TSPY_FAKEPUT.A

 Analysis by: Homer Pacag

 ALIASES:

Trojan:Win32/Modputty.A (Microsoft); Hacktool (Symantec)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

File Size:

593,920 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

20 May 2015

Payload:

Steals information

Arrival Details

This spyware may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:

It retrieves the following information of the machine/server intended to access using Putty:

  • IP Address/Domain
  • Username
  • Password
  • Port

It uses the string format ssh://{username}:{password}@{IP address/domain}:{port}.

The malware is encoded to Base64 for encryption then concatenated to URL and finally sent to the following URL:

  • http://{BLOCKED}-uro.ru/get/index.php?record={encoded base64 stolen information}

In comparison, the GUI and File icon of the normal Putty and malicious Putty may be similar.

We can determine their differences by checking file properties and clicking the about button in the GUI.

  SOLUTION

Minimum Scan Engine:

9.750

Scan your computer with your Trend Micro product to delete files detected as TSPY_FAKEPUT.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.