Infection File Steals Images From Your Hard Drive

It's been an interesting day or so where leaked pictures on the web are concerned - stories abound regarding the leak of what are allegedly naked Rihanna shots (link is safe for work, obviously). Indeed, leaks of naked people plastered all over the web are becoming more and more common.

With that in mind, I thought we'd take a look at something I found at the weekend - a malicious program specifically designed to get onto your PC, scour the hard drive and send all the pictures it finds back to the hacker.

In time-honoured tradition, here are the files as they appear on the desktop:

phuntr1.png

Aw look at the little hand, waving at you. Or, to be more accurate, look at the creepy set of fingers about to go pawing through your pictures.

As soon as you fire up Picture Hunter, you know the creator is fully aware of his rather ill-advised shenanigans:

phuntr2.png

It never fails to amaze me how many people create programs like this yet are never responsible for anything, ever. Oh well. The program springs into life with a number of basic options for our wannabe image pilferer:

phuntr3.png

As you can see, you enter your FTP account login details and FTP address into the required fields, then hit "Build". What you end up with is a customised version of the "Stub" file that contains your FTP data. Check out the file size, it's tiny:

phuntr4.png

Approximately 24.5kb of file rummaging activity is on the way - amazing to think how much damage such a small file could cause, as we'll see. It's worth noting that there are multiple versions of this in the wild - although some don't grab JPEG files, others not only grab JPEGs but also Zips, Docs and PDFs as an added bonus.

On my testbox, I've placed a number of images - each one a different type of file.

phuntr5.jpg

If I were tricked via Social Engineering into running the Server file (and of course, the attacker will likely rename it and probably give it a pretty icon to make it more appealing to the target) then the file will immediately start digging through the PC, digging out image files and then sending them to the attacker's FTP account where he can browse the pictures at leisure.

Here's my FTP account a few minutes after the infection file has been executed on the target PC:

phuntr6.png

A .bmp, a .GIF and a .PNG have already appeared in the FTP directory. Shall we take a closer look at one of the files?

phuntr7.jpg

Whoops.

These are harmless images, but the potential for damage to a reputation (or just general embarrassment) is huge - how many people store monster nudie pictures of themselves on their home computer, for example? The program attempts to minimise the amount of non-essential images collected by filtering out certain areas of the PC - so temporary internet files, program files and images under 1kb in size are ignored.

Interestingly, the attacker could put themselves at risk due to the program simply scooping up whatever it finds - what if the infected PC has illegal pornography on it? All of a sudden, they've just uploaded a bunch of child pornography pictures to a third party FTP service - who probably aren't going to be very pleased, to put it mildly.

Of course, if the attacker is greedy enough to create a file like this in the first place, that's a risk they'll just have to take. For the rest of us, let this be a timely warning - the best place to store your image files (especially ones that involve you running around with a whip and a gimpsuit) is on an external hard drive that you can hide under the bed, in a locked case, surrounded by high explosives and tripwires.

Don't say we didn't warn you :)



About this Entry

This page contains a single entry by Christopher Boyd published on May 11, 2009 7:24 PM.
