13 July 2007 10:40 GMT
Pinch Nothing!
The ‘Pinch’ (aka ‘LDPinch’) family of password-stealing Trojans will be well known to most virus analysts. The family has been active for several years, and numerous variants are known. Russian in origin, various versions of this package (complete with documentation) can be downloaded. This morning, one of the samples received by SophosLabs was a new, undetected variant of this family. Despite recent generic detections covering this family well, this new sample was missed - my interest was piqued.
The sample was encrypted with a reasonably nasty packer that uses various anti-emulation techniques. At this point, I do not know the exact source of the sample - given the use of an enticing icon, I suspect the sample is being distributed in email or over P2P networks.

Peeling away the encryption revealed what looked to be a dropper. This was confirmed when the sample was run - it writes the file pinch.exe to the %temp% folder and executes it.

Happily, the dropped file is proactively detected, so customers would never actually get infected with the Trojan.
With the recent release of Sophos Anti Virus 7, I was curious to explore how well the behavioural protection features would fare against this Trojan. Disabling the generic detection of the dropped pinch.exe component, I re-executed the dropper. The following then occurred:
- the dropper writes the file %temp%\pinch.exe
- %temp%\pinch.exe is executed
- behavioural protection triggers as the Trojan attempts to install itself, blocking execution
- the pinch.exe process is terminated
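The sequence above, written up as a defender-side correlation rule: a process that writes an executable into the Temp folder and then launches that same file is flagged as a drop-and-execute. This is an added example, not Sophos code; the telemetry format, process ids and paths are constructed for illustration.

```python
import re

# Constructed sample telemetry (not real logs), one event per line:
#   time  parent_pid  pid  EVENT  path
# FILE_WRITE: pid wrote path.  PROCESS_START: pid was launched from path by parent_pid.
SAMPLE_EVENTS = r"""
10:40:00 0800 1204 PROCESS_START C:\Users\victim\Downloads\photo.exe
10:40:01 0800 1204 FILE_WRITE C:\Users\victim\AppData\Local\Temp\pinch.exe
10:40:02 1204 2088 PROCESS_START C:\Users\victim\AppData\Local\Temp\pinch.exe
10:41:10 0800 3310 FILE_WRITE C:\Users\victim\AppData\Local\Temp\report.tmp
10:41:11 3310 3402 PROCESS_START C:\Windows\System32\notepad.exe
10:42:05 0800 4400 FILE_WRITE C:\Users\victim\AppData\Local\Temp\setup.exe
"""

# An executable sitting directly under a Temp/Tmp directory.
TEMP_EXE_RE = re.compile(r"\\te?mp\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Yield one dict per well-formed line of the constructed event format."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        time, ppid, pid, event, path = parts
        yield {"time": time, "ppid": ppid, "pid": pid, "event": event, "path": path}


def find_drop_and_execute(text):
    """Flag a process that writes an .exe into %temp% and then launches it.

    Returns one record per (dropper, dropped file) pair seen in the telemetry.
    A file written to Temp but never executed (setup.exe above) is not flagged.
    """
    written = {}  # (writer_pid, lowercase path) -> time of the write
    hits = []
    for ev in parse_events(text):
        path_key = ev["path"].lower()
        if ev["event"] == "FILE_WRITE" and TEMP_EXE_RE.search(ev["path"]):
            written[(ev["pid"], path_key)] = ev["time"]
        elif ev["event"] == "PROCESS_START":
            key = (ev["ppid"], path_key)  # launched by the process that wrote it
            if key in written:
                hits.append({"dropper_pid": ev["ppid"], "child_pid": ev["pid"],
                             "path": ev["path"], "written_at": written[key],
                             "started_at": ev["time"]})
    return hits


if __name__ == "__main__":
    for hit in find_drop_and_execute(SAMPLE_EVENTS):
        print(f"drop-and-execute: pid {hit['dropper_pid']} wrote and ran {hit['path']}")
```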

So, despite not detecting the initial dropper sample, customers are protected against this threat at multiple levels. For persistent families such as Pinch, the bad guys are likely to put more effort into attempts to evade generic detection. In this case, even if the dropped file is not detected, behavioural protection will still block it and prevent it from stealing data from the victim machine.
Fraser Howard, SophosLabs UK
