Interview with the vampire

Meanwhile we were analyzing a sample of a trojan, suddenly an unexpected event occured. The keyboard and the mouse of the infected machine, where the analysis took place, came to life.
The first thought was that it is a problem with the keyboard, but after a few seconds later it was clear: those characters are not just some kind of random characters, like when the keyboard stucks. Somebody was typing a message to the debugger’s window. It was like a ghost in the machine:

There was no doubt, the botmaster had been observing our infected computer and decided to contact with us through the trojan. That the remote controlling is one of the functionalities of this bot.

As taking advantage of the situation we made some question to our strange visitor, you can find a transcription of our chatting with the trojan’s author, here:

[botmaster] why dont you stop this sh*t
do you want a little bit of help?
do you want me to explain how this plugin works?
it makes me laugh watching how you are trying to disassemble it during hours
of course, i am not going to send you the source code, sorry
[S21sec e-crime] how do you do with this trojan?
[botmaster] very bad, there are people attempting to catch and dismantle it
[S21sec e-crime] you always have a time window. no success?
[botmaster] no, unfortunately. the problem is the banks, not the trojan itself
[S21sec e-crime] if i am not wrong, it’s a multi-banking trojan, isn’t it?
[botmaster] depends on the configuration
[S21sec e-crime] is it your first banking trojan? have you made it from scratch?
[botmaster] not really. what i can tell you, it seems you have got the
idea how it works and no left much new thing to uncover. its pretty simple
well, apart of that, it allows you to control the PC like i do it now, nothing more.
[S21sec e-crime] do you have more trojans to set up a botnet? is it your first attempt?
[botmaster] right now i have 1500 online
[S21sec e-crime] and do you infect the machines or do you rent them?
[botmaster] well, i have to leave now, later we talk

Vicente Díaz, József Gégény
S21sec e-crime

Deja un comentario