After we tracked down one of the sources for the Zlob trojan as a free torrent download, we decided to see exactly how deep the rabbit-hole goes. So we checked the newest uploads and saw another package for the latest version of WinRAR (3.80).  It had just been uploaded so we decided to see if it really was clean or not. After a short analysis we found that it follows the same idea: there is a self-extracting installer with two files, one which is the malware and another which is the real WinRAR program. Now, we thought, what could be the real motive behind all this? It is very simple: money.

The malware, (detected as PWS:Win32/PWSteal.E), after it is executed, will send to a remote ftp server a list of your saved Firefox and Internet Explorer passwords. Among the files that we have seen on the server are passwords for eBay, Amazon, Paypal, Myspace, hi5, airlines, online banking systems, etc. Other files were packages containing the same password-stealer. Some of them were AIO (All In One) packages that probably got uploaded to various torrent trackers, in order to lure as many users as possible.

We also found out that there were thousands of computers infected (5000+), growing at a rate of around 1 computer / minute. So it seems that there are other infection channels too, because the infection rate is a bit high, and not all the files in the server had associated torrent trackers; this could mean that the passwords were merely not saved, or that the malware did not arrive only through torrent but through another channel. From time to time, the gathered files were moved to another location, clearly for sorting purposes and perhaps to package them for selling to other parties for significant amounts of money.

So basically, the free software might not be so cheap. Somebody may think that by just paying the ISP (Internet Service Provider) to get online, he or she may get a lot of free software, but in fact his/her bank account credentials or eBay/Amazon passwords may be stolen. At the end of the day, the bank account may be closer to zero than initially thought.

Andrei Saygo && Patrik Vicol