically a backdoor that opens specified ports.
- ETC: Adds stealth for the Trojan, up to and including rootkit functionality.
- WORM: Lets criminals add worm features to their creations, so that they spread by their own means, infecting other files or sending themselves out by e-mail.
Pinch also lets users define the way in which stolen data is transmitted out. Cybercrooks can receive the data via SMTP or HTTP, or simply order the Trojan to leave it in a file on the infected computer and retrieve it later through a port opened by the Trojan itself.
Also, infected computers can be made to take part in a zombie network, and the Trojan itself can be packed to make detection by signature-based virus scanners much more difficult. The usual killing of security processes applies as well, of course.
And if you happen to have the source code for the tool, it becomes a very real possibility to tailor it to output a totally customized Trojan that no standard anti-virus scanner on the market will be able to detect. (See my earlier post: Major AV Vendors: Pure Signature-Based Approach Insufficient.)
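To make the last two paragraphs concrete from the defender's side, here is an added illustration (my own example, not code from HNS, from Pinch, or from any anti-virus product) of why a hash-style signature is brittle against packed or re-customized binaries, and of one cheap heuristic, byte entropy, that still fires on them. The sample buffers are constructed inline: a low-entropy "plain" binary made of repeated text, and a high-entropy "packed" buffer produced by a seeded pseudo-random generator. The 7.0 bits-per-byte threshold is an assumed rule of thumb, not a value taken from the article.

```python
import hashlib
import math
import random
from collections import Counter

# Assumed rule-of-thumb threshold: compressed or encrypted data approaches
# 8 bits of entropy per byte, while ordinary code and text sit well below it.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the whole buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Heuristic: a buffer whose entropy is near the 8-bit ceiling is likely packed or encrypted."""
    return shannon_entropy(data) >= threshold


def signature_matches(data: bytes, known_sha256: str) -> bool:
    """Pure signature check: exact hash match against a known-bad sample."""
    return hashlib.sha256(data).hexdigest() == known_sha256


def make_samples() -> tuple[bytes, bytes]:
    """Constructed test data: a repetitive 'plain' binary and a pseudo-random 'packed' one."""
    plain = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 200
    rng = random.Random(1234)  # fixed seed so the demo is reproducible
    packed = bytes(rng.getrandbits(8) for _ in range(8000))
    return plain, packed


def one_byte_variant(data: bytes) -> bytes:
    """Simulate a trivially re-customized build: the last byte is changed by one."""
    return data[:-1] + bytes([(data[-1] + 1) % 256])


def demo() -> dict:
    plain, packed = make_samples()
    signature = hashlib.sha256(packed).hexdigest()  # the "known sample" the scanner has
    variant = one_byte_variant(packed)
    return {
        "plain_entropy": shannon_entropy(plain),
        "packed_entropy": shannon_entropy(packed),
        "plain_flagged": looks_packed(plain),
        "packed_flagged": looks_packed(packed),
        # The exact-hash signature matches the original sample but not the variant...
        "signature_hits_original": signature_matches(packed, signature),
        "signature_hits_variant": signature_matches(variant, signature),
        # ...whereas the entropy heuristic flags both.
        "variant_flagged": looks_packed(variant),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point is not that entropy alone is a detector (legitimate installers and compressed resources also score high), but that a single, cheap behavioural or structural heuristic survives the one-byte rebuild that defeats a pure hash signature; real engines layer several such heuristics with unpacking and behavioural monitoring.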